
Lavabit Proceedings Unsealed [pdf] - markmassie
http://cryptome.org/2013/12/lavabit-027.pdf
======
wylie
Even though the name and email of the suspect are redacted, it says that the
suspect is being investigated for 18 U.S.C. §§ 641, 793d-e, and 798(a)(3).
This is exactly what Edward Snowden was charged under[0].

[0] [http://news.rapgenius.com/Hon-john-f-anderson-united-
states-...](http://news.rapgenius.com/Hon-john-f-anderson-united-states-of-
america-v-edward-j-snowden-criminal-complaint-lyrics#note-1895859)

~~~
jcalvinowens
Page 84-85 of the PDF references: "websites that Alba visited" and "the
to/from addresses of Alba's E-Mail"

Did they forget to redact the suspects name there?

~~~
wylie
That looks like a reference to another case, United States vs. Forrester,
where Forrester and Alba were the defendants[0].

[0]: [http://caselaw.findlaw.com/us-9th-
circuit/1496507.html](http://caselaw.findlaw.com/us-9th-circuit/1496507.html)

~~~
jcalvinowens
Ah, ok.

------
jcc80
Amazing to see what a disadvantage citizens are facing when going up against
the government. Just reading the transcript you can imagine how anyone without
a very experienced (and expensive) attorney would be overwhelmed and not
understand what's happening since they're not in their element. Levinson seems
to do better than most but it's a rigged game.

~~~
malandrew
I'm actually curious if there is a forum or fora where only vetted well
intentioned legal scholars are able to crowd source legal advice and research
in cases like this.

I know that StackExchange is trying to do something like this for patents, but
it would be interesting to see something similar for constitutional legal
issues like this and maybe forums for other areas like medical law, etc.

Prosecutors can throw the entire weight and resources of the US government,
but it would be nice if the people could throw around the weight of the entire
legal community without tipping their hand in court (e.g. allowing the
prosecution to see what the defense will argue in court for example).

If such a forum existed, it would be interesting if the terms of service could
help with establishing a looser attorney-client relationship, where you are
entitled to share all the information with all the eligible users (i.e.
licensed by eligible state bar associations), but where those users are more
arms length and have fewer obligations except for good faith (i.e. can't be
sued for any advice unless it can be demonstrated that they are a ill
intentioned actor, such as one acting on behalf of the other side, such as the
prosecution).

~~~
MWil
I don't want to say too much b/c I have competitors here (looking at you,
Casetext! jk Jake is a very nice guy) but this is pretty much my 5-10 year
plan for my company. Of course, we have to do some other things and build some
other tools before we get to that point but it's not not being worked on.

------
clamprecht
It takes a lot of balls to stand up to the US government, under the threat of
jail time and huge fines. Full respect to Ladar Levison.

~~~
sneak
Sometimes it's intelligence and perception over and above balls; for many, it
is a choice between basic liberty or death. Jail doesn't factor into it. (See
weev's sentencing transcript for an example of that to which I refer.)

~~~
malandrew
I hope weev has access to plenty computing books in prison. I can't imagine
being very involved in technology and then be separated from its progress for
several years.

------
linuxhansl
Form my past posts you'll know that I am critical of government spying and
overreaching authority in the bogus name of fighting terrorism.

In this case, though, didn't the process work? There is no blanket spying, no
action by the executive branch alone.

This a court order for a specific case in an ongoing criminal investigation,
reviewed and signed by a judge. Isn't that how the system is supposed to work?
The executive branch needs to request court order in order to commence
surveillance... All checks and balances are in place.

If anything, this is good. The government could and did not spy on the user at
issue here.

~~~
meowface
The problem in this case isn't the request ("we need email records of X
user"), the problem is that they requested the private encryption key for the
whole website, which would allow them to read the emails of every user.

~~~
rayiner
The problem was that the site was designed in such a way that there wasn't a
key per user.

~~~
infinity0
The problem was that the site was designed in such a way that the user didn't
have their own keys.

I don't even understand how it got to this stage. Would you rent a house where
the landlord had your keys, and you had to call them up for access?

~~~
MagicWishMonkey
That is how SSL is meant to work. Do you have your own SSL keys to your banks
website? Of course not.

~~~
alexwright
You can have a client side key BTW. It's a complete dick to setup and each UA
is different so it's really not viable for a product for the unwashed masses.
But for something like Lavabit I don't think would be unreasonable.

~~~
MagicWishMonkey
Ladar had a hard enough time making ends meet with the service as it was,
adding something like that to the mix would have alienated a huge portion of
his userbase.

You would think his users would be pretty savvy but he spent lots of time and
money walking people through simple tasks like configuring Outlook or
Thunderbird to check their email. I'm pretty sure support was his biggest
operating expense.

