Today the Fourth Circuit refrained from deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with web sites and email servers. Nevertheless, the Court upheld contempt of court sanctions, because of the Lavabit owner’s foot dragging during proceedings. Lavabit had failed to raise the substantive issues below, it decided, thus precluding appellate review. There’s little in the opinion that would help us guess what the Court would have ruled if Lavabit had properly raised its legal arguments below, but the opinion is welcome in that it shows the Court understands quite well how asymmetric transport encryption like SSL works.
Hopefully future courts that review and decide this issue will be as sophisticated. Key disclosure is an even more obvious danger today than it was when the Lavabit appeal was filed. That’s because in January, President Obama announced that the government plans to keep information security flaws secret if they have “a clear national security or law enforcement” use. It’s hard to imagine customers around the world having any kind of faith in the U.S. government’s self-restraint after this announcement. Obviously, having an SSL key to decrypt past and future traffic data would be useful to both the NSA and law enforcement.
Nevertheless, it remains an open question whether and when the government can compel key disclosure. That is because Lavabit and Levison did not consistently have legal counsel throughout the proceedings below, and thus failed to raise legal issues sufficiently that the appellate court could review them. Moral of the story: get good legal counsel immediately.
For more, see my post over at Just Security.