
Lavabit appeal confirms original ruling [pdf] - poulson
http://pdfserver.amlaw.com/nlj/lavabit-usca4-op.pdf
======
pdabbadabba
Note that this opinion rests almost entirely on the fact that Lavabit/Levison
failed to raise any of his legal arguments before the trial court. Any lawyer
can tell you that, if you want a court of appeals to consider a legal issue,
you have to raise it before the lower court first to give them a chance to
rule and to develop a record for the court of appeals to review. I'm sure
there are those out there who will want to make this into a major privacy
ruling, but it just isn't.

~~~
ISL
Is an unconstitutional act acceptable if a defendant's defense is sub-par?

~~~
pdabbadabba
No. The problem, though, is that it is difficult for a court of appeals to
determine whether an unconstitutional act occurred when a party does not raise
the concern before the lower court. A court of appeals does not collect
evidence and is constrained by the factual record developed below. I don't
think we would be better off if courts of appeals resolved a constitutional
issue without the issue's having been thoroughly investigated and litigated.

In considering this, remember that the record might sometimes be deficient in
ways that the court of appeals cannot identify on its own. And it seems likely
that inadequate development will cause courts of appeals to get things wrong as
often as it permits them to get things right despite the procedural
"technicality."

~~~
ISL
Hm. Is there provision for, "Gee, it sure looks like important investigation
may not have occurred in this case, perhaps it should be revisited"?

    
    
      catch( DefenseDidNotDoSomethingImportantException e ){
         Case.Retrial();
      }
    

As a defendant (or coder), you don't want to have to rely on exception-
handling to save you from error, but as a citizen, I'd like to prevent
technicalities from blinding our judicial system to proper consideration of
major issues. Technicalities are often there for a reason (as this one is),
but that shouldn't stop us from getting at the heart of an issue.

~~~
saraid216
Really, this is a case for legislation. The judiciary is responsible for
comparing fact and action against agreed and applicable law. The "proper
consideration of major issues" is why we have legislation: we're supposed to
do this consideration _before_ laws are passed. That's why it takes so much
effort to pass a law; it provides time for such consideration. That's where
the allowance for filibusters came from: if someone has another angle to bring
to bear on a subject, you will goddamn consider it even if it takes a hundred
hours.

The judicial system is thus, in a sense, the very exception-handling system
you want. It's catching exceptions called "Oh shit, we didn't think of this
case and we need to decide consequences _now_ ".

~~~
ericcumbee
Which goes back to Chief Justice Roberts' statement on the ObamaCare ruling.
“It is not our job to protect the people from the consequences of their
political choices,”

------
otterley
Levison should have hired a competent and experienced attorney the day the FBI
contacted him. The errors and failures cited in the appellate opinion are ones
that nearly any attorney that passed a Bar Exam wouldn't have made.

~~~
elliotz
With emphasis on experienced - Levison was represented for a bit by a business
attorney. He may have passed the bar, but he was completely inexperienced in
federal criminal cases.

~~~
jethro_tell
He was, but I think he only had representation after day 10 or something. The
first few days he was way out of his element. I think his business attorney
was experienced enough to get someone else on the case as well since it was a
bit out of his domain.

------
tptacek
The more I read about the case, the less happy I am about having donated to
Levison.

Pages 8-12 of this decision convey a narrative about Levison's handling of the
FBI requests. In particular, they detail an escalation that Levison himself
provoked:

* The DOJ reached out demanding metadata regarding (presumably, and let's just stipulate) Snowden's use of Lavabit.

* Levison rejected the request, on the auspices that Snowden had enabled the "storage encryption" feature of Lavabit.

_Here it's worth knowing that Levison had previously complied with similarly
narrow requests._

* Levison confirmed to the DOJ that he had the ability to circumvent the storage encryption.

* The DOJ responded to that concession by doing exactly what anyone would have expected them to do: they escalated their demand to include the decrypted Snowden data.

* The DOJ spent _eleven days_ trying to meet with Levison, who stonewalled them; Levison "ignored the FBI’s repeated requests to confer".

* Only upon being threatened with a contempt citation did Levison actually enter a productive discussion with the DOJ.

* Four days after being threatened with contempt, Levison presented the DOJ with a proposal to charge the DOJ $2000 to design and implement his own pen/trap system which would provide data to the DOJ _only at the conclusion of the order's time window_, with timely updates being provided only at Levison's discretion and only with an additional charge attached.

* Only _after_ this sequence of events does DOJ demand the TLS keys that would have compromised all Lavabit users' activities.

Levison's attorneys and the DOJ litigated the question of whether the pen/trap
order required him to cough up his TLS keys. But that only happened after
Levison did his best to deter the DOJ from collecting information about
Snowden. As evidence for this: the DOJ eventually did install a pen/trap
device of some sort, without the TLS keys, and attempted to use it to collect
evidence. Had Levison complied with the DOJ productively from the beginning,
he probably could have worked with them to produce the information they
required without compromising the rest of his users.

I already had a problem with Lavabit as an inept and dangerous privacy
solution (you can obviously see that it was; Levison was trivially able to
subvert the privacy of all of his users, and was eventually forced to do so).

But almost as bad as that is his handling of the legal situation here. Read
the language of the decision carefully and you'll see that had Levison simply
begun this process with his proposal, minus the time lag problem, but perhaps
even including the price tag, he might have had that solution accepted!
Instead, he seems to have seized an opportunity to poke a giant bear with a
stick. The bear then ate him and his users.

_Later: Also, bad facts make bad law. Great to see that we now have more case
law establishing that pen/trap orders demand TLS keys._

~~~
higherpurpose
I agree that legally, Levison probably made a mistake by stonewalling DoJ.

