The Washington Post

How a common law enforcement tool could be abused to spy on you illegally

Privacy advocates are warning that the legal gray area in a key court case may make it easier for the government to spy on Americans illegally. By using what's called a pen trap order — a type of judicially approved surveillance mechanism that's only supposed to capture metadata about electronic communications — it appears that the government has the theoretical ability to capture the content of those communications as well.

The case involves Lavabit, the secure e-mail service used by NSA leaker Edward Snowden. Broadly, the case is about whether the government can force an Internet company like Lavabit to hand over its encryption keys. In a ruling Wednesday, a federal appeals court sided with law enforcement. But a closer look at just how the government can obtain the keys has civil liberties scholars very worried.

To understand what's at stake, let's dig a little bit into how encryption works. An encryption key is exactly what it sounds like: A way for one person to turn a message into a jumble of illegible numbers and letters, and a way for the intended recipient to decrypt that message. If someone else gets a hold of the recipient's key, they can decrypt the message, too.

The government wanted Lavabit's owner, Ladar Levison, to hand over his encryption keys — not necessarily to read the messages being sent using the service, but to install what's called a pen trap. A pen trap captures basic information about a message, such as when it was sent and who it was sent to, but not the contents of the message.

Under the law, pen traps can only be used to monitor that kind of metadata. Getting access to content is another matter. But the recipient of a pen trap order is also required by law to cooperate with law enforcement officials in installing the device.

In this case, the pen trap order was interpreted after it was issued to mean that Lavabit was required to surrender its encryption keys as a part of that cooperation provision. (The initial order was pretty vague, and it wasn’t until Lavabit failed to comply that the government explicitly requested the SSL keys to be handed over.) This would be a big deal. If the government can use an order that's restricted to metadata to obtain keys it could then use to decrypt content, then a nefarious actor could gain access to content without jumping through the judicial hoops necessary for demanding content.

"One of [the government's] arguments was that the assistance provisions of the pen trap order can require the Internet company to do whatever is necessary. And encryption keys might be covered under the pen trap order," said Brian Hauss, a legal fellow at the American Civil Liberties Union.

"I think if they did it that way, it would be illegal," he added. "If they get a pen trap order and then use that to get the SSL key and go out on a limb on their own — that search would be outside the scope of their judicial authority."

Unfortunately for Lavabit, Levison initially failed to challenge the legality of the pen trap order — allowing the appellate court to rule against Lavabit without deciding the civil liberties question.

The government would probably be loath to flout the law so openly. But then again, nobody thought the NSA would be spying on Americans either, until recently.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.



Success! Check your inbox for details. You might also like:

Please enter a valid email address

See all newsletters

Show Comments
Most Read



Success! Check your inbox for details.

See all newsletters

Your Three. Videos curated for you.
Play Videos
Don’t be ‘that’ sports parent | On Parenting
Miss Manners: The technology's changed, but the rules are the same
A flood of refugees from Syria but only a trickle to America
Play Videos
John Lewis, 'Marv the Barb' and the politics of barber shops
Kids share best advice from mom
Using Fitbit to help kids lose weight
Play Videos
This man's job is binge-watching for Netflix
Transgender swimmer now on Harvard men's team
Portland's most important meal of the day
Play Videos
5 ways to raise girls to be leaders
How much can one woman eat?
The signature drink of New Orleans
Next Story
Brian Fung · April 17, 2014

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.