In a brief filed in the Eastern District of Virginia, the ACLU is asking an appeals court to throw out a lower court’s contempt finding against secure email provider Lavabit, reverse the thousands of dollars the company was fined, and order the government to return or destroy its private encryption keys.
The ACLU argues that the government’s orders “requiring Lavabit to disclose its private keys imposed an unreasonable burden on the company,” and that the government could have obtained the information it sought without fatally injuring the secure email provider. While companies have an obligation to assist the government with law enforcement investigations, ACLU attorneys write, “they also have a right not to be compelled ‘to render assistance without limitation regardless of the burden involved.’”
The Supreme Court has held, in US v New York Tel Co., that companies must comply with government demands for information as long as the demands are not overly burdensome. Where compliance “require[s] minimal effort on the part of the Company and no disruption to its operations,” corporations must oblige lawful government orders. But as the ACLU argues, turning over its private encryption keys to the government “completely undermined Lavabit’s lawful business model, which was to provide a genuinely secure email service.”
Lavabit could not have withstood the massive business disruption, loss of consumer confidence, and hemorrhaging of customers that would have likely resulted after the public learned that the company had been forced to divulge its private encryption keys. The market for email services is highly competitive, and dominated by large companies that offer vast amounts of storage space for free to consumers. Security was the only advantage that Lavabit had over larger competitors like Google and Yahoo. If the company were forced to subvert such a fundamental aspect of its security—the private encryption keys were the company’s self-described “crown jewels”—it would have lost its only competitive advantage, as well as the trust of its 400,000 users.
Since Lavabit’s entire business model was predicated on providing secure email service, handing over encryption keys that would render all of its users’ information insecure was too high a burden. But not only was the order too burdensome; it was also unnecessarily broad. The government didn’t need to compromise the security of the entire system in order to gain access to the information it sought. That’s because:
Lavabit offered to create and install onto its servers a narrow, focused, pen-register-like surveillance system capable of providing the non-content information pertaining to the target of the government’s investigation—an alternative procedure that would have fulfilled the government’s surveillance needs without requiring the company to disclose its private keys.
In New York Tel Co. the Supreme Court specified that the government’s surveillance order was legitimate because “the company’s assistance was ‘essential to the fulfillment of the purpose—to learn the identities of those connected with the gambling operation—for which the pen register order had been issued.’”
Lavabit offered to write special code that would have given law enforcement a daily peek into the metadata associated with the target’s account, a scenario that would have given the government access to the information it demanded without compromising the email service for its hundreds of thousands of other users. The demand to hand over the company’s private keys was therefore not essential to the fulfillment of the purpose.
But astonishingly, the government rejected Lavabit’s offer on the grounds that it needed real-time access to the targeted metadata. In other words, the government argued that instant surveillance gratification in the form of real-time tracking, instead of a daily report, was more important than the email security of 400k people and therefore the survival of Lavabit.
Lavabit made a good faith effort to assist the government’s investigation, and the government went too far when it demanded information that effectively killed the company. As the ACLU's attorneys argue, Lavabit had no obligation to provide an email service that is easy to surveil. Here's hoping the appeals court agrees.