
Lavabit Defied FBI Demands to Turn Over Crypto Keys, Documents Show - inglesp
http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/
======
adamnemecek
If you want to support the Lavabit defense fund, you can do so here

[https://rally.org/lavabit](https://rally.org/lavabit)

EDIT: Since I posted the link 30 minutes ago, there is roughly $1200 more in
the fund and I'm guessing that it's mostly from HN. So keep it up.

~~~
3pt14159
How many of us want to help, but are afraid of the consequences?

~~~
jrockway
I want to help, and am not afraid of the consequences. The government is not
going to go after an individual for funding another's defense fund, and if
they do, I guess I used my life for the right reasons.

~~~
smtddr
Yay! That's the jrockway I remember! Just because of this comment, I'm tossing
in $50.

~~~
jrockway
Thanks! I don't think I've ever donated to a legal defense fund, but this one
seemed like a no-brainer.

------
EthanHeilman
"The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized."
[http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_...](http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution)

"particularly describing the place to be searched, and the persons or things
to be seized"

Clearly this is a violation of the 4th Amendment as such a key would give them
the ability to conduct unfettered and "unparticular" searches. A more
targeted, and constitutionally legal, approach would have been to order
Lavabit to use, but not disclose, the private key to decrypt specific emails
from specific people. Given that the police know the public key, they could
verify that Lavabit had supplied correct decryptions.

~~~
Karunamon
Hmm.. the FBI had probable cause to believe Snowden's email contained
incriminating data. Furthermore, targeted pen registers/trace orders aren't
exactly unconstitutional, but combine the way Lavabit is architected with the
scope of the search, and you've essentially given them the keys to the
kingdom.

Are there any older physical parallels to this? What happens if the police, in
the process of securing a lawful warrant, require access to a physical master
key or combination or etc. which would open a great deal more than access to
the suspect's belongings?

~~~
anologwintermut
It appears that the FBI's original request was narrowly targeted to Snowden
and completely above board, warrant and all. It didn't give them the keys to
the Kingdom.

When Lavabit refused to comply, the FBI got more aggressive. Which seems like
exactly what would happen. Think about it. What if the FBI subpoenaed
financial records from a Bank who refuses to open the safe they were in. Well,
the US Marshals are going to show up at the bank with a court order, break open
the vault, and get access to all the records and take the one they want. It's
not an unreasonable search provided there are checks that they only get the
one record they are looking for. In fact, arguably the Bank breached its duty to
its customers by forcing the US Marshals to go through all their records
rather than the Bank doing it itself.

Obviously, it's not so clear in this case since Lavabit apparently finally did
offer to hand over some data, but it is along those lines.

------
jack-r-abbit
At first I was more on the Lavabit side on this. But it is looking more like
they started the whole thing when they defied the initial court order to
provide connection info for that one specific user that was the target of an
FBI investigation. When served with a warrant, you can't just tell them to
fuck off and expect the matter to be over. They will simply go harder... and
not go home. I'm concerned that our outrage over "mass surveillance being used
for fishing expeditions" has clouded our judgment when it comes to "law
enforcement legitimately gathering evidence for an active case against one
specific person." Once they have a person of interest, their job is to
continue to find evidence to bolster their case. That evidence will take
different forms and come from different sources. I have no problems with
companies complying with search warrants and court orders by providing
evidence regarding illegal activity of a particular suspect. This is different
than providing back doors for law enforcement to go _looking_ for suspects.

A commenter on that story makes a good point: Forget for a moment that the
user they were looking for was Snowden. If the FBI had been looking for info
for a case against a serial killer or a child porn ring, would we still hold
Lavabit as heroes for not following the court order?

~~~
riquito
Lavabit didn't know who they were protecting. This has merit.

