
In Lavabit Appeal, U.S. Doubles Down on Access to Web Crypto Keys - ghosh
http://www.wired.com/threatlevel/2013/11/lavabit-doj/
======
igravious
“After knocking on his door, FBI special agents witnessed Mr. Levison leave
the rear of his apartment, get in his car, and drive away.”

Maybe his car was parked out rear?

Maybe he needed milk?

Maybe the local convenience store wasn't within walking distance?

I'm just saying that we needn't jump to any hasty conclusions. This does look
mighty suspicious though.

Seriously though. Ladar Levison acted contra to his own best interests and in
alignment with _all_ of our best interests in thwarting the FBI's attempts at
quickly locating and apprehending Edward Snowden. Whatever we may think about
Dark Circle it is clear that his heart is in the right place. I wouldn't have
the ability and guts to do what he has done and I praise him for it. Yes, he
could have designed his previous system better, seems like he's going to try
harder next time. We should help.

~~~
malandrew
The interesting thing here is if there exist conditions under which you can
just disappear such that it is impossible to subpeona you. For example, if
they had contacted him prior to serving a notice from a judge and he expected
to receive a subpeona soon or eventually, what stops him from simply leaving
town for a while on a fishing trip or to visit family and conveniently
returning when its been long enough that getting the information is of much
less use?

~~~
thaumasiotes
It was my impression that an incorporated company is required to have a
registered point of contact. A sole proprietor wouldn't be subject to that
requirement, obviously, but most enterprises are not operated as
proprietorships.

~~~
ensignavenger
That point of contact does not have to be available 24/7/365.

~~~
malandrew
Is that point of contact required to be able to be able to handle
unconstitutional law enforcement requirements like NSLs? The only person that
needs to "disappear" is the person who can satisfy the requirements of an NSL.
i.e. the person with the SSL cert and password.

~~~
thaumasiotes
Disclaimer: I have absolutely no idea what I'm talking about. _Every single
thing in this comment_ is speculation.

That said, I wouldn't be at all surprised to see the following features in the
system:

\- Point of contact must be available during normal business hours.

\- If the point of contact is not able to handle a particular request from the
government, the company is legally responsible for making someone who can
available, within a reasonable window of time after the contact point gets the
request.

\- I don't see that the employees can be subject to a legal requirement to
appear, or be located anywhere in particular, or be reachable by any means.
But the company can.

\- I'm pretty sure whether or not the law enforcement requirements are
putatively unconstitutional makes no difference.

------
leeoniya
"That other information not subject to the warrant was encrypted using the
same set of keys is irrelevant"

Oh, that makes sense...said no one ever.

Let's trust our involuntarily-transparent government not to go on a fishing
expedition through troves of data that users intentionally chose to encrypt,
and then not find justification to get warrants against them for other reasons
that can bring the investigation full circle. /s

~~~
res0nat0r
Except there is no evidence of any fishing happening in this case.

~~~
leeoniya
let's say he gave them the SSL keys. how would anyone ever prove afterwards
what they did with the decrypted info?

evidence of this type of official misconduct doesn't exist except through
leaks which (i imagine) as far as the law is concerned is pretty far from
admissible evidence.

~~~
res0nat0r
The unrelated evidence in this case (from other users) just can't be used in
court, they need probable cause. In this case there is no probable cause to
arrest Joe Blow for a crime, this was all about getting to Snowden.

~~~
leeoniya
i think you're missing the point. having the SSL keys would give them access
to all users' decrypted data, not just Snowden's. If Joe Blow happens to have
an undeclared overseas bank account at Bank Foo, with account #1234 which can
be seen from decrypted emails, then the FBI can investigate this "anonymous
tip" overseas with no probable-cause requirement, then arrest Joe Blow for tax
evasion. the origin of the tip would not ever need to be disclosed, they will
just have gained knowledge of this bank account. afterwards, they can say "we
have knowledge that Joe Blow has undeclared offshore funds, let's get a
warrant for his email"...and so we have an illegally gained tip, used to get
legal access to his whole email account.

Anonymous tips have been used to procure search warrants in specific
circumstances [1], i'm sure there's no shortage of lawyers who can convince a
judge, "cause 9/11!"

[1] [http://gambonelaw.com/dealing-with-anonymous-tips-and-
confid...](http://gambonelaw.com/dealing-with-anonymous-tips-and-confidential-
informants/)

------
belorn
If it becomes the official policy in U.S. that companies must provide the
government with keys, passwords, and broad proprietary information related to
system design, this will have an effect on the IT industry. Its the key escrow
thing all over again.

Companies has a few option: Implement perfect forward security and see
government create laws to counter it. They can also move the data centers to
countries without key escrow laws.

~~~
dingaling
They can also implement discrete per-customer cryptographic solutions, so that
if they receive a warrant for the data and traffic relating to Customer-X then
they don't have to compromise all their other customers.

It'll cost more to set-up and run, but the benefit is that your business won't
go down the drain when the warrant arrives.

~~~
belorn
Thats a set-up that not even the military deploys, or banks for that matter.
Its arguable also in the same league of PFS, as the government could easy just
issue general warrants or alternative create laws that does the same.

~~~
ds9
You probably intended only a descriptive term, but fittingly the Americans'
opposition to what was called the "general warrant" was precisely what led to
the 4th Amendment to the US Constitution. [1]

But you are correct that this is the likely outcome, now that the rule of law
is essentially dead in the US.

