
Newly Unsealed Redacted Lavabit Case Filings - thinkcomp
http://www.plainsite.org/dockets/29hpeuufl/virginia-eastern-district-court/usa-v-in-re-information-associated-with-an-email-account/
======
tptacek
Worth noting the date at which these filings commence --- early August 2013,
more than a month after the initial court order was generated for Snowden's
account on Lavabit.

I'd really like to see the court orders that preceded this one. According to
the timeline in the Appeals Court ruling on Levison's contempt charge, the
demand for SSL/TLS encryption keys followed a month of Levison more or less
baiting the FBI.

[https://news.ycombinator.com/item?id=7774158#up_7774823](https://news.ycombinator.com/item?id=7774158#up_7774823)

~~~
sillysaurus3
Would you speculate on Levison's motive in your sequence of events? It's a
solid analysis, but why would Levison do all of that?

Your analysis changed my view about Levison. I think people mostly equate
Levison's actions to Snowden's without really thinking about the differences.
Thought experiment: what if a mole was selling US secrets to other countries?
If Levison would respond in the same fashion as in this Snowden case, then
that obviously would be detrimental to the US's interests. But would he?

Here's where it gets tricky. It's my understanding that Levison complied with
past US orders. So that begs the question: why did Levison choose that moment
to be rebellious? Was he trying to protect Snowden? (Did anyone even know who
Snowden was or what he did at that point? My memory is hazy on the timeline.)

It's certainly a convenient excuse to say that Levison was protecting Snowden.
But if it's true, how would you feel about his actions in light of that fact?

If Levison wasn't protecting Snowden, then why did he choose that particular
hill to die on, and not any of the past compliance orders? It seems like
Levison had _some_ knowledge that prompted him to act the way he did. But if
this all happened before Snowden became public knowledge, then what knowledge
could have possibly converted him from someone who obediently follows
government requests into someone who would "bait the FBI"?

Beyond all of that, I'm interested to hear your thoughts on whether there's
any possible excuse for Levison's actions which you personally would find
redeeming.

~~~
tptacek
I don't know how to answer this, but if you want a handy rule of thumb for how
I think about controversies in tech: I generally favor the most boring of all
speculations. Snowden isn't an agent of the FSB. The NSA isn't a secret ploy
to enforce the Comics Code Authority. Levison was simply opportunistic and
inept. The TrueCrypt developers got bored and gave up. NIST P-224 isn't a good
curve but it isn't a backdoor. And so on.

~~~
jnbiche
>Levison was simply opportunistic and inept

Actually, by far the simplest explanation in this case is that Levison
supported Snowden's actions and wanted to back him up.

I mean, he sacrificed his company -- his baby -- for this case, even though he
had complied with multiple prior government requests (usually relating to
child porn, from what I recall).

Clearly, Levison went through a period of fear and doubt, but the only
consistency was his refusal to give up keys that would reveal Snowden's
communications.

Can you explain why you are convinced it's opportunism and not idealism?
Because unless you know something we don't, Occam's Razor in this case says
that Levison was simply being a Snowden supporter, to the point of sacrificing
his livelihood. In my book, that makes him a patriot.

Sillysaurus: yes, he knew the court order was for Snowden, since it
specifically mentioned him by name. Also, I believe that an edsnowden@lavabit
address (or something similar) was on GPG keyservers everywhere. So it wasn't
hard to guess. And in fact, that address was soon revealed to be Snowden's in
a public document from his lawyer sent by Wikileaks (accidentally).

~~~
tptacek
The opportunism I'm referring to was setting up Lavabit in the first place, as
a web-based email provider that made expansive claims about security that it
couldn't possibly back up.

It's easy for me to understand why people think Levison is a hero. They think
Lavabit was a noble, useful offering, and that government intervention is the
only reason it failed.

To understand my position, you need to know that Lavabit's architecture was
almost comically unsound; it claimed to protect the privacy of thousands of
users, but all the weight of that claim was borne by a set of keys Lavabit's
operators had total control over.