~~~
jack-r-abbit
But they knew they were protecting someone under investigation for _violations
of the Espionage Act and theft of government property_. It seems kind of
shitty to not help find that person.

~~~
generj
Yeah, because in the time frame this was going down, it would have been a
totally unreasonable assumption that someone matching those particular crimes
described Edward Snowden.

Of course they knew who they were looking for - it was necessary for that to
be disclosed in order for the government to even demand the information in the
first place. That's what a warrant _is_.

For as much as was wrong with the government's request, its first request was at
least reasonable: specific knowledge on Edward Snowden. The inherent
architecture of Lavabit rendered this request unreasonable, and things
escalated from there.

Sure enough, the court documents and transcripts clearly have "target"
followed by blacked out spaces _just_ wide enough for Snowden, spoken by both
lawyers and Mr. Levison. This happens dozens of times throughout the recently
unsealed documents.

~~~
jack-r-abbit
I didn't say they did or did not know who it was. I don't know if they knew or
not. I responded to someone who claimed they didn't know as if that was an
excuse. Whether they knew or not isn't even relevant for me. At a minimum,
they at least knew what the person was under investigation for... which should
have been enough.

------
zmmmmm
> [The] government’s clearly entitled to the information that they’re seeking,
> and just because you-all have set up a system that makes that difficult,
> that doesn’t in any way lessen the government’s right to receive that
> information just as they could from any telephone company or any other
> e-mail source that could provide it easily

I find the sense of entitlement the FBI had quite disturbing. Perhaps it is
technically true, but they clearly had an attitude not just that they were
legally authorized to access such information, but that nobody should be
allowed to stop them having it, and any personal cost involved or moral
objection is not part of the equation. For me the two do not connect that way
- I am entitled to buy a house but nobody is required to help me do it, and if
I don't have the money, I'm screwed. It doesn't allow me to murder the guy
down the street so that I can take his money to buy the house I want.

The question is, is the FBI allowed to recruit any civilian to do anything
they think is necessary to get at some information they are authorised to
acquire? Can they go to your grandmother and tell her to prostitute herself if
that will help them? At what point does technical ability to accomplish
something render you at the mercy of the state to do whatever they tell you?
It is one thing to demand someone actively stop obstructing something. But to
demand they actively assist goes a step further. The notion of conscientious
objection has been accepted and even honoured and respected, even in times of
war.

I don't know where this line is. But I know I'm very uncomfortable with the
attitude that law enforcement showed in this case.

~~~
chris_mahan
The FBI is not allowed to break the law, and the Constitution is the law.

If Snowden showed that some people in government were violating the
Constitution, and other people in government were trying to suppress his
evidence, would that not mean that the people trying to suppress the evidence
are complicit with the violators?

Even if these people didn't swear an oath to protect and defend the
Constitution, it is still the law, and they are still bound to obey it.

So, what's the penalty for helping someone violate the US Constitution? And
who enforces that?

~~~
malandrew
Participating in a drug deal to convict someone of the crime is certainly one
example of them breaking the law. IMHO, they should only be allowed to arrest
someone in a drug deal between two bona-fide drug dealers. Participating as
one of the two parties in a transaction should be illegal.

~~~
Cthulhu_
I wouldn't be sure, I'm pretty sure legal entities are allowed to employ
entrapment in a lot of cases. Watch episodes of Cops, for example, they will
attempt to buy drugs and arrest the dealer, or attempt to get people to
solicit prostitution from an undercover (female) officer.

Basically, people should stick to the law; dealing drugs or soliciting paid
sex are both crimes, no matter who you do it to/with.

------
kcorbitt
Awesome decision. It's easy to say it was the right call from the sidelines
but it's also easy to underestimate the personal cost that must have been
involved with walking away from his company, especially with the gag orders
making it impossible to discuss his reasons.

~~~
dingaling
There was more than a personal cost. The staff of Lavabit had no idea what was
happening as the servers were being shut-down, until they were told to go
home.

[http://www.emaildiscussions.com/showpost.php?p=558661&postco...](http://www.emaildiscussions.com/showpost.php?p=558661&postcount=93)

 _I apologize; it was not my intent to mislead (though it appears that I did
so inadvertently). I was told that the outage was related to maintenance
regarding the storage system_

from one of the Lavabit admins.

