Even though the name and email of the suspect are redacted, it says that the suspect is being investigated for 18 U.S.C. §§ 641, 793d-e, and 798(a)(3). This is exactly what Edward Snowden was charged under[0].
Amazing to see what a disadvantage citizens are facing when going up against the government. Just reading the transcript you can imagine how anyone without a very experienced (and expensive) attorney would be overwhelmed and not understand what's happening since they're not in their element. Levinson seems to do better than most but it's a rigged game.
I'm actually curious if there is a forum or fora where only vetted well intentioned legal scholars are able to crowd source legal advice and research in cases like this.
I know that StackExchange is trying to do something like this for patents, but it would be interesting to see something similar for constitutional legal issues like this and maybe forums for other areas like medical law, etc.
Prosecutors can throw the entire weight and resources of the US government, but it would be nice if the people could throw around the weight of the entire legal community without tipping their hand in court (e.g. allowing the prosecution to see what the defense will argue in court for example).
If such a forum existed, it would be interesting if the terms of service could help with establishing a looser attorney-client relationship, where you are entitled to share all the information with all the eligible users (i.e. licensed by eligible state bar associations), but where those users are more arms length and have fewer obligations except for good faith (i.e. can't be sued for any advice unless it can be demonstrated that they are a ill intentioned actor, such as one acting on behalf of the other side, such as the prosecution).
I don't want to say too much b/c I have competitors here (looking at you, Casetext! jk Jake is a very nice guy) but this is pretty much my 5-10 year plan for my company. Of course, we have to do some other things and build some other tools before we get to that point but it's not not being worked on.
Not only is your statement sillier but it misunderstands the point he was trying to make.
When you go up against the govt, you're going up against govt players as arbitrator, as opponents, in the govt's house, with rules the govt controls more easily than a citizen. Not even close to a "like any other organized group" comparison.
Except it isn't exactly the same, really. To suggest that the corporations own the courts is for sure popular to say in this day and age, and surely, it's true that their deep pockets offer them an advantage over the average individual, but if the claim were actually true, there would never be judgements / damages / awards issued as the result of lawsuits or class actions.
As we know that those types of judgements are awarded, we can easily disprove that corporations own the judicial system.
"As we know that those types of judgements are awarded, we can easily disprove that corporations own the judicial system."
Negative. On the list of things that could be used to prove a lack of corporate ownership of the courts, that falls very close to irrelevant. Just because damages for and against various entities of varying power, wealth, and importance, does not necessarily mean a lack of control. While a C level or two might get fired for something egregious enough, to the kinds of corporations we are talking about, a court damage is just another business cost and isn't that big of a deal. You win some, you lose some...
Let's not forget there are two court systems. The real key, is not in the civil courts, which I would agree with you are largely tipped in the favor of corporations over citizens (and sometimes in favor of more powerful corporations), but in the criminal courts. It is in the criminal courts where the real "ownership" of the court system comes into play.
To take a look at the numbers behind the private prison industry, especially as it it relates to non-rights violating crime, and say that it is easy to disprove that corporations own the judicial system, is naive and ill-informed at best. At the very least there is much more to be discussed before such powerful conclusion could be reached.
Let us take for example, that an FBI whistleblower contact of Sibel Edmonds who was part of the vetting of judicial candidates says that anytime he came back and said a candidate was clean, they were immediately dropped from the roster. The implication is that only dirty, and therefore more easily controlled, people would be allowed to take the position. Or major supreme court cases where clear conflicts of interests were present, and yet a member of SCOTUS would not recuse themselves, with almost no backlash. With the well known for decades tactics of blackmail of the NSA on judges and their 6 degrees of KBacon just coming to light to the public, the real kicker to keep in mind is that Snowden was working for a corporation, not directly for NSA itself, and yet still got access to all this information!
I would venture to say that any kind of in depth study of the judicial system would show that the rule of law itself is in tatters, and the corruption is expanding in every corner. Such is the path of a nation who has forgotten the reasons behind The Great Rising, but that is another discussion entirely.
I stand corrected. I have quibbles with the argument you present, but overall I find the gist of it compelling enough that I won't bother haggling over them.
I'll take that. Honestly it's sad when hacker news is one of the few places left to honest discussion of matters, and it's responses like yours that make the effort of a conversation worth having.
And all that time, having to think that the eye is watching.
Which is equally true of a system like the US government, or most modern democracies, where the judiciary is separate from the legislature.
The government isn't one guy, it isn't even a small group. It's thousands of people, at minimum, just to run things at the top. When the US government goes to court, it can't just get the rules changed on a whim. It can't even necessarily afford the best lawyers in the field it may be going into.
Pardon? I'll cede that it bears little relevance to the proceedings here, but the notion that the government isn't subject to the whims of a single entity has pretty effectively been debunked.
Between the PATRIOT Act, the NDAA, etc., the Executive Branch has the authority to bomb you, kill you, or indefinitely detain you with zero approval or oversight from Congress.
