http://www.theguardian.com/technology/2013/oct/09/lavabit-metadata-log-3500-offer

Lavabit founder offered to log users' metadata if FBI paid him $3,500

Ladar Levison, the secure email service's founder, made the offer in an effort to safeguard passwords and prevent the FBI from mining incoming data

Alex Hern

9 October 2013

Lavabit's founder offered to work with the American authorities if they would pay him $3,500 for his time, according to documents unsealed by the US courts.

Ladar Levison, the founder of the defunct secure email service, made the offer in a letter to an assistant US attorney on 13 July, in an effort to appease the authorities. His site had come under investigation due to its links to NSA whistleblower Edward Snowden.

Focusing on the so-called "trap and trace" order which he had been served on 28 June, Levison wrote that "it would be possible to capture the required data ourselves and present it to the FBI."

The order only covered email metadata, and so content and passwords would not have been provided. "The headers I currently plan to collect are: To, Cc, From, Date, Reply-To, Sender, Received, Return-Path, Apparently-To and Alternate-Recipient."

Levison asked for $2,000 "to cover the cost of the development time and equipment necessary to implement my solution", which would enable him to provide the data at the end of the 60-day period required by the order.

He told the attorney, whose name was redacted when the documents were unsealed, that he would be able to provide the data "intermittently during the collection period" for an additional $1,500.

Speaking to the Guardian on Tuesday, Levison said that "to a certain extent", he was comfortable with that level of information gathering, especially given the provenance of the order.

"A big part of the reason I didn't want that information out to begin with was because I didn't want to be put in the position of receiving an NSL [national security letter] and being forced to provide that information without judicial oversight." A national security letter is a legal document issued by a government agency, similar to a subpoena but which cannot be appealed in the courts. Such letters also typically contain gag orders.

"In this case there was a judge signing the order, so my philosophical objection was somewhat abated, and of course I was trying to prevent having to shut down my business."

Levison also explained that his motivations were driven by the knowledge that the FBI had tried to get him to reveal information not covered by the court order.

In his 28 June meeting with the FBI, where he was served with the trap and trace order, he said he was told that "they would be collecting content and passwords, which really caused a lot of friction with me. If they had been more honest and said that at that point they were only trying to collect metadata, the situation may have developed differently.

"It was a textbook example of the FBI lying to me in order to get more information, and it ended up backfiring... I think they really wanted that information, I just know, retroactively, that they didn't have authorisation from the court to collect it."

It took two weeks for Levison to get a lawyer on the case. "It turns out that if you read the pen trap and trace order, not only does it not provide the authority to demand my SSL certificate, which they claimed, but it also doesn't provide them the authority to collect content or passwords.

"If they had been more honest about that, I would have provided the code to log that for them early on."

As it was, the authorities turned down his offer to provide the logs. The stated reason, as given in court, was that "among other things, it did not provide for real-time transmission of results, and it was not clear that Mr Levison's request for money constituted the 'reasonable expenses' authorised by the statute".

But there may have been a deeper motivation. "What I think real-time really means is that they wanted to be able to log into a box in my network and change the collection parameters in real time. Without any interference from me.

"And you can understand my views on that... they also refused to let me audit the device that they were going to install on my network."

Levison indicated that his offer to log metadata wasn't just a bluff. If they had said yes, he would have gone through with it, but he doesn't think it would have been the end of the matter. Asked where he thought it would have gone from there, he said "I don't think I can tell you my answer to that... it's a legal thing, because it would require admitting something I am not legally allowed to admit."

"But I definitely think they would have come back, probably in a different court and in a different setting, and demanded similar access on a different pretext."

Eventually, Lavabit was compelled to hand over the keys to its encryption. Facing a fine of $5,000 (£3140) for every day he did not comply, Levison delivered the data and shut down the site, [1] announcing his refusal to become "complicit in crimes against the American people".

While the case was under seal, the government was unable to collect the $10,000 fine accrued ($5,000 of which came about because Levison received the order late in the day: "The FBI apparently doesn't work past 6pm"), but now he'll "probably have to pay".

For that, and the time of his ten-strong legal team, he is "incredibly grateful" to the thousands of donors worldwide who have given more than $200,000 (£126,000) to the Lavabit legal defense fund.

[1] http://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-down-edward-snowden