------
eksith
Theresa Buchanan is the same judge who ordered Twitter to turn over info on
WikiLeaks
[http://www.salon.com/2011/01/08/twitter_2](http://www.salon.com/2011/01/08/twitter_2)

------
ZoFreX
> In a work-around, Levison complied the next day by turning over the private
> SSL keys as an 11 page printout in 4-point type. The government called the
> printout “illegible” and the court ordered Levison to provide a more useful
> electronic copy.

 _How_ illegible? I'm really curious about this part.

~~~
jack-r-abbit
They go on to say that it was 2,560 characters. That many chars at 4pt type
should not have taken 11 pages. That is roughly 233 chars per page. Even at
normal point size, 1 page will hold more than 233 chars. At 4pt I would expect
it to all fit on one page. Am I missing something here?

~~~
secabeen
We don't know how many characters per line there were. A page contains about
130 lines at 4 point font.

~~~
jack-r-abbit
That is what I don't get. If 4pt gives you 130 lines per page, you would only
need to fit 20 chars per line to fit the entire thing on one page. With 2560
chars on 11 pages means 233 chars per page at 130 lines per page, we end up
with roughly 2 chars per line.

We already know he was basically giving them the middle finger by printing it
AND printing it very small. He would clearly need to do something extra odd to
make it do this.

~~~
generj
You can see how he did it on the court documents (it's attachment A on page
145-150).

He might have done some less efficient encoding, like Base-16.

~~~
dlgeek
And that's only 6 pages... it looks like he printed it in 11 columns spanning
5.5 pages...

~~~
generj
I think the court documents have two pages per page.

But still very much illegible.

He could have been "helpful" and provided ancillary information along with the
keys.

------
invalidOrTaken
Lavabit are freaking heroes.

~~~
mildtrepidation
Without taking a stance on this statement, I think it's important to realize
how alarming it is that simply _trying not to betray the trust of your users_
has become such a difficult, dangerous, and unusual task as to be called
heroism.

The intelligence community has put us in such a bad spot that anyone who
actually tries not to do something unethical, which should really be the
default, is now exceptional and lauded.

Lavabit stood up, and that's admirable. That it's _this_ admirable is a really
bad sign.

~~~
asperous
Well the founder pretty much had to throw away his livelihood as well as part
of his dream to do something that could land him in jail, for someone he had
never met.

He could have easily quietly given them the key (if he had it?), and then live
the rest of his life with success and guilt.

Very, very few people would throw themselves in front of a bus the size of the
US government to save an honest stranger. Those people are worthy of calling
heroes.

~~~
mildtrepidation
_Very, very few people would throw themselves in front of a bus the size of
the US government to save an honest stranger._

That's exactly my point. _This is not a situation he should have been in._ In
our current political environment, absolutely, his actions were heroic. But
all he did was what he should have done. That the potential consequences for
that are so horrifying is what makes this entire situation incredibly wrong.

------
wmf
Everybody note that the SSL key demand came only after Lavabit declined to
turn over information on one user. I can understand the logic of this from the
feds' perspective; they tried to do it the "right" way but Lavabit refused to
cooperate so then the feds started trying progressively more aggressive
approaches to get the data.

~~~
Glyptodon
The problem is that in order to get that information the first way Lavabit
would have had to write code that made all of their business claims a lie.

~~~
tptacek
That's true. But then, engage with the question of whether those promises were
reasonable. "Even if we have the capability of complying with a request for
information on a specific user, we will resist the courts". There's a reason
providers tend not to make that promise: keeping it can involve going out of
business.

~~~
Glyptodon
That's not the promise they made, rather it was that they had not developed
and would not develop any means to circumvent the protection/encryption for
paying users' accounts.

