
I was forced to shut down Lavabit (2014) - ageofwant
https://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email
======
cesarb
IIRC, the Lavabit case was one of the reasons (and perhaps the strongest one)
for the current push towards forward secrecy cipher suites in TLS (with TLS
1.3 even having them as the only option).

Since Lavabit used the older RSA key exchange, instead of a DHE key exchange,
the private key they were forced to hand over could decrypt all past HTTPS
connections. With forward secret (DHE/ECDHE) key exchanges, the private key
can only be used to impersonate the server; it cannot be used to decrypt any
past (or future) HTTPS connections.

Had Lavabit used DHE/ECDHE, they would have nothing to give. Even adding a
backdoor to their servers (or a MITM logging middlebox) would gain nothing,
unless the target logged in after it was installed. They would be able to
simply respond "we have nothing useful to give" and be done with it, like
recently happened to Whispersystems.
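
As an added example (not part of the comment above, nor any project's own code): a small Python check that sorts explicit TLS suite names by whether they use the ephemeral DHE/ECDHE key exchange the comment describes or the static RSA exchange. It goes beyond the comment by also handling IANA-style names and static ECDH; `ALLOWED`, `OPENSSL_KX`, `key_exchange`, `audit` and the sample cipher string are constructed for illustration.

```python
# Added example: audit explicit TLS suite names for forward secrecy.
# Selector keywords such as HIGH or !aNULL are not expanded here.

# Key-exchange labels that give an authenticated ephemeral exchange.
# TLS 1.3 names carry no key exchange; it is (EC)DHE unless a PSK-only
# resumption mode is negotiated, which the suite name cannot show.
ALLOWED = {"ECDHE", "DHE", "EDH", "TLS1.3"}

# Prefixes OpenSSL puts on a suite name when the exchange is not static RSA.
OPENSSL_KX = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"}


def key_exchange(suite):
    """Return the key-exchange label of an IANA or OpenSSL suite name."""
    s = suite.strip().upper()
    if s.startswith("TLS_"):
        if "_WITH_" not in s:
            return "TLS1.3"                      # e.g. TLS_AES_128_GCM_SHA256
        # IANA form: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
        return s[4:].split("_WITH_")[0].split("_")[0]
    first = s.split("-")[0]
    # OpenSSL omits the prefix for static RSA key exchange, e.g. AES128-SHA.
    return first if first in OPENSSL_KX else "RSA"


def audit(cipher_list):
    """Split a colon-separated suite list into (ok, flagged) pairs.

    Flagged suites lack an authenticated ephemeral exchange; with static
    RSA, recorded sessions can be decrypted once the server key is disclosed.
    """
    ok, flagged = [], []
    for name in filter(None, (c.strip() for c in cipher_list.split(":"))):
        kx = key_exchange(name)
        (ok if kx in ALLOWED else flagged).append((name, kx))
    return ok, flagged


# Constructed sample, in the style of an nginx ssl_ciphers value.
SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128-SHA:"
          "TLS_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA:"
          "ECDH-RSA-AES128-SHA")

if __name__ == "__main__":
    ok, flagged = audit(SAMPLE)
    for name, kx in flagged:
        print(f"remove {name} (key exchange: {kx})")
```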

~~~
spraak
Wow, that's amazing! Do you have a link to share regarding Whispersystems?

~~~
saycheese
Grand jury subpoena for Signal user data, Eastern District of Virginia

[https://news.ycombinator.com/item?id=12635848](https://news.ycombinator.com/item?id=12635848)

------
jonquark
I know it's an old article but re-reading it is worthwhile; it is short and
chilling - how have we ended up in a dystopian present where the ability to
perform bulk surveillance is demanded and ruled upon in secret court rooms (in
the UK where I am based the situation is even worse!).

I have never found myself in the situation that Ladar Levison describes but I
wonder (and fear) whether I would have the courage to shut down my business on
a matter of principle like that.

~~~
lmm
The only reason he had to shut down or provide bulk access is because he had
built it without a system to provide specific access.

You might believe the government should never be able to access private
communications at all, but that would be a quite extreme position. In this
case they had a (presumably legitimate) warrant for access to a specific
user's emails (and while it shouldn't affect the principles at issue, it
focuses the mind to remember that this was a child porn case IIRC).

~~~
waterphone
No, it was Ed Snowden's email account.

~~~
at-fates-hands
This was recently confirmed:

[https://www.wired.com/2016/03/government-error-just-revealed...](https://www.wired.com/2016/03/government-error-just-revealed-snowden-target-lavabit-case/)

 _But federal authorities recently screwed up and revealed the secret
themselves when they published a cache of case documents but failed to redact
one identifying piece of information about the target: his email address,
Ed_Snowden@lavabit.com. With that, the very authorities holding the threat of
jail time over Levison’s head if he said anything have confirmed what everyone
had long ago presumed: that the target account was Snowden’s._

------
desbest
What I don't like is how the government demands to wiretap EVERY person's
account regardless of there being no suspicion of crime in every account. How
can that be justified? To stop future whistleblowers?

It reminds me of the Investigatory Powers Act in Britain which demands ISPs to
log everyone's internet browsing history and the end of end-to-end encryption
as all encryption will have to have backdoors.

All that will happen, is that anonymous email providers will move to countries
which are privacy friendly. It's a game of whack a mole. There's already
Sigaint which is an anonymous email provider which is hosted on Tor. I'll be
using Sigaint, offshore hosting and I2VPN when I launch my anonymous website.

~~~
lmm
> What I don't like is how the government demands to wiretap EVERY person's
> account regardless of there being no suspicion of crime in every account.
> How can that be justified? To stop future whistleblowers?

The article is giving a one-sided account. The government issued a (presumably
valid) warrant to intercept messages on a specific user's account. He had
designed the system such that he couldn't provide that access except by
providing his keys to everything, and at first attempted to bill the
government for building a system that would let him grant access to individual
accounts.

~~~
desbest
No. Lavabit could have programmed a backdoor into their web interface using
the private keys that allows access to only one account, but the US government
wasn't happy with that.

~~~
res0nat0r
Sorry but that is exactly the opposite of what happened.

From the first paragraphs:

> THE U.S. GOVERNMENT in July obtained a search warrant demanding that Edward
> Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that
> protected all web traffic to the site, according to newly unsealed
> documents.

> The July 16 order came after Texas-based Lavabit refused to circumvent its
> own security systems to comply with earlier orders intended to monitor a
> particular Lavabit user’s metadata, defined as “information about each
> communication sent or received by the account, including the date and time
> of the communication, the method of communication, and the source and
> destination of the communication.”

[https://www.wired.com/2013/10/lavabit_unsealed](https://www.wired.com/2013/10/lavabit_unsealed)

------
jakubp
Whenever I read a story about the US justice system here on HN, it almost
always includes an incredible level of harassment towards peaceful, (usually)
law-abiding citizens.

In this particular case I was surprised (as a European) that one can be
summoned to a court outside of their home town. In my country it's unthinkable
that someone from another city could sue me and expect me to go there for a
court hearing. I'm sure there are exceptional cases where someone might be
summoned, say, to the capital, but AFAIK this would be a very unusual case.

Little things like this - lies, misrepresentations, pressure; I am more scared
of police and other agencies when I think of visiting the US than I am of
criminals. Unsettling.

~~~
joatmon-snoo
> that one can be summoned to a court outside of their home town

Generally it is very hard to do this. The U.S. actually has two levels of
court systems: state (each state has their own judicial system) and federal
(for cases involving federal law, agencies, and so on - IANAL so I don't
actually know the full list). This rapidly gets obscenely complicated when you
think about the fact that some people live in one state but work in another,
about how you might handle an accident on a road trip to Disneyland, or even
about how states can tax businesses that operate online, say through Amazon.

In many cases you have to file in a region convenient for the defendant to
respond.

Federal court, even at the lowest levels, is serious stuff. Combine that with

- the NSA,
- implications for national security, which means everyone with a title and
  everyone who wants one is going to raise a hullaballoo, from the Department
  of State to the Department of Defense to the Department of Homeland
  Security,
- countries around the world being _pissed_, and
- the FBI, with explicit directives to capture Snowden,

and what you get is a _very_ well-oiled political and bureaucratic machine
moving far faster than it normally would. Now, as a disclaimer, I have
absolutely no experience with federal cases, but in the state civil cases that
I saw when I interned at a small law firm, it was perfectly common for
components of the judicial process to take weeks; it takes _months_ and
egregious conduct to be found in contempt.

I was going to say that I suspected the case went to a specific subject-matter
court (yes, if you have a case dealing with a specific topic X, it's possible
- highly unlikely but possible - that you may have to deal with a subject-
matter court), but after doing some fact-checking
([https://www.wired.com/2013/10/lavabit_unsealed/](https://www.wired.com/2013/10/lavabit_unsealed/)),
it seems the suit was raised in the Eastern District of Virginia. I'm not sure
exactly what it was that gave V.A. E.D. original jurisdiction over such a
case, but I'm sure someone better versed in this could provide a better
answer.

------
herbst
And this is why I don't care how secure someone claims to be when they are
based in the U.S.

~~~
imaginenore
That's why whenever someone recommends PrivateInternetAccess as a VPN, I
facepalm.

~~~
ryanlol
They spend lots of money on those recommendations :) Their affiliate program
is probably handing out multiple hundreds of thousands of dollars monthly at
this point, even small blogs earn thousands pushing them.

~~~
herbst
So like why the world "loves godaddy". If people just would do their
homework...

------
otalp
A good alternative present today is
Protonmail ([https://protonmail.com](https://protonmail.com)). Aside from being
secure and their encryption being open source, their servers are also in
Switzerland and subject to Swiss laws.

~~~
rsync
"A good alternative present today is ... (blah blah I don't run a mail
server)".

No, that's not a good alternative. None of them are. The "good alternative" is
to run your own mailserver on a physical piece of hardware, under a business
name, not at your house.

Technically speaking, it's child's play, so that's not a barrier. It does cost
something to rent 1U of space somewhere but if you shop around and pay
annually, etc., it's bearable.

What you gain is huge:

1\. Subpoenas/letters/writs go to _you_ and _you_ get to decide how to respond
to them. You're the operator.

2\. By _you_ I mean _your business entity_ which is a PO BOX somewhere. Not
your house.

3\. You get to control retention and encryption and certificates and security
features.

4\. Finally, instead of being a consumer/viewer of "the web" you get to be a
peer on the network. For some people this will be truly using the Internet for
the very first time.

~~~
sfifs
> 1\. Subpoenas/letters/writs go to you and you get to decide how to respond
> to them. You're the operator.

You're assuming here that the executive will actually follow the full due
process of law vs. "we raided X address on suspicion and grabbed a few
servers". Not true in many parts of the world and having email encrypted and
stored in a different jurisdiction may be safer.

------
jmnicolas
Back then I thought Snowden made a difference, but 2 years later I believe the
situation is even worse than before.

Microsoft even managed to add telemetry on Windows 7, 8 and 10 without much
push-back and stores your Office docs automatically on their cloud.

------
merricksb
See also: there was a big discussion on HN when this article was published
over 2 years ago:

[https://news.ycombinator.com/item?id=7774158](https://news.ycombinator.com/item?id=7774158)

------
wonderlusts
Ladar spoke about the case at length recently, once the 3 year gag order
expired - [https://www.youtube.com/watch?v=g_lN-RAfzRQ](https://www.youtube.com/watch?v=g_lN-RAfzRQ)

------
ptspts
This is old news, the article is more than 2 years old (from May 2014).

