Apple vs FBI: Lavabit warns FBI’s “extraordinary” action may drive US businesses offshore

Another amicus brief has been filed in support of Apple in its legal battle with the FBI over the measures it is being ordered, by a court writ, to take to help the agency break into a locked iPhone used by one of the San Bernardino terrorists. Apple is keeping an update list of amicus briefs and letters of support filed with the court here.

This time the amicus brief has been submitted by Lavabit, a technology company that previously judged it necessary to shutter its own service after receiving similarly “extraordinary” government demands for assistance to access user data, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden.

The former encrypted email service had apparently been used by Snowden for private email communications but shut down its services in August 2013 to avoid being forced to compromise user data, with founder Ladar Levison saying at the time: “I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.”

In its amicus brief in support of Apple, published on Friday, the company details the “extraordinary assistance” it was compelled to provide by the government back in 2013 — noting that the FBI sought its private encryption key, which would have enabled the agency to perform man in the middle attacks as a method for obtaining user data.

“… the FBI sought the private encryption key used by Lavabit to protect the Secure Socket Layer (“SSL”) and Transport Layer Security (“TLS”) connections to their servers. With the SSL/TLS private key in hand, the FBI would be able to impersonate Lavabit on the Internet. This would allow them to intercept, decrypt, inspect, and modify (either with intent, or by accident) all of the connections between Lavabit and the outside world,” Lavabit writes.

“In the same vein, the government now seeks extraordinary assistance from Apple,” Lavabit asserts, joining the chorus of voices arguing that the FBI’s demand “far exceeds the scope of the All Writs Act and violates the rights guaranteed to Apple under the United States Constitution”.

“The government’s extraordinary request eviscerates the purpose of the All Writs Act, and unnecessarily compromises the proprietary intellectual property of a private company that has not been implicated, in any way, with the crime under investigation,” Lavabit adds.

If Congress had intended that private entities and individuals be forced to provide such extraordinary assistance to government investigations, Congress would have passed a law to that extent.

“Congress does not hide elephants in mouseholes… If Congress had intended that private entities and individuals be forced to provide such extraordinary assistance to government investigations, Congress would have passed a law to that extent.”

(To be clear, Lavabit’s implication is that the type of assistance being sought by the FBI in the San Bernardino iPhone case is similarly extraordinary to the earlier FBI action in its case, even though the route the agency is seeking to take now against Apple is different, given it is not asking Apple to hand over its private encryption key but rather to create a security-weakened version of its OS on demand. But then Apple’s higher profile vs Lavabit makes it rather harder for the FBI to out-and-out ask for encryption keys in this case.)

Lavabit goes on to warn the government’s action risks damaging Apple’s trusted brand and reputation, as well as the reputations of third party companies providing secure services via the iOS platform. And if the Apple brand becomes mistrusted by its users as a result of government action, Lavabit makes the point that that could have a wider impact on iOS’ users security — since users may no longer trust routine security updates sent by Apple.

“Automatic updates are often critical to iOS security because they fix new vulnerabilities,” it notes. “Because consumers trust Apple, many iPhone owners have these automatic updates turned on. If the government is successful, however, many consumers may not be as trustful of these updates because of a fear (actual or imagined) that the updates will contain malware to provide a backdoor into the data on their iPhones. The result is that fewer people will automatically accept the automatic updates and the overall security of iPhones across the country will suffer.”

Lavabit also warns the FBI’s action against Apple could ultimately trigger an exodus of US companies seeking to avoid similar reputational damage.

“Such precedence would likely result in many businesses moving their operations offshore, therefore, making it more difficult for law enforcement to obtain even ordinary assistance from such companies,” it writes in the brief.

On that front, another secure encrypted comms company, Silent Circle, moved its global headquarters from the Caribbean to Switzerland back in May 2014 — citing the latter’s “strong privacy laws” as one of the reasons to headquarter its business in Europe. Various other pro-encryption startups, including ProtonMail and Tutanota, have also chosen to locate their businesses in countries in Europe that have a reputation for protecting privacy.