Can corporate suicide stop the NSA?
By Shane Harris
Shane Harris is a senior staff writer at Foreign Policy, covering intelligence and cyber security. He is the author of The Watchers: The Rise of America's Surveillance State, which chronicles the creation of a vast national security apparatus and the rise of surveillance in America. The Watchers won the New York Public Library’s Helen Bernstein Book Award for Excellence in Journalism, and the Economist named it one of the best books of 2010. Shane is the winner of the Gerald R. Ford Prize for Distinguished Reporting on National Defense. He has four times been named a finalist for the Livingston Awards for Young Journalists, which honor the best journalists in America under the age of 35. Prior to joining Foreign Policy, he was the senior writer for The Washingtonian and a staff correspondent at National Journal.
When the U.S. government orders a communications company to give up its data, the firm has two basic choices: resist, and risk its leaders going to jail, or comply, and break faith with its customers. On Thursday, Aug. 8, however, two privacy-minded businesses chose a third and unprecedented option: They committed corporate suicide rather than bend to the surveillance state’s wishes.
These could be just the opening battles in a new front of the surveillance war.
In a move that blocks governmental monitoring of private email accounts, two secure email providers closed shop on Thursday rather than divulge information about their users to the authorities. The first, Dallas-based Lavabit — which reportedly counts among its users NSA-leaker Edward Snowden — stopped operations after apparently fighting a losing battle to resist a federal surveillance order. (Snowden called the decision "inspiring" in a note to the Guardian’s Glenn Greenwald.) A few hours later, Silent Circle, headquartered outside Washington, D.C., announced it was suspending its encrypted email service as a preemptive measure before ever receiving a command from the government to spy on its users.
The companies’ extreme actions put them in an exclusive club. Security and legal experts said they could not recall a company preventing government access to its customers’ information by shutting down its business. Some companies have appealed surveillance orders in the courts or attempted to force more public disclosure about the secretive intelligence-gathering process, but they have remained functioning. Refusing to comply with an order also means the government is cut off from potentially valuable information that it may have no other means of obtaining.
Ladar Levison, the owner and operator of Lavabit, said in a cryptic public message to his users that he had "been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit."
Levison didn’t say precisely what events had led to his decision, but his letter strongly suggests that he had refused to comply with an official order to hand over Lavabit users’ emails and give the government ongoing, prospective access to the company’s systems. In the letter, Levison said he was forbidden from discussing "the events that led to my decision." Recipients of secretly issued government surveillance orders are often prohibited from disclosing or discussing them publicly.
Silent Circle, in a letter to its customers, cited Lavabit’s decision. "We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail [its encrypted email service] now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."
The company also acknowledged that its email service didn’t have protections as strong as those for its phone and text services, which can delete communications entirely, as well as any corresponding metadata records. Email leaves a digital trail that can be recovered and therefore forcibly disclosed by the authorities.
"Tough decision but we couldn’t wait for the inevitable risking member security," Vic Hyder, the company’s chief operations officer, wrote on Twitter.
"We huddled this afternoon and saw no other choice," Jon Callas, Silent Circle’s chief technology officer and a noted computer security expert, wrote on his Twitter feed.
Companies that receive surveillance demands find themselves in an unenviable position. Some, such as Yahoo!, Microsoft, and Google, have either fought surveillance orders in court or petitioned the government to let them disclose more information about what the authorities are asking about the companies’ users. But until now, these companies and others, including Internet mainstays such as Facebook that have hundreds of millions of users, have complied with the orders and helped form the backbone of official surveillance.
Companies also know they cooperate at the risk of undermining their reputation and their business. Take the encrypted email service Hushmail, a Canadian company that, like Lavabit, had marketed itself as a secure system. In 2007, the firm gave over information on three customers as part of a U.S. federal investigation into illegal steroids. Although Hushmail was complying with a court order and a legal assistance treaty between the United States and Canada, its reputation was significantly damaged among its product’s core users.
Closing a company is certainly not illegal. But evading an official demand is. What penalties or charges Levison might face depends on what the government is seeking. He could face a contempt proceeding, which could include jail time, if he refused to comply with a court order, said Albert Gidari, a lawyer with the firm Perkins Coie who represents companies on surveillance and communications law.
But the government might also be looking for ongoing or prospective surveillance of Lavabit’s customers and access to the company’s systems. Given Levison’s drastic actions, that is likely the case. Shuttering the company would do little to stop the authorities from gaining access to Snowden’s or any other customer’s old emails. But going out of business would mean Lavabit couldn’t comply with any future surveillance.
"It may be that by shutting down the service, he can’t comply, and so it’s doubtful he would be held in contempt," Gidari said. But "shutting down the service could be viewed as obstruction of justice, so he isn’t necessarily out of the woods yet."
Levison faced two bad options. That helps explain why Silent Circle’s executives may have decided to avoid the quandary altogether.
Levison’s decision was greeted by some as a heroic act of protest. A fund was set up to help pay for his legal expenses. "We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals," he wrote.
But Silent Circle’s decision added a new wrinkle. The company appeared to be making a business decision, rather than a legal or ideological one. It had not been served with a government order. Indeed, the company, which was founded by an ex-Navy SEAL and the inventor of the first widely distributed commercial encryption software, says it counts intelligence agency employees and special operations forces as its most loyal customers. Silent Circle has billed its encrypted email service as a way for people with secretive jobs to communicate securely, not as an end run around federal surveillance. (The firm has been known to help privacy-minded journalists stay beneath government radars.) By preemptively shutting down its email service — and purging all data related to it — Silent Circle preserves its reputation as a secret-keeper. It will continue to sell its secure phone, text-messaging, and video services.
Companies may also find resisting NSA surveillance a losing battle. Recently disclosed documents show that the agency has the legal authority to collect and store any electronic communication that uses encryption. And if companies are storing email in servers within the government’s jurisdiction, they may not be able to make good on promises to users that their communications are absolutely private and secure. In his letter, Levison said, "I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States."
The government has given no indication that it will back down from using surveillance orders to demand all kinds of customer records, from Internet searches to phone logs to email metadata and content. But what Lavabit and Silent Circle have done may mark the beginning of a resistance.
The truth is that for all the government’s extraordinary powers under surveillance law and the NSA’s global reach, the U.S. intelligence community is largely at the mercy of companies to help it monitor the world’s networks. Indeed, current surveillance law was modified a few years ago to give telecom companies that assisted the NSA with warrantless wiretapping legal immunity from prosecution. Officials feared that without those protections, the companies would do everything in their power not to help the government.
If enough companies were to take the drastic step of shutting down, the government would find itself in the dark on potentially crucial intelligence. The likelihood of this happening is still remote. But the fact that two companies would take such drastic measures to preserve their independence and keep the government out of their business may speak to a dawning awareness: While the government may hold the legal power, it is not all-powerful.