The Fourth Circuit Court of Appeals is in the process of deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with web sites and email servers. The case could decide the future reliability of encryption protocols to protect all Internet communications. While the government wants these keys to decrypt user information, there is really no acceptable way for the Court to order a secure communications service to break its encryption protocol. The danger to innocent users is too great, and there are network effects that would shatter critical trust in SSL implementation as a whole.
This dispute involves Lavabit, a now-shuttered encrypted email service provider, which the federal court for the Eastern District of Virginia ordered to give to FBI investigators its SSL key to assist in its investigation of one of Lavabit’s users. We do not know, but some have made an educated guess that the targeted user is whistleblower Edward Snowden. SSL is a standard security protocol for establishing an encrypted link with web or email servers to ensure that your communications over the network remain private and unadulterated. Turning over the key would not only have given the FBI the ability to obtain information about the suspect, but also about all 400,000 of Lavabit’s customers. Lavabit refused to turn over the key, and closed its doors instead. Now the District Court order is on appeal, and three groups, the ACLU, the Electronic Frontier Foundation and the start up Empeopled filed diverse amicus briefs yesterday.
Aside from the danger to secured communications overall, nothing in our law requires providers of legitimate email services to turn over keys or otherwise dismantle the security on their systems to help out in a government investigation. Luckily, there’s an easy answer here. Lavabit offered to decrypt itself the data the FBI wants on the suspect and disclose it to the government, and the government presumably can get a search warrant for that particular user. This is what the Fourth Circuit should order, rather than undermine cybersecurity for us all in the hunt for one person.
1. Background
The U.S. government had obtained a federal district court order requiring Lavabit to turn over its SSL key to enable investigators to collect Internet transactional data on one of Lavabit’s customers. Lavabit refused on the grounds that disclosing the key would give the government access to communications of all other Lavabit customers, as well as the targeted user. Rather than comply with the order, in mid-August Lavabit shut its doors. Other secure communications providers, including Silent Circle (encrypted email) and CryptoSeal (VPN), soon followed suit, on the ground that these services could not longer promise customers security if law enforcement could force disclosure of the master keys. Lavabit subsequently challenged its disclosure order in the Fourth Circuit Court of Appeals. Friday, the ACLU and ACLU of Virginia (“ACLU”), the Electronic Frontier Foundation (“EFF”), and a start-up discussion platform called “Empeopled” filed amicus briefs in support of Lavabit.
SSL stands for Secure Sockets Layer. It is the standard security mechanism for establishing an encrypted link between software on your computer and web or email servers on the Internet. SSL ensures that all data passed between the server and the software remain private and unaltered.
A protocol describes how a cryptographic algorithm like SSL should be used. Trust is an essential part of the SSL protocol. “Certificate authorities” are organizations that validate web or email servers as being genuine and issue SSL certificates. Each SSL Certificate consists of a key pair as well as verified identification information. When client software attempts to communicate with an SSL secured site, the server shares the public key with the client to establish an encryption method and a unique session key. The client software confirms that it recognizes and trusts the issuer of the SSL Certificate. This is the “SSL handshake” and begins a secure communications session that protects message privacy, message integrity, and server security. If an SSL key is compromised, the business is generally obligated to inform the certificate authority that signed the keys.
Our online security depends on the reliability of the SSL infrastructure — everything from social networking to online banking depends on trust in SSL certificates.
2. The Lavabit Case
In the Lavabit case, the FBI wanted the company to install a “pen register” – a device which collects in real time Internet traffic information, targeting one of the company’s users. But Lavabit’s system was engineered so that that pen register information was encrypted and could not be obtained. The government then asked Lavabit for its SSL key, so the government could pretend it was Lavabit when that user attempted to log into the service, and could thereby collect the data. Disclosing the SSL key would give the government access to both pen register data and the content of communications of all other Lavabit customers, as well as that of the targeted user.
Lavabit’s owner, Lavar Levison, offered to collect the data for the government, a compromise that would get the FBI the information it wanted without impacting the security of its other customers. Unappeased, the government obtained a court order commanding Levison to travel from Texas to personally appear in a district court in Virginia to explain his refusal to produce the key. It further secured a grand jury subpoena, which explicitly commanded Levison to appear before the grand jury and bring with him Lavabit’s private keys. While Levison was traveling to appear pro se in district court, the government obtained a third order, this time a search warrant, which again commanded Lavabit to hand over its private keys and also gagged Levison and the company from telling anyone that the government had done so. The District Court ruled against Levison and gave him 24 hours to comply. At that point, Levison closed down Lavabit’s services.
Lavabit then retained counsel and appealed the District Court’s orders to the Fourth Circuit. Lavabit’s attorneys argued that the government had no statutory authority to compel disclosure of the SSL key. Specifically, the pen register statute only requires companies to “furnish … all information, facilities, and technical assistance necessary to accomplish the installation of the pen register unobtrusively and with a minimum of interference with the services.” It does not require companies to decrypt, though Lavabit offered to do that. Nor does it require disclosure of encryption keys. Similarly, the Stored Communications Act compels providers to turn over stored content, information pertaining to a user, or account data, but not the company’s cryptographic keys. The company also argued that such disclosure would violate the Fourth Amendment because it is not in itself evidence of any crime, and would give the FBI access to 400,000 other customers’ emails.
