When it shut down, Lavabit became the first company ever to reveal that the government had demanded its SSL key. Sipa/AP

NEW YORK — Ladar Levison, creator of the ultrasecure email service Lavabit, is an imperfect civil-liberties hero. He is not opposed to working with the government, and he set out to write code, not become an activist. But after being thrust into the public eye as email provider to former National Security Agency contractor and whistle-blower Edward Snowden, he could now set a crucial precedent for online privacy. At stake is a key — a string of letters, numbers and symbols — that unlocks many of the Internet’s most basic transactions, including messaging, banking and shopping. In order to spy on a Lavabit email address widely believed to be Snowden’s — though redacted from court filings — a federal judge ordered Levison to give the government his key. With it, agents at the Federal Bureau of Investigation would have been able to unlock the encryption protecting Lavabit, known as secure sockets layer, or SSL. They would have had the capability to read everything, including email content and credit card information, flowing from its 400,000 customers. After months of stalling, Levison turned over his SSL key but shut down his company. Levison took his case to the Fourth Circuit Court of Appeals, and in his opening brief, filed Thursday, his lawyers argued that the order to turn over the SSL key violated Fourth Amendment protections against unreasonable searches and would “eviscerate” the basic purpose of companies trying to provide secure email. It was like “requiring a hotel to turn over a master key to all of its hotel rooms” or “commanding the city of Richmond to give the police a key to every house” in the search for one man, his lawyers argued. “It is unthinkable that Congress would have given the government the authority to seize keys that would make it possible to intercept all of Lavabit’s communications with all of its customers — communications that the customers have been told are private against exactly that kind of secret surveillance — except in the clearest possible words,” wrote Jesse Binnall, Levison’s lead attorney.

A former freelance computer programmer who launched Lavabit in 2004, Levison is happy to acknowledge the many government subpoenas with which he has complied. Lionized by many Internet-freedom advocates for shutting down Lavabit rather than let the FBI spy on what was almost assuredly Snowden’s email account, he had been willing to give the government most of Snowden’s data until prosecutors doomed his business anyway. “It didn’t start off ideological,” he said recently in New York City, where he had arranged a weekend sprint of interviews with eager reporters. “I’m not anti-government. But I’m pro-freedom.” Until a few months ago, during what Levison and privacy advocates call the Summer of Snowden, Lavabit’s popularity was limited to a corner of the online universe inhabited mostly by privacy fanatics, software engineers, and the odd criminal or political activist. But Lavabit’s paying users, who spent between $8 and $16 a year for extra storage space, were enough to employ Levison full time out of home offices in Dallas, where he still lives with Princess, his Italian greyhound mix. That summer, when the privacy fanatics began to look less fanatical and more prescient, the number of people seeking Lavabit’s extra security surged. Instead of registering 100 to 200 new customers a day, there were 4,000. Just as quickly, it fell apart. In May, weeks before Snowden’s leaks became public, an FBI agent left his business card on a windowsill next to Levison’s front door. By August, Levison would be summoned to the Eastern District of Virginia, the Justice Department’s home turf, where he was threatened with contempt of court and a $5,000-a-day fine and gagged by a judge’s order that sealed his entire case. SSL keys are, in the world of computer engineering, the crown jewels of an online enterprise. When you shop, bank or send an email on your computer, you are often unknowingly relying on the protection of SSL encryption. It is almost ubiquitous in 21st-century commerce. Companies such as Apple, Amazon and Gmail use SSL to prove to your computer that they are who they say they are and to protect the information you exchange with them. They are required, by industry standards, to alert the companies that certify their SSL encryption if their keys ever fall into the hands of a third party. When a tiny icon of a padlock appears in your Web browser, it is because the site you are accessing is using SSL to encrypt what you are doing — to make sure that only you and your bank know that you have just deposited your grandmother’s $100 birthday check into your savings account or donated to an activist in the Middle East. Levison’s key would have unlocked everything. Though both the FBI and NSA put serious effort into breaking SSL keys and other types of encryption with brute computing force, it is not easy, and programmers regularly invent longer and more complicated codes. The NSA has found that it is more efficient to get around the problem, often by using a variety of methods to find and store the secret keys when their owners leave them unsecured.

After Levison gave the FBI the keys and shut down Lavabit, he wrote on his website that he had been forced to choose between leaving his business or becoming complicit in crimes against the American people.