How might the feds have snooped on Lavabit?

In 2004, a 22-year-old technology enthusiast named Ladar Levison hatched a venture that fused his passion for open-source software with his belief that privacy was a fundamental right. Using the OpenSSL cryptography library, the Linux-based operating system, and close to 10,000 programming hours, he built what ultimately became Lavabit, an e-mail service that, when used correctly, made it impossible for even him to read the encrypted messages stored on his servers.

The goal from the start was to develop a technical underpinning that would resist the secret National Security Letters (NSLs) that had been authorized under the PATRIOT Act of 2001. Short for Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, the statute required service providers to surrender private data relating to users named in an NSL.

Even more disturbing to Levison, the law strictly prohibited providers from disclosing the existence of the secret demand, which, unlike normal subpoenas, were issued without the oversight of a legal court. (The constitutionality of those gag orders has been called into question by at least one recent court order.) Levison's plan was simple enough—use multiple levels of encryption to ensure that only someone who knows the user-chosen password protecting each account could decode the protected messages. Because Lavabit stored the passwords as one-way hashes that were generated by a complex cryptographic algorithm, even Lavabit operators were unable to obtain the plain-text characters.

Read 15 remaining paragraphs | Comments