The appellant’s brief on behalf of Ladar Levison and Lavabit was filed yesterday (10/10/13) in the Fourth Circuit, seeking to clean up the mess left behind by the government’s sledgehammering the “secure” email provider into cooperation. It tells a shocking story of how the government sought to strong-arm Levison into giving up the Lavabit encryption key, what the brief calls the “private key” because it was the “master key” held only by Lavabit that enabled access to every account, every customer, every email, everything.
The government, of course, only wanted (or so it said) access to one customer, one account, which is redacted in the brief but bears a remarkable likeness to Edward Snowden. On his own, Levison sought to negotiate a deal with the feds, to give up Snowden by doing the decryption on his end and handing everything “Snowden” over.
The government wasn’t satisfied, as this denied them “real time” access to Snowden’s emails. They wanted it all, and they wanted it now. As for unfettered access, the government argued that it needed access to everything to make sure it obtained access to the one customer it wanted, because you can never be too thorough and Levison might not have given up everything he had of
Snowden’s the target.
Levison tried another way around the order, printing out the encryption key, which took eleven pages at 4-point type. Tricky, but not tricky enough. While the government probably could have used this to do its dirty work, it would have required a couple hours of intense effort. Talk about contemptuousness.
So instead, they sought and obtained a contempt order for Levison’s failure to comply with three separate processes to obtain the desired private key: subpoena, pen register (trap and trace) order and a warrant under the Stored Communications Act.
To make matters worse (for Levison), whose company existed to provide “secure” communications from the government, the order forbid him from informing his other customers of the government’s demands, and that their communications would be revealed. As for the targets of the government’s ire, Levison had already given their privacy away as he was ordered. The Lavabit TOS covered compliance with court orders.
The brief, whose primary author I’m told is Marcia Hofmann (though my info could be wrong), does two basic things. It attacks the nuts and bolts of the various government efforts to obtain the private key, arguing that it does not fall within the scope of things the government is entitled to by fiat.
The second is that it argues (in a surprisingly low key fashion and at the back end of the brief) that obtaining access to the information of Lavabit’s 400,000 customers to get the content of just one is wrong.
At Volokh Conspiracy, Orin Kerr parses the technical arguments made in the brief, and finds them lacking. As he notes, Lavabit has to prevail in all its technical arguments in order to survive contempt; if the government wins one, it wins. So, Orin begins with the weakest of the points, the attack on the subpoena:
Lavabit’s weakest argument is its claim that the government couldn’t just subpoena the key from Lavabit. Surprisingly, the brief spends less than two pages on this issue at the end of the brief. I think it’s the argument that Lavabit should be the most worried about, however. Here’s the problem. The government can subpoena pretty much anything before the grand jury unless the request is overly burdensome, abusive, or oppressive.
He then offers the counter. “Lavabit argues that it would be “abusive” and “oppressive” to effectuate that because it would make it impossible to offer an email service that the government cannot monitor.” which he promptly knocks down:
This strikes me as a really weak argument. Lavabit is essentially claiming that its anti-government business model trumps the subpoena power. That is, it is arguing that the subpoena is “oppressive” precisely because it would work: It would allow the government to conduct the surveillance it is allowed to conduct under the Pen Register statute. That’s a curious argument in light of the traditional understanding of the grand jury subpoena power:
Citizens generally are not constitutionally immune from grand jury subpoenas[,] and . . . the longstanding principle that the public has a right to every man’s evidence is particularly applicable to grand jury proceedings.
This isn’t really a fair characterization of Lavabit’s point. Initially, the argument is that revelation of the private key would be the ruination of the business. By exposing every customer to government disclosure, and covert disclosure at that, the government would take a viable business, making money and delivering a service as businesses are allowed to do in America, and destroy it. Poof, company gone. Business gone. Revenue gone. Wham, bam, thank you, Ladar.
Abusive and burdensome isn’t limited to too many pages and too much work. The ruination of a lawful and viable business is pretty darned abusive as well. The destruction of a business that took ten years to build is awfully burdensome.
Regardless of whether Lavabit’s business model is “anti-government,” which is also a troubling characterization unless one equates pro-privacy with being a government-hater, there remains a right to engage in lawful business pursuits without the government destroying them with a sheet of paper and only an attenuated excuse for why it’s oh-so-important to the government to get its bit of info.
But Lavabit argues that it’s like subpoenaing Coca-Cola’s secret formula. The analogy isn’t perfect, but analogies never seem to work great when using real world things to argue technological issues, a point I’ve tried to make about a thousand times already and a good reason for everybody to stop trying to use analogies.
Orin concludes that the failing of the argument is that Lavabit’s business model doesn’t trump the government’s subpoena power:
In light of that standard, I don’t know of any authority for the view that a private company can announce an ideology or business strategy and then say that a subpoena that interferes with that strategy is “abusive” or “oppressive.” The reference point for what is “oppressive” can’t be the personal ideology or the business model of the subpoena recipient. Any other rule would nullify the subpoena power that the Supreme Court has gone out of its way to protect.
This strikes me as a by-product of the mischaracterization of the Lavabit argument, that it’s merely a business model argument, when my read is that this is more a substantive due process argument, incorporating a plethora of rights ranging from search and seizure to the takings clause, particularity to overbreadth, all of which would be ripped to shreds because the government demanded its “evidence,” even when it wasn’t actually evidence in the first place. Unfortunately, my characterization of this point isn’t quite what the brief offers either, as it doesn’t go nearly as far and barely taps, no less pounds, at the point.
And why does anybody other than Ladar Levison (and 400,000 of his best former customers) care? Because this could happen to any business that you think is protecting your confidences, and you wouldn’t even know about it as the government leisurely rummages through every private communication you make, not because of anything you’ve ever done but because one customer is in its crosshairs.
There are many lessons to this pathetic tale, not the least of which is that it demonstrates the need for new law, rather than rehash of real world law applicable by whoever can come up with the analogy that strikes a judge’s fancy, to deal with issues that never existed before the digital world.
But it also teaches that all those happy entrepreneurs starting up internet businesses need to have both the will and the funding to protect the privacy of their customers from governmental attack. If you lack the guts or funds to fight, then you’re a fraud to claim to offer privacy. Excuses don’t protect anyone or anything, and nobody said you get to have a successful business built on excuses.
Finally, it’s a reminder that not everyone on the internet wishes to give up every bit of personal information to enjoy the shiny glory of the iWorld. The sad truth is that what the government doesn’t do to us, we do to ourselves and each other, and do it happily.