By 2004, he was involved with creating a one-man business that would eventually bring the FBI to his door. That’s one reason his neighbors at Mockingbird Station might have taken to stopping by on the way home from the bars. They knew Ladar would be awake, sucking down Mountain Dew, cranking out computer code.
If you wanted to attract an audience and then charge advertisers to reach that audience, you could either spend a lot of money to create content for the audience, or, far more cheaply, you could build a platform and let the audience generate its own content. That’s email. Seeing it as a medium around which to wrap ads might not sound groundbreaking today, but at the time, no one had heard of “user-generated content.” Wikipedia was in its infancy. Gmail didn’t exist until the same year Nerdshack did.
Ladar launched his free email service in April 2004. There were no ads initially, and revenue was nonexistent. Really, it was an expensive hobby. Rodenberg was working at the time for a startup based in downtown Dallas. He let his buddy Ladar use the company’s T1 internet connection for Nerdshack, but it quickly sucked up so much bandwidth that it had to be moved to a separate data center and pay its own way.
Ladar thinks there might be 1,000 people on the planet who share his combination of skill sets. (This assessment does not take into account his proficiency in volleyball or wilderness survival.) There is writing software for an email service, and then there’s running the hardware and the databases that make the service hum. Without venture capital or employees, Ladar did it all himself. And then, a year and a half after he started Nerdshack, he revamped the entire operation.
In 2006, he rolled out a major reconfiguration of his email service (adding IMAP to his POP service, if you must know). And as long as he was doing that, he figured, he should come up with a snappier name, something with less “nerd” in it. Too, he’d been reading about the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. Better known by its abbreviated acronym, the Patriot Act had become law in a legislative paroxysm triggered by the 9/11 attacks, greatly expanding the government’s surveillance operations on several fronts. In high school, Ladar had debated the legality of random locker searches as a member of the Junior State of America. He now saw parallels between that situation and this one, where the liberties of the many innocent would be curtailed in pursuit of the guilty few. He also saw a business opportunity. Thus was born Nerdshack’s offspring, Lavabit, an email service for the privacy-minded.
“That’s why they were trying to keep it a secret,” Ladar says of the FBI’s wire tap. “They have figured out how to listen to a large number of encrypted conversations in real time.”
Remember the DEF CON gig in Vegas that young Ladar snuck off to when he was 14? “I knew those hackers,” he says. “I’d seen them work. I knew a lot of the techniques they used. So when I built my own system, I took a paranoid approach to security. I wanted to keep my friends out.”
As for the Patriot Act and the mother lode of metadata it handed over to the feds, Ladar designed Lavabit to forget it all. “I had been reading the news,” he says. “I knew about national security letters and the position they put internet service providers in. And I was, like, I’m starting with a clean slate. I can choose not to record that information, just not write the code to do it. I won’t collect and log any information that I don’t need.”
Beneath the metadata, though, Ladar’s revamped service also handled the most private of all user information, the email messages themselves. For paying customers, then, Ladar created a system to send and store data so securely that even he couldn’t read his users’ messages. Space and your storyteller’s slippery grasp of hashing algorithms and asymmetric key systems prevent a detailed description of how, precisely, Lavabit worked, but here is all you need to know: [email protected].
That’s an email address Edward Snowden, the infamous former NSA contractor and information leaker nonpareil, used from January 2010 until August 2013, at which time Ladar shut down his email service in response to an FBI tap designed to capture email information about a target who may or may not have been Snowden. In other words, a guy with a pressing need for privacy and an intimate knowledge of the planet’s best-funded, most sophisticated surveillance operation—that guy used Lavabit.
•••
I might know things I shouldn’t know. Honestly, though, I don’t know with certainty what it is that I should and shouldn’t know. And I don’t know how close I am to the truth with certain guesses that I’ve hazarded. Ladar knows the rules, and he is painfully careful about what he says concerning certain court cases that he can discuss and others that he cannot. I’ve sat on the couch in his Uptown apartment while his tiny Italian greyhound, Princess, has occupied my lap, looking at me like I owe her something. Ladar has asked me at times to turn off my recorder. I, of course, have no recollection of what transpired when said recorder wasn’t recording what was or wasn’t said.
But here is something I can report: on July 11, when the FBI attempted to serve Ladar with a subpoena, he did not, as an assistant U.S. attorney claimed in a court filing, “exit his apartment from a backdoor, get in his car, and drive away.” Ladar lives on the fifth floor of an apartment building. His “backdoor” opens onto a small patio. Such an exit would be impressive.
Many journalists had assumed that the FBI (or some combination of government initialisms) had taken an interest in Ladar only after Snowden very publicly used a Lavabit address. But before the attempted subpoena, he had been in contact with federal authorities regarding an ongoing criminal investigation—the one whose target the FBI will not acknowledge—for a couple of weeks. And he had cooperated with government warrants previously. In June, Ladar provided the FBI with information on a user for a child pornography case in Maryland.
At the time, about 400,000 subscribers were using the service, with 10,000 or so paying for adless email and encrypted storage. The company was generating enough cash that Ladar had been able to scale back his outside consulting projects and hire an overseas part-time tech support guy.
An aside: Ladar did once have a girlfriend. She was an electrical engineer for Raytheon, and they dated for five years. Here’s how he fit Lavabit into their relationship: “I’d work solid for five days, basically sleep two hours a night, then go over to my girlfriend’s place, where I’d sleep for two days straight, then go back and do the cycle all over again.”
The business eventually won out over the girlfriend. Rodenberg recalls the end: “She really liked Ladar. He should not have let that go. He’s not going to find another girl that puts up with his crap as well as she did. I still remember this exchange. He said, ‘She wants to spend all this time with me.’ I’m like, ‘Dude, that is called having a girlfriend. That is not an outrageous request.’ I don’t remember exactly how it happened. A few months later, they broke up, and he was super depressed.”
But by last summer, the backbreaking work and the sacrifice were paying off. Lavabit was chugging along. The service typically gained about 150 new accounts every day. Then, on July 12, just a day after the FBI knocked on Ladar’s door, everything changed. Lavabit was hit with about 5,000 new registrations. Ladar thought he was under attack from spammers registering zombie accounts. His tech support guy told Ladar to google “Snowden” and “Lavabit.”
July 12 was the day that Snowden used his Lavabit address to call a press conference at Moscow’s Sheremetyevo Airport, where he made his bid for whistleblower asylum. Among the hundreds of stories about Lavabit bouncing around the internet that day, Yahoo News said Snowden’s use of the service was “an incredible brand endorsement for any pro-privacy, anti-government-snooping organization out there.” Lavabit generated about $12,000 in the month after Snowden’s press conference, more than double its pre-Snowden monthly revenue.
Imagine having invented a putter and then watching Tiger Woods use it to win the Masters. Lavabit, as Yahoo News noted, had received a lucrative endorsement, and the service was taking off. Ladar’s first thought when he saw the spike in registrations was that he needed to get some extra servers online.
By August 8, his thinking had changed. Ladar shut down Lavabit, posting a message to the site that brought him even more attention than had Snowden’s implicit endorsement. Ladar’s note to his users read, in part:
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot.”
On October 2, a raft of court documents was unsealed, and we now know why Ladar’s explanation for taking Lavabit offline was so oblique. (The order to unseal the documents is still under seal, making it unclear why they were unsealed, but it seems that when Ladar’s case made its way up the chain, an appellate court judge decided he’d had enough of the secrecy.) As the FBI sought to tap Lavabit in a novel way, an effort that began in June, Ladar was under a gag order to remain silent about the process, including but not limited to revealing information about the target(s) of the eavesdropping (again, one of which everyone has assumed, with good reason, to be Snowden).
Here’s something else I think I can report: agents of the federal government have broken the internet’s standard form of encryption. This is where the gun comes into play.
Most encrypted online communication uses a protocol called secure sockets layer, or SSL. To oversimplify, SSL protected the emails, passwords, and other information sent to and from Lavabit’s servers. To do this, a user employed a public key to encrypt an email that could then only be decrypted with a corresponding private key, which in theory would only be known by the intended recipient. Each connection was protected by a third key, called a session key.
The FBI needed two things: a warrant to see metadata (the recipient of an email and time it was sent, for example, but not the content of the email) and a method to decrypt the SSL connections. The warrant was easy. The ability to decrypt SSL connections was problematic.
Normally, an email service logs metadata, and those logs can be monitored by the government. But Lavabit wasn’t a normal email service. Ladar engineered it so that such metadata were never kept on his servers. So when the feds said they wanted to monitor the email of the target(s) in real time, and when they asked for Lavabit’s private SSL master key to do so, Ladar deduced that they’d come up with a way to figure out those third keys, the session keys. Until now, uncovering a session key was thought to be theoretically possible but also so difficult that it would be impractical. Ladar realized the FBI had been able to “reduce” the problem such that it had the ability to uncover session keys in real time. This meant that once they had access to the private SSL keys, they would be able to monitor everyone who was accessing Lavabit and examine everything being sent to and from its servers.
