Privacy advocates are warning that the legal gray area in a key court case may make it easier for the government to spy on Americans illegally. By using what's called a pen trap order — a type of judicially approved surveillance mechanism that's only supposed to capture metadata about electronic communications — it appears that the government has the theoretical ability to capture the content of those communications as well.
The case involves Lavabit, the secure e-mail service used by NSA leaker Edward Snowden. Broadly, the case is about whether the government can force an Internet company like Lavabit to hand over its encryption keys. In a ruling Wednesday, a federal appeals court sided with law enforcement. But a closer look at just how the government can obtain the keys has civil liberties scholars very worried.
To understand what's at stake, let's dig a little bit into how encryption works. An encryption key is exactly what it sounds like: a way for one person to turn a message into a jumble of illegible numbers and letters, and a way for the intended recipient to decrypt that message. If someone else gets hold of the recipient's key, they can decrypt the message, too.
The government wanted Lavabit's owner, Ladar Levison, to hand over his encryption keys — not necessarily to read the messages being sent using the service, but to install what's called a pen trap. A pen trap captures basic information about a message, such as when it was sent and who it was sent to, but not the contents of the message.
Under the law, pen traps can only be used to monitor that kind of metadata. Getting access to content is another matter. But the recipient of a pen trap order is also required by law to cooperate with law enforcement officials in installing the device.
In this case, the pen trap order was interpreted after it was issued to mean that Lavabit was required to surrender its encryption keys as a part of that cooperation provision. (The initial order was pretty vague, and it wasn't until Lavabit failed to comply that the government explicitly requested that the SSL keys be handed over.) This would be a big deal. If the government can use an order that's restricted to metadata to obtain keys it could then use to decrypt content, then a nefarious actor could gain access to content without jumping through the judicial hoops necessary for demanding content.
"One of [the government's] arguments was that the assistance provisions of the pen trap order can require the Internet company to do whatever is necessary. And encryption keys might be covered under the pen trap order," said Brian Hauss, a legal fellow at the American Civil Liberties Union.
"I think if they did it that way, it would be illegal," he added. "If they get a pen trap order and then use that to get the SSL key and go out on a limb on their own — that search would be outside the scope of their judicial authority."
Unfortunately for Lavabit, Levison initially failed to challenge the legality of the pen trap order — allowing the appellate court to rule against Lavabit without deciding the civil liberties question.
The government would probably be loath to flout the law so openly. But then again, nobody thought the NSA would be spying on Americans either, until recently.