Lavabit Case Shows Why We Need Tech Literate Judges
from the a-failure-of-knowledge dept
While there's plenty of attention being paid to Lavabit's temporary re-opening for the sake of letting people export their accounts, a much more interesting issue is the recent development in the legal case. Lavabit has filed its latest brief, and there are some interesting discussions about the details of the case. From my reading, Lavabit makes a very strong argument that the government has no right to demand the production of Lavabit's private SSL keys, as it's an overreach way beyond what traditional wiretapping laws allow. Lawyer Orin Kerr's analysis argues that Lavabit's case is weak, mainly arguing that the federal government can subpoena whatever the hell they want, and just because it conflicts with your business model: too bad. Lavabit argues that complying with the government's order is oppressive because it would effectively mean it would be committing fraud on all its customers:
> [T]o comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut down entirely. That is the key point, and the resulting harm goes far beyond a mere inconvenient search for records. Just as requiring a hotel owner to install glass doors on all its hotel rooms would destroy the hotel’s business, Lavabit cannot exist as an honest company if the government is entitled to take this sort of information in secret. Its relationship with its customers and business partners depends on an assurance that it will not secretly enable the government to monitor all of their communications at all times. If a mere grand jury subpoena can be used to get around that (in secret, no less), then no business—anywhere—can credibly offer its customers a secure email service.
But Kerr points out that this is a "really weak argument":
> This strikes me as a really weak argument. Lavabit is essentially claiming that its anti-government business model trumps the subpoena power. That is, it is arguing that the subpoena is “oppressive” precisely because it would work: It would allow the government to conduct the surveillance it is allowed to conduct under the Pen Register statute.
Further, Kerr argues that to accept Lavabit's argument would mean that any company that announces an "ideology or business strategy" that opposes government surveillance could then resist legitimate government subpoenas simply by arguing that they are oppressive and abusive.
I respect Kerr and always look forward to his legal analysis, but I think he's wrong at a variety of levels here, and, tragically, the judge in the case seems to have the same confused view of what Lavabit is actually arguing (though, one could argue, that is actually the fault of Lavabit in not making its case clearly). Lawyer Scott Greenfield does a good job explaining why Kerr has mischaracterized Lavabit's defense -- first noting that being pro-privacy is hardly being "anti-government" as Kerr implies. He then points out that Lavabit's argument isn't that the government's demand for its private keys was merely oppressive because of its business model, but because it would put Lavabit out of business -- which is not the same thing.
> This isn't really a fair characterization of Lavabit's point. Initially, the argument is that revelation of the private key would be the ruination of the business. By exposing every customer to government disclosure, and covert disclosure at that, the government would take a viable business, making money and delivering a service as businesses are allowed to do in America, and destroy it. Poof, company gone. Business gone. Revenue gone. Wham, bam, thank you, Ladar.
But there's an even bigger point in here, which I think Kerr misses entirely, and Greenfield skips over: from a technology standpoint, what the government is demanding of Lavabit is absolutely oppressive and abusive. And, for that, it helps to look at Ed Felten's discussion of the case, in which he notes that the judge and other DOJ supporters in this case (including, it would seem, Kerr) are basically arguing that "If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?" But Felten points out that requiring "court ordered access" is tantamount to requiring a massive vulnerability to insider attacks:
> To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.
> From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.
> Insider attacks are a big problem. You might have read about a recent insider attack against the NSA by Edward Snowden. Similar but less spectacular attacks happen all the time, and Lavabit, or any well-run service that holds user data, has good reason to try to control them.
Now, go back to the judge's order or Kerr's analysis, and revisit it with what Felten pointed out, and you realize how far off-base both the judge and Kerr are in their analyses. Lavabit didn't design its system to be set up the way it was because it was "anti-government," but rather because it wanted to create secure email that protects against a variety of different kinds of attacks, both insider and outsider. That's why it found the government's request so "abusive" and "oppressive." Not because of an ideological disagreement, but rather because of the technological reality that handing over Lavabit's private keys absolutely wrecks any real security of Lavabit's system, which is Lavabit's entire business.
So, while Kerr and the judge in the case seem to think it's a mere ideological issue, that's simply not true. It's a technological issue, on which Lavabit's entire business was based. If Kerr and the judge are correct, then, as Felten properly notes, it becomes effectively illegal to build a really secure communications system. That seems positively ridiculous, especially in a time when we're told (by the very government agency that wants to do all this spying) that we need better online security to protect against attacks.
Filed Under: doj, ed felten, email, ladar leveson, orin kerr, scott greenfield, secure email, subpoenas
Companies: lavabit
Reader Comments
Still not the right arguments or points
[ link to this | view in chronology ]
Re: Still not the right arguments or points
[ link to this | view in chronology ]
Re: Still not the right arguments or points
In this case, they are demanding not that Lavabit occasionally turn over suspects' email data when asked; they are asking for a permanent back door to look into anyone's comms without anyone knowing, even the hosting company. That is wrong on every level (spying on everyone regardless of suspicion, lack of informing a third party such as the hosting company, no process).
[ link to this | view in chronology ]
Re: Re: Still not the right arguments or points
Why subpoena records when you can just write your own and get a guaranteed conviction of the accused?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
First off, self certification is available for anyone who wants it for SSL, you can self cert your own certificate any time you want. You only have to pay an external provider if you want it to be from a trusted provider rather than trying to form your own. In other words, if you're using the certificate on a public website and you want to appear to be trusted you have to pay, else you can generate your own with an internal certificate if it's just for internet users. SSL doesn't have to cost anything, depending on the use case.
Secondly, I don't think that's how they were working in the first place - certainly not through SSL, perhaps think more like PGP. As I understand it, each user had a private and public key generated to protect the content. Lavabit stored the content but did not have the private key stored. Each individual would have a separate key, but Lavabit wouldn't know what it was. When a user tried to access the mail, then and only then would the key become available to Lavabit's software to decrypt the mail in order for the user to access it. What Lavabit were being asked to do was monitor the connection and capture the key when it was used to decrypt the mail, and then provide that for use when authorities demanded it. While technically possible, this would be a huge breach of trust and any security company depends on trust in order for people to use them, hence the complaint.
Forgive me if anyone else is seeing this as wrong and I'll welcome corrections, but the bottom line is I doubt they required an individual GoDaddy or Verisign certificate for every user.
[ link to this | view in chronology ]
Re: Re:
One, while you can create a self signed SSL key, in a company with customers, this is not something you want to do. Giant error messages constantly pop up warning you that the certificate is self signed and cannot be trusted.
Two, that is how they were working. If you go back through the Techdirt history, you'll see the article about Lavabit giving the SSL key in tiny, unreadable 4 point font. The big argument about why being forced to give out the key was a bad thing is that it would give the government complete access to all accounts on Lavabit.
This wasn't the situation described where a subpoena comes in and someone at the company decrypts the data and only that data. This was the government trying to get the ability to decrypt all the data going in and out of the system whenever it wanted without anyone at Lavabit knowing.
[ link to this | view in chronology ]
Re: Re: Re:
But surely if they had to use a costly external provider as per rw's point, then it would be irrelevant what Lavabit did, as the authorities could just go after the provider to get the keys?
[ link to this | view in chronology ]
Re: Re:
What they wanted initially was known as a 'pen register', and amounted to giving the NSA access to monitor who a person was contacting/possible content monitoring. However, because that data stream being monitored is encrypted, the pen register told them nothing.
What they then attempted was to get the SSL certificate, which we have been told would have erased the security of the system and given the NSA full access to everyone's data. Given that a proper PGP system wouldn't be affected by the compromise of the SSL certificate, given that the PGP public private key system is independent of SSL, it seems likely that the data was encrypted using SSL.
This has the advantage, as I pointed out elsewhere, that the user gets protection against man in the middle intercepts of his data but can still email non PGP users or PGP users with whom they had not yet shared public keys. You still want to be careful emailing said unprotected users, but the security of the communications 'in-transit' is significantly improved.
And it is clear from what we have been told that there was only one SSL certificate.
[ link to this | view in chronology ]
Re: Re: Re:
That's not what I recall. As I recall, Lavabit refused to comply with the pen register order. That's when the NSA went to court to force Lavabit to comply. Things escalated from there.
Clearly, Lavabit didn't implement a "proper" PGP system, with encryption/decryption happening at the client *only*, or handing over the SSL key wouldn't have granted access to users' emails (which seems to be what's being argued). I'm not sure how Lavabit did provide its secure email services, though.
[ link to this | view in chronology ]
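The scope question argued in the comments above, as an added example that is not part of the original thread and is not Lavabit's code. It assumes RSA key transport (the client wraps each session key to the server's single public key; the page does not say which key exchange Lavabit used) and uses toy textbook RSA and a hash-based XOR stream as stand-ins for real TLS and PGP; all names and messages are constructed.

```python
import hashlib
import secrets

E = 65537        # usual RSA public exponent
KEY_BYTES = 64   # 512-bit toy modulus; real keys are 2048 bits or more


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and _is_probable_prime(c):  # keeps E invertible mod (c - 1)
            return c


def make_keypair():
    """Textbook RSA without padding: for illustration only."""
    p = _prime(KEY_BYTES * 4)
    q = _prime(KEY_BYTES * 4)
    while q == p:
        q = _prime(KEY_BYTES * 4)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)


def _xor_stream(key, data):
    """Toy stream cipher: XOR with SHA-256(key || offset) blocks."""
    kb = key.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(kb + i.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(public, plaintext):
    """What a passive tap records: a fresh key wrapped to `public`, then ciphertext."""
    n, e = public
    k = secrets.randbits(128)
    return pow(k, e, n).to_bytes(KEY_BYTES, "big") + _xor_stream(k, plaintext)


def open_sealed(private, blob):
    """Unwrap and decrypt; None when the key does not fit the blob."""
    n, d = private
    k = pow(int.from_bytes(blob[:KEY_BYTES], "big"), d, n)
    if k.bit_length() > 128:  # wrong private key yields a random, oversized value
        return None
    return _xor_stream(k, blob[KEY_BYTES:])


# Constructed sample mail: one account named in an order, two that are not.
MAIL = {
    "target": b"message for the account under investigation",
    "user_b": b"message for an unrelated customer",
    "user_c": b"message for another unrelated customer",
}


def readable(blob, message, disclosed):
    """True if peeling `blob` with the disclosed keys, outermost first, gives `message`."""
    data = blob
    for private in disclosed:
        data = open_sealed(private, data)
        if data is None:
            return False
    return data == message


def run():
    server_pub, server_priv = make_keypair()
    users = {u: make_keypair() for u in MAIL}
    # Design 1: mail protected only by the session to the server's one key.
    transport = {u: seal(server_pub, m) for u, m in MAIL.items()}
    # Design 2: mail encrypted on the client to the user's own key, then sent
    # over the same kind of session.
    layered = {u: seal(server_pub, seal(users[u][0], m)) for u, m in MAIL.items()}

    def exposed(capture, disclosed):
        return sorted(u for u in MAIL if readable(capture[u], MAIL[u], disclosed))

    return {
        "transport only, server key disclosed": exposed(transport, [server_priv]),
        "client-encrypted, server key disclosed": exposed(layered, [server_priv]),
        "client-encrypted, server key + target's key": exposed(
            layered, [server_priv, users["target"][1]]),
    }


if __name__ == "__main__":
    for scenario, names in run().items():
        print(f"{scenario}: {names}")
```
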
That's a feature, not a bug
Given that seems to be exactly what the NSA is aiming for, making every service vulnerable, just to make their jobs easier, I can certainly see why a judge would go with that argument.
Also, something that struck me, 'anti-government business model'... things are screwed up indeed when providing secure, private services is seen as 'anti-government', rather than simply common sense. By that same logic banks rely on 'anti-government business models', as they also try and keep customer data secure, and would likely object to being ordered to hand over all their customers' data/accounts, and for the same reason: doing so would cause their customers to very quickly become ex-customers.
[ link to this | view in chronology ]
Re: That's a feature, not a bug
[ link to this | view in chronology ]
Re: Re: That's a feature, not a bug
Disagree with Us? You're one of Them.
And so it goes. That is the mindset of those people we've devolved authority to and that is what we need to fight. Miss the point at your peril; we'll be too busy fighting each other to concentrate on the real enemy.
Vote the bums out in the next election, and for the love of God vote third party.
[ link to this | view in chronology ]
pro piracy = anti government
Kerr's argument is correct in that Lavabit's stand appears to be that their customer agreement should somehow trump the law, that a summons issued by the courts should somehow be able to be ignored because it would cause them issues with their clients. The excuse that handing over the keys hurts their business does not grant them any pardon from the case or excuse them from their legal liability in the issues at hand.
If their business strategy is built on obscuring things from all legal action at all times, they are very specifically anti-government, anti-law and order, and attempting to put their own actions and those of their customers somehow ahead of the legal rights of others. That doesn't seem right or fair, no matter what technological veil you try to throw over it.
[ link to this | view in chronology ]
Re: pro piracy = anti government
[ link to this | view in chronology ]
Re: Re: pro piracy = anti government
[ link to this | view in chronology ]
Re: pro piracy = anti government
Does that make them illegal?
[ link to this | view in chronology ]
Re: Re: pro piracy = anti government
Yes, and the police can show up at your LOCKED door with a valid search warrant for the premises and be able to get past the locked door - and in general be able to open any other locked doors inside of that premises within the scope of the warrant.
Lavabit is trying to say "you can't come in the building, because what we are doing is none of your business", yet the warrant (issued by a court) says otherwise. You cannot block the law just by putting a lock on something and saying "this lock is stronger than your warrant".
It doesn't make things inside illegal, but a valid warrant is still a valid warrant, and digital locks should be no different in front of the law compared to a lock on a file cabinet or a strong box.
[ link to this | view in chronology ]
Re: Re: Re: pro piracy = anti government
Not only that, but they then try and tell the building owner, the one that they are asking for the key from, that he's not allowed to mention it to those renting apartments, whether they are the ones being investigated or not.
And finally, they demand the ability to set up surveillance on all tenants, though they 'promise' that it's automated, and that despite the fact that they are demanding the ability to enter any apartment, and watch every tenant, that their efforts will only catch actions performed by their suspect, and nothing else.
[ link to this | view in chronology ]
legality != morality
[ link to this | view in chronology ]
Re: pro piracy = anti government
People who support gay marriage (in some states) are anti-government.
People who speed are anti-government.
[ link to this | view in chronology ]
Re: Re: pro piracy = anti government
OMG! I'm anti government!
[ link to this | view in chronology ]
Re: pro piracy = anti government
A warrant that seizes all the email accounts of an email provider business despite the fact that none of them are related to your investigation is not specific and therefore illegal.
Our nation is a constitutional republic, there are things the government CANNOT do because they are illegal. Expecting the government to obey the law isn't anti-government, it's pro-government.
[ link to this | view in chronology ]
Re: anti piracy = pro idiocy
[ link to this | view in chronology ]
Re: pro piracy = anti government
[ link to this | view in chronology ]
Re: Re: pro piracy = anti government
No one disputes that you may deservedly enjoy some privacy from the peeping-toms lurking amongst your neighbors.
But relations between the individual and the state rest on a different plane, inhabit a more lofty sphere.
Those who wish to hide from the state—are the very ones who plot against the state. The desire for concealment from the state is but the first step down the criminal's road to the hangman's noose.
When the state demands, you must yield. What the state demands, you must surrender. Anything less constitutes base treason.
[ link to this | view in chronology ]
Re: Re: Re: pro piracy = anti government
You may not be aware, but the government/those in power can be wrong at times. Crazy, I know. But what that means is if they are wrong, the right thing to do is challenge them on it, so the problem can be fixed. Just rolling over and letting them do as they please merely passes the problem on to someone else, all the while letting the problem fester and continue.
[ link to this | view in chronology ]
Re: Re: Re: Re: pro piracy = anti government
Transcript of Hearing Before the Honorable Claude M. Hilton, United States District Judge, August 1, 2013, 10:00 am
Clearly entitled.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: pro piracy = anti government
Not only that, but like all companies, Lavabit depends on their customers trusting them, and having every account compromised, just to allegedly look over one of them, would absolutely destroy that trust, putting them clean out of business in short order.
The non-digital version of an order like that would be if the feds wanted a warrant to search for a suspect in a certain town, but rather than get one that was specific, covering one house, they tried to get a warrant that would allow them to search the entire city, entering any house they pleased, listening in to any phone call they received or sent, and examining the contents of any mail that was sent or received.
A judge would have to be completely insane to grant a warrant of that scope, and you can bet it would be challenged the second it was learned about, as it wouldn't even remotely comply with the 4th amendment, which requires very specific terms and scope for a warrant. Because the judge didn't understand just what he was ordering Lavabit to do however, that's pretty much exactly what he ordered.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: pro piracy = anti government
Judge Hilton had no idea that his job was to finely calibrate the balance between individuals and the state? He had no idea? No idea?
“If only Judge Hilton knew…”
“If Only Stalin Knew: Vain Hopes In The Terror”, Special to the New York Times, published March 14, 1987
“Some kind of mistake that would soon be set right, if only they could get word to Stalin.”
Claude M. Hilton (born 1940) is a United States federal judge.… On May 15, 1985, Hilton was nominated by President Ronald Reagan to a new seat on the United States District Court for the Eastern District of Virginia… In May 2000, Chief Justice William Rehnquist appointed Hilton to serve as a judge on the Foreign Intelligence Surveillance Court.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: pro piracy = anti government
There's knowing what your job is, and actually performing it, something he didn't exactly seem to be doing here. But perhaps you can explain it, how exactly is the 'balance between individuals and the state' preserved by ordering a company to hand over the key to all of their customers' accounts, when the 'target' stated was supposedly just one of them?
That would be like if one of the alphabet agencies wanted to check the finances of a suspect in a case, but rather than order the bank to hand over the info to one account, the suspect's, they wanted access to all of the accounts, and in such a manner that they would be without any real oversight over their actions once they had said access.
I notice you list the fact that he's been nominated for different positions by a president and chief justice*, but while that suggests that he knows the law decently well, it means nothing if he wasn't aware of the technical aspects of what he was ordering here.
Look, I'm not saying he doesn't know the law, but if he didn't properly understand the technical side of what he was ordering, the fact remains that while he likely thought the warrant/order he was issuing was limited in scope and would only be used to target one person/account, due to how the order was worded, and the technical aspects involved, it would have been anything but limited, allowing access to literally thousands of accounts, with nothing more than a flimsy 'promise' to protect the data and accounts of the innocent people who'd had their accounts compromised.
No idea why you pulled out a Stalin reference, as Godwin-ing a thread requires a Hitler/Nazi reference, I don't think Stalin quite counts, and I can't think of any other reason you'd mention him.
*Though given the second appointment was to the FISA court, which doesn't exactly have a sterling reputation these days (to put it mildly), and especially doesn't have a reputation of denying any requests from intelligence agencies, not sure that particular one is something to be proud of.
[ link to this | view in chronology ]
I thought it was a different issue
Isn't that the real issue or did I miss something?
[ link to this | view in chronology ]
Privacy IS a really weak argument. But our public servants have NO say over it.
BUT what we get here is a technocrat weenie holding that it's "a technological issue". -- NO, IT'S NOT, MIKE. It's an inalienable human right, which can be violated (perhaps necessarily) but never actually taken away. Your "technical" weenie-ing only helps gov't steal our rights by not standing on fundamental principles.
Spying is the main 'business model' of the internet, especially for Google and Facebook.
03:57:08[d-250-8]
[ link to this | view in chronology ]
Re: Privacy IS a really weak argument. But our public servants have NO say over it.
[ link to this | view in chronology ]
Read It Again
[ link to this | view in chronology ]
Counter Point
Snowden worked for NSA and had access at a very high level to very secret information including WMD type data.
Conclusions:
1. Snowden should have better sense than use a secure e-mail server. In his case if it could not be said in the open then he should have used some other means other than e-mail.
2. No one can stand up to government when you stand between government and government's control of WMD.
3. It is the belief of all government officials that their power knows no national boundary. Example, all USSR officials believed that the whole world was subject to soviet law. The same could be said for 18th century UK officials.
[ link to this | view in chronology ]
"Business" is the wrong word...
"...handing over Lavabit's private keys absolutely wrecks any real security of Lavabit's system, which is Lavabit's entire *activity*." And, such *activity* is expressly not to be infringed upon casually by the government. (To my mind this makes a more direct connection to 4th Amendment principles...)
It might be a small point, but I think it's necessary to clearly distinguish this case from other cases where government regulation/activity is seen (by you) as "felony interference in a business model". We don't want to foster any chance that these cases can be confused, do we? (Or do we... if that argument is succeeding with judges in those other cases? /s)
[ link to this | view in chronology ]
Re: "Business" is the wrong word...
That is WHEN government regulation happens.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Authenticating total strangers
Once authenticated, there is no stopping them from creating new channels. Not even the website can block that.
Check out: http://eccentric-authentication.org/
and the slides for my talk at BruCON: http://eccentric-authentication.org/blog/2013/09/28/talk-for-brucon.html
[ link to this | view in chronology ]
You are missing something
Mass data collection (which a subpoena for the SSL Certificate is) is justified by the Third Party Doctrine, namely that no data you give to a 'third party' has an expectation of privacy. However how can you have no expectation of privacy when the product that Lavabit sells is...privacy? Lavabit has a black box email, so it can't look at your communications data. That sounds like a situation where my communications are designed to remain private, because Lavabit can't even do any spam scanning or other 'intercept' of the communications data. If I used an encryption email, I would have an expectation of privacy with the encrypted data. So in what way can you justify a wiretap on every customer of Lavabit when privacy remains expected?
[ link to this | view in chronology ]
Re: You are missing something
[ link to this | view in chronology ]
Re: Re: You are missing something
*abridged --> exceeded.
[ link to this | view in chronology ]
Re: Re: You are missing something
[ link to this | view in chronology ]
Re: Re: You are missing something
Lavabit was aware (or should have damn well been aware) that Courts can subpoena emails or ANY documents required by a court (for discovery), and therefore was fraudulent in offering a service that he was aware he could not provide, and accepting money for that service.
That's a scam, not a business model.
[ link to this | view in chronology ]
Re: Re: Re: You are missing something
You've spammed the comments on this article, extensively, trying to make it look like Lavabit was engaged in fraud by promising a service immune to the law (which would be both fraudulent and illegal), whereas all they actually sold their service as was a secure, private service, never claiming that it was immune to the law.
Yes a court can compel a service provider to hand over certain data pertaining to a suspect or investigation, but that's not what was being demanded here, in this case they were demanding that Lavabit hand over everything, access to all of their users' accounts, which is well beyond reasonable or even sane, given the purported target was a single account.
*Something the demanded 'give us access to all of your users' accounts' is anything but.
[ link to this | view in chronology ]
Really weak argument
> claiming that its anti-government business model trumps the
> subpoena power. That is, it is arguing that the
> subpoena is “oppressive” precisely because it would work:
> It would allow the government to conduct the surveillance
> it is allowed to conduct under the Pen Register statute.
This strikes me as a really weak argument. The accused is essentially
claiming that its anti-government business model trumps the
enhanced interrogation techniques power. That is, it is arguing that the
enhanced interrogation techniques are “oppressive” precisely because they work:
It would allow the government to coerce the information
it is allowed to coerce under the ***REDACTED*** statute.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
You do not (or should not...) have the ability to tap every Verizon user's calls and texts because a lone Verizon user is a target of a legal case. Same deal here.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Professor Kerr used to be Prosecutor Kerr.
Orin S. Kerr
Prosecutor Kerr, Special Assistant U.S. Attorney in the Eastern District of Virginia.
He knows about anti-government types.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
A hammer is a great tool, it can hammer in nails, or break someone's skull in.
A computer can be used for many things, including guiding a nuclear missile.
Any (and every) tool can be abused, or not, it's not about the tool, it's about the fool who abuses it.
Mike just because you use technology, does not exempt you from the laws.
Lavabit should have known that a court could order them to provide information therefore they were negligent and misleading to their clients, in offering them something they knew they could not deliver.
Clearly, therefore it was never a viable business model in the first place. Because if the owner of Lavabit KNEW ANYTHING ABOUT THE LAW !!!! he would know that he simply cannot assure secure email.
That's why he closed his doors, because he sold his services under false pretences. If your clients are paying through the nose for 'privacy' and he accepted that money knowing he actually could not assure that privacy, his business model is dead..
Are you, Mr Masnick, in the business of offering your customers something you know you cannot deliver? Well, he is..
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
But as far as your comment is concerned: You provide your own counter argument. Tools are indeed agnostic and the person who abuses them for illegal purposes should fear that the government will come after them. People who don't abuse tools, however, have a reasonable expectation of privacy. The fact that the government asked for access to the entire dataset of customer communication meant that the government was going after everyone, not just Edward Snowden.
Yes, any business owner should practically know that the government will overstep its authority and willfully violate the Constitution, but that doesn't mean a business owner should have to compromise their business for the sake of illegal and unethical orders from the government.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
That is a crime in itself, offering a service you know you cannot actually provide and receiving money for that service.
When you advertise and sell a product that you know you can not deliver, but you keep the money anyway that is fraud!!
Re: Re: Re: Re: Re: Re: Re:
And then explain how that advertising preempts the Terms of Use Agreement which included this paragraph (emphasis mine):
"Through its network of servers and software, Lavabit provides a variety of Internet-based services. These services include, but are not limited too, e-mail service. Your use of these services signifies that you agree that all Lavabit services are provided AS IS and AS AVAILABLE and that Lavabit makes efforts to maintain its services but ultimately claims no legal liability for the availability, timeliness, security or reliability of its services. This waiver of liability covers accounts provided for free and accounts provided in exchange for money, unless a separate written service agreement is signed between the parties."
http://web.archive.org/web/20130530075339/http://lavabit.com/terms_of_use.html
Re: Re: Re: Re:
Professor Kerr denies that individuals have any right to converse amongst themselves free from the prying ears of the authorities.
Further, the good professor goes on to suggest that anyone who espouses such a right is necessarily disloyal to the state.
That is a prosecutor's mindset.
[ link to this | view in chronology ]
Government is anti-privacy
Kerr is right. Greenfield is wrong.
The government is against privacy. People for privacy are anti-government.
They are. It's just a fact.
Re: Government is anti-privacy
The government is against privacy. People for privacy are anti-government.
[ link to this | view in chronology ]
Do you trust the FBI?
Judge believes:
That the FBI wants to put a box on his network, that the box needs the SSL key and they will only take the limited evidence the judge specified and throw away the rest.
I believe:
The FBI hands the key to the NSA to do the surveillance (see 'FISA warrant leak'). The NSA doesn't need the box, it has a backbone tap already into Lavabit (secret room leak). It already stored any encrypted data into Lavabit waiting for the key (leak stating encrypting data is a reason to store US data). These things have been covered by leaks already. The NSA uses these keys for attacks (Bullrun) for data mining (e.g. Shadow Social Graph), it keeps US data regardless ('Obama's lockbox'), hands them to foreign governments (e.g. 'Israel pinky swear leak'). All of which violates the judge's limited warrant. It can even go back in time and decrypt historic data for everyone other than Snowden.
But then again, as long as it's secret, the Judge doesn't know.
And Lavabit can't control how its keys are used, so it can't enforce any limits the Judge demands.
And the FBI told him the truth as far as the FBI knows it, plausible deniability means they only see the legit data. They never saw the data Snowden saw for example.
So it isn't a technical judge that's needed, it's one that's read the Snowden leaks unredacted so he's aware of the truth and can make judgements based on that truth.
[ link to this | view in chronology ]
Mike "m" my drug dealer friend
Mike argued in court that he needs those drugs, as his clients have an expectation of delivery, he argued his entire business model revolved around being able to supply his product to his clients.
Do you think you can work out what the Courts decided ???
Re: Mike "m" my drug dealer friend
A better analogy is that you run a legitimate hotel and a judge orders you to provide room keys to all the rooms in your hotel.
Re: Re: Mike "m" my drug dealer friend
In fact it would be like running a hotel and renting out rooms saying, if you rent a room you are safe from the police if they have a warrant to search you or the room, but you have to pay MORE for our rooms.
Then when the police turn up to search one of your rooms (and clients) you tell them "my business model is such that they pay me to NOT be searched"!
Then when you go to court, you tell the judge "my business model is based on telling my clients they will not be searched"!!
Judge says "But you were aware that if the police turned up with a warrant you are legally obliged to comply with the warrant, therefore you selling your product is an act of fraud because you are selling something knowing you were not actually able to deliver to your clients what they paid for, and what you said you could deliver.
That is fraud, plain and simple
Re: Re: Re: Mike "m" my drug dealer friend
Ummm, no. Just no.
Lavabit never claimed that using their service would shield you from valid search warrants. In fact, they'd cooperated with them in the past.
Re: Mike "m" my drug dealer friend
Your drug dealing friend was arrested for dealing drugs (illegal drugs, I would assume) and argued that the drugs were required for doing business. Lavabit is saying that encrypting traffic is required for doing business. So following the simile, you think encryption is illegal.
Re: Re: Mike "m" my drug dealer friend
Everyone KNOWS FOR A FACT that Courts can order Emails sent and received for their investigations, Look at the SCO case, or Microsoft, or Enron, or Bernie Madoff the courts order their emails.
So it's WELL KNOWN that Courts HAVE THE RIGHT to demand documents and information as discovery with a subpoena.
The owner of Lavabit (if not a total moron) knows this fact too, but knowing that then offering clients "protection" that he was aware he could not legally provide means he "CONNED" his clients.
Again, encryption is not illegal, neither is a hammer, and used correctly they are both powerful tools.
But technology can be abused just like anything else.
It's the attitude here, that because "technology" is involved it somehow makes it 'OK'.
Lavabit was trying to provide a service and charging money for that service that legally they were not able to deliver.
And that's why lavabit is no longer a viable business model.
You might not like it, but it's the way it has ALWAYS been, it's nothing new, Courts have been able to subpoena documents and information.
IT'S NOT THE TECHNOLOGY, it's HOW IT IS USED.
In this case it's not even the technology, Lavabit offered services they were not legally able to offer.
They were paid for that service. But could not provide it (because they HAVE to comply with Subpoena for discovery).
[ link to this | view in chronology ]
this may be a trap?
http://www.reddit.com/r/worldnews/comments/1oij1d/lavabit_comes_back_online_for_96_hours_to_allow/ccsh07b
[ link to this | view in chronology ]
Close
"It's a technological issue on which a large number of entire businesses and an increasingly ubiquitous aspect of life for private citizens are based."
There FTFY
[ link to this | view in chronology ]
This will have a DEVASTATING effect on silicon valley cloud firms, including my own employer.
Every stakeholder, from Google, to large banks, should be throwing BILLIONS at this guy's defense fund, or risk being forced offshore under threat of irrelevancy as this order is used to kill off online encryption on US shores.
Re:
It's got nothing to do with technology, it's just a fact of law, and it's not new.
[ link to this | view in chronology ]
But when I was driving it home at 200mph the police pulled me over and fined me !!!
I told the police officer "it's technologically possible for this car to do 200mph, therefore it's LEGAL for me to go at that speed".
The policeman said, yes, your car is technically advanced enough to go 200mph, but the speed limit here is 55mph that's the LAW.
Just because your car is 'technology' does not make it exempt from the laws as they exist.
Everyone knows Courts (in the process of discovery) can subpoena documents from a business. So basing your business on a claim that they cannot and getting paid for that is fraudulent.
Technology is not an amnesty from the law.
[ link to this | view in chronology ]
The Lavabit Hotel
You advertise you can do whatever you like in your room, as you will not be searched, BUT I DON'T WANT TO KNOW WHAT YOU ARE DOING IN YOUR ROOMS.. I just want your high room rent MONEY.
So people come, and knowing they are 'free from searches' set up their meth labs and start cooking.
Might be a meth lab, might be a business exec on a layover.
But because the owner says that residents are exempt from police searches (regardless of their activities) the owner of the hotel is just as liable for the meth lab as the people in the room.
Because the hotel owner says you wont be searched does not make any activities in the rooms 'legal', in fact it's an offence for the hotel owner to rent the rooms on the premise that you will not be subject to a search.
That is not saying that everyone who stays at that hotel will be doing something illegal, it's not that it's simply illegal to rent the rooms under that premise in the first place.
If you know full well that the police have the right to enter rooms and search them, but with that knowledge rent those rooms (for extra money) with that assurance, that is fraudulent.
This SSL key is the same as the police raiding and searching 1 room (because of illegal activity) and then knowing the hotel owner rents rooms with an assurance of not being searched, asked the hotel owner to provide them the names and room number of the other residents in the hotel.
Not a demand they search each room, or a statement that because 1 room was doing something illegal that all rooms are. But they are asking for the details of the other residents. But that could be simply to inform them that they are victims of FRAUD by the hotel owner is renting you a room, and telling you it cannot be searched.
It is also the hotel owner committing a crime as much as the meth lab room, because the hotel owner is profiting off the fact he is renting rooms with an assurance of impunity. In itself a fraudulent act.
The court has every right to demand the Hotel (lavabit) hand over all documentation that supports the claim they are renting rooms with an implied impunity from the law and legal searches, a separate case to that of Snowden.
That is why Lavabit is in Court and under investigation, because he was conducting a fraudulent business, providing services he was aware he could not actually deliver on.
That being impunity from legal searches, he made his money on that premise. That premise is fraudulent.
Just as you can't rent a hotel room and charge extra and guarantee no police searches WHATEVER YOU DO!!! Because it's a lie.
You also cannot really use that lie as a defence for your actions.
Nor is it going to work that saying "I sold this service I could not provide, therefore I should be able to provide it" is a stupid argument.
I don't see why it's so complicated for you people, again it has nothing to do with technology, it has to do with a fraudulent business model, because it's 'a model' or a 'business' does not make its activities legal, nor does the technology.
If you offer a service that you cannot legally provide, and accept money for that service (enter a contract) you are committing fraud.
Lavabit offered a service of privacy, with the knowledge that with a court order he could not assure that privacy, he was paid for something he could not deliver. He has committed an act of fraud with every one of his 400k plus clients, he sold them a product that he could not legally make good on.
The court has every right to demand discovery in the investigation of this fraudulent activity, Lavabit has no choice but to cease its fraudulent activity. Both happened.
Re: The Lavabit Hotel
The police have reason to believe a guest is doing something criminal in one of the rooms, so they get a subpoena and search the entire hotel and every room in it without telling any of the other occupants that their rooms had been searched.
[ link to this | view in chronology ]
RTFM
For all of you uneducated ignorants, that button is located just to the right from the other well-known button designed to reliably detect any and all online copyright infringement.
Duh.
[ link to this | view in chronology ]
This is no longer a personal liberty issue.
If Lavabit loses, the cloud industry in the US will be doomed to mediocrity at best, while the cream of the client crop go where "secret orders" to fundamentally cripple security are not tolerated.
If Lavabit wins, it may be a turning point in the war our government is waging on our privacy and our online rights.