Online privacy tools don't need to work like this. They often do, though,
because transcending this pitiful security model requires that users install
software. Nobody wants to install software. Not to mention, most of the people
who want to build and offer these tools don't really know how to build
locally-installable software.

There's nothing wrong with lacking the competence required to build secure
messaging software. Most people do. Observe that for all the nitpicking about
crypto that I do on HN, I haven't launched a tool like this either!

But there's something very wrong with lacking competence but then going ahead
and releasing something that users will stake their freedom on anyways.

~~~
sillysaurus3
Thank you for the insights. Why would Levison refuse to comply with the
government order and shut down his company? If he was an opportunist, the
opportunistic action would've been to comply with the secret order while
keeping his compliance secret. Users would've continued to trust Lavabit.

~~~
tptacek
Because "opportunism" and "principle" exist on spectrums. Opportunism prompted
Levison to release a dangerously flawed privacy tool. But once that flaw
threatened to compromise Snowden, circumstances crossed the threshold where
principle required him to contain the damage he'd done.

~~~
jmathai
Are there NO alternatives to what Lavabit provided? Even if it required
software installation on the client?

I have to assume Snowden understood the architecture of a "secure" webmail
provider but still went with it. Better than Gmail I'm sure but far from
something to rely on.

~~~
tptacek
There are lots of alternatives, but none of them involve signing up for a web
service and not installing any software.

And no, I don't think Lavabit was likely to have been safer than Gmail.
Lavabit doesn't have one of the industry's best security teams and largest
software security budgets trying to make sure there aren't horrible
vulnerabilities in it.

------
thinkcomp
It's always fun reading court documents where the censors go totally
overboard. Here, there are a few spots where that happens, such as where they
black out the publicly available telephone and fax numbers for the various
attorneys. In other spots (page 55) the attorney names are blacked out, but
I'm pretty sure they're visible on the very next page (page 56).

------
chippy
These documents seem to back up the story that Levison, whilst obeying past
orders, did so begrudgingly.

"..in light of Lavabit LLC's history of failing to abide by court orders...the
US needed order to compel before they complied with legal process. In fact
they have incurred fines of $10,000...associated with its failure to comply
with those court orders." edited - page 14

~~~
tptacek
They'd have to, right? The narrative about Levison resisting court orders is
established in a detailed opinion from the 4th Circuit, written by a judge who
was confirmed unanimously by the Senate in 2008.

------
belovedeagle
I find the oral argument on pdf pages 61ff. very intriguing... Under the
assumption that the case is about Snowden (which is not known, really, 100%),
it seems like the gov't lawyers were worried about revealing that the gov't is
looking into "coconspirators". The only reason they'd want to hide that is not
to tip off those hypothetical coconspirators, who would necessarily work for
NSA/other intelligence org, or else would be journalists whose identities
we're already familiar with.

In the latter case, US seems to feel some shame in targeting journalists, or
at least understands that the general public would not be pleased to hear that
the gov't is targeting journalists in particular, especially with charges of
espionage or what-have-you. But in the former case, we would be looking at a
very big-brother-esque instance of the gov't being paranoid that members of
the "inner circle" don't have the gov't's perceived best interests at heart,
which is a legitimate concern, but also we have the gov't watching those inner
circle members most closely, which is a major theme of 1984, e.g.

On the same note, there is something of an acute irony, or perhaps
subconscious characterization of the gov't viewpoint, in the argument on pdf
page 64: "because it puts those individuals ['other individuals who may now be
known or unknown to the government'] on notice[—]other people who may not be
the specific user of the account[—]that they should take steps because they
may be within the scope of the government's investigation". The irony here is
that the government acts like it believes that _everyone_ is "within the scope
of [...] investigation", and it would be quite detrimental to the gov't's mass
surveillance efforts if "other people" become aware that they should "take
steps" to mitigate surveillance.

That being said, I'm not 100% confident that Snowden is the target of the
Lavabit investigation, and I'm wondering if anyone is aware of any alternative
speculation?

