

Lavabit Challenges Contempt Order: An Analysis of Its Arguments - CWuestefeld
http://www.volokh.com/2013/10/11/lavabit-challenges-contempt-order/

======
rayiner
Argument #1 is really the damning thing for Lavabit. The scope of the subpoena
power isn't some new invention of the surveillance state. The quote from U.S.
v. Calandra ("the public is entitled to every man's evidence") dates to 1742:
[http://supreme.justia.com/cases/federal/us/317/424/case.html...](http://supreme.justia.com/cases/federal/us/317/424/case.html#F2/1).
It wasn't a new concept then either. The idea of e-mail accounts the
government can't access with an appropriate court order is deeply incompatible
with how Anglo-American law conceives of the powers of courts.

There's a comment by "Jessica Darko" on the linked-to blog that I think
warrants addressing. There is a big difference between a "search" for the
purposes of the 4th amendment and a subpoena of a third party. Say the
government is investigating Bob for tax fraud. It's a "search" subject to 4th
amendment protections for the government to break into Bob's house and go
through his drawers. It's not a "search" for the government to subpoena his
accountant for any relevant financial records. It's a "search" for the
government to break into the accountant's office to get those records, but the
accountant can't hold up the 4th amendment as a shield against turning over
those records pursuant to a court order.

~~~
cperciva
The problem I see with subpoenaing SSL keys is that they are not, in fact,
evidence.

~~~
Amadou
I was hoping to see more discussion on this point.

Are there other cases where subpoenas have been issued for tools that enable
the gathering of evidence? Has that sort of thing always required a warrant?

Is it moot that a warrant was eventually issued? Or was the warrant only
issued punitively because Lavabit didn't comply with the subpoena without
regard to the validity of the subpoena in the first place?

------
coldcode
There is no hope for us if nothing we hold to be ours is available to any
government agent who demands it. A request for a single person is one thing,
it only affects that one person. Once the request affects a huge number of
unrelated people just to grab that one person it becomes unreasonable. It's
like arresting an entire city to catch a single criminal. At some point you
have to draw a line. But I wouldn't want to try that argument in front of a
Federal Judge much less the Supremes. I doubt this will work.

~~~
rayiner
Isn't it a technical problem with the service, rather than a legal problem, if
the host can't give access to one email account without compromising all
users?

~~~
thecodeore
The email encryption was not in play here, from what I understand the end user
was the only person with the key to the email "inbox" encryption

What is in play here was the SSL Key that is used to encrypt the browser
traffic between LB and the user. No differant than the SSL Cert used when you
make an online purchase

It technologically impossible/impractical to have a separate SSL cert for each
user, that is just not how the HTTPS protocall was designed

This is not Lavabits doing, that is the work of the Internet Engineering Task
Force (IETF)

~~~
eli
If your landlord only had a master key to all apartments they could use that
as a reason to refuse to turn it over for access to one apartment?

~~~
thecodeore
That is a poor analogy.

By turning over the SSL Key the FBI using the Pen Trap Device would capture in
real time all data of all users and be decrypting it in real time.

Turning over a Master Key to a building would not give the FBI instant access
to all apartments simultaneously, nor would they have the ability to go back
in time to look at previous data, nor thousands of other problems with this
analogy

People are attempting to conflate physical keys with encryption keys simply
because years ago the mathematicians used the word "keys" as analog to explain
things to the general public. This does not mean there is, in reality, any
analogous relationship between encryption keys and physical keys

~~~
res0nat0r
They could have instant access if they duplicate the key and raid all
apartments simultaneously.

Also the legal speak above states I believe that even that the FBI _clould_
technically access other user data, this does not somehow disallow this from
happening because is not ideal. It is more a fault of Lava it than anything
else.

~~~
thecodeore
How is it the Fault of Lavabit?

SSL is a standard secure communication protocol of the internet, it is not
lavabits design and it is impossible for Lavabit to modify while still keep
interoperability.

You do not seem understand the underlying problem, as many people are
misinformed as to which key the government was requesting., They WERE NOT
asking for the key of the private inbox data, they were asking for the GoDaddy
Signed SSL key that encrypts the web browser session from the Lavabit User to
the Lavabit server, not the user level key for the encrypted mail box stored
on LB servers

This is the same protocol that HN uses for this very site, Amazon, Gmail, and
thousands of other sites use every day to secure communications between public
servers and the users of those servers

~~~
res0nat0r
> SSL is a standard secure communication protocol of the internet, it is not
> Lavabits design and it is impossible for Lavabit to modify while still keep
> interoperability.

Correct. If Lavabit wanted to be 100% immune from these type of subpoenas,
then they would have designed the system to never have been accessible this
way. I'm guessing (just like Hushmail) that having a proper end-to-end type
encryption, like forcing the users to use some sort of PGP on their end would
reduce uptake, thus preventing them from having a viable business model, so
they compromised in this way.

Just because SSL is a standard etc is irrelevant. The government is going to
use its subpoena power to get to the information they have reasonable
suspicion is being sheltered by Lavabit. If the least intrusive method
unfortunately exposes everyones data, well that really is what they call
"tough luck."

~~~
thecodeore
Further on the "tough luck" point, that is not how our legal system is suppose
to work, the government infact does not get access to any information even if
they have a reasonable suspicion it is being "sheltered", there are all kinds
of limits that are suppose to exist, and the "tough luck" part is suppose to
be the burden of the GOVERNMENT not the people,

~~~
tedunangst
You should probably cite some sources for your theory of how the legal system
is supposed to work.

~~~
thecodeore
US Constitution, Federalist Papers, 100's of years of case law, the very
concept of innocent until proven guilty, all that supports the notation that
the burdens are placed upon the GOVERNMENT not the people.

THe laws allowing for Pen Trap's are very clear that the pen trap must not
cause undue hardship on the business in question, and there are simliar limits
on all of the powers of government

The idea that the government has, or should have, unlimited power to destroy
businesses and individuals in the pursuit of "justice" is not only ridiculous
but very dangerous

~~~
tptacek
Could you perhaps cite one case in the hundreds of years of case law that
supports the argument that privacy concerns override the right of the courts
to every man's evidence?

------
hawkharris
Excellent analysis. It's refreshing to see someone dive into the legal issues
instead of spewing personal opinions about what the parties should - or should
not - have done. I hope that those who critique the author's post will take
the same amount of care in researching the law.

------
trothoun
If you s/anti-government/anti-government surveillance/ then I think the
article would be considerably improved. Was Lavabit explicitly anti-
government?

~~~
eli
I think that's probably a fair point.... Doesn't seem like it changes any of
the legal analysis though.

You can't disobey a search warrant because it would be bad for business or
because you want to protect the target.

~~~
spydum
I think the primary concern is protecting the other folks who are not the
target. Handing over keys allows for the government agency the opportunity to
violate other users 4th amendment rights.

~~~
eli
Sure, I get it, but I don't think you can ignore a subpoena just because you
don't trust the government not to abuse it.

~~~
ganeumann
Well certainly you can, because he did. I think perhaps that's the main point
here.

------
thecodeore
I believe it is very telling that a pro-privacy company, a company that has
integrity and wants to honor the commitments it has made to their customers,
is now a "anti-government" company...

I see a lot of comments about how "good" this analysis is, to me it seems very
weak, and only "good" if you believe the government should be allowed to
violate the 4th amendment, should be allowed to obtain any information from
anyone at any time, and should be allowed to get SSL Keys from service
providers, without disclosing this to the Certificate Authorities and
violation of all security agreements with said CA's.

If you're very much a "pro" government person then I can see how this
"analysis" would meet with your approval. To me it looks like pro-government
biased drivel

~~~
Amadou
My impression, as someone who is not a lawyer, is that much of what gets
posted to the volokh conspiracy is "pro-process."

I think it is entirely reasonable to analyze the situation from the
perspective of the law, but it seems like underlying their analysis is that
the law is more than just a tool, that it is itself not subject to question. I
can understand that from a functional perspective. Challenging the law itself,
especially long established law (even if it is being applied to new
situations) is a very hard task. But too often (at least for my taste) the
writers there seem to bleed that over into the law having some sort of
unstated moral stature beyond its utilitarian nature.

~~~
rayiner
Volokh is not a philosophy site for people to opine about morality. It's a
site about law, courts, and lawsuits. These things are all about process. Even
when applied to new situations, the job of courts is to implement solutions
consisting with existing law and legal norms, not to stray from the law to
implement what they see as the more "moral" outcome.

~~~
ferdo
> It's a site about law, courts, and lawsuits. These things are all about
> process.

Reading Orin Kerr is akin to reading someone critique the actions of the
principals in a waterboarding without critiquing the rightness or wrongness of
waterboarding itself.

There's a creepy overtone to that kind of commentary.

~~~
tptacek
This comment perfectly encapsulates everything that is horrible about legal
discussions on HN: they are anti-intellectual, in the sense that they penalize
knowledge or understanding insofar as such understanding complicates some
poorly-stated valence issue (most often "the government should honor
everybody's right to privacy"). It's not that the angry HN commenter has a
carefully-considered (or even _specific_ ) complaint about Orin Kerr†. Rather,
the angry HN commenter is angry that anyone has taken the time to understand
the legal issue at all, instead of simply joining them in baying at the moon.

You should be embarrassed to argue this way. You should want to first
understand the issues that are at play, and then figure out how your
principles engage with those issues. You obviously shouldn't be trying to
dismiss dense sources of information that you clearly didn't already have
access to by making allusions to torture. But you do anyways, as do many on
HN, adding no value, no original insights, no new information, not even a
meaningful criticism of someone else's insight or information --- just, "new
information that doesn't fit my worldview: BAD".

I've been here long enough to know that you're getting upvoted for comments
like these, hopping from thread to thread shouting down anyone who fails to
scoop out their eyeballs, pick up the accursed panflute or vile drum, and
dance idiotically around the formless confusion of whatever issue you think
you're advocating for. Just know, the same people upvoting you for poisoning
threads are also the ones upvoting the incomprehensible douchebags who snark
about "getting their side project acquired next time they get a job offer".
You're two sides of the same debased coin.

† _You can, once in a blue moon, find a carefully considered criticism of Orin
Kerr on HN, but they 've uniformly come from people on HN with law degrees and
are thus obviously suspicious._

~~~
ferdo
> You should be embarrassed to argue this way.

You should be embarrassed for defending Orin Kerr.

> I've been here long enough to know that you're getting upvoted for comments
> like these

I got downvoted. Maybe you want to revisit what you think you think you know
and enjoy bloviating about.

~~~
tptacek
Unfortunately, I read things before I decide whether to yell at them, and so
find myself unable to howl maniacally at Orin Kerr.

------
brymaster
Levinson deserves more support than the paltry $90K
([https://rally.org/lavabit](https://rally.org/lavabit)) he's raised so far
for his legal defense war chest. I hope he can continue to fight this as he
goes up the court of appeals ladder.

------
segacontroller
The SSL key is only for the transport correct? My assumption is that the data
in storage would still be encrypted by the customer's private keys. The USG
could then obtain the private keys of the customer by watching the decrypted
SSL traffic, and is also why the gag order would be very important to the
case.

I think this is a pretty big misunderstanding by the author of the article.

------
brownbat
Footnote, Prof. Kerr literally wrote the book on Computer Crime Law:
[http://www.amazon.com/Computer-Crime-Law-American-
Casebook/d...](http://www.amazon.com/Computer-Crime-Law-American-
Casebook/dp/0314204547)

Not that you should accept his argument without scrutiny, but he's read a few
of the cases here.

------
trauco
A lesson of all of this is that encryption without control of the encryption
key is, in this brave new world, useless.

------
RexRollman
It was well written. I expect the government will respond with a sad
combination of flag waving and fear mongering.

------
thinkcomp
Fourth Circuit Court of Appeals docket and documents here:

[http://www.plainsite.org/flashlight/case.html?id=2524335](http://www.plainsite.org/flashlight/case.html?id=2524335)

