A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”
With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau still trying only to capture metadata on one user.
Levison went to court to fight the demand on August 1, in a closed-door hearing before Claude M. Hilton, Senior U. S. District Court Judge for the Eastern District of Virginia.
“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”
By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested.
“Anything done by Mr. Levison in terms of writing code or whatever, we have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28th,” prosecutor James Trump told the judge. “He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.”
“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”
“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”
“All right,” said Hilton. “Well, I think that’s reasonable.”
Hilton ruled for the government. “[The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that
information just as they could from any telephone company or any other e-mail source that could provide it easily,” said Hilton.
The judge also rejected Lavabit’s motion to unseal the record. “This is an ongoing criminal investigation, and there’s no leeway to disclose any information about it.”
In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.
The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter.