Yesterday we saw two stories that illustrate the limits of cryptography as a shield against government. In San Francisco, police arrested a man alleged to be Dread Pirate Roberts (DPR), the operator of online drug market Silk Road. And in Alexandria, Virginia, a court unsealed documents revealing the tussle between the government and secure email provider Lavabit.
Silk Road was essentially the eBay of illegal drugs. Silk Road was operated as a Tor hidden service, meaning that it was very difficult to determine where the servers were located; and payments were handled via Bitcoin, which also provides some degree of anonymity. DPR bragged that Silk Road eliminated the violent turf wars that are endemic in face-to-face drug markets, because the technology made it practically impossible for one seller to track down another. It was all arms-length, protected by crypto.
But things didn’t work out so neatly for DPR. According to the criminal complaint, he twice contracted for the killing of Silk Road participants, one a participant who was blackmailing him and the other an employee who had cheated him. Fortunately neither killing was carried out, although DPR apparently paid for both, having been tricked into believing that they had been carried out.
Crypto also failed to protect DPR from being tracked down, probably because of failures in his operational security, such as using accounts linkable to his real name to promote Silk Road early in its development. Reading the documents, one senses that some significant details of are still being withheld.
Is this a failure of crypto? Yes and no. While it’s true that Silk Road is now shut down and the alleged DPR is in custody, it’s also true that Silk Road stayed up for a long time and processed hundreds of millions of dollars worth of transactions, and that DPR eluded identification for a long time. The lesson is that crypto can make it much harder for investigators to unravel an operation—but not impossible.
The other story concerns Lavabit, a secure email provider used by Edward Snowden, among many others. Lavabit relied on crypto to protect its users’ emails.
On August 8, 2013, owner Ladar Levison shut down Lavabit, saying that staying in business would have forced Lavabit to choose between defying the law and betraying its users. Further details were part of a sealed court proceeding.
Yesterday the court unsealed the documents, so we now have a better idea of what happened. The court ordered Lavabit to turn over metadata (to, from, size, date/time information) on all of the email of an unspecified account (presumably Snowden’s). Lavabit had refused, and prosecutors responded by asking the court to order Lavabit to disclose Lavabit’s primary private key—which would give the government the ability to spy on every single Lavabit user. The court granted this request. After some gamesmanship—which got Lavabit fined for contempt of court—Lavabit shut itself down, making the private key disclosure moot.
The court clearly felt that Lavabit had not taken its previous orders seriously enough—and judges tend to get aggressive with parties who they feel are defying the court’s authority. If it were only Lavabit’s own security that was at stake, this would look like a case of a judge getting fed up with Lavabit, and Lavabit paying the consequences.
But here it was the interests of Lavabit’s users that were impacted by the court’s order. And those users could not make an argument against the order because the case was secret. One suspects that the privacy interests of 400,000 users were undermined because the judge was mad at Lavabit.
In making his order, the judge said this:
[The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that information just as they could from any telephone company or any other e-mail source that could provide it easily”.
I was surprised that a court would go so far as to order Lavabit to turn over the security crown jewels. Turning over this information would have put Lavabit in a position of essentially lying to its users about security. While it’s true that Lavabit might have headed this off by being more cooperative earlier, when only the Snowden account was at issue, this chain of events only serves to undermine users’ trust in U.S.-based technology providers. Lavabit shut down rather than lie to its users, but that’s more than most providers would have done.