Federal government targeted Snowden’s email provider the day after the release of the NSA whistleblower
When in June 9 Edward Snowden got up in Hong Kong and revealed himself to the world as an NSA whistleblower, the Justice Department wasted no time targeting its email provider. A new appeals court filing today shows the government served a court order on Texas-based Lavabit the next day demanding metadata about an anonymous client that the time and circumstances suggest was Snowden.
The June 10 registration request was issued under 18 USC 2703 (d), a 1994 amendment to the Stored Communications Act that allows law enforcement to access Internet recordings without content without showing “probable cause” necessary for a search warrant. This would include the “To” and “From” email lines, and the IP addresses used to access the account, but would not include the content of the email.
This order was followed on June 28 by a “pen registry order,” which provides the same information prospectively – recording the metadata for every new email sent or received.
It is not known what information, if any, Lavabit has produced at this stage of the investigation. But on July 9, the court clearly issued a “show cause order,” which, in a filing case, is usually the result of the government asking the court to execute a request that was not executed at the time. government satisfaction.
The new information is revealed in a government filing in Lavabit’s appeal in the case. Lavabit attorney Jesse Binnall on Tuesday asked the U.S. 4th Court of Appeals to unseal certain information in the case so that public interest groups can learn enough to possibly file a case. friend briefs on basic legal issues. The government today filed its opposition to the unsealing motion – under seal, of course – along with a public timetable of previous orders keeping the matter under wraps.
“The entire district court file, including all applications, subpoenas, motions, warrants and orders, remains under seal,” prosecutors wrote on the public record.
The timeline shows that government registration applications to Lavabit in the case began on June 10, nearly two months before owner Ladar Levison shut down the service on August 8 with an oblique message saying he didn’t had had little choice in the matter.
“I was forced to make a difficult decision: to become an accomplice in crimes against the American people or to get away from almost 10 years of hard work by shutting down Lavabit,” Levison wrote at the time. “After careful soul-searching, I have decided to suspend operations.”
Levison and his lawyer are both bound by a gag order preventing them from discussing the details of the case or identifying the government target.
The June 29 pen register order may well have been the problem. A standard email provider can easily route email headers to the government in response to such a request. But Lavabit has offered paying customers a secure messaging service that stores incoming messages encrypted with a key known only to that user. Lavabit itself did not have access to it.
Levison could have met a potential demand for metadata in several ways: by providing the government with Lavabit’s private SSL certificate – allowing its users to be bugged; modifying software to store a user’s private encryption key the next time they log on; or by saving the email’s metadata before it is encrypted. But Levison may have balked at actively bypassing the privacy system he built for users.
After shutting down the site, Levison appealed on August 29. His opening brief in his appeal is due October 3.
“He is optimistic that we are taking this opportunity to eventually get good legislation,” lawyer Binnall told WIRED earlier this month. “My client is someone who is deeply concerned about privacy rights and the protection of the United States Constitution from unlawful searches and seizures and the protection of the First Amendment.”