I agree. I think he handled it very well all by himself, especially the hearing about the trap/trace that was NOT about the encryption keys where the govt wished to make it all about the keys.
Sometimes it's intelligence and perception over and above balls; for many, it is a choice between basic liberty or death. Jail doesn't factor into it. (See weev's sentencing transcript for an example of that to which I refer.)
I hope weev has access to plenty computing books in prison. I can't imagine being very involved in technology and then be separated from its progress for several years.
Form my past posts you'll know that I am critical of government spying and overreaching authority in the bogus name of fighting terrorism.
In this case, though, didn't the process work? There is no blanket spying, no action by the executive branch alone.
This a court order for a specific case in an ongoing criminal investigation, reviewed and signed by a judge.
Isn't that how the system is supposed to work? The executive branch needs to request court order in order to commence surveillance... All checks and balances are in place.
If anything, this is good. The government could and did not spy on the user at issue here.
To echo what someone else said, the problem here is when presented with the following scenarios:
1) Levison saying "absolutely, you are entitled to Snowden's contact/header details and I will give it to you within 60 days (or more frequently for more compensation)"
vs.
2) The govt saying "not good enough, give us the keys to everything real-time and we promise we won't get his communications content plus we will ignore the other 399,999 subscribers we will have access to".
Arguments on pg. 76 describe how this discretion should not be allowed.
Also, the govt said it required real-time access which I'm not sure is true - although certainly they would like it. That's why I think they should have compromised with Levison and they would have been granted what they wanted.
The problem in this case isn't the request ("we need email records of X user"), the problem is that they requested the private encryption key for the whole website, which would allow them to read the emails of every user.
Just because the more specific requests for individual records were not complied with, and the government resorted to broader mechanisms in its subpoena to get the data it wanted, does not make it illegal.
The gov't asked for specific access to specific account(s), those were not complied with, so they requested that the ssl certs be handed over so that they could get access to the specific individuals they needed. None of this is illegal.
I don't see why it isn't illegal since it is clearly unconstitutional. Asking for access to the keys to everything is absurd and clearly not aligned with "particularly describing the place to be searched, and the persons or things to be seized." Asking for the keys is the same as saying "we're asking to search all persons and all things." That most certainly exceeds the scope of the word "particular", especially when you take the words "upon probable cause, supported by Oath or affirmation" into account, since they clearly don't have probably cause for the other ~399,999 subscribers.
If the Constitution isn't clear enough on this matter, maybe this is something that we should pass into law. The government should never ever ever being able to ask for access to all the information from any service provider in third-party doctrine cases.
The judge understood this, but can't convict on a pre-crime. Assuming good faith might seem laughable here, but it does apply. Until there is proof that the gov't did in fact access anyone else's data (w/o authorization), there is no charge. There is a good analogy somewhere in there about an apartment building. 364 days of the year, the gov't can't go touching the building's master key, but the one day they have an investigation, they get a copy.
The govts request was akin to asking for your hidden phone number in a phone book full of hidden phone numbers. On its face it was specific but it could not actually be carried out without generally applying to 400k people.
The government stated that they have filters which will make it so that no one would see any information other than what is requested. The judge stated that that was reasonable.
Using your analogy, the government wanted to "grep '^target_name$' phone_book.txt", so while software did see all 400k phone numbers, the government did not.
I happen to disagree with the court on this, but I think your analogy isn't useful as to understand why. Instead, there should be a balancing of cost vs. impact.
Levinson/Lavasoft stated that they would provide that pen register information for a development fee of some $2,000-$3,500. (Note: Verizon's price list says they charge about $700 for access to that data.)
The government refused to pay, saying that they were not aware of paying anyone else for pen trap data.
So the first question is, how much non-revenue generating work can a company be forced to do in order to respond to a pen register request? Obviously the answer has to be non-zero in order for the law to be meaningful, but it can't drive a company out of business.
The government points out that a cheap solution, which bypasses the internal architecture, is for the company to provide access to all of the data, and use filters to remove all non-relevant data.
The secondary question is, where does the boundary sit? Is it at the company/filter layer, where the company is force to release all records to the filter, or with the filter/human investigator layer, where the humans only see the relevant data?
Personally, I put it on the company/filter layer. The government and the court disagree with me. Their view is that you can trust the filter to do what it says it does. (When Levinson asked for oversight or audit of the filter, the judge denied the request.)
However, in the case of a "grep ... phonebook", where the filter program can be audited, and run with oversight from both sides, then I find the request to be more reasonable.
> Levinson/Lavasoft stated that they would provide that pen register information for a development fee of some $2,000-$3,500. (Note: Verizon's price list says they charge about $700 for access to that data.)
plus
> The government refused to pay, saying that they were not aware of paying anyone else for pen trap data
So the government is not aware of paying anyone, despite Verizon having a (semi)public price list?
And one involves a developer who is likely of a much higher technical ability. Given his technical ability, Levinson's hourly rate is probably several times higher than the rate for the Verizon employee that would be assigned to do the work. It's not like a manager would authorize putting their best and brightest to do work that does not generate revenue.
