Today the Fourth Circuit refrained from deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with web sites and email servers (the full opinion is available here). Nevertheless, the Court upheld contempt of court sanctions, because of the Lavabit owner’s foot-dragging during proceedings. Lavabit had failed to raise the substantive issues below, it decided, thus precluding appellate review. There’s little in the opinion that would help us guess what the Court would have ruled if Lavabit had properly raised its legal arguments below, but the opinion is welcome in that it shows the Court understands quite well how asymmetric transport encryption like SSL works.
The Lavabit case was closely watched, including on this blog, because it could have decided the future reliability of encryption protocols to protect all Internet communications. The government had issued a pen/trap order demanding that Lavabit capture transactional data related to one of its email customers, presumably NSA whistleblower Edward Snowden. Lavabit’s owner, Ladar Levison, told the government that the information was encrypted. At that point, the government tried multiple legal tools purporting to compel Lavabit to disclose its encryption keys to the government.
As the Fourth Circuit realized, disclosure of the encryption keys would expose communications data for all of Lavabit’s 400,000 customers.
The security advantage that SSL offers disappears if a third party comes to possess the private key. For example, a third party holding a private key could read the encrypted communications tied to that key as they were transmitted. In some circumstances, a third party might also use the key to decrypt past communications (although some available technologies can thwart that ability). And, with the private key in hand, the third party could impersonate the server and launch a man-in-the-middle attack.
When a private key becomes anything less than private, more than one user may be compromised. Like some other email providers, Lavabit used a single set of SSL keys for all its various subscribers for technological and financial reasons. Lavabit in particular employed only five key-pairs, one for each of the mail protocols that it supported. As a result, exposing one key-pair could affect all of Lavabit’s estimated 400,000-plus email users.
Key disclosure is an even more obvious danger today than it was when the Lavabit appeal was filed. That’s because President Obama recently announced that the government will disclose information security flaws … unless they have “a clear national security or law enforcement” use. Obviously, having an SSL key to decrypt past and future traffic data would be useful to both the NSA and law enforcement. It’s hard to imagine civilian courts–not to mention customers around the world–having any kind of faith in the U.S. government’s self-restraint after this announcement.
Nevertheless, it remains an open question whether and when the government can compel key disclosure. That is because Lavabit and Levison did not consistently have legal counsel throughout the proceedings below, and thus failed to raise legal issues sufficiently that the appellate court could review them. Moral of the story: get good legal counsel immediately.
The government’s first legal argument was that it was entitled to the keys under the Pen Register/Trap and Trace statute. That statute includes provisions requiring third parties to provide technical assistance to the Government in connection with its efforts to collect communications transaction data in real time. See 18 U.S.C. §§ 3124(a), (b). Under the pen-register provision, for instance, Lavabit would have to provide:
all information, facilities, and technical assistance necessary to accomplish the installation of the pen register unobtrusively and with a minimum of interference with the services that the person so ordered by the court accords the party with respect to whom the installation and use is to take place. Id. § 3124(a).
Similarly, under the trap and trace provision, Lavabit would be required to furnish:
all additional information, facilities and technical assistance including installation and operation of the device unobtrusively and with a minimum of interference with the services that the person so ordered by the court accords the party with respect to whom the installation and use is to take place, if such installation and assistance is directed by a court order as provided in section 3123(b)(2) of this title. Id. § 3124(b).
(Curiously, Sections 3124(a) and (b) are similar, but not identical. The pen-register provision refers only to information “necessary to accomplish the installation,” id. § 3124(a), while the trap/trace provision references information “including installation and operation,” id. § 3124(b).)
The Fourth Circuit did not decide whether section 3124 requires disclosure of encryption keys, saying that Lavabit had waived the issue by failing to concisely raise it with the District Court.
After Lavabit resisted the pen/trap order, the government got a seizure warrant from the district court under the Stored Communications Act (“SCA”). See 18 U.S.C. §§ 2701-12. The seizure warrant provided that Lavabit was to turn over “[a]ll information necessary to decrypt communications sent to or from [the target’s] Lavabit email account . . ., including encryption keys and SSL keys.” Lavabit objected to the seizure warrant, but the District Court upheld the warrant and required Lavabit to disclose the SSL key.
On the deadline, Levison provided the FBI with an 11-page, 4-point type illegible printout, which he said was Lavabit’s encryption key. The Government instructed Lavabit to provide the key in an electronic format by the next day, but Lavabit did not respond. Two days later, Levison provided the keys to the Government. But by that time, six weeks of data regarding the target had been lost.
Although Lavabit properly challenged the seizure warrant, the Fourth Circuit deftly dodged deciding the case on that ground. The district court order compelling disclosure relied on both the pen/trap order and the warrant. The pen/trap grounds are sufficient to uphold the order to compel on appeal, since Lavabit did not appropriately challenge them. Thus, the Fourth Circuit didn’t need to decide whether the warrant was proper, though it recognized that that question could require resolution of important constitutional questions.
As Just Security readers may remember, there were several amicus briefs filed in the case on substantive grounds. That’s because the public interest in this case goes far beyond probable cause in any particular criminal investigation. A mere warrant can’t begin to adequately protect the economic and privacy interests at stake here. While the government wants these keys to decrypt user information, there is really no acceptable way for the Court to order a secure communications service to break its encryption protocol. The danger to innocent users is too great, and there are network effects that would shatter critical trust in SSL implementation as a whole. At the very least, courts would have to compel providers to lie by omission to their customers and to the certificate authorities, and trust government investigators and whatever after-the-fact court oversight can be performed to ensure that breaking protocol is not abused, despite official policy to the contrary. That’s why the ACLU’s excellent reasoning is right: innocent third parties engaged in lawful business activity cannot be compelled to assist the government, particularly in ways that would destroy their lawful commercial enterprise.
Yet, today’s decision means we’ll have to wait for another court to decide this issue.