~~~
alexwright
I should have said for a product like Lavabit, ie mail as secure/private as
SMTP likely gets right now, I hope it wouldn't be unreasonable. However, in my
heart of hearts, I knew it was too much to ask for.

I guess anyone that knows how to create and setup a client side TLS cert and
key would also already know privacy and SMTP can't really live together, and
would setup a deaddrop for gpg encrypted messages.

------
jahfer
I might be misunderstanding here, but going through the court transcript (p.
49–50), but it sounds like the gov't was entitled to installing a pen
register[0] since (replace phone with email/internet):

 _" that because you knowingly expose phone numbers to the phone company when
you dial them (you are voluntarily handing over the number so the phone
company will connect you, and you know that the numbers you call may be
monitored for billing purposes), the Fourth Amendment doesn't protect the
privacy of those numbers against pen/trap surveillance by the government."_

Since all of the network communication happens over SSL though, they are
unable to read any of the data going into or out of the network without the
encryption keys.

Shouldn't they only be able to access what's exposed to the outside network,
or are they actually entitled to the unencrypted text, even if that's not
available without being inside the connection? Forgive my lack of
technical/legal understanding here.

[0] [https://ssd.eff.org/wire/govt/pen-
registers](https://ssd.eff.org/wire/govt/pen-registers)

~~~
chacham15
The problem is that the email is still sent to the address in an unencrypted
format. Lavabit, upon receiving an email, then encrypted it. Therefore,
Lavabit itself was provided with an unencrypted version of the email. That
means that the expectation of privacy does not exist and the government has a
right to the information. Or at least, that is the argument that the
government puts forth.

~~~
XorNot
They're not entitled to the contents of the email because the service can
operate without the contents. The service can _not_ operate without the origin
and destination details however.

That's what pen register metadata is - it's not email contents.

~~~
MWil
I'm confused by your statement. They're not entitled to the contents of the
communications b/c Congress hasn't/may no be able to authorize it.

~~~
XorNot
Pen register metadata was deemed not protected by the Supreme Court, but
privacy rights still protect the content of most communications from seizure
without a warrant.

It all comes down to reasonable expectation: to send a letter, or make a phone
call, you obviously have to tell the phone company the details of who you're
calling. Therefore the information is not considered to have a reasonable
expectation of privacy. Whereas you don't need to convey the content of your
email or voice conversations to them for the service to operate - you could
scramble your voice, or encrypt your email, and it wouldn't change a thing.

------
joering2
From Wikipedia article:

 _Levison objected saying that the key would allow the government to access
communications by all 400,000 customers of Lavabit. He also offered to add
code to his servers that would provide the information required just for the
target of the order. The court rejected this offer since it would require the
government to trust Mr. Levison and stated that just because the government
could access all customers ' communication did not mean they would be legally
permitted to do so._

This is a CORE of what is wrong with the oppressive system US become. Note
that Levison himself did not commit any crime; he simply offered the service
to host emails; he was not a criminal but yet court decided that he can't be
trusted. This is a core of the problem here. You can be a saint Pope yourself
and the Gov will not entrust you, but yet at the same time you have government
who on record murder its own people and do things after which you would have
not slept for a month, and is given carte blanche type of trust from the
judge.

~~~
malandrew
The government clearly can't be trusted either. They said they didn't collect
information on millions of Americans, which was an outright lie ("least
untruthful" statements are still lies). In another comment I proposed a
solution where there is a shared, recorded pair programming session where the
actual commands to be executed are approved by each side before execution.
What I don't know is if such a session could be set up without giving exposing
your keys to the system capable of handling the shared session.

------
r00tbeer
Sending the SSL keys to the FBI as a multi-page printout in 4-point font when
the government doesn't specify what format it wants is pretty funny. (Page 127
- 137.)

~~~
crystaln
Certainly the FBI could have used some simple OCR to import the key...

~~~
grrowl
Some of the text was so small the FBI said it was illegible (in their view).
Even a single digit wrong would render the entire key useless (B != 8)

------
pseingatl
To me the most disturbing part of the in camera proceedings was when Levinson
asked for the ability to enlist public support and the US Attorney objected--
not because it threatened the investigation, but because they didn't want
Levinson getting any help. Ultimately Levinson did get help and the case
attracted wide attention, but not everyone is so lucky. From a legal
perspective I find all the technical "under the hood" arguments fascinating--
but the courts don't care. They may care twenty years from now, but they don't
care now. The judge has lived with computers since the 1980's and he's talking
about phone numbers. Lord have mercy.

------
MWil
pg. 115 - Levison's lawyer has trouble arguing his points with the Judge

He is trying to make it clear that this is not about a system that was
designed to make it hard to get snowden's data in the sense that Levison is
actually ever arguing that snowden's data is or should be protected or is
difficult to retreive. It only becomes difficult to retreive ONLY snowden's
data and that is why the govt should be restrained in its options without
violating the privacy of 399k others.

------
MWil
(commenting as I read along) pg. 11 - Certification of Business Records

Thought he was being asked to install trap/trace/whatever by the govt
alongside his equipment - might explain why this wasn't filled out/signed.
It's not part of his regular business to record all such information.

