SAN FRANCISCO -- According to one of the nation's top digital civil liberties attorneys, U.S. companies have little legal recourse when powerful law enforcement agencies like the FBI make overreaching demands for their customers' sensitive data.
In a presentation at last Thursday's inaugural TrustyCon event, attorney Marcia Hofmann told attendees that the circumstances in which private email provider Lavabit opted to shutter its business might not be unique. Last summer Lavabit and Silent Circle, two providers of encrypted digital communications services, shuttered their services to avoid forced disclosure of their users' data to U.S. government agencies.
Hofmann, a digital rights lawyer best known for her role as a special counsel for the Electronic Frontier Foundation, currently represents Ladar Levison, who founded and ran Lavabit.
Hofmann's presentation focused on the legal implications of the case, which is still working its way through the courts, but Hofmann said she believes the FBI may well have approached other similar providers for customer data. If they chose to cooperate, she pointed out, we wouldn't be aware of it.
"I don't think Lavabit is a unicorn," Hofmann said.
There are two key legal questions to be asked about the Lavabit case, she said. First, "can a court force a service provider to help law enforcement conduct surveillance and, if so, how far does a provider have to go in providing that assistance?" The second is whether the Fourth Amendment allows the government "to demand a service's SSL keys?"
Hofmann said government law enforcement officials think that the data being encrypted has no legal relevance.
"I think that's odd, personally, considering the whole Fourth Amendment test is based on the question of whether you have a reasonable expectation of privacy," Hofmann said. "And, if you don't have a reasonable expectation of privacy in encrypted data, when would you have a reasonable expectation of privacy?"
The government has further argued, Hofmann said, that a service provider has to aid in whatever way it can to help with surveillance.
"Whatever they demand of you, you have to do," Hofmann said. "If it's something that disrupts your business quality or flies in the face of the basic guarantees that you've made to your consumer, or completely compromises your service, that's not their problem."
Speaking with SearchSecurity after the session, Hofmann added that she believes Internet users should "get away from relying on service providers" to protect sensitive data, and instead push that responsibility back to the individual data owners.
When asked what hope she has for the enhancement of U.S. data privacy laws, she said they needed to change. But it won't happen overnight.
"Law takes a long time to evolve," she said. "I have confidence that this will happen, but we're still getting there."