A U.S. federal court has affirmed contempt charges against Lavabit, rejecting an attempt by company attorneys to argue new issues on appeal.
The ruling, released Wednesday by the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, upheld contempt of court charges brought against the now-defunct secure email provider last August for refusing to hand over records of a user in a timely manner. The ruling leaves for a future court the question of whether, and under what circumstances, the government can legally spy on encrypted emails.
Although Lavabit founder and operator Ladar Levison and his lawyers had hoped to challenge the legality of using pen trap devices on encrypted communications, the appeals court decided not to consider the lawyer's arguments, citing improper procedural handling of the case on the part of Lavabit and its legal team.
"In view of Lavabit's waiver of its appellate arguments by failing to raise them in the district court, and its failure to raise the issue of fundamental or plain error review, there is no cognizable basis upon which to challenge the pen trap order," the judges wrote in their decision. "The district court did not err, then, in finding Lavabit and Levison in contempt once they admittedly violated that order."
"The court focused its decision on procedural aspects of the case unrelated to the merits of Lavabit's claims," wrote American Civil Liberties Union attorney Brian Hauss, in an email statement.
Last June, Lavabit was issued a court order to set up a U.S. Federal Bureau of Investigation pen trap to collect all routing data for one of its customers, thought to be former NSA contractor Edward Snowden, who had just come to international attention for leaking classified documents from the National Security Agency. He had used the service to alert the media of a press conference he was about to hold, according to reports at the time.
A pen trap, is law enforcement shorthand for "pen registers" and "trap-and-trace devices," which can record all routing, addressing and signaling information between electronic communications, in this case email.
Initially, Levison agreed to set up the pen trap; the company had complied to at least one other similar court order in the past. The FBI, however, had required the information in real time, and that it be unencrypted. Levison balked at these requirements.
Nearly two weeks after the court order was issued, he responded by offering to set up an internal process that would unencrypt the user's communications, then send the results to the FBI at the end of 60 days. The only other alternative, he argued, would be to send the law enforcement agency the encrypted data, which would be useless.
The FBI did not agree to this approach and in mid-July, issued a search warrant for the Lavabit SSL keys that would unencrypt the dispatches of interest. Lavabit responded by contesting the warrant. The company did set up a pen register on behalf of the FBI, but did not provide the key to unencrypt the messages.
On Aug. 1, the district court denied Lavabit's motion, ordering the company to hand over the key. Levison had responded by submitting the private key as an 11-page printout in barely legible 4-point type.
Lavabit was subsequently charged with contempt of court, which came with a $5,000-a-day fine for not complying to the warrant. Soon after, Levison provided the key, six weeks after the original order. Levison then shuttered the service, stating that handing the key to the government compromised the security of the Lavabit service.
Levison subsequently filed an appeal to clear the contempt of court charge, along with any financial penalties incurred, and possibly restore operations. The judges heard the case in January.
Privacy advocates hoped the case would address fundamental questions about how easily a government agency can obtain private keys to a user's communications without that person's knowledge. The three judges on the case -- Roger Gregory, Paul Niemeyer and Steven Agee -- focused on how Lavabit responded to the orders and search warrants.
Their decision pointed to a number of procedural errors Lavabit and its legal team made. Lavabit first challenged the constitutional issues around the pen tap order in its appeal.
"In the district court, Lavabit failed to challenge the statutory authority for the pen trap order, or the order itself, in any way," the decision noted.
"When a party in a civil case fails to raise an argument in the lower court and instead raises it for the first time before us, we may reverse only if the newly raised argument establishes 'fundamental error' or a denial of fundamental justice," the judges wrote. They concluded Lavabit did not adequately argue that the FBI made such a fundamental error.
The ACLU, which filed an amicus brief in the appeal, believes that the case left fundamental privacy issues unresolved.
"On the merits, we believe it's clear that there are limits on the government's power to coerce innocent service providers into its surveillance activities. The government exceeded those limits when it asked Lavabit to blow up its business -- and undermine the encryption technology that ensures our collective cybersecurity -- to get information that Lavabit itself offered to provide," Hauss wrote.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.