The 'not complying' is only a side effect, and is more so tantamount to a
refusal to do work for the government in opposition to Lavabit's own business
promises. I'm not sure the government in any instance has a right to compel
work to meet their specified ends.

~~~
thrownaway2424
That's retarded though. The absence of getpeername calls in their frontend
does not constitute an inability to comply with a pen register order.

There are costs of doing business and one of the costs is the ability to
comply with lawful court orders. You are completely wrong about the government
lacking the means to compel compliance.

------
PhasmaFelis
Like half a dozen people have tried to argue that, because the order was
lawful and Levison had complied with previous lawful orders, he has no moral
justification for refusing this one.

Let's not beat around the bush. You're willfully missing the point. The
lawfulness of the order is not at issue; the target of the order is. I would
happily obey a lawful order to turn in a fugitive rapist hiding in my
basement; I would not willingly obey a lawful order from the same authority to
turn over an escaped slave, even if I lived in a slave-holding nation.

If you don't think that Snowden should have broken the law to inform the
public of massive, unsupervised, hidden government surveillance and lies about
same, that's fine. But say so, don't go making disingenuous sidewise arguments
and thinking you're sly. Yes, Levison disobeyed a lawful order. Laws should be
obeyed because they are just, not because they are laws.

~~~
acqq
No, the difference this time is that FBI demanded to install their own
equipment inside of Lavabit facilities, having access to all users' data:
[https://news.ycombinator.com/item?id=6487852](https://news.ycombinator.com/item?id=6487852)

------
ateevchopra
This act will be remembered as a "legend". And Lavabit is THE HERO. Standing
behind its customers, almost killing itself. You are my hero!

------
danso
I'm not taking sides against Lavabit here, but it's worth considering the
situation here without the Snowden context.

A search warrant was signed by a court for federal agents to retrieve/collect
evidence for a specific target. How is what the FBI (and prosecutors) demanded
different than a normal wiretap?

edit: If the FBI's order could not be completed in a way that would NOT
compromise ALL users, then of course Lavabit should have resisted. My question
is based on the assumed validity of this statement in the OP:

> _The July 16 order came after Texas-based Lavabit refused to circumvent its
> own security systems to comply with earlier orders intended to trace the
> Internet IP address of a particular Lavabit user._

~~~
Karunamon
Because of what handing over the data would necessarily entail. (If I
understand correctly.. someone please correct me if I have this wrong).

The data the FBI wanted wouldn't have just unearthed Snowden's emails, but
everything by every Lavabit user. And if you believe that information wouldn't
have made its way to certain other 3 letter agencies...

------
droopybuns
I wish Paulson explained where he got this information. Did Lavabit just leak
NSL data?

~~~
tedivm
First line of the article mentions that they came from unsealed court
documents.

------
bakerconspiracy
My favorite part: The SSL certificate was delivered as an 11 page paper in 4pt
font. This is so genius.

~~~
shavingspiders
Why not hand in the characters in 4pt on a single page each? Make it double
sided to make it a little more feasible. 233 characters per page is just about
nothing at that size, I don't get why they decided to stop at 11 pages.

~~~
generj
I think it was to avoid being too obviously non-compliant.

Delivering the information this way could be construed as merely avoiding
paper-costs while using formats the hide-bound government officers would be
most familiar with (paper). It's somewhat facetious, but you can almost say it
with a straight face, and a tech-illiterate judge might even accept it
(especially if you did something just _slightly_ more legible at 5 or 6
points).

It would be impossible for anyone to claim with a straight face they complied
if they did as you described. Lavabit can claim they provided the keys in a
fairly digestible format, and it bought them a few days worth of time.

Also, a single character at 4 pt surrounded by whitespace is _much, much
easier_ to decode.

Finally, most courts would charge you for delivering that much paper. For
similar reasons, paying court fees in pennies is not accepted by all
jurisdictions.

------
wellboy
This is pure evil.

~~~
baddox
Don't forget who the ruling class is and how they behave the next time a
relevant issue comes around.

~~~
wellboy
I don't think it matters since the mass data surveillance thing was started by
the Bush Administration...

~~~
barry-cotter
The NSA is older than most voters. When talking about the Stasi there is no
meaningful difference between the Republicans and Democrats, Labour and
Conservatives, etc. They're all politicians and they're all the same.

------
shmerl
I guess Lavabit figured that giving access to the data of one user in the
requested way could compromise other users' privacy/security so that would be
equal to warrantless wiretapping. Otherwise, what was the problem with
following that?

