Ladar Levison, 32, has spent ten years building encrypted email service Lavabit, attracting over 410,000 users. When NSA whistleblower Edward Snowden was revealed to be one of those users in July, Dallas-based Lavabit got a surge of new customers: $12,000 worth of paid subscribers, triple his usual monthly sign-up. On Thursday, though, Levison pulled the plug on his company, posting a cryptic message about a government investigation that would force him to “become complicit in crimes against the American people” were he to stay in business. Many people have speculated that the investigation concerned the government trying to get access to the email of Edward Snowden, who has been charged with espionage. There are legal restrictions which prevent Levison from being more specific about a protest of government methods that has forced him to shutter his company, an unprecedented move.
“This is about protecting all of our users, not just one in particular. It’s not my place to decide whether an investigation is just, but the government has the legal authority to force you to do things you’re uncomfortable with,” said Levison in a phone call on Friday. “The fact that I can’t talk about this is as big a problem as what they asked me to do.”
Levison’s lawyer, Jesse Binnall, who is based in Northern Virginia — the court district where Levison needed representation — added that it’s “ridiculous” that Levison has to so carefully parse what he says about the government inquiry. “In America, we’re not supposed to have to worry about watching our words like this when we’re talking to the press,” Binnall said.
“As a Dallas company, we weren’t really equipped to respond to this inquiry. The government knew that,” said Levison, who drew parallels with the prosecutorial bullying of Aaron Swartz. “The same kinds of things have happened to me. The government tried to bully me, and [my lawyer] has been instrumental in protecting me, but it’s amazing the lengths they’ve gone to to accomplish their goals.”
Hours after Lavabit announced its shutdown, encryption app Silent Circle said it was preemptively shutting down its email service. Silent Circle founder Phil Zimmermann, who created email encryption software PGP, said the company deleted all of its customers’ existing email when it did that. “We’ll try to do something nice for them to numb the pain,” he said. The thinking being that it’s not obstruction of justice if you do it before justice comes calling?
Levison plans to appeal the government’s request from him in the Fourth Circuit and has asked supporters to donate to his legal fund. As of Thursday night, hours after making the request, he had received $40,000. (Update, 8/10/13: As of Saturday morning, Lavabit’s legal defense fund is closing in on $90,000.)
Lavabit was created in 2004, in response to the Patriot Act, says Levison. He and friends from Southern Methodist University decided to create an email service by geeks for geeks. Levison was concerned that the FBI could send a company a national security letter (NSL) that would force them to turn over information about a customer without going through a court first. “I wanted to put myself in the position of not having information to turn over,” he said. “I didn’t want to be put in the position of compromising people’s privacy without due process.”
Levison isn’t a privacy absolutist. He has cooperated in the past with government investigations. He says he’s received “two dozen” requests over the last ten years, and in cases where he had information, he would turn over what he had. Sometimes he had nothing; messages deleted from his service are deleted permanently.
“I’m not trying to protect people from law enforcement,” he said. “If information is unencrypted and law enforcement has a court order, I hand it over.”
In this case, it is the government’s method that bothers him. “The methods being used to conduct those investigations should not be secret,” he said.
I asked Levison how his service works. He says his customers’ encrypted data is secured with a public key and private key, and that the private key is protected by a password. He doesn’t have the technological capability to decrypt his customers’ data, but if someone could intercept the communication between Lavabit’s Dallas-based servers and a user, they could get the user’s password and then use that to decrypt their data.
Lavabit has 40,000 people logging in every day and sending 1.4 million messages per week. Levison has just one full-time employee — a grad student based in Europe. “I couldn’t talk to him about shutting down because the same legal restriction that applies to our conversation applies with him,” said Levison.
“Some people have suggested moving the service overseas,” said Levison. “Even if I found somewhere secure overseas, it would be hard logistically. My life is here in the States. It would be hard for me to move to another city let alone another country.”
He says he’ll only start operating again if his case sets a precedent. “It needs to be clear that the government can’t do what they’re trying to do,” said Levison. “Otherwise the same request is going to come right back at us. Other big names aren’t able to shut down in protest. I’m one person without a bunch of employees to support. If we win, we win for everyone.”
He says that win would be important for other U.S. businesses. “If there were surveillance bugs in all products coming out of China, would you buy those products?” he asks.
If the shutdown is a permanent one, Levison would be walking away from $50,000 to $100,000 in annual revenue, his primary source of income. He also walked away from his personal email address, which was shut down along with all the other Lavabit accounts.
“I’m taking a break from email,” said Levison. “If you knew what I know about email, you might not use it either.”