
Gag Order on Lavabit’s Levison Lifted - nullspace
https://www.facebook.com/KingLadar/posts/10157136844775038
======
Timothycquinn
This news is definitely a win for humanity. Ladar and Edward, we need more
people like you. Thank you!

For those who don't want to read blog posts on Facebook, here is a well written
piece on this: [https://techcrunch.com/2016/06/24/ladar-levison-finally-conf...](https://techcrunch.com/2016/06/24/ladar-levison-finally-confirms-snowden-was-target-of-lavabit-investigation/)

------
mzarate06
Great news of the gag order being lifted, and to hear from Levison himself.

Although in regard to the post title (which has since been changed) indicating
Snowden was the Lavabit investigation target, here's original discussion from
March:
[https://news.ycombinator.com/item?id=11308160](https://news.ycombinator.com/item?id=11308160)

------
c-slice
When the court forced him to turn over the SSL private key for lavabit's
servers, Ladar submitted the private key in minuscule font on like 30 printed
pages. The gov was not pleased. Mad respect for Mr. Levison. Glad to hear the
gag was lifted.

------
andrepd
It's a bit ironic how news about such a topic as this is posted on
facebook...

------
joshka
Replace title with: "Gag Order on Lavabit’s Levison Lifted After Three-Year
Battle" perhaps?

~~~
dang
Ok, we'll use that.

------
peterkshultz
No surprise here. Snowden knew he was the target as soon as Lavabit got shut
down.

~~~
orik
I think the attack vector (getting ssl/tls keys) the government was going
after was a surprise. I had thought they would have requested access to the
servers.

~~~
neopallium
Either they had captured packets from Lavabit that they wanted to decrypt, or
they wanted to be able to decrypt all traffic to/from Lavabit.

With how much traffic the NSA was collecting and archiving during that time,
it is very likely that they had captured traffic that they thought might
contain messages to/from Snowden.

~~~
pedrocr
Hopefully Lavabit was using TLS with forward secrecy making this impossible:

[https://en.wikipedia.org/wiki/Forward_secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)
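
An added example, not part of the original comments: whether a disclosed server key can decrypt previously captured TLS traffic depends on the key exchange the sessions negotiated, so the sketch below flags cipher suites that lack an ephemeral (EC)DHE exchange and audits an `ssl.SSLContext` for them. The function names and the sample suite list are constructed for illustration.

```python
import ssl

# Key-exchange prefixes that use ephemeral Diffie-Hellman (OpenSSL and IANA naming).
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_ECDHE_", "TLS_DHE_")


def is_forward_secret(suite: str) -> bool:
    """True if the named cipher suite negotiates an ephemeral key exchange."""
    name = suite.upper()
    # TLS 1.3 suite names carry no key exchange (no "_WITH_") because every
    # full TLS 1.3 handshake uses ephemeral (EC)DHE.
    if name.startswith("TLS_") and "_WITH_" not in name:
        return True
    # Everything else (static RSA key transport, static DH/ECDH, unknown
    # names) is conservatively reported as not forward secret.
    return name.startswith(EPHEMERAL_PREFIXES)


def non_forward_secret(suites):
    """Suites whose recorded sessions the long-term private key could decrypt."""
    return [s for s in suites if not is_forward_secret(s)]


def audit_context(ctx: ssl.SSLContext):
    """Names of enabled suites in ctx that lack forward secrecy."""
    return non_forward_secret(c["name"] for c in ctx.get_ciphers())


def forward_secret_server_context() -> ssl.SSLContext:
    """Server context restricted to ECDHE suites with AEAD ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample list mixing OpenSSL and IANA names.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA",
    "AES256-SHA",                    # static RSA key transport
    "TLS_RSA_WITH_AES_128_CBC_SHA",  # static RSA key transport
    "ECDH-RSA-AES128-SHA",           # static ECDH
    "TLS_AES_128_GCM_SHA256",        # TLS 1.3
]

if __name__ == "__main__":
    print("not forward secret:", non_forward_secret(SAMPLE_SUITES))
    print("restricted context:", audit_context(forward_secret_server_context()))
```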

------
ekianjo
While it's an official confirmation it was already very clearly mentioned
several months ago.

------
redouane
Already known, I believe it was leaked due to a non-redaction (by mistake) of
a released document.

~~~
gsmethells
I concur. This is old news.

~~~
imron
The gag order being lifted is new news.

------
runesoerensen
Also
[https://news.ycombinator.com/item?id=11308160](https://news.ycombinator.com/item?id=11308160)

------
Pyxl101
> The original case concerned law enforcement’s authority to compel the
> disclosure of an SSL/TLS private key, which belonged to Lavabit, and was
> used to protect the communications of all 410,000 customers, when only one
> of those customers was the subject of a criminal investigation.

No, not completely true. From what I recall about the case, law enforcement
asked Lavabit to eavesdrop on his communications. I recall law enforcement
claiming that Lavabit had done this before, previously, when asked. Lavabit
balked this time for some particular reason, and ineffectively attempted to
fight the request in immature ways. When asked for digital data, printed out a
bunch of hex or base64 on many reams of paper. Courts frown on this kind of
shenanigans. In this and other ways, Levison engaged with the court in naive,
immature, and ineffectual ways, including by appearing in court without
representation. By failing to make a number of arguments in his defense at
trial, he was consequently unable to revisit most issues on appeal. (You
usually cannot raise new issues on appeal.)

It was only after Lavabit refused to eavesdrop, after receiving a lawful order
to do so, that law enforcement demanded the TLS keys in order to do it
themselves. Lavabit's ineffectual handling of the issue alone was what put the
privacy of the rest of their users at risk.

Lavabit was not a secure service. The site could easily eavesdrop on your
communications at will and decrypt your data. The site simply made a promise
not to store a key based on the user password (if I'm recalling correctly),
but had the technical ability to do so upon each login. Quote from their site:
"Lavabit has developed a system so secure that it prevents everyone, even us,
from reading the email of the people that use it."

The site was not actually secure in the ways that it claimed, specifically the
claims that it was secure against site operators reading your data, and as a
consequence obviously against law enforcement. Lavabit was poorly designed and
dangerously close to snake oil, and I don't think they should be hailed as
having done something venerable by privacy or security advocates. They were
essentially a regular webmail service with a gimmick that allowed them to
claim they were doing something different, without actually doing something
that provided a meaningful security guarantee. This critique by Moxie
Marlinspike includes a detailed substantiation of my statements above:
[https://moxie.org/blog/lavabit-critique/](https://moxie.org/blog/lavabit-critique/)

> The cryptography was nothing more than a lot of overhead and some shorthand
> for a promise not to peek. Even though they advertised that they “can’t”
> read your email, what they meant was that they would choose not to.

(Moxie is behind Open Whisper Systems, the end-to-end encryption system that
was recently integrated into WhatsApp)

There is no way for a webmail provider to ever handle your email in the clear
(such as while sending or receiving it) while claiming not to be able to read
it. The only way for this to be true is with end-to-end encryption with keys
that reside exclusively on client machines.

DarkMail, however, which Levison started contributing to after the shutdown of
Lavabit, does appear to attempt to provide true end-to-end security for email
participants. [https://darkmail.info/](https://darkmail.info/)

~~~
tonmoy
> Appearing in court without representation

From [https://lavabit.com](https://lavabit.com) :

> It took a week for me to identify an attorney who could adequately represent
> me given the complex issues involved – and we were in contact for less than
> a day when agents served me with a summons ordering me to appear in a
> Virginia courtroom (over 1,000 miles from home). Two days later, after
> admitting their demand to my lawyer, I was served a subpoena for the
> encryption keys – also marking the first time they put their demand in
> writing.

With such short notice, my first attorney was unable to appear alongside me in
court. Because the whole case was under seal, I couldn't admit to anyone who
wasn't a lawyer that I needed help, let alone why. In the days before my
appearance I would spend hours repeating the facts of the case to a dozen
attorneys, as I sought someone else that was qualified to represent me. I also
discovered that as a third party in a federal criminal indictment, I had no
right to counsel. Thus my pleas for more time were denied. After all, only my
property was in jeopardy – not my liberty. My right to a “fair hearing” was
treated as a nuisance, easily trampled by a team of determined prosecutors. In
the end, I was forced to choose between appearing alone, or face a bench
warrant for my arrest.

~~~
Pyxl101
A person who is running a business focused on this kind of privacy should have
counsel for their company set up and ready to go. The fact that they didn't
was another sign that the company was unprepared for the business that they
were handling.

I'd expect someone running this sort of business to have an attorney on
retainer who has advised the company of its rights and responsibilities, and
who is ready to provide at least emergency counsel if not trial counsel.

~~~
tonmoy
I don't think Lavabit was that big of a business. They had to shut down just
because of a $10,000 contempt fee.

And even if they didn't have enough foresight to have a regular attorney, it
seems very bullish for the government to try to overwhelm the guy with seven
different court orders in about 30 days. Just because I do not have the
foresight to have an attorney before something like this starts, it doesn't
mean I don't have the right to run my business and neither does it make it any
more acceptable for the government to close it down just because they didn't
get their way.

~~~
vkou
You're erroneously assuming the legal system is intended to work well when
you're not wealthy.

For the same reason, never piss off a retired lawyer. The amount of
asymmetrical pain they can cause you is virtually unbounded.

~~~
Drdrdrq
Are you stating that that's the way it is (because I think parent knows that
already) or that it's OK this way? Cause it's not.

~~~
mjevans
I'll take the view that they are saying:

This is the way things are, and it's not going to change soon.

~~~
tonmoy
The original discussion was if the owner of Lavabit is to be blamed for being
at court without representation, and it was established that he probably
didn't have enough resources/foresight to keep an attorney on call (and should
not be "blamed" IMO). How things are/should be is off-topic in that matter.

------
kordless
> when such opinions are concerned with such a public and controversial issue
> as state surveillance

This is the first rule of state surveillance.

------
exodust
The problem with linking to Facebook posts is that non-Facebook users are now
greeted with a "sign in or sign up" pop-over that cannot be removed and
obstructs the page. This is a relatively recent change. Facebook do not want
to be part of the open web, so don't link to them as if they are.

~~~
RKearney
This is a public wall post by the creator of Lavabit himself. Would you rather
a random third party news site pick it up first before it is reposted here?

I see no problem with Facebook posts if they were created by an authoritative
representative of the discussion and that was the primary point of publication
(i.e. not a Facebook post pointing to their blog, in which case their blog
would be a better place to link to.)

~~~
exodust
Yep and there is nothing wrong with a public wall post up until 2016 when
Facebook decided to restrict read-access to those public pages by way of the
annoying nag prompt. Clicking "not now" doesn't hide the nag prompt enough to
call the page 'publicly accessible'. Sorry to be off-topic on this, but I feel
Facebook is quite arrogant with this behavior, as their users should be in
control of the public status of their posts, not Facebook.

~~~
scrollaway
I'm opening this in incognito mode and have no trouble reading it.

We have a different definition of publicly accessible. You can block the
annoying nag prompt with your ad blocker.

I'm as upset at facebook as you are, but misleading people into not linking to
an original source is a shitty thing to do.

~~~
ominous
I don't see it as shitty. It is simply not complying with the modus operandi
of the owner of the original source (facebook).

I'd rather see [http://archive.is/ffjTe](http://archive.is/ffjTe) or even an
image than to be reminded that facebook wants to be the gatekeeper of content.

I do block these pop ups when I can (ublock). But that means you want the
average user (not using blacklists, not using whitelists, not even using
adblockers) to be reminded that he should login so as not to feel like a
criminal.

Oh wait. The average user has a facebook account and is always logged in.

I am not the average user, I am a specific person.

~~~
kevin_thibedeau
> It is simply not complying with the modus operandi of the owner of the
> original source (facebook).

The author's intent is irrelevant. They are a monetized product sold to
advertisers. Facebook will never act against its own interest of maximizing
the size and salability of its graph network.

~~~
ominous
> Facebook will never act against its own interest of maximizing the size and
> salability of its graph network.

Agreed.

What I meant to say is, if we don't like the aggressive behaviour of "facebook
acting in its own interest to maximize the size and salability of its graph
network", we shouldn't link to facebook URLs.

------
Asooka
Copy-paste for people who do not wish to visit facebook:

Press Release

Gag Order on Lavabit’s Levison Lifted After Three-Year Battle

For Immediate Release: June 24, 2016

Alexandria, VA--Lavabit founder Ladar Levison can finally confirm that Edward
Snowden was the target of the 2013 investigation, which led to the shutdown of
the Lavabit email service. The original case concerned law enforcement’s
authority to compel the disclosure of an SSL/TLS private key, which belonged
to Lavabit, and was used to protect the communications of all 410,000
customers, when only one of those customers was the subject of a criminal
investigation. After three years, and five separate attempts, the federal
judge overseeing the case has granted Mr. Levison permission to speak freely
about the investigation. The recently delivered court decision unseals the vast
majority of the court filings, and releases Mr. Levison from the gag order,
which has limited his ability to discuss the proceedings until now.

Mr. Levison has consistently relied on the First Amendment in his court
filings, which sought to remove the gag orders entered against him. He argued
that such orders are an unconstitutional restraint against speech, and an
affront to the democratic process. He plans to use his newfound freedom to
discuss the case during a planned presentation on Compelled Decryption at DEF
CON 24 in Las Vegas, NV.

“One of the rights guaranteed to Americans, and a cornerstone for a functional
democracy, is the freedom to speak the truth,” stated Mr. Levison in
announcing the court decision. “The First Amendment protects opinions,
including those unfavorable to government, from injunctions against speech.
The gag orders in this case were a violation of that inalienable right. No
American should have to live for three years, gagged, with every word
carefully weighed, when such opinions are concerned with such a public and
controversial issue as state surveillance. I believe the public only grants
permission to be governed when it knows the means and methods its government
uses to protect the body politic. While I'm pleased that I can finally speak
freely about the target of the investigation, I also know the fight to protect
our collective freedom is far from over. That is why I will continue to do
everything within my power to protect our right to speak freely and
privately. We must decide when speech is necessary. Our rights must never be
subject to the whims of those officials we seek to criticize.”

In order to continue the fight, Mr. Levison is forming the Lavabit Legal
Defense Foundation (or “LavaLegal”), a non-profit organization founded to,
among other things, protect service providers from becoming complicit in
unconstitutional activities, and fight secret attempts aimed at circumventing
digital privacy or impinging upon the right of those involved to speak of the
experience. The foundation will be funded by donations from people and
organizations all over the world that want to help protect digital privacy and
bolster our collective defense against government overreach. Donations can be
accepted at the foundation’s rally.org page or through bitcoin donations at
1Bqqy3SxZ27ZUogEeiKHYqPsmFwuRTErMu.

For more information contact Lavabit founder Ladar Levison or Lavabit’s
counsel, Jesse Binnall.

------
Steeeve
What year is it? This was widely known a long time ago.

~~~
digler999
it's the year you should start reading the article before you comment.

