In my last post, I talked a bit about how governments might share IT forensic evidence with each other – or not. Well, plenty of shady investigation techniques are used domestically too. Don’t mess with the government, or even with something the government might find interesting.
Ladar Levison ran a company called Lavabit, providing secure e-mail services to its users. Ladar documents in detail how he experienced the FBI when they wanted all his encryption keys and all details of all users. He did his best to protect his users, but the government and court system seemed to be more or less all on the FBI’s side. (Levison, 2014)
A key question in his appeal was this: what constitutes a search? (Casey, 2011) Were the authorities really within their rights to ask for the encryption keys of a whole business and all its users, when they were only authorized to access information belonging to a few? (Or, as the government itself later revealed by mistake, it was indeed only Edward Snowden they were supposed to investigate. (Zetter, 2016))
To me it sounds very suspect, but the court had the FBI’s back and ignored requests to dispute claims, and the opportunity to object was never given.
The reasoning for being exempt from the 4th Amendment is this: before communication has been decrypted, it’s impossible for surveillance to determine which network connection belongs to the right account. The FBI argued that since their inspection would be done by a machine, they should be exempt from the search-and-seizure protections in the law. (Levison, 2014)
Nick Merrill, of the Calyx Institute, said he could relate very much to what Levison went through. In 2004 he received a National Security Letter demanding information on a client of his ISP. He then spent years, 6 in fact, in courts arguing with the government about warrantless surveillance. As he says, if the “dragnet surveillance” was in compliance with the laws and “American values”, that would be something else. Also, if their surveillance of his client was to keep America safe, it might be different. But, Merrill says, neither of those reasons covered what happened in his case with the government. (Hill, 2013)
In the end, Levison decided to close down his business of 10 years, as he felt it was morally wrong to give the government free access to all of his clients’ data without the clients knowing – and, most likely, without their having done anything wrong that deserved government surveillance. (Levison, 2014)
So, it’s not just country barriers that might stop your investigation – it might be ethical questions and encryption, within your own country.
In this case, the email was obviously not needed – the US has made it quite clear they have put together a case on Snowden and will treat him like Daniel (Chelsea) Manning, with or without email evidence. So it didn’t matter much in the end, except for Levison and all his customers.
I’m not discussing Edward Snowden or his actions here. I am, however, wondering: Should all of the other users’ privacy be compromised for some information on one? Should we sacrifice their privacy? Or should we try to get information in some other way?
Casey, E. (2011) Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.
Hill, K. (2013) ‘Email Company Reportedly Used By Edward Snowden Shuts Down Rather Than Hand Data Over To Feds’, Forbes.com
Levison, L. (2014) Lavabit [Online] Available from: https://lavabit.com/ (Accessed: 01.07.2017).
Zetter, K. (2016) A Government Error Just Revealed Snowden Was the Target in the Lavabit Case [Online] Available from: https://www.wired.com/2016/03/government-error-just-revealed-snowden-target-lavabit-case/ (Accessed: 01.07.2017).
Image source: https://pixabay.com/en/key-tag-security-label-symbol-2114293/, user: qimono. CC0 Licence, public domain.