That judge is kind of a pushover. Hes not happy the government would have to trust Lavabit with their solution, but he doesn't even begin to question the governments proposal to just MITM all the traffic through a box with unknown software operated by whoever with certainly no tamper-safe logs of any kind.
It's likely because his level of technical competence barely suffices to turn a computer on, but yet he gets to decide on these cases, and the gov lawyer happily aids in his ignorance by supplying factually wrong technical sounding terms (the 'metadata stream') and analogues from an analog world (a 'filter').
That is a bad reason, yes. However, the prosecutor also objected to Levison's proposal to supply metadata, where he would wait until the 60 days were up, decrypt the stored messages (from which, to my knowledge, he could only read the headers unencrypted - the body is encrypted with PGP, I think), strip the "Subject" headers (per the legal standards on pen/trap orders) and then deliver that data to the FBI, via SCP, in bulk.
One reason that this was rejected, then, was that it did not fulfill the requirements of the 'trap/trace' part of the order, which require the metadata to be provided in real time or close to real time.
I'm reading/skimming through this now, and most of the beginning exhibits repeat a lot of stuff. Also, IANAL, so I may be interpreting some of this incorrectly.
On the PDF's page 51, there begins a record of a court proceeding, deliberating what, exactly, the government is looking for in these proceedings. They discuss the coverage that the FBI thinks its pen register needs. Of note is that Levison was not opposed to the pen register (which, to my understanding, would provide the FBI with all encrypted traffic going through Lavabit's servers), he was opposed only to providing the encryption keys, which Levison asserts would provide the FBI the ability to decrypt all traffic, and not just the traffic of the aforementioned SUBJECT, (read: probably Snowden).
The judge appears to not be a rubber-stamp entity, which is nice, as shown on pages 58-59.
Page 60, Levison states that all the gov needed to do to install the pen register, was set up an appointment with him. But, again, he would not provide any keys.
Ha. On page 61, the court explicitly says that all requests for oversight and monitoring will be denied:
MR. LEVISON : I guess while I'm here in regards to the pen register,
would it be possible to request some sort of external audit to
ensure that your orders are followed to the letter in terms of
the information collected and preserved?
THE COURT : No. The law provides for those things, and any other
additional or extra monitoring you might want or think is
appropriate will be denied, if that's what you' re requesting.
On page 100, Levison states that he can manage to get the information the FBI is looking for, without providing the FBI with Lavabit's encryption keys. Someone (AUSA[censored]) says that the proposed solution does not satisfy the subpoenas and court orders, because it would not provide real-time access to the data.
On page 107-108, the court has this to say about a loss of trust from Lavabit's customers, in the event that Lavabit hands over its SSL keys: "Any resulting loss of customer "trust" is not an "unreasonable" burden"
Starting on page 121, there is a court discussion about "a motion to quash the requirement of Lavabit to produce its encryption keys and the motion to unseal and lift the nondisclosure requirements of Mr. Levison."
Page 126, the court on the government's "right to information". Within the bounds of a criminal investigation, this position seems correct, but they are still requesting a key that would decrypt the communications of about 400,000 customers. Within that context, it seems like overreach.
THE COURT : I can understand why the system was set up,
but I think the government is -- government's clearly entitled
to the information that they're seeking, and just because
you-all have set up a system that makes that difficult, that
doesn't in any way lessen the government's right to receive that
information just as they would from any telephone company or any
other e-mail source that could provide it easily. Whether
it's -- in other words, the difficulty or the ease in obtaining
the information doesn't have anything to do with whether or not
the government's lawfully entitled to the information.
Man, read page 128 and 129. The judge basically says that because it's a criminal case, the 4th Amendment doesn't apply to the data they are requesting (Lavabit's SSL key, which is very emphatically NOT Snowden's data (or, sorry, THE SUBJECT's data)).
What appears to be the now infamous 11 page of 4-point key starts at page 145, as Attachment A. I can't actually verify, from this PDF, that it is text. With the image's resolution, it looks like lines of visual noise. Zooming in, there also appear to be visual artifacts reminiscent of JPG compression.
>On page 107-108, the court has this to say about a loss of trust from Lavabit's customers, in the event that Lavabit hands over its SSL keys: "Any resulting loss of customer "trust" is not an "unreasonable" burden"
This is one of the reasons why I have literally no respect for the US court, USG's supposed authority. They are all corrupt, lying, authoritarian asshats.
According to one of Sibel Edmonds recent sources, the majority of them are selected largely based on their corruptibility (if they are clean, they are removed from the selection pool).
I have to say that while I have been on HN for several years - and it is the best community online. I am farking inspired with how aware and awesomethe community on HN has revealed itself to be in light of the NSA debacle.
Even when we get into debates, like I do with TCPTACEK, the level of sober awareness of the implications of the techno-spy world we live in, the background and historical context (whereby many HNers were already aware of telco spying, Echelon, Carnivore, etc) the userbase has here is certainly terrific.
I am heartened by the fact that seemingly so many HNers are awake, aware and informed on whats really happening around us. I hope we can find a way to affect change together.
Just now saw this comment. I have also been discovering the beauty of individual thinkers blogs, in addition to HN (for example, Bruce Schneier's blog is one of my favorites). I'm a fairly recent daily HN reader who has moved from reddit, and am continually thinking about how communication on the net still has a lot of room to improve quality, but am enjoying the atmosphere here quite a lot.
None of this is shocking: If you run a commercial communications service, it's your responsibility to comply with legitimate wiretap warrants. As the judge said, setting up your system in such as way as to make tailored compliance extremely difficult or impossible doesn't release you from that requirement.
Exactly. The NSA is allowed to listen in when traffic is unencrypted because there is inherently no expectation of privacy in unencrypted traffic. The FBI has probable cause to receive all keys to everyone's encrypted traffic because you're obviously hiding something criminal.
The question I'd love to ask the heads of these various agencies. In what circumstance does the 4th amendment apply? Seems like we always ask 'is this current procedure justified' with some inevitable pretext found.
Yeah no prob. I'm particularly interested in Lavabit's story, because I'm looking to get off of Gmail and get some degree of privacy. But with how this is going, it looks like I'm going to have to wait for a non-USA company to start a similar service (I'm broke and in the USA, so I'm not in a position to start one myself).
I think the US government is engaging in a massive overreach, and I think that other countries have an opportunity to develop sane data protection laws. Normally, when you want data on one person, you get a warrant for data on that person. The US government, however, has decided that the rational move is to demand indiscriminate access to the records and communications of over 400,000 Lavabit customers.
I skimmed these pages as well, and it seems obvious now that you can no longer trust a legal system to protect your privacy. We (hackers) need to combat this with a technical system.
I would also note that it seems incredibly clear that Ladar Levison knew what was at stake: for himself, for Snowden, for his company, and for his users. His decision to shutter his doors was his last option to protect their 4th amendment rights and I'm absolutely amazed he made the right call here.
It is shocking when FBI uses the secret order for one user to demand the installation of the device which has access to everything of every user, especially when your whole business is to provide secure communication unless the user is specifically targeted.
But I understand that you wouldn't worry if your users have no privacy expectations. Your business wouldn't be affected.
They explicitly state in the court proceedings that if it were possible to give a key which only decrypted the data of the unnamed party, then they would accept that instead of the master private key. Unfortunately such a key did not exist because of the design of Lavabit's software.
But that is not what the FBI was doing. They were not seeking a "legitimate wiretap" -- they wanted full access to everything. This certainly releases you from the requirement as this is illegal activity by the LEO.