1\. See, e.g., [http://legal-
dictionary.thefreedictionary.com/Fourth+Amendme...](http://legal-
dictionary.thefreedictionary.com/Fourth+Amendment), "The Framers drafted the
Fourth Amendment in response to their colonial experience with British
officials, whose discretion in collecting revenues for the Crown often went
unchecked. Upon a mere suspicion held by British tax collectors or their
informants, colonial magistrates were compelled to issue general warrants,
which permitted blanket door-to-door searches of entire neighborhoods without
limitation as to person or place. The law did not require magistrates to
question British officials regarding the source of their suspicion or to make
other credibility determinations.

"The writ of assistance was a particularly loathsome form of general warrant.
The name of this writ derived from the power of British authorities to enlist
local peace officers and colonial residents who might "assist" in executing a
particular search."

~~~
belorn
I was referring to how the National Security letters has been used.

Stories like the court order requiring Verizon to turn over records of every
call "on an ongoing daily basis", or any of the many times when a blanket
searches and seizures has happen to people or their property. Their numbers
are so great that many lawyers and professors openly state that the 4th
amendment do not exist anymore.

------
betterunix
"Marketing a business as 'secure' does not give one license to ignore a
District Court of the United States"

Which is why we should always prefer technical approaches to resisting
surveillance. Promising that you will not compromise user privacy is pretty
weak.

------
Fuxy
“After knocking on his door, FBI special agents witnessed Mr. Levison leave
the rear of his apartment, get in his car, and drive away.”

What leaving the rear of the apartment is against the law after being visited
by the FBI?

Anybody else think the FBI is trying to paint an image of Ladar Levison as the
typical movie bad guy here?

I get where the government is coming from he went a little overboard resisting
them but getting the SSL certificate for the entire website for 1 guy is
unacceptable and if they don't agree they don't understand the internet.

------
res0nat0r
At least Poulsen is sticking with the facts:

> A U.S. email provider can promise its users all the security and privacy it
> wants; it still has to do whatever it takes to give the government access.

Correct.

Again: Just because Lavabit designed its security in a shitty manner to make
it easier for end users, doesn't mean he can somehow wave his hands and claim
"but but but but, I've designed this system such that you will be able to also
read other peoples emails whom you've not subpoenaed. That is against my
mission statement!".

Sorry bud.

~~~
Amadou
_doesn 't mean he can somehow wave his hands and claim "but but but but, I've
designed this system such that you will be able to also read other peoples
emails whom you've not subpoenaed. That is against my mission statement!"._

Sure it does. If the police want to do something that impacts a very large
number of innocent bystanders they need to have a higher level of
accountability than if they just want to target one specific individual. For
example it is unreasonable to search every house in a neighborhood in order to
arrest one guy who owns a house there.

~~~
XorNot
Yeah except that's not how it works. The police/law enforcement/courts can
simply get a warrant which says they're allowed to look at exactly 1 guys
email, and you are to provide decryption keys.

You don't get to play "well I don't trust the government so I'm not going to
let you" against the courts if the relevant parties promise they're not going
to look at anything else - since amongst other things that would actually be
breaking the law, and whatever they get would be inadmissible under various
umbrellas - they certainly couldn't build a case off of it.

~~~
amirmc
You might want to look into parallel construction.

"Parallel construction is a police process of building a parallel - or
separate - evidentiary basis for a criminal investigation which otherwise
would rely upon evidence or tips received either from a confidential source or
that might fall under the category of fruit of the poisonous tree. By building
a separate evidentiary basis for an investigation, such as corroborating
evidence using other resources or finding other valid reasons to investigate,
prosecutors are able to avoid disclosing confidential or otherwise unusable
evidence." (From:
[http://en.wikipedia.org/wiki/Parallel_construction](http://en.wikipedia.org/wiki/Parallel_construction))

~~~
XorNot
Yes. Note the important point though: it's based on the fact that a crime has
other sources of evidence which would independently confirm a crime if they
are found, which would be legal to pursue if they were discovered by other
means.

i.e. the murder victim, the weapon and the security tape you buried in the
local national park. The police might not find them, but they also don't need
a search warrant to go looking.

Claiming you should for some reason be above the law entirely is absurd - the
general point is to provide protection from stuff like "thought-crime"
prosecutions, or at least a warning sign if that would otherwise be a thing.

------
pixelcort
I somewhat wish this case was a simple secret order and immediate subsequent
self shutdown of a service, to test in court whether shutting down a service
would be legal when presented with such an order.

------
frank_boyd
TL;DR

> A U.S. email provider can promise its users all the security and privacy it
> wants; it still has to do whatever it takes to give the government access.

~~~
MagicWishMonkey
Not necessarily, it is not at all clear that the government has the authority
to demand a private business surrender SSL keys. Such an could very well be in
violation of the 4th amendment.

You are correct, in that the government does have the authority to demand
information on a specific person, but due to how Lavabit was designed that
information was encrypted in such a way that only Edward Snowden could provide
the password for decryption.

In most systems data is stored in plain text (or encrypted with a cipher key
known by the system administrator), so surrendering data in readable form is
not an issue.

------
tehwalrus
Well, they've played their cards, let's see which way the judge comes down.

------
marshray
Can someone explain how this represents the US attorneys "doubling down"?

