Why Did Lavabit Founder Shut Down His Company?

Melissa Block speaks with Ladar Levison, founder of the secure email system Lavabit, about how he defied orders to hand customer information over to authorities, which led to fines and his decision to shut down his business.

Copyright © 2013 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

ROBERT SIEGEL, HOST:

This is ALL THINGS CONSIDERED from NPR News. I'm Robert Siegel.

MELISSA BLOCK, HOST:

I'm Melissa Block and it's time for All Tech Considered.

(SOUNDBITE OF MUSIC)

BLOCK: Our focus today is on two services designed to keep Internet communications private and the National Security Agency's efforts to crack them. In a few minutes we'll hear about Tor, software that keeps people anonymous online. First, we're going to talk with the founder of an encrypted email service called Lavabit, a system much more secure than regular email such as Gmail or Yahoo.

Lavabit was used by NSA leaker Edward Snowden. And in August, as the FBI pursued those leaks, Lavabit founder Ladar Levison shut down his company. He did so in the face of a government demand that he turn over the encryption keys and computer code that would unlock the data of his 400,000 customers. Levison said in a statement at the time that he would not become complicit in crimes against the American people.

Ladar Levison joins me now from New York. Welcome to the program.

LADAR LEVISON: Hi, Melissa. Thank you for having me.

BLOCK: And we should explain that before this, you were subject to a gag order. But now, some federal court documents have been unsealed and you're free to talk. Is that right?

LEVISON: Yes, and I think the most important piece has finally come out - just exactly what the government was asking for. And that was my private SSL encryption key.

BLOCK: SSL encryption key, which would have done what?

LEVISON: SSL is - the easiest way to describe it, it's the lock in your browser that secures e-commerce transactions. But it does more than that. It secures email as it traverses the Internet. It also authenticates a person's identity, so that they know they're talking to their bank or they know they're talking to my particular service. And what they wanted to do was effectively unpeel the encryption that was protecting that information, intercept and examine it. And presumably, only record the information for the one suspect. But they were also completely unwilling to provide any transparency back to me or any type of assurance that would be the only information they were collecting.

BLOCK: Well, prosecutors argued before the judge that the metadata stream would be filtered, right? So only the one client that they were looking at would be targeted. They said no one has access to the other information. And the judge said, well, I think that's reasonable. Why is he wrong?

LEVISON: Because they didn't know which incoming connections were going to belong to the particular user. They were going to have to decrypt everyone's incoming connections and monitor them until they came across the username and password associated with the account. And then make a decision whether or not to continue recording or drop.

And if they had been willing to prove that that's what they were doing, I could've lived with them putting a device on my network and giving them the keys. But they absolutely refused. And I was completely uncomfortable with them having that level of access and losing control of my keys in that way, if they weren't going to provide transparency back to me.

BLOCK: Do you recognize, though, that the government might have legitimate legal grounds for requesting encryption keys in cases or in systems like yours that are encrypted?

LEVISON: Yeah, certainly. I mean, the government has a need to conduct surveillance on criminals. But it should be targeted. What I'm opposed to is the broad-based surveillance, the type of surveillance that violates the privacy rights of the many. And that's what was at stake here.

Here was a system that was effectively secure and they wanted to crack it open with a sledgehammer, just so that they could conduct surveillance on one person.

BLOCK: Why did you decide to shut down Lavabit without giving any notice to your clients?

LEVISON: I had decided from the very beginning, as soon as I heard the request for the SSL keys, that if I was forced to surrender them and remain silent, I felt the only ethical choice would be to shut down the service. I had heard that other services like mine had threatened to shut down and were ordered via the courts to remain open, to remain in business. So I feared that if I gave any kind of warning that I might shut down the service as a result of this, I would receive a similar order. And if I had, and I'd still shut down the service, I would probably be sitting in jail right now.

BLOCK: I've seen emails from a number of your customers who were quite angered by the fact that you shut down, that they were not given any notice and the rug was pulled out from under them.

LEVISON: I'm in the same boat as them. I used my Lavabit email account for 10 years. It was my only email account. I'm now without email access. So I feel their pain. And I'm still holding out hope that one day I'll get my inbox back.

BLOCK: Ladar Levison is founder of the now-shuttered encrypted email service Lavabit. Mr. Levison, thanks.

LEVISON: Thank you for having me.

Copyright © 2013 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

Support comes from: