

EFF Has Lavabit’s Back in Contempt of Court Appeal - DiabloD3
https://www.eff.org/press/releases/eff-has-lavabits-back-contempt-court-appeal

======
csense
It's interesting that the two strongest _practical_ arguments EFF is making
(based on how people will react to an adverse decision) are also the two that
probably the least persuasive from a legal standpoint (based on laws and court
precedents).

I'm talking about service providers moving their operations to more privacy-
friendly jurisdictions, and improving protocols with e.g. perfect forward
secrecy to make this sort of attack impractical.

So everyone suffers under an adverse decision in this case:

The US economy suffers because businesses seriously concerned about privacy
choose to locate elsewhere

Law enforcement suffers because those businesses are no longer reachable when
they have a legitimate reason to obtain the communications of spies,
terrorists, or plain old criminals, and get a narrow warrant that properly
protects the privacy of innocent bystanders.

Individual liberty suffers because a precedent will make it easier for people
who don't care about privacy and use domestic providers subject to these
overbroad warrants to be caught up in a surveillance dragnet

That being said, Congress, not the courts, is the proper venue to address
those practical arguments. Will anyone care outside of technophile bubbles
like HN? Unfortunately, I think we all know the answer.

------
einhverfr
Bravo, EFF.

Seriously, that is one heck of a broad warrant, namely the private key used to
decrypt all business records of all customers.

~~~
dingaling
The warrant was specifically for the data relating to Mr Snowden. Go and read
the disclosed documents: that is the only individual on whom data was
requested.

There was no warrant for the SSL keys; that was issued as a subpoena when Mr
Levison stated that the data-in-transit was encrypted. The judge told him to
disclose the keys that were protecting Mr Snowden's data.

That Mr Levison happened to use the same SSL certs for _all_ paying customers
isn't the fault of anyone but... him.

~~~
MagicWishMonkey
That is how SSL is intended to work. You cannot have more than one SSL
certificate for a given domain. That is an intentional design decision by the
committee that created the SSL RFC.

Does the door to your house support multiple types of keys? Or is it designed
to work with a single, specifically machined key? Can you open your front door
with your car key? Why not?

~~~
pekk
Why is one SSL key the only thing protecting these customers?

~~~
MagicWishMonkey
Because that is how SSL works. I don't understand your question. Your bank
uses one SSL key as well. Google has one SSL key for their homepage. It is not
possible for a top level domain to have more than one SSL certificate. Are you
asking why SSL works the way it does? You'll have to talk to the people who
wrote the RFC.

SSL is what is used to protect communications between a client and the Lavabit
endpoint. Once a request is inside the lavabit network other security measures
are used. For example, each email message is signed using the account key for
a given member, the account key is itself encrypted with the members password.
The only way to decrypt a message is with the account key and the only way to
decrypt the account key is with the member password. If you lose your
password, your mail is gone forever. The feds had access to snowdens encrypted
emails, but they had no way to decrypt them without his account password and
the only way to do that is with snowdens personal password, which is why they
wanted to sniff unencrypted traffic (to snag his password en route to the
lavabit server). I've simplified a few things but this is a rough overview of
how his system is designed.

~~~
pekk
Why is SSL the only thing protecting these customers? It's a really simple
question and I think you are intentionally avoiding it and attacking a straw
man.

~~~
jtgeibel
The entire second paragraph addresses the internal security beyond the SSL
protection used in transit. But yes, in effect, SSL is the only thing
protecting the user's password on the wire and this password is what is used
to generate the master key for the encrypting the messages server side.

------
chris_mahan
And there is still doubt we live in a police state?

~~~
csense
At least the issue is being discussed in public and litigated in the courts.

~~~
einhverfr
It was litigated in the courts in the USSR too. Not so much discussed in
public but I am not sure that matters.

The whole issue of making such a taboo topic is that it makes it hard for
opposition to mobilize. However in the US we have other ways of doing that.
Hyperpartisanship is something which has a remarkably similar effect while at
the same time allowing us to say with a straight face that we are not a police
state.....

~~~
simonh
I'm afraid this is what you get when you architect your political system to
institutionalize gerrymandering. I suspect that hyperpartisanship, and the
thorough political dysfunction we're seeing over in the US at the moment, is
pretty much an unavoidable consequence of developing very stable partisan
electoral ghettos.

In the UK such gerrymandering is taken very seriously because it's a
fundamental attack on the integrity of the electoral system. People found
guilty of it have had their political and personal lives ruined, and quite
rightly too. But in the US it's standard practice. I don't think this is taken
seriously enough.

~~~
einhverfr
The UK has had bad experiences with gerrymandering too, right? I am
remembering the term "pocket borough."

~~~
walshemj
Yes but we reformed those in 1832! I sometimes think the US politics is still
stuck in the 18th century.

~~~
einhverfr
Of course, the only reason I knew the term is:

"I grew so rich that I was sent

By a pocket borough into Parliament

I always voted my party's call

And I never thought of thinking for myself at all!

...

I thought so little, the rewarded me

By making me the ruler of the Queen's Navee!"

\-- Arthur Sullivan, from "The HMS Pinnafore"

The scary thing is how well that verse describes American politics these
days..... So maybe you are right....

~~~
gknoy
I think this is the first time I've seen Gilbert and Sullivan quoted on HN.
Bravo, sir. :)

------
doug1001
nice one, EFF--you guys are bad ass. EFF has of course also for the past
decade, been a relentless warrior against Patent Trolls. i don't know, but i
would be willing to bet, that the new troll-killing bill is in part due to
their efforts as well.

~~~
AsymetricCom
EFF is a pointless figurehead that does none of it's own work. It simply
coopts ongoing legal action and puts their name on it anyway they can. This is
a pointless case, like the EFF can fix https by this case? No, the cat is
already out of the bag. https has been broken for some time, first by cyber
criminals and businesses being stupid, and then the NSA trying to keep up with
the game.

------
thex86
So, how does one fight a contempt of court? Is it even possible?

(PS: Great job EFF!)

~~~
rhizome
I'm guessing it involves appealing (or similar) the court order that the
contempt finding depends on.

~~~
alttag
Yes. Lavabit's filing [0] is to the Fourth District Court of Appeals. Page 1
of their brief (after all of the disclosures and tables of content) explains
the jurisdictional stuff pretty well.

0: [pdf] [http://cdn.arstechnica.net/wp-
content/uploads/2013/10/gov.us...](http://cdn.arstechnica.net/wp-
content/uploads/2013/10/gov.uscourts.ca4_.13-4625.26.0.pdf)

------
alttag
Glad the EFF is joining.

For background, Lavabit filed their appeal a few weeks ago [0]. Ars covered it
[1], and it was discussed here on HN [2] as well.

0: [pdf] [http://cdn.arstechnica.net/wp-
content/uploads/2013/10/gov.us...](http://cdn.arstechnica.net/wp-
content/uploads/2013/10/gov.uscourts.ca4_.13-4625.26.0.pdf)

1: [http://arstechnica.com/tech-policy/2013/10/lavabits-
appeal-w...](http://arstechnica.com/tech-policy/2013/10/lavabits-appeal-were-
actually-not-required-to-wiretap-our-own-users/)

2:
[https://news.ycombinator.com/item?id=6531814](https://news.ycombinator.com/item?id=6531814)

------
theinterjection
Why did Levison have access to their users mails in the first place? Didn't
they claim that only you can see your emails? Isn't that the reason you can't
reset your password?

~~~
bskap
Because email is an insecure protocol. The email comes in unencrypted from the
sender's SMTP server.

