GoDaddy Pulls Lavabit's Security Creds Because The FBI Got Ahold Of Its Encryption Keys

This article is more than 10 years old.

Two months ago, email company Lavabit abruptly shut down. The email service known to be used by NSA whistleblower Edward Snowden has been down ever since. Its homepage has been replaced by a note from founder Ladar Levison explaining that he "refused to be complicit in crimes against the American people." It was a mysterious shutdown at the time, but since then, thanks to Levison's veiled comments and court documents becoming public, the full story has come out. And that story coming out has resulted in Lavabit having its Internet security credentials revoked.

Thanks to Lavabit's design, Levison could not simply offer a tap of a particular user's communications if that user had paid for a secure, encrypted account. Given that, the FBI asked Levison to hand over the encryption keys for his website, so that it could see information about an unnamed user (ahem, Snowden), including who he was emailing, when, and where from. And the FBI wanted to be able to see it all in real time, says Levison, so it rejected his offer to write custom code that would allow him to capture the information the FBI wanted and hand it over to them daily. Levison complained that handing over the encryption keys to his email kingdom would compromise the security of all of his more than 400,000 users, allowing the FBI to look at any of their email metadata and communications if it chose. A court battle took place. Levison lost. In an epic trolling of the FBI, he handed over the keys but in the least convenient form possible: 11 pages of tiny font. "I intentionally chose a font that would be difficult to OCR (ed. note: digitally scan). I wanted them to have to enter it manually," said Levison in an interview last week.

The FBI complained. Levison got hit with a $5,000/day contempt of court charge, and handed over the keys in digital form two days later after being charged $10,000. He also shuttered his site, making the keys useless for future communication interception. Today, the Lavabit site is still up, simply to solicit funds for Lavabit's legal defense. Levison says he's received over $200,000, but has already spent $100,000 of it; Lavabit is currently appealing the contempt charge and arguing that asking a site to turn over its encryption keys -- imperiling the security of its business -- is unconstitutional. But if you try to access the secure version of Lavabit's site -- https://www.lavabit.com -- you'll find that it's down. "Peer's Certificate has been revoked," says the error message.

That's thanks to GoDaddy -- Lavabit's domain name provider -- which apparently saw the news coverage about Levison handing his encryption keys over to the FBI.

"[W]e're compelled by industry policies to revoke certs when we become aware that the private key has been communicated to a 3rd-party and thus could be used by that party to intercept and decrypt communications," says GoDaddy spokesperson Elizabeth L. Driscoll, in response to an inquiry about Lavabit's keys being revoked.

Knowing that the FBI has Lavabit's keys, GoDaddy shuttered its secure site. If nothing else, it's good fodder for Levison in his claims to the court that handing over the keys to his site is an unreasonable burden and a threat to his business.

"I want to set a precedent that government can't ask for SSL keys," said Levison in an interview last week. "It's the security tool that underpins the Internet."