Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?
The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack.
To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.
From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.
Insider attacks are a big problem. You might have read about a recent insider attack against the NSA by Edward Snowden. Similar but less spectacular attacks happen all the time, and Lavabit, or any well-run service that holds user data, has good reason to try to control them.
From a user’s standpoint, a service’s resistance to insider attacks does more than just protect against rogue employees. It also helps to ensure that a company will not be tempted to repurpose or sell user data for commercial gain without getting users’ permission.
In the end, what led to Lavabit’s shutdown was not that the company’s technology was too resistant to insider attacks, but that it wasn’t resistant. The government got an order that would have required Lavabit to execute the ultimate insider attack, essentially giving the government a master key to unlock the data of any Lavabit user at any time. Rather than do this, Lavabit chose to shut down.
Had Lavabit had in place measures to prevent disclosure of its master key, it would have been unable to comply with the ultimate court order—and it would have also been safe against a rogue employee turning over its master key to bad actors.
Users who want ultimate email security will now be looking for a provider that more strongly resists insider attacks. That level of security is very difficult to achieve—but law-abiding users have good reason to seek it.
By Ed Felten