Forget the Back Door: The Government Now Wants the Keys to the Internet
If the Department of Justice gets its way in court, secure email could become a thing of the past.
By Dana Liebelson
Photoillustration by Matt Connolly
Internet privacy relies heavily on the ability of tech companies to hide user content—such as your emails and bank information—behind a secure wall. But the Department of Justice is waging an unprecedented battle in court to win the power to seize the keys of US companies whenever the US government wants. Edward Snowden has shown that the government is already doing a great job at getting companies to hand over information, breaking down weak doors, and scooping up unlocked material. But if the Justice Department succeeds in this case, it will be far easier for it to do so, and—poof!—there will no longer be any guarantee of internet privacy.
The case started this summer, when Lavabit—an alternative email provider that promised highly secure email—was handed a subpoena by the Department of Justice. The subpoena required that Lavabit supply the billing and subscriber information for one of its users, widely believed to be Edward Snowden. Lavabit supplied this information. Then, the government asked to install a device on Lavabit's servers that would allow it to monitor all of the metadata (time and email addresses) of the individual's account. But Lavabit encrypted all of this information, and the only way for the government to view it was to use Lavabit's private keys to break the encryption. Those keys weren't set up to access an individual account. Instead, they broke the encryption of 400,000 Lavabit email users and would allow the government to rifle through all of that content.
Lavabit offered to record the individual's information that the government requested and hand it over on a regular basis, for a fee of at least $2,000—but it refused to give up its keys. As Ladar Levison, Lavabit's 32-year-old founder, told Mother Jones in August, "What I'm against, at least on a philosophical level…is the bulk collection of information, or the violation of the privacy of an entire user base just to conduct the investigation into a handful of individuals."
The government obtained a warrant demanding that Lavabit give up the keys anyway. When the company refused (at one point, Levison turned over the keys in 11 pages of 4-point type that no one could read) it was held in contempt of court and slapped with a $5,000-a-day fine. The government prosecutor in that closed-door hearing argued that "there's no agents looking through the 400,000 other bits of information, customers, whatever…No one looks at that, no one stores it, no one has access to it." The judge presiding over the case said that sounded "reasonable."
Lavabit handed over the keys right before shutting down the entire company. On October 10, it filed its appeal of the contempt charge in the US Court of Appeals for the 4th Circuit, in a case that civil liberties groups say is the first of its kind. (A Justice Department spokesman says it does not comment on pending litigation. The department is scheduled to file a brief in response to Lavabit by November 12.)
Karl Manheim, a professor at the Loyola Law School in Los Angeles, says that that the government's demand for Lavabit's encryption keys appears "unconstitutional." The same argument is being made by the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union, both of which filed amicus briefs in the case last week. "This case could set a very dangerous precedent," says Brian Hauss, a legal fellow for the ACLU. "The government regularly reminds us how important cybersecurity is right now [in relation to protecting water plants and electrical grids from hackers, for example], so for them to say that and then execute these legal orders that undermine a critical layer of that security, is somewhat paradoxical."
Here's how that critical layer of security works: Any tech company that gives a damn about privacy and security employs Secure Sockets Layer (SSL) encryption, which protects communications from being intercepted by third parties. Companies use different length "keys" to protect their encryption. It can take a lot of time, money, and expertise to crack a company's private encryption keys, but if the company just hands them to you, it's possible to read most anything on its website, including message content. "You can also decrypt the information months or years after the fact," notes Matthew Green, a professor at John Hopkins University and an encryption expert. With Lavabit's key, the US government could read any email in a Lavabit user's inbox. "Once this precedent is set, what stops them from doing this to other companies? How far can this go?" asks Green.
Snowden has maintained that the NSA can break many keys and has exploited a backdoor to Google's and Yahoo's encryption layer—gaining access to the messages and content that flow through these firms without needing any keys. The government has also reportedly asked big tech companies for their master keys, but Google and Microsoft insist they have not provided them. So internet privacy may already be undermined by NSA activity. Yet Hauss argues that if the Justice Department gets its way in court, it will be "much easier" for the NSA to engage in privacy-busting operations because the agency will "just get the key from the company." Hauss adds, "On top of that, it would give [the NSA] more legal backing and make it easier for tech companies to be complicit in these surveillance schemes."
EFF contends that the Justice Department's demand is a violation of the Fourth Amendment. It notes that it is certainly appropriate for the government to demand specific information from an internet service provider as it relates to a warrant, but obtaining the keys would provide the government access to "thousands or perhaps millions of customers who aren't the target of any criminal investigation." In its brief, the ACLU calls the request "unduly burdensome," arguing that a company shouldn't have to blow up its entire business to comply with a government request.
If Lavabit loses its case, it will have the option of petitioning the Supreme Court. Should Lavabit not triumph in the end, tech companies will have to find a new way to protect information on the internet. And they're already looking ahead. Google has started using what's called "Perfect Forward Secrecy" on most of its communications. This system generates new keys each time someone logs in, so there isn't one master key to break all the communications. And Lavabit is working on a project called the Dark Mail Alliance with another secure provider, Silent Circle, which followed Lavabit's lead and shuttered its email service in August in an effort to resist the NSA. The new service will not rely on a master key and aims to make it impossible for the NSA to obtain even a user's metadata. There's no telling how the US government will respond if Lavabit and Silent Circle succeed in developing this service.
"Everyone was saying we have to abandon all hope. There's nothing we can do to protect ourselves," says Phil Zimmermann, the founder of Silent Circle. But he says that coming up with a new way of keeping email secure could change that. "If you just do it by fighting them in court, you might lose. But if you do it by changing the architecture, well, that gives you a big advantage."