~~~
MWil
Sure enough, trap/trace was ordered 18 days after the govt's initial
application was approved by the Court

~~~
MWil
pg. 30 contains what sounds like a much too broad request for any and all
public and private keys for ALL lavabit users including HTTPS sessions and
SMTP communications, not just Snowden

Actual search warrant is much more narrow to just Snowden, although missing
the date before which the warrant must be executed

Served in TX on a Thursday to show up for court the next Tuesday AM in VA -
gotta love that prep time!

~~~
dalke
When it actually get to court, the judge emphasizes that only information
about a specific account is needed. The judge on p115 or so emphasizes that
the government can ask for that information, and it doesn't matter if it's
easy or hard to access.

The judge on p50, says that encryption keys must be provided in order to make
sense of the legally obligated pen register data. Levinson, on p51, brought
the keys with him (as you mentioned, on p30), but Levinson, on p52 points out
... well, I'm not sure. I think it's that the keys in the subpoena don't
actually exist?

Levinson is willing to make the pen register available, for a development fee
of about $2,000 (p90). (Note: Verizon charges about $700 for 60 days of a pen
trap; see
[https://www.aclu.org/files/cellphonetracking/20120328/celltr...](https://www.aclu.org/files/cellphonetracking/20120328/celltrackingpra_irvine7_irvineca.pdf)
. I don't find the $2,000 to be unreasonable by comparison.) The government
says that paying development costs has never been done before (to the lawyer's
understanding), and doesn't want to do so. (p116). On p 115, the judge says
that ease or difficulty doesn't play a role on if the government is lawfully
entitled to the information. (I wonder then how Verizon can charge for it.)

Levinson, btw, wants to provide the data in a lump data dump, after 60 days of
recording (p90). More frequent updates will cost another $1,500.

The government, on the other hand, demands real-time data, and wants to
install a real-time device which captures _all_ metadata, which is then
filtered so that agents only receive what's in the pen order (p121). This
requires the full SSL keys.

The judge agrees with the government that this is reasonable. (line 18, p121).

Previously (p56), Levinson asked the court if it was possible to do an audit
of the pen register. The judge responded that any request for extra monitoring
would be denied.

BTW, Appendix A shows a copy of the infamous SSL key as 4pt font.

~~~
arca_vorago
These are the key points to me.

"The government, on the other hand, demands real-time data, and wants to
install a real-time device which captures all metadata, which is then filtered
so that agents only receive what's in the pen order (p121). This requires the
full SSL keys.

The judge agrees with the government that this is reasonable. (line 18, p121).

Previously (p56), Levinson asked the court if it was possible to do an audit
of the pen register. The judge responded that any request for extra monitoring
would be denied."

Who knows what all these little black boxes do? Just because they say it will
only transmit what is in the order, how can one know otherwise? Hence the
request for audit, which is denied... very, very suspicious.

~~~
dalke
Agreed. There's a place there where the judge asked the lawyer for Lavabit
something like "if you don't trust the government wiretap box then why should
the government trust that you are providing the required information"?

The lawyer had no real response, and agreed that the judge had a good point.

I can think of some answers which might have been better, but they require
technical collaboration to come up with a mutually acceptable answer. Or, with
the Snowden information we know now, there's a reasonable suspicion that the
unreviewed information might be stored for later, should the government decide
there are other justifiable reasons to review it in the future.

~~~
MWil
The only answer you need is that the Constitution is simultaneously built on
trust/mistrust of government. Otherwise, why bother with checks and balances.

------
MWil
pg. 92 - confirmation that the encryption at least partially foiled the govt
attempts to trap/trace at the ISP level (the ISP of Lavabit)

~~~
MWil
pg. 94 - it seems somewhat dishonest of the govt to insist that Levison has
not come up with a solution to reveal the information authorized considering
Levison offered to build it and requested IMO reasonable compensation to his
system to do so

~~~
MWil
pg. 98 - Govt says "just go buy a new $100 SSL cert from GoDaddy when we're
done!"

LOL

------
MWil
pg. 113 - The Court questions the design of Lavabit itself - as in, why should
the govt be punished b/c they promised their users would have privacy

------
MWil
It's only 147 pages. Is this Vol I and II?

------
neur0mancer
scribd link seems to be broken

~~~
popey
The cryptome link works.
[http://cryptome.org/2013/12/lavabit-027.pdf](http://cryptome.org/2013/12/lavabit-027.pdf)

