Today Lavabit filed a brief before the Fourth Circuit challenging a civil contempt order for its refusal to turn over its encryption key that the government wants to enable the government to conduct surveillance of Edward Snowden. I think Lavabit faces a very uphill battle, and in this post I’ll explain why.
First, a bit of context. The government obtained several different court orders requiring Lavabit to disclose the key. First, they obtained a pen register order; next, they issued a subpoena for the key; and third, they obtained a search warrant for the key. Lavabit refused to comply with any of them, and the court imposed a fine of $5,000 a day until Lavabit agreed to hand over the key in digital form. (In a bit of a middle finger to the government and the court, Lavabit did turn over a paper copy of the key — which was 11 pages long in 4-point type — but refused to turn over an electronic copy. Understandably, the court didn’t consider that compliance.) Lavabit then shut down its service and handed over the key. In this appeal, Lavabit is appealing the lawfulness of the judge’s orders requiring it to hand over its key by arguing that none of the court orders were valid.
In order to to win on appeal, Lavabit needs to show that all three methods are improper. I don’t think they can do this. I’ll take each argument in turn.
1) The Subpoena Argument
Lavabit’s weakest argument is its claim that the government couldn’t just subpoena the key from Lavabit. Surprisingly, the brief spends less than two pages on this issue at the end of the brief. I think it’s the argument that Lavabit should be the most worried about, however. Here’s the problem. The government can subpoena pretty much anything before the grand jury unless the request is overly burdensome, abusive, or oppressive. Compliance obviously wouldn’t be overly burdensome: Lavabit has the key and could just send a copy to the government. Instead, Lavabit argues that the subpoena is “abusive” and “oppressive” because it conflicts with Lavabit’s anti-government business model. Thanks to Lavabit’s design, the government can’t conduct surveillance without the key — and access to the key enables access to a lot of information. Now that the government has obtained a court order to conduct surveillance, Lavabit argues that it would be “abusive” and “oppressive” to effectuate that that because it would make it impossible to offer an email service that the government cannot monitor:
[T]o comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut down entirely. That is the key point, and the resulting harm goes far beyond a mere inconvenient search for records. Just as requiring a hotel owner to install glass doors on all its hotel rooms would destroy the hotel’s business, Lavabit cannot exist as an honest company if the government is entitled to take this sort of information in secret. Its relationship with its customers and business partners depends on an assurance that it will not secretly enable the government to monitor all of their communications at all times. If a mere grand jury subpoena can be used to get around that (in secret, no less), then no business—anywhere—can credibly offer its customers a secure email service.
This strikes me as a really weak argument. Lavabit is essentially claiming that its anti-government business model trumps the subpoena power. That is, it is arguing that the subpoena is “oppressive” precisely because it would work: It would allow the government to conduct the surveillance it is allowed to conduct under the Pen Register statute. That’s a curious argument in light of the traditional understanding of the grand jury subpoena power:
Citizens generally are not constitutionally immune from grand jury subpoenas[,] and . . . the longstanding principle that the public has a right to every man’s evidence is particularly applicable to grand jury proceedings. The duty to testify may on occasion be burdensome and even embarrassing. It may cause injury to a witness’ social and economic status. Yet the duty to testify has been regarded as so necessary to the administration of justice that the witness’ personal interest in privacy must yield to the public’s overriding interest in full disclosure. Furthermore, a witness may not interfere with the course of the grand jury’s inquiry. He is not entitled to urge objections of incompetency or irrelevancy, such as a party might raise, for this is no concern of his. Nor is he entitled to challenge the authority of the court or of the grand jury or to set limits to the investigation that the grand jury may conduct.
United States v. Calandra, 414 U.S. 338, 345 (1974) (internal quotations and citations omitted).
In light of that standard, I don’t know of any authority for the view that a private company can announce an ideology or business strategy and then say that a subpoena that interferes with that strategy is “abusive” or “oppressive.” The reference point for what is “oppressive” can’t be the personal ideology or the business model of the subpoena recipient. Any other rule would nullify the subpoena power that the Supreme Court has gone out of its way to protect.
2) The Pen Register Argument
Lavabit also claims that it doesn’t need to hand over the key because the Pen Register statute doesn’t require it. The Pen Register statute actually has a provision about compelling providers to help them. Here’s the text:
Upon the request of an attorney for the Government or an officer of a law enforcement agency authorized to install and use a pen register under this chapter, a provider of wire or electronic communication service, landlord, custodian, or other person shall furnish such investigative or law enforcement officer forthwith all information, facilities, and technical assistance necessary to accomplish the installation of the pen register unobtrusively and with a minimum of interference with the services that the person so ordered by the court accords the party with respect to whom the installation and use is to take place, if such assistance is directed by a court order as provided in section 3123 (b)(2) of this title.
18 U.S.C. 3124(a). Lavabit argues that this doesn’t apply because handing over the keys doesn’t help accomplish the “installation” of anything; rather, it just helps the government decrypt the information after it has been obtained in encrypted form.
I’m not sure of where I come out on this argument. It’s clever, and it has some textual basis. But then it also has a textual problem that the Lavabit brief doesn’t mention. 18 U.S.C. 3127(3) defines a “pen register” as “a device or process which records or decodes dialing, routing, addressing, or signaling information” (emphasis added). And the dictionary defines “install” as “to connect or set in position and prepare for use.” Given that the government cannot decode the signaling information without the key, why isn’t handing over the key an example of providing “information” and “technical assistance” needed to connect for use the decoding of the signaling information? I suppose the best counterargument is that the requirement is of “unobtrusive” installation — a leftover from the telephone era, I would think — and it’s not clear how having the keys has anything to do with obtrusiveness. But I’m not sure what the standard is for “obtrusive” — there’s no caselaw on this, as far as I know. So I’m mixed on this argument.
3) The Stored Commmunications Act and Fourth Amendment argument
Lavabit also argues that the warrant isn’t permitted, for two main reasons. First, under the Stored Communications Act, the government isn’t seeking information that are “contents” or that are non-content records “pertaining to” a customer. This is a possible textual argument under the SCA, although it seems to me that it cuts the opposite way Lavabit wants. The SCA is a limitation on disclosure, not a grant of power, so if the SCA doesn’t apply then it just means that the government can get the information without complying with the SCA at all.
Finally, Lavabit makes an argument that the Fourth Amendment doesn’t permit the government to obtain warrants for encryption keys. The key itself is not evidence, contraband, fruits, or instrumentalities of crime, Lavabit argues, but is merely a way to get to evidence, contraband, fruits, or instrumentalities of crime. This is a clever argument pressing an undeveloped aspect of Fourth Amendment law, but I don’t think it ultimately works. It’s pretty standard for computer warrants to authorize the seizure of passwords, encryption codes, operating manuals, “and other information necessary to access the computer equipment, storage devices or data.” I haven’t seen a Fourth Amendment challenge to such provisions, but I would think they are okay because they involve instrumentalities of crime. That is, the password or encryption key is part of the tool used to commit the crime, so it is part of the instrumentality of crime and can properly be obtained in a search warrant. Cf. United States v. Peagler, 847 F.2d 756 (11th Cir. 1988); United States v. Stewart, 315 Fed.Appx. 554 (6th Cir. 2009).