~~~
waqf
The problem was that following it would be a violation of the privacy of
Edward Snowden (well, of the user whom we presume to be Snowden) and of the
trust which he had placed in Lavabit.

~~~
shmerl
Violation of his privacy under warrant is what the law would expect in that
case. Violating privacy without a warrant (and probable cause and etc.), that's
what is unconstitutional. Or you are saying that there can be no investigation
at all?

Lavabit even admitted, they already assisted investigators in the past for
investigation on a specific user. Apparently that request was legal in the
view of the Lavabit owner, so there should be something different here.

------
rdl
There is no way this is not a "general warrant". If it's not overturned in
appeal, the US is no longer an acceptable place to host anything or conduct
any business operations for anyone (except the USG or regulated entities).

I'm hopeful it will be overturned at the 4th Circuit, rather than waiting for
SCOTUS. There are _so many_ ways to challenge it. The only way we'd be fucked
would be if Ladar didn't have the money to appeal, but it's a super tempting
case for anyone at EFF/ACLU/etc. Funding the appeal to the max would also be
in the self interest of any cloud business in the USA.

~~~
generj
I'd be very surprised if this isn't the landmark case establishing demands for
SSL certificates as being too general.

Just like _Jewel v. NSA_ was always destined to be a landmark case, and now
will be, after the executive privilege crap got thrown out.

------
wellboy
Is there a bug in HN right now? Why is this story which was posted 4h ago
ranked #7 with 436 upvotes, when U.S. Opposes Tech Companies... is ranked #6
with 169 upvotes while it was posted 8h ago and the Google acquisition of
Flutter ranked #3, also posted 4h ago, whereas it only has 96 upvotes.

Did the HN ranking algorithm change or did I miss something?

Here the screenshot [http://imgur.com/7Yh9XB2](http://imgur.com/7Yh9XB2)

------
eps
What's the source of this info? Does anyone know?

------
siculars
Balls of steel. What a hero.

------
wnevets
Does this mean SSL is secure?

~~~
McGlockenshire
It just means that at least in some possible cases, the way that SSL is broken
is by demanding the private keys and installing a transparent proxy or tap
outside of the network.

So while it might not be broken in the way we usually expect crypto to be
broken, it continues to be broken from a trustability point of view.

~~~
fennecfoxen
I dunno. That's exactly the way you _should_ expect crypto to be broken:
"don't attack the encryption, attack how it's used"

------
lettergram
I commend him for shutting down Lavabit instead of giving in. It was one
of those epic moments where one chooses to take a principled stance on
something no matter what the cost.

(Reminds me of a Howard Roark moment to be honest)

------
deepinsand
A service that used a separate subdomain and SSL certificate per user could
have avoided such a situation. Though this is an unreasonable burden for a
service provider to bear for operating in the US.

~~~
jlgaddis
Huh? You'd still have a private key per certificate. You might have one key
for all of them or one key per cert, but you'd still have a private key for
each of those certs.

Unless I'm missing something?

~~~
deepinsand
If I read the article correctly, the Lavabit founder was unwilling to give up
the private key because it would compromise all users, not just Snowden.

~~~
jrockway
And giving up the SSL key for Snowden wouldn't give them anything useful,
since he's probably not checking his US-based email anymore. (And SSL should
be in perfect forward secrecy mode, so the private key can't be used to
decrypt past sessions.)

------
judk
The good news here is that Lavabit only started to suffer when the feds came
calling for Snowden. Another email provider "Mavabit" could provide a quality
encrypted email service for a while as well, as long as we have a supply of
trustworthy operators.

------
balabaster
Am I the only one busting a gut that he printed out the SSL key over 11 pages
in 4pt font for them to re-key? Hahahaha that's fucking hilarious... though
the kind of OCR software the FBI has access to would no doubt have made short
work of this.

------
DrJokepu
I wonder why the FBI didn't just use some OCR tool to scan the key?

~~~
daemin
Given the reported "accuracy" of HP scanners and others on the market - i.e.
see recent posts on HN - I think that would be worse than typing it out by
hand with a magnifying glass.

------
adamnemecek
The title made me think that they managed to get what they wanted.