“Nobody knows that capability exists,” Ladar says. He admits he’s just guessing, but then, he would be in a better position than anyone on the planet to guess about such a thing. “That’s why they were trying to keep it secret. They have figured out how to listen to a large number of encrypted conversations in real time. They’ve probably uncovered a weakness in the SSL algorithm. The feeling I got is that they can do it with a single device that has specialized hardware inside it.”
When the FBI asked for Lavabit’s private SSL keys, Ladar and his lawyer argued that turning them over would ruin his business and that such access would violate the privacy of all his customers by giving the feds access not just to the target(s) singled out by a warrant but also to the communications of all 400,000 of Lavabit’s users. Ladar lost this argument. After getting hit with a $10,000 contempt-of-court fine, he finally turned over Lavabit’s SSL keys. But he did it in typical Ladar fashion.
First, he connected a 4-terabyte hard drive to his servers and dumped all his users’ stored encrypted emails onto it, about 40 million messages. That drive now waits in “an undisclosed location” for Ladar to prevail in court and restart Lavabit.
Second, he chose a clever way to comply with the judge’s order. Lavabit used 2,048-bit encryption keys that each comprised 512 random characters. Rather than hand them over in a usable digital format, Ladar printed the keys in 4-point type, which required 11 pages. Because the FBI knows that Ladar owns a gun, it didn’t want to send an agent to his apartment to collect the SSL keys. Recall, too, that Ladar owns a vicious Italian greyhound.
•••
Ladar Levison is riding shotgun in my car, with Princess perched in his lap, as we barrel westward on I-30. He’s talking on his phone to a producer from CBS News in New York City. He has always been famous, to a degree. It’s the alliteration. And because the first name suggests a large antenna mounted on a military vehicle. He still encounters old SMU classmates who will greet him: “Ladar!” Of course, their poli-sci class had 50 students in it, and that was 10 years ago, so Ladar can rarely recall Jim’s name. The name is a blessing and a curse.
Now he gets approached on an entirely different level. I watched him give a speech in September at Ron Paul’s Liberty Political Action Conference, at a Marriott conference center in Northern Virginia. He concluded by saying, “It’s the job of every patriot to defend his country from his government. I don’t see myself as a hero. I just see myself as an American.” A few hundred people leapt to their feet with applause. Outside the ballroom, people took selfies with Ladar.
“This whole thing has forced me to work on my people skills,” he said. “For the past 10 years, my best friend has been a computer.”
Bruce Fein was in the audience. He’s a Washington, D.C.-based lawyer who has testified before Congress literally more times than he can count, including at Justice Antonin Scalia’s confirmation hearing. Until recently, Fein represented Edward Snowden’s father. He told me that he thinks Ladar’s case is probably headed to the Supreme Court. “It is to the Fourth Amendment what Brown v. Board of Education was to the equal protection clause. It draws the line,” Fein said. “He has decided to act as the Paul Revere, if you will, of the entire internet community.”
But right now Paul Revere has a plane to catch. After CBS on October 4 and a busy schedule of other interviews in New York, he’ll head to Arizona to give a talk at another conference, and then fly to Brussels for a European Union hearing. He’s not even sure what that’s about. Without a job or a business to run, these days he just goes where his legal team sends him.
There’s just one more thing I need to clarify before I put him and Princess on a plane. It concerns the FISA court.
The Foreign Intelligence Surveillance Act was passed in 1978. The Patriot Act amended FISA to give the NSA broader powers to snoop on “United States persons” in an effort to combat terrorism. Documents leaked by Snowden reveal that the NSA has essentially tapped the entire planet, possibly using quantum computers to analyze the data it collects. There is a FISA court, whose proceedings are secret. The Latin for this special sort of proceeding is ex parte,meaning only one side gets to present its argument to a judge. That side is the government’s.
Weaving in and out of traffic, rushing to get Ladar to his gate on time, I ask him if he has ever received a FISA warrant to tap Lavabit.
“I can’t confirm or deny that, can I?” he says. “I wanted to contest a request for the SSL keys in a federal district court, not the FISA court. I can still say which court I’d rather have a hearing in.”
He says this with a rare, fleeting smile on his face. As I say, Princess is sitting in his lap. My guess is that’s why Ladar is smiling. He loves that dog.
Write to [email protected].