3. The Amicus Briefs
In its amicus brief, the ACLU argued that the government’s emphasis on thwarting cybercrime and promoting cybersecurity, and on protection of online customer data, was at odds with its position in the Lavabit case. Various government agencies, including law enforcement and the Federal Trade Commission, have lauded private companies for implementing SSL by default. Yet now, the government turns around and wants to subvert SSL to enable surreptitious access not only to the suspect’s information but also to that of all Lavabit customers. There is, ACLU argues, no authority for this demand. As a matter of first principles, innocent third parties engaged in lawful business activity cannot be compelled to assist the government, particularly in ways that would destroy their lawful commercial enterprise. The brief also addresses the scope of CALEA, the Communications Assistance for Law Enforcement Act, which requires telephone companies to design their networks to ensure a certain basic level of government access, and the Federal Communications Commission expanded the law in 2005 to include broadband Internet access and “interconnected” VoIP services which rout calls over the traditional telephone network. However, pure Internet services like Lavabit are not subject to CALEA and nothing in that prohibits these companies from building robustly secure products that protect their customers’ data and are therefore hard for the government to spy on.
The EFF’s brief starts with the unassailable position that Lavabit has a Fourth Amendment protected interest in its own SSL key. Lavabit’s customers also have a constitutional interest in the key because it unlocks access to their private constitutionally protected emails. Generally, that means the government needs either a search warrant based on probable cause or, alternatively, a reasonable subpoena to compel production. The brief goes on to argue that the warrant the FBI eventually obtained did not meet the Fourth Amendment’s particularity requirement because it contained nothing to limit the government’s access to information about Lavabit’s other users. The brief suggests, however, that a warrant which explicitly limits the government’s post-seizure investigation as suggested in the Ninth Circuit case of United States v. Comprehensive Drug Testing could be valid. [Specifically, a court could order disclosure of the key but the government would have to (1) waive the “plain view” rule, and agree to only use evidence of the crime or crimes that led to obtaining the warrant; (2) wall off the forensic experts who use the key to decrypt communications from the agents investigating the case; (3) use a reasonable search protocol to designate what information the forensic experts can give to the investigating agents; and (4) destroy or return non-responsive data.] The EFF brief further argues that a mere subpoena would never be sufficient to compel disclosure of SSL keys because compliance with it would endanger all of Lavabit’s customers as well as its lawful business.
Empeopled’s brief looks at the investigation through a First Amendment lens, arguing that government access to SSL keys interferes with freedom of expression, freedom of association, anonymous speech and other fundamental democratic rights. The Supreme Court has applied strict scrutiny in striking down statutes and court orders that interfere with the lawful exercise of these rights in cases involving anonymous political speech, private membership lists, and secret balloting. Therefore, the court should apply a “strict scrutiny” standard in the Lavabit investigation to find the government investigatory technique of demanding SSL keys unconstitutional.
The government has not yet filed a reply brief, but we’ll let readers know when they do.
4. Implications
This case takes place against the broader backdrop of revelations about the National Security Agency’s (“NSA”) efforts to circumvent a number of the encryption protocols which protect sensitive data like trade secrets, banking information and medical records as they travel over the Internet. According to reports from The Guardian, ProPublica and the New York Times, some of the agency’s most intensive efforts have focused on defeating SSL, virtual private networks, or VPNs, and the protection used on fourth generation, or 4G, smartphones.
Companies like Microsoft, Google, and Facebook have stated that they have never shared their SSL private encryption keys with the government and would vigorously challenge any government order requiring them to do so. In response, it appears the NSA, in conjunction with its U.K. counterpart the GCHQ has found a way to bypass the need to compel Google’s cooperation by performing a man-in-the-middle attack to impersonate Google security certificates. Conversely, The Guardian reported that the N.S.A. worked with Microsoft officials to get pre-encryption access to some of the company’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and the company’s cloud storage service. In response, Microsoft asserted that it had merely complied with “lawful demands” of the government. That collaboration may have been coerced. If so, the coercion is based on a secret interpretation of law; there is no challenge on the public court dockets. As I’ve written, communications service providers are at a severe disadvantage when it comes to resisting even abusive or overbroad government surveillance demands. Executives who refuse to comply with secret court orders can face fines or jail time. When given a choice between complicity and death, Lavabit chose death. But not every service provider has the luxury of that choice.
The Lavabit case is a challenge to our preexisting legal framework for compelling access to customer communications. The interests in preserving trust in SSL and other public key encryption protocols go far beyond probable cause in any particular criminal investigation. There’s a network effect here that a mere warrant can’t begin to adequately protect. There’s no acceptable way to break protocol. Courts would have to compel providers to lie by omission to their customers and to the certificate authorities, and trust government investigators and whatever after-the-fact court oversight can be performed to ensure that breaking protocol is not abused. Courts have remarkably little experience, and even less success with post-seizure oversight. And, at some point we’d have to clean up the cryptographic mess and secretly resecure the service, if that were possible. Further, we’d have to hope that the fact that governments, whether from the U.S. or any other country, routinely interfere with SSL implementation would not have a deleterious effect on broader cybersecurity. An equally unacceptable alternative is to have intelligence agents and law enforcement operate outside of the law, man-in-the-middling Google and other SSL services and buying zero day exploits and breaking into computers.
The Lavabit case begins to tackle this hard security problem, but here, there’s an easy answer. The company offered to obtain the pen register data on the single user itself and disclose it to the government, and the government presumably can get a search warrant based on probable cause for that particular user. This is the approach the Fourth Circuit should take; the harder questions are not ones that the court can competently answer right now.