However, I worry about what losing this case means in the grand scheme of
things. DoJ's argument was that they should be able to get the _key_ to
decrypt all e-mails for all of Lavabit's users, and the Court says that's fine
because the government "wouldn't" use the key for anything other than the
"target" - which seems like a ridiculous and incredibly reckless argument
post-Snowden.

Would Google just hand over the key to all of their Gmail users? Let's imagine
they weren't using PFS - or let's imagine they were asking Microsoft for the
Outlook key, instead.

~~~
mpyne
> Would Google just hand over the key to all of their Gmail users?

No, Google would comply with the narrow, specific warrant the first time.
Again, it bears repeating that the _only_ reason DoJ asked for the master key
in the first place is because Levison refused to comply with the narrow
requests. If Levison wouldn't do it, then the government would figure it out
on their own, but the only reason this situation even came up is because
_Levison wouldn't do it_.

Not complying with a narrow and specified warrant is highly hypocritical,
especially in this case since Snowden's initial claims were entirely about
wanting the NSA to have to have specific warrants for their searches instead
of using broad search authorities. But when push came to shove and the
government presented a narrow and specific warrant, of a type Levison had
previously honored, all of a sudden that was no longer good enough for this
particular privacy advocate.

~~~
higherpurpose
Wasn't it his right to fight a court order (don't think it was a warrant) like
that? I think Twitter has fought court orders in the past, while refusing to
give the data in the meantime.

I think Levison's mistake was that he did it all by himself, instead of hiring
a lawyer and following the proper procedure for doing that. The government
escalated with a broader request, which I guess was also their right to try
(even if it's wrong), and then Levison tried to fight that with a lawyer, but
I guess it was a little too late for that, and what he did initially
complicated things for his case.

~~~
tptacek
He didn't simply fight the order; he deliberately antagonized the DOJ.

Presumably Twitter's lawyers avoid brinksmanship, knowing that they'll
inevitably lose and, in the process, lose credibility with the court.

------
kijin
Sigh.

Why does every landmark case involving online privacy have to involve
incompetent, unsavory, or sometimes even downright despicable people (e.g.
child pornographers) on the defense side?

In order to force the legal system to take a serious look at the core issues
(whether the Feds can compel a company to produce its SSL private keys,
whether they can compel a man to produce the password to his TrueCrypt drive,
etc.) instead of getting distracted by all sorts of procedural bullshit, the
case needs to have a competent defendant and even more competent counsel who
make no serious mistakes throughout the course of the trial. That's the only
way we're going to get a clear, decisive precedent, because otherwise the
procedural blunders will dominate the legal result.

Levison's failure to contact the EFF or ACLU the moment he received the first
pen/trap order has led us all to waste a lot of time and resources litigating
mostly peripheral issues, and probably caused a lot more hardship for Levison
himself than he ever needed to get into. Meanwhile, we still don't have a
clear idea of what the U.S. legal system thinks about forcing the disclosure
of SSL private keys.

Of course, hindsight is 20/20, so maybe there are adequate explanations for
why he thought it was a good idea to wave a middle finger in the face of the
DOJ.

But in the grand scheme of things in the battle for internet freedom, I think
we just missed a golden opportunity to get the courts to tackle some serious
constitutional issues. Just like in all those other contempt cases where
the TrueCrypt drive in question obviously contained CP, or all those other
surveillance cases where the defendant was a heavy uploader. Assholes,
pirates, and child pornographers have rights, of course, but they usually
don't make effective crusaders.

------
xcyu
"Levison provided the FBI with an 11-page printout containing largely
illegible characters in 4-point type, which he represented to be Lavabit’s
encryption keys"

This made my day.

~~~
marshray
We've all chuckled at the "man pays divorce settlement with truckload of
pennies" stories before.

But this is the story of a guy without good legal representation pissing off
the judge and setting bad precedent that could affect all of us.

------
gonzo
I see this as a cautionary tale about the limits of cloud-storage of anything.
If you really care and you're facing an adversary with subpoena power over
your ISP, the only solution is to ensure the ISP simply never sees the
plaintext. Thus PGP, S/MIME, etc.

------
marshray
I don't see why the court couldn't 'refashion' Levison's statement ...

"[I object] to turning over the SSL keys because that would compromise all of
the secure communications in and out of my network, including my own
administrative traffic."

... into "anything remotely close to a statutory-text-based challenge to the
district court’s fundamental authority under the Pen/Trap Statute"

As a lay person, it sounds like the court wasn't trying very hard.

~~~
peterwoo
It's clear to me, even as a lay person, that Levison's statement does not
refer to any statutory text. Or any legal procedure, etc. On what grounds was
he objecting?

"A party does not go far enough by raising a non-specific objection or claim"

~~~
marshray
Obviously Levison is attempting to argue that the pen/trap statute is limited
to specific information ("metadata") and it does not allow interception of
"all of the secure communications [and] administrative traffic".

That he didn't cite the chapter and verse which this contradicts seems like a
situation where he needed a real defense lawyer.

------
igl
I fought the law and the law won... just started playing in my head.

