When on June 9 Edward Snowden stood up in Hong Kong and revealed himself to the world as an NSA whistleblower, the Justice Department wasted little time in targeting his email provider. A new appeals court filing today shows the government served a court order on Texas-based Lavabit the very next day, demanding metadata on an unnamed customer that the timing and circumstances suggest was Snowden.

The June 10 records demand was issued under 18 USC 2703(d), a 1994 amendment to the Stored Communications Act that allows law enforcement access to non-content internet records without demonstrating the “probable cause” needed for a search warrant. That would include email “To” and “From” lines, and the IP addresses used to access the account, but would not include the content of the email.

That order was followed on June 28 with a so-called “pen register order”, which provides the same information prospectively — recording the metadata for every new email sent or received.

It’s not clear what information, if any, Lavabit produced at that stage of the investigation. But on July 9 the court evidently issued an “Order to Show Cause,” which in a records case is usually the result of the government asking the court to enforce a demand that hasn’t been complied with to the government’s satisfaction.

The new information is revealed in a government filing in Lavabit’s appeal in the case. Lavabit attorney Jesse Binnall on Tuesday asked the 4th U.S. Circuit Court of Appeals to unseal some information in the case so that public interest groups could learn enough to potentially file amicus briefs on the core legal issues. The government today filed its opposition to the unsealing motion — under seal, naturally — along with a public timeline of previous orders keeping the case secret.

“The entire record in the district court, including all applications, subpoenas, motions, warrants, and orders, remains under seal,” prosecutors wrote in the public filing.

The timeline shows that the government’s records demands to Lavabit in the case began on June 10, almost two months before owner Ladar Levison shut down the service on August 8 with an oblique message saying he’d been left with little choice in the matter.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote at the time. “After significant soul searching, I have decided to suspend operations.”

Levison and his lawyer are both bound by a gag order preventing them from discussing the details of the case, or identifying who the government’s target is.

The June 29 pen register order may well have been the issue. A standard email provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

Levison could have complied with a prospective metadata demand in a number of ways: by providing the government with Lavabit’s private SSL certificate — allowing its users to be wiretapped; by modifying the software to store a user’s private encryption key at the next login; or by recording the email metadata before it’s encrypted. But Levison may have balked at actively circumventing the privacy system he built for users.

After shutting down the site, Levison appealed on August 29. His opening brief in his appeal is due October 3.

“He’s optimistic that we use this opportunity to possibly get some good law,” attorney Binnall told WIRED earlier this month. “My client is somebody’s who’s very concerned about privacy rights and protecting the United States Constitution from unlawful searches and seizures and protecting the First Amendment.”