As Lavabit case continues, larger battle on data ownership unfurls
The demise of encrypted email service Lavabit has not quieted its founder's claims concerning unbridled government oversight.
Just a couple of weeks ago, the government maintained via an appellate brief (PDF), filed in a federal appeals court in Virginia, that it operated within its scope of legal authority when using a search warrant and subpoena to access Lavabit's master encryption key for an investigation, which is believed to be linked to whistleblower Edward Snowden.
The brief was filed in response to an appeal by Lavabit founder Ladar Levison to reverse a ruling, finding Lavabit in contempt of court – and also leaving the business with $10,000 in sanctions. Levison was faced with the ruling after he decided to shut down his service in August, to keep the government from having access to the data of Lavabit's 400,000-strong customer base via the requested encryption key.
On Friday, Lavabit's attorneys filed a response to the government's 60-page defense of its actions.
In the reply brief, Lavabit's counsel argued that the “government has no general entitlement to enlist third parties in its surveillance efforts, [and that] it may do so only to the extent that the law explicitly provides.”
The brief also claims, among other points, that the government's warrant was “riddled with flaws” in that it sought information that didn't pertain to a particular Lavabit subscriber, and that it allowed the “general rummaging through all of Lavabit's customer communications.”
As the case continues, privacy and security experts are calling attention to the score the case could settle on the government's authority to demand a communications provider to hand over its private SSL key.
Lavabit has also argued that the government's move violated the Fourth Amendment, which prohibits unreasonable search and seizure.
In a Tuesday interview with SCMagazine.com, Catherine Crump, a staff attorney at the American Civil Liberties Union (ACLU), addressed the larger impact the appeal has on businesses that could wind up in a compromising positions similar to Lavabit.
ACLU has publicly stood behind Lavabit's decision to challenge the request for its SSL key. On Oct. 24, ACLU filed an amicus brief (PDF) supporting the company's call for appeal.
“We argue that the government went too far,” Crump said, later explaining that the case has had its effects, “not just on Lavabit, but throughout that particular industry.”
Silent Circle, another encrypted communications company, shut down its email service in August as a preemptive step to protect its clients from the government's expanding reach, Crump explained.
On Tuesday, Elad Yoran, CEO of Vaultive, a New York City-based provider of cloud data encryption solutions, also explained how the case illustrates a larger battle over data ownership.
“[The case] has profound implications on cloud computing, in that if a third party can turn our data over without our authorization, do we really own our data or control our data?” Yoran told SCMagazine.com. “And it's not just the NSA, it's other agencies, like the IRS, that can request this information with a subpoena."
For him, the case brings forth a discussion on maintaining control over data in the midst of government oversight.
"I think that this case points to one critical issue from an enterprise perspective, and that is related to the businesses' requirement to maintain control over its data," Yoran said. "At the end of the day, that's really their most valuable asset."