
Lavabit Founder Says He Had ‘Obligation’ to Shut Service - bmmayer1
http://bits.blogs.nytimes.com/2013/08/12/lavabit-founder-says-he-had-obligation-to-shut-service
======
grey-area
There's also an interview with the Lavabit founder Ladar Levison and his
lawyer over on democracy now (seems to be on the HN banlist):

[http://www.democracynow.org/2013/8/13/exclusive_owner_of_sno...](http://www.democracynow.org/2013/8/13/exclusive_owner_of_snowdens_email_service)

~~~
guelo
Whoa, I had never heard of an attorney-client gag before:

> LADAR LEVISON: Well, just to add one thing to Greenwald’s comments, I mean,
> there’s information that I can’t even share with my lawyer, let alone with
> the American public.

~~~
anologwintermut
My understanding was attorney client privilege was basically absolute. So it
would be nigh unto impossible to actually prevent you from sharing something
with your lawyer. I wonder if the guy is embellishing some of this.

Of course, if you engage in a criminal conspiracy with your lawyer, it's
breakable (sorry Walter White). So they could claim espionage. But the catch 22
is proving it if the only evidence is itself covered by said privilege.

~~~
thecodeore
It would be a technical violation of the law to reveal to ANYONE including
your lawyer that you received an NSL.

~~~
antihero
Just saying, there is no law on god's earth that would stop me talking to my
girlfriend. The government simply does not have that right and I would NEVER
recognise it.

~~~
mcherm
You don't have to recognize that right so long as you're willing to take
Snowden's route: flee to a country that is willing to stand up to the US and
never return.

------
betterunix
I am more concerned about this:

"Lavabit had complied with 'narrowly tailored' court orders for user
information on at least two dozen occasions in the past"

In other words Lavabit is not any better than Hushmail. Lavabit did not base
its security on cryptography; it based it on trusting the people who worked
for the company. Cryptography was just a side show, just like with Hushmail,
because Lavabit could get the plaintexts whenever someone working there wanted
(or whenever they were compelled to do so by a government, criminal
organization, etc.).

~~~
jmillikin
Lavabit was hosted webmail, and therefore inherently dependent on the host not
being evil. It is not possible to construct a hosted webmail service that is
safe against a malicious/compromised host.

The phrase "user information" is vague; it could include timestamps of all
requests from a particular IP, for example. Given that he was willing to shut
down his sole source of income on principle, I'm willing to believe that he
had reasonable crypto in place to protect user data at rest.

    
    
> Cryptography was just a side show, just like with Hushmail, because Lavabit
> could get the plaintexts whenever someone working there wanted (or whenever
> they were compelled to do so by a government, criminal organization, etc.).

Assuming good faith and a reasonable storage implementation, it is possible
that Lavabit is not capable of providing plaintext messages on demand. I heard
somewhere that messages were stored with a key derived from the user's
password; if true, then a warrant for johndoe@lavabit.com might not be
fulfillable until after the next successful login from johndoe@.

~~~
betterunix
"The phrase "user information" is vague; it could include timestamps of all
requests from a particular IP, for example."

Sure, but this warrant makes it pretty clear that the government was seeking
message bodies, attachments, etc.:

[http://ia600908.us.archive.org/9/items/gov.uscourts.mdd.2362...](http://ia600908.us.archive.org/9/items/gov.uscourts.mdd.236204/gov.uscourts.mdd.236204.docket.html)

"I heard somewhere that messages were stored with a key derived from the
user's password; if true, then a warrant for johndoe@lavabit.com might not be
fulfillable until after the next successful login from johndoe@."

...or to try brute forcing the password offline, which has a reasonable
probability of working. Either way, it is not any different than the situation
with Hushmail, and I would put both squarely in the "snake oil" category.

~~~
AaronFriel
> ...or to try brute forcing the password offline, which has a reasonable
> probability of working. Either way, it is not any different than the
> situation with Hushmail, and I would put both squarely in the "snake oil"
> category.

You have an awfully high standard of what you define as "snake oil"
cryptography. If a brute force effort to derive the secret key constitutes
snake oil, I have bad news for you regarding the state of crypto.

~~~
betterunix
First of all, brute forcing the password is not needed _unless_ the user fails
to log in. The system is designed for the user to send the most important
secret, on which the rest of the system's security depends, to a third party.

That being said, brute forcing a password is not the same thing as brute
forcing a secret key. The distribution of passwords that people can remember
is not even remotely uniform, and the distribution of passwords that people
actually use is even more heavily biased.

Compare to GnuPG: the attacker needs access to your computer before he can
even attempt to brute force your password or try to capture it.

~~~
AaronFriel
Brute forcing an individual user's password can still be made an extremely
costly operation with appropriate measures incorporated.
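The design the last few comments argue over, as an added illustration that is not Lavabit's code and makes no claim about how Lavabit actually stored mail: each message is encrypted under a key derived from the user's password with a memory-hard KDF, so the host holds only ciphertext, a salt and the cost parameter until the user next logs in (the public-key wrapping a real mail service would need for messages arriving while the user is offline is left out). The same structure is what lets anyone holding the stored blobs guess passwords offline, which is why the `log2_n` work factor, rather than the cipher, decides what each guess costs. The HMAC counter-mode keystream and the `Mailbox`, `guess_offline` names are constructed for the example; a production system would use an AEAD instead of the hand-built stream cipher.

```python
import hashlib
import hmac
import os

# Constructed illustration (not Lavabit's code): messages encrypted under a
# key derived from the user's password; the host keeps no key and no password.


def derive_key(password: str, salt: bytes, log2_n: int) -> bytes:
    """Memory-hard KDF. log2_n sets the scrypt work factor (N = 2**log2_n);
    raising it by one roughly doubles the time and memory of every guess."""
    return hashlib.scrypt(password.encode(), salt=salt, n=1 << log2_n, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for keystream and tag, both derived from the KDF output.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (illustrative only; a real
    # service would use an AEAD such as AES-GCM or ChaCha20-Poly1305).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not verify the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Mailbox:
    """What the host stores at rest: salt, KDF cost and ciphertexts only."""

    def __init__(self, password: str, log2_n: int = 14):
        self.salt = os.urandom(16)
        self.log2_n = log2_n
        self.blobs = []
        self._key = derive_key(password, self.salt, log2_n)  # session key only

    def deliver(self, message: bytes) -> None:
        self.blobs.append(encrypt(self._key, message))

    def logout(self) -> None:
        self._key = None  # from here on the host cannot decrypt anything

    def read_all(self, password: str):
        """A warrant is only fulfillable once the user supplies the password."""
        key = derive_key(password, self.salt, self.log2_n)
        return [decrypt(key, b) for b in self.blobs]


def guess_offline(mailbox: Mailbox, candidates):
    """The betterunix objection: with the blobs in hand, candidate passwords can
    be tried without the user. Each try costs one full KDF evaluation.
    Returns (password_found_or_None, number_of_tries)."""
    tries = 0
    for cand in candidates:
        tries += 1
        key = derive_key(cand, mailbox.salt, mailbox.log2_n)
        if decrypt(key, mailbox.blobs[0]) is not None:
            return cand, tries
    return None, tries


if __name__ == "__main__":
    box = Mailbox("correct horse battery staple")
    box.deliver(b"meet at noon")
    box.logout()
    print(box.read_all("wrong password"))                  # [None]
    print(box.read_all("correct horse battery staple"))    # [b'meet at noon']
```

The point of `guess_offline` is the asymmetry the thread circles around: a strong passphrase is out of reach for any candidate list, but a common password falls after a handful of tries, and the only lever the service controls is the KDF cost per try.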

------
akkartik
_"After his announcement last Thursday, a second company, Silent Circle,
based in Maryland, said it would close its secure e-mail service. That company
said it had not been served with a government order of any kind. In a
pre-emptive bid to protect its customers’ data, Silent Circle said it had
obliterated everything in its server."_

Uh, what? This could almost be the story satirized by this passage from 1911:

 _" A certain German art expert, who had obtained from the municipality of
Bergamo permission to inspect the famous masterpiece, declared it to be a
spurious Pincini... The editor of an Italian art journal refuted the
contentions of the German expert and undertook to prove that his private life
did not conform to any modern standard of decency. The whole of Italy and
Germany were drawn into the dispute, and the rest of Europe was soon involved
in the quarrel. There were stormy scenes in the Spanish Parliament, and the
University of Copenhagen bestowed a gold medal on the German expert
(afterwards sending a commission to examine his proofs on the spot), while two
Polish schoolboys in Paris committed suicide to show what THEY thought of the
matter."_

-- Saki, "The Background"
([http://ebooks.adelaide.edu.au/s/saki/clovis/chapter6.html](http://ebooks.adelaide.edu.au/s/saki/clovis/chapter6.html))

~~~
harshreality
_Uh, what? This could almost be..._

They're nothing alike. Suppose Silent Circle sent an email to all its users
announcing that they would destroy the data on the server in 7 days. It's a
good bet the government has accounts on most privacy-advocating web services,
simply to keep tabs. That gives the government 7 days to try to get a FISA
warrant, or if they think they can get away with it, unilaterally issue an NSL.

They would only be able to subpoena a few of the email accounts (or maybe a
lot, but certainly not all), but that still breaks the privacy model many
people assume given its advertisement as "secure" webmail.

Silent Circle didn't want to take the chance, and your hyperbolic parallel
notwithstanding, they had good reason to do what they did.

~~~
akkartik
Hmm, I think we're making different assumptions about what happened to
Lavabit, so it might be useful to discuss this more.

I was assuming that:

a) Lavabit can't access its users' email, so any subpoenas are ineffective at
getting at emails stored in their servers.

b) However, the feds would force them to snoop on decrypted data for specific
accounts as it is served back to the user. This would only give access to what
the user happens to read after the order goes into effect.

c) They received a new order that was a _lot_ more invasive, perhaps to snoop
on all plaintext data as it left their servers.

d) They suspended operations before any such snooping could occur.

If all this is true, any other operation can follow the same steps. If the
feds ask for too much, we suspend operations immediately, no 7 days. But they
wouldn't need to preemptively suspend before the feds come knocking. Is there
something wrong with my reasoning? Were you making different assumptions?

~~~
thecodeore
Actually they would: with an NSL the Government can (and has been suspected of
doing so in the past) force a service provider to remain operational, or not to
do anything that would interfere with the collection of the data they are
looking for.

Now I don't know if the NSA attempted that with Lavabit, or if Lavabit
willfully ignored that demand, etc., but the government does have that legal
power.

~~~
rbritton
Sounds remarkably familiar...

"In the name of the general welfare, to protect the people's security, to
achieve full equality and total stability, it is decreed for the duration of
the national emergency that:

...

Point Two. All industrial, commercial, manufacturing and business
establishments of any nature whatsoever shall henceforth remain in operation,
and the owners of such establishments shall not quit nor leave nor retire, nor
close, sell or transfer their business, under penalty of the nationalization
of their establishment and of any and all of their property.

..." [1]

[1] [http://conservapedia.com/Directive_10-289](http://conservapedia.com/Directive_10-289)

------
jusben1369
“I’ve always sort of believed it’s important for Americans to have private
conversations with other Americans,” Mr. Levison said in a telephone interview
Monday, “and not fear that their conversations were being monitored by the
government.”

The problem with that is you know your service is going to be used by
criminals, child pornography, organized crime, terrorists etc. So if you start
this service you know you're going to have to comply with government requests
for that data. It seems disingenuous to complain about their requests as
though you didn't expect them and that they wouldn't be reasonable. And I think
he's saying that in his own way when you get into the details: "Yep, I
supported the narrowly defined ones but the broadly defined ones are the straw
that broke the camel's back"

~~~
joering2
I have some issues with your statement.

> The problem with that is you know your service is going to be used by
> criminals, child pornography, organized crime, terrorists etc.

That's a huge stretch and abuse of logic IMHO. Don't build roads because
criminals and terrorists will drive on them. There will also be UPS/FedEx
couriers delivering printed child pornography driving those roads. So better,
set up checkpoints and unmanned vehicle X-ray type scanners and put them
everywhere on highways.

More insane: don't open a barber shop, because if you have a hairy guy robbing
the bank next door, he can get a haircut at your place and cops will have a
hard time recognizing him.

I don't think each and every one of Lavabit's 1,500 paid customers was a
terrorist. I understand and respect people's willingness to have safe and
secure email, as the Constitution says you should feel safe and secure in your
own skin.

> So if you start this service you know you're going to have to comply with
> government requests for that data.

We don't know what really happened. Knowing how the feds work just a little
bit, I wouldn't be surprised if the owners were intimidated via
FBI/CIA/DEA/IRS and plenty of other Government Organisations. I wouldn't be
surprised if the owners, their families and their friends fell under heavy
scrutiny and deep IRS audits. There are really so many things the Feds can do,
technically, without breaking the law, and still harass $hit out of you and
your family.

If they fall on each gov request, next we will have that barber share his
info, just because the feds want to. You know, terrorists are humans; they do
get a haircut sometimes too.

~~~
ceol
_> Thats a huge stretch and abuse of logic IMHO. Don't build roads because
criminals and terrorists will drive on them._

Just thought those two sentences were funny being right next to each other.

Let's be honest here, though: The percentage of people using his email service
for illegal reasons is much higher than the percentage of people using roads
for the same illegal reasons. It's the same problem that Pastebin faces,[0]
and it's the reason paste.pocoo.org shut down.[1] Services that advertise
complete privacy and anonymity get swamped with people who want to hide
illegal activity.

[0]: [http://www.tgdaily.com/security-features/62490-pastebin-to-p...](http://www.tgdaily.com/security-features/62490-pastebin-to-police-itself-for-illegal-content)

[1]: [http://paste.pocoo.org/about/](http://paste.pocoo.org/about/)

------
ballard
The problem with centralized privacy-as-a-service is the Fed raid problem. In
order to be "fed proof," a service must be sufficiently distributed.

PS: I'll say what has been said again, Lavabit was so close to being wildly
successful, it's a shame that an insecure govt leadership decided to squash a
thriving venture. Though it was a likely conclusion because of centralized
ownership.

~~~
betterunix
The problem is not limited to any specific government; the problem is that you
are doing something inherently insecure when you allow a service provider to
generate, store, and utilize your private keys. Exploits by law enforcement
are not the only problem -- spies, criminals, etc. can also exploit the
weakness.

------
vpeters25
I'm no lawyer but I think Mr. Levison should lay low and avoid talking to the
media. I think he is already in deep trouble; if he keeps talking, he is
pretty much challenging federal prosecutors to have him "Swartz'd".

~~~
mtgx
Defy the system. Abusive governments win when everyone shuts up.

------
anovikov
An idea for fixing this is having an email provider broken up between several
countries that are not expected to cooperate (like U.S., Russia, Ecuador and
Iran) and coded in a way that renders information worthless unless pieces from
all parts are used. Then no court order can help.

~~~
anovikov
Correction: better to have some redundancy, because otherwise a single country
can shut down the system (while not stealing the data).
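The "pieces from all parts" scheme in the parent comment and the redundancy in the correction are the two ends of one construction, Shamir's k-of-n secret sharing: with k equal to n every holder is needed and any one of them can halt the system by withholding; with k below n the key survives the loss of n minus k holders, while any group smaller than k still learns nothing. The code below is an added example, not anything the comment author built; the jurisdiction names and the `jurisdictions_can_recover` helper are constructed for the illustration. A stored key, not the mail itself, is what would be split in practice.

```python
import secrets

# Constructed example: Shamir k-of-n secret sharing over the prime field GF(P).
# Each holder (a "country" in the thread's proposal) keeps one share.
P = 2**521 - 1          # Mersenne prime; any key of 64 bytes or fewer fits
FIELD_BYTES = (P.bit_length() + 7) // 8


def _eval_poly(coeffs, x):
    # Horner evaluation of a polynomial with coefficients in GF(P)
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_secret(secret: bytes, n: int, k: int):
    """Return n shares (x, y); any k of them recover `secret`, fewer do not.
    k == n reproduces the original 'all pieces required' proposal."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n < P) or s >= P:
        raise ValueError("bad parameters")
    # Free coefficient is the secret; the other k-1 are uniformly random.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange interpolation at x = 0. Given fewer than k shares the wrong
    polynomial is interpolated and the result is garbage, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    # Garbage may exceed `length` bytes; keep the low-order bytes in that case.
    return total.to_bytes(FIELD_BYTES, "big")[-length:]


def jurisdictions_can_recover(holders, available, k: int) -> bool:
    """Can the holders that are still cooperating (or still online) meet the
    threshold? This is the question the correction is about."""
    return len(set(available) & set(holders)) >= k


if __name__ == "__main__":
    key = secrets.token_bytes(32)                  # the mailbox master key
    holders = ["US", "Russia", "Ecuador", "Iran"]  # names from the comment
    shares = dict(zip(holders, split_secret(key, n=4, k=3)))
    # Three of four suffice, so one hostile or offline jurisdiction is tolerated
    print(recover_secret([shares[h] for h in ("US", "Ecuador", "Iran")], 32) == key)
    # Two do not: the recovered value is unrelated to the key
    print(recover_secret([shares["US"], shares["Russia"]], 32) == key)
```

Choosing k is the whole design decision: k = n gives the strongest "no court order can help" property but lets any single holder deny service, which is exactly the failure the correction points out; k = n - 1 or lower buys availability at the price that k cooperating jurisdictions can reassemble the key.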

