After weeks of speculation, it has finally been made public why Ladar Levison decided to shut down his secure email service, Lavabit, in August this year.
According to recently released documents, the US government obtained a search document in July demanding that Lavabit, as the email provider of NSA whistleblower Edward Snowden, turn over the private SSL keys protecting him and the other 400,000 users of the site.
The documents, obtained by Wired, were unsealed by a judge at the Fourth Circuit Court of Appeals where the case is currently being heard. They show that Lavabit was served with both “pen register” and “trap and trace device” orders in swift succession, meaning that the US government would have had real-time access to specific information created by users of the site.
However, Lavabit was built upon Ladar Levison’s belief that privacy is a fundamental right. In 2004, using the OpenSSL cryptography library, the then 22-year-old technology enthusiast made it impossible for even him to read the encrypted messages stored on his servers. If Levison hadn’t done so, authorities using one of the devices would have had access to vast amounts of information from Snowden’s account, including IP addresses and contact details.
Consequently, the US government was desperate for the SSL private key, which would fittingly function as a literal key to unlock the protected information. The 162 pages of unsealed documents reveal that Lavabit was then served with a search warrant for the SSL key along with a wiretap, a device which requires a considerably higher legal standard than the previous court order for the pen register.
On 9 July, prosecutors accused Levison of contempt of court over his continued refusal to hand over the key – a decision, he argues, stemming from the fact that by doing so he would compromise the security of all users.
In August, Lavabit eventually handed over pages of the key, but did so typed in a near-illegible 4-point font. Irritated, the court ordered Levison to pay a $5,000 (£3,000) fine for each day of non-compliance. On the eighth day of the month, Levison destroyed the company’s servers entirely, shuttering the service.
Still under a gag order, he posted a cryptic message saying he’d been left little choice in the matter: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.”