Today, Lavabit, an email service provider that promised its customers better privacy and security than other publicly available services, shut its doors. Reading between the lines of a cryptic message posted on the site’s homepage, about six weeks ago the service was served with some kind of demand for user information, as well as a gag order preventing the company from disclosing both the details of that order as well as its very existence. Rather than cooperate, owner Ladar Levison has decided to close the doors on his 10-year-old company. In his letter, Levison wrote, “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. … What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.“
If you want to donate to Lavabit’s legal fund, use this link.
There are two sad lessons to learn from the (potentially temporary) demise of Lavabit.
First, communications service providers are at a severe disadvantage when it comes to resisting even abusive or overbroad government surveillance demands. The court processes and the reasons for surveillance are kept secret from the companies. The cases that interpret the government's powers under the law are secret. Knowledgeable counsel is hard to find… and expensive.
Yet, in a world where the FISA court has rubber stamped government collection of every phone record on everybody, where foreigners have no rights and the contents of Americans’ international communications are regularly scooped up, where the FBI is installing malware on phones and laptops, and where spies are demanding user passwords and SSL network decryption keys, complying with court process can be directly at odds with protecting your customers’ right to privacy. Some lawyers believe there is little, if anything, companies can say to successful challenge even potentially dangerous forms of surveillance. Yet, failure to comply can mean fines, or jail time, or, potentially worse, seizure of the business’ servers.
So, in the choice between complicity or death, Lavabit chose death.
Second, the fact that neither Americans nor foreigners trust the U.S. government and its NSA anymore puts the U.S. communications companies at a severe competitive disadvantage. American law provides almost no protection for foreigners, who comprise a growing majority of any global company's customers. And even though Americans receive more nominal legal protection, we now know that these legal protects haven’t stopped the NSA from wiretaps fiber optic cables inside the United States, warrantlessly gathering Americans’ emails and chats from service providers like Google, Microsoft, Yahoo and Apple, collecting phone records on every American for the past seven years, or demanding that companies build, or at least maintain, surveillance backdoors in products advertised as secure from eavesdropping.
This mistrust of the U.S. government’s relationship with Internet companies is particularly damaging to cloud computing services, a sector led by American firms like Microsoft, Google and Amazon. Foreign companies say they are less likely to do business with U.S. cloud companies, and foreign governments have entertained the idea of requiring data be kept locally. The truth is, we don’t know that switching to non-U.S. based communications service providers would avoid U.S. government overreaching. The agency’s surveillance of foreigners overseas is essentially unregulated by any law. We don’t know how the NSA targets foreign providers, their methodology could be equally invasive as those programs we know about here at home. Local data storage is twice as dangerous: overseas providers are almost certainly subject to surveillance abuses by spy agencies or law enforcement in their home countries as well as in the U.S. That is one reason why I have called for a warrant requirement for any and all surveillance directed at U.S. companies, regardless of the citizenship of the target.
As Chris Sprigman and I wrote back in June, America invented the Internet, and our Internet companies are dominant around the world. But the U.S. government, in its rush to spy on everybody, may end up killing our most productive industry. Lavabit may just be the canary in the coal mine.