I take it you didn't read the PDF? Levinson also gave a time estimate of "between 20 to 40 hours" (p114), which works out to $40 to $80 per hour. Let's call it $50 for the ease of comparison. This is an entirely reasonable hourly fee.
Verizon quoted a $50 court processing fee, which almost certainly takes less than 1 hour to do. It charges a $50 activation fee, which can't reasonably take 1 hour, and $10/day pen tap fee, and I doubt a Verizon employee is spending more than 12 minutes per day per pen tap.
In other words, those documents show that Verizon is almost certainly charging more per unit time than Lavasoft would, and definitely not "several times" lower than Levinson.
No I did not. This PDF and the White House NSA recommendations I have on my todo list for after the 25th of the month. Unfortunately, right now I cannot find the time to read anything this long.
That being said, thanks for the clarification and specific relevant facts from the PDF.
As far as the law goes, there should always be disclaimers that metaphors and analogies are sometimes useful but only get you so far. Especially when it comes to technology, they almost never hold water and look silly years down the line when the technology is better understood by the general population. I don't have the necessary education or knowledge to make a better analogy so for that I apologize.
EDIT: Oh, I am a lawyer. I was just noting that in law school (and internet law especially) you have to be wary of judges/parties using analogies in their arguments b/c they are almost always imperfect in one way or another
Have you skimmed through the PDF? I've found that even though I don't have any legal training, it's usually pretty easy to read at least the transcripts. Do that a few times, and things start to make some sense.
I've found court judgements are often quite easy to understand, if you don't mind skipping a lot of citation references. For example, Computer Associates v. Altai helped me understand the abstraction-filtration-comparison test as applied to copyright of software.
Indeed you have! I find it difficult to track account names, especially unfamiliar ones, and didn't note that I had even commented elsewhere on your threads of doing that reading.
(For example, it wasn't until 7th grade that I noticed that various books that I really liked were all written by the same author, so I should get more books by that author.)
I would imagine that some sort of pair programming recorded session, where either side can pause the session and argue against what the other side would like to do next and why they believe it to be inappropriate.
This is true, of course. The dominant power never legislates against its own self interest. And so many of the darkest parts of human history were done legally. The real issue here goes deeper than the law.
The thing is, not many people believe a word the government says any-more. This is the government that doesn't "collect" any information on their citizens, doesn't "torture" anyone and so on. The government can make any promises it wants, with no intention of fulfilling them, then claim that the meanings of the words are not what you think they are, but the real meanings are secret, and why they're secret, is secret, and no one can ever know the true meaning lest we all be killed by terrorists.
And isn't it funny that the government can't seem to bring itself to find this pen-register information development fee, but there seems to be an infinite line of deficit spending for all kinds of corporate subsidies, bank bailouts, spying equipment and wedding killing drones.
The lawyers may argue and the courts may rule, but at the end of the day the core of this apple is rotten. And there's worms in it. Take a bite. It tastes like "freedom".
I can't understand why it is not illegal by way of being unconstitutional since it clearly tramples on the 4th amendment rights of all the other subscribers.
Absent clear mechanisms for watching the watchmen to make sure they not only respecting the 4th amendment rights of the other subscribers, but technically incapable of doing so (in order to mitigate rogue actors that want to impress their superiors via fishing expeditions), I can't see why we should have any reason to believe this information will not be abused. The government, especially the NSA and the FBI (by way of parallel construction), have proven to be outright liars. This alone should be enough for a judge to rule against the right of the government to make such broad requests. The government has be proven guilty of lying here. The burden is now on them to show that they are no longer guilty.
The problem with describing that as a problem is that there's no mandated way to operate a business (other than lawfully)
Levison didn't design it to make it harder for the govt specifically, he designed it that way to make it stronger for his users as against the rest of the world and would then make exceptions for the govt (which they turned down when he offered to custom-tailor a solution)
You can have a client side key BTW. It's a complete dick to setup and each UA is different so it's really not viable for a product for the unwashed masses. But for something like Lavabit I don't think would be unreasonable.
Ladar had a hard enough time making ends meet with the service as it was, adding something like that to the mix would have alienated a huge portion of his userbase.
You would think his users would be pretty savvy but he spent lots of time and money walking people through simple tasks like configuring Outlook or Thunderbird to check their email. I'm pretty sure support was his biggest operating expense.
I should have said for a product like Lavabit, ie mail as secure/private as SMTP likely gets right now, I hope it wouldn't be unreasonable. However, in my heart of hearts, I knew it was too much to ask for.
I guess anyone that knows how to create and setup a client side TLS cert and key would also already know privacy and SMTP can't really live together, and would setup a deaddrop for gpg encrypted messages.
Arguably asking for the SSL key is overbroad since it would effect all Lavabit users. But the government only asked for it after Lavabit refused to implement targeted mechanisms in a reasonable way.
If you read in the arguments he is willing to comply with the pen register but the FBI argues that the SSL keys are required for this to