From Apple to Lavabit: The ECPA and the Legal Struggles Surrounding Encryption

By: Debra Slutsky

Although the FBI dropped its lawsuit to compel Apple to assist it in unlocking one of the San Bernardino shooter’s iPhones, the case provides insight into how the Justice Department grapples with modern digital communications using existing law. According to Kim Zetter’s article in Wired, Long Before the Apple-FBI Battle, Lavabit Sounded a Warning, such a struggle between the Justice Department and tech companies, specifically those that offer encrypted communication services, is not new. Zetter writes that Lavabit “made a surprising cameo this month in a brief filed by US attorneys in that case. The attorneys invoked the Lavabit case in a footnote as part of a threat to Apple…” However, as the Lavabit and Apple cases demonstrate, the channels available to the government for accessing such communications are largely legally untested and dependent on law that contemplated a much more primitive technological landscape.

In the Apple case, attention was brought to the government’s use of the All Writs Act, a 227-year-old-law that grants judges the authority to issue writs, or orders, to compel parties to perform acts within the bounds of law. Through the All Writs Act, The FBI sought to force Apple to build a backdoor into its iOS operating system in order to access encrypted iMessages. The case has also brought spotlight to the Pen Register Act. The Pen Register Act is a component of the Electronic Communications Privacy Act (ECPA) of 1986. While originally intended to record outgoing telephone numbers dialed, the Pen Register Act was expanded by the Patriot Act to include IP addresses and email headers. In 1979, the significant case Smith v. Maryland affirmed that the use of a pen register by a telephone company does not violate the 4th Amendment. This metadata permissibly collected, however, provides deeper insight than just the frequency and duration of phone numbers. This was noted in Smith v. Maryland by Justice Stewart in his dissent, where he wrote that telephone metadata, “although certainly more prosaic than the conversation itself – [is] not without ‘content’…I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have dialed. This is not because such a list might in some sense be incriminating, but because it easily could reveal…the most intimate details of a person’s life.”

Similarly, in 2013, the FBI obtained and served an order pursuant to the Pen Register Act upon Lavabit founder Ladar Levison. The order permitted the FBI to obtain information sent to and from the target’s email account, Edward Snowden. Since Lavabit employed SSL encryption to protect transmitted data, the order further required Levison to provide the SSL keys to access Snowden’s emails. Lavabit’s roughly 400,000 subscribers would be placed at risk of having their emails vulnerable, since the company used only five SSL key-pairs. Levison planned to challenge the order, but lacking financial resources, he was forced to represent himself pro se during initial proceedings. He was held to be in contempt of court after refusing to comply with the order to hand over Lavabit’s encryption keys. On appeal, the contempt order was affirmed, and the appellate judge never addressed Levison’s challenge to the underlying legality of the Government’s use of the Pen Register Act to obtain SSL keys since he did not properly object to that issue during the earlier proceedings.

In its case against Apple, the Justice Department cited to the Lavabit case for the proposition that its pen register order to produce SSL encryption keys was affirmed on appeal. Levison took to Facebook to publicly state that the Government’s language was “incredibly misleading” as to the appellate court’s actual ruling. The statement is accurate. As the law stands, the Government has wide ranging authority to obtain pen register orders to access digital communications. The bounds of Government authority to obtain digital communications and the lengths it may go to compel third parties to assist in such measures is, however, ripe for review. The Lavabit and Apple cases both concluded before ever reaching a definitive ruling. With encryption becoming the standard for digital communications, a case is bound to arise in the near future that will definitively rule on the issue.