[cryptography] Lavabit-DOJ dispute zeroes in on encryption key ownership

Jeffrey Walton noloader at gmail.com
Fri Nov 15 14:23:21 EST 2013


The government's insistence, in its dispute with Lavabit, that cloud
service providers hand over their encryption keys when asked, has
refocused attention of key ownership and management in the cloud.

Security experts agree that the best way for companies to ensure that
their data is safe from snooping eyes in the cloud is to encrypt all
their data and to maintain total ownership of the encryption keys.
However, pulling off that feat is not always easy, practical or cheap.

Lavabit, a provider of secure hosted email services, shut down
operations in August citing concerns that the FBI was coercing it into
divulging personal information on its customers.

Founder Ladar Levison claimed at the time that he would rather shut
down the company than be part of what he described as crimes against
the American people. His actions were prompted by government demands
for his company's private Secure Sockets Layer (SSL) keys for
decrypting email communications believed to belong to former NSA
contract worker-turned document leaker Edward Snowden.

Levison maintained that the keys would allow the government to unlock
all encrypted communications belonging to Lavabit's users. He claimed
the government's request was similar to someone asking for the master
key to open all the rooms in a hotel, when all that was needed was
access to a single room.

After initially digging in his heels and getting slapped with a
$10,000 fine by a federal court, Levison finally hand-delivered a disk
containing the keys to the FBI in August.

The U.S. Department of Justice accused Levison of compromising its
investigation by shutting down the company and going public with his
complaints. In a motion filed in the U.S. Court of Appeals for the
Fourth Circuit this week, the DOJ maintained that Levison did not have
the right to thwart the government's legitimate surveillance
activities by shutting down the service altogether.

The DOJ angrily dismissed Levison's "parade of hypotheticals"
regarding the actions the government could take with the encryption
keys and likened his actions to that of a business locking its front
gate to thwart execution of a search warrant.

The situation shows why companies that want to protect their data in
the cloud need to encrypt everything and maintain full control of the
encryption keys.

"This disclosure issue at Lavabit is one very good example of an
organization's inability to maintain ownership and control of data in
traditional cloud computing environments," said Elad Yoran, CEO of
Vaultive, a vendor of cloud encryption technologies. "If a third party
can turn our data over without our knowledge or authorization, do we
really own or control our data in the cloud?" he said.

If a company maintains its own encryption keys, the government will
need to make a legal request for the keys with the company and not the
cloud provider, he said. Otherwise, all they would get from the cloud
provider would be "encrypted useless gibberish," he said. "This puts
the power of ownership back into the hands of businesses."

More information about the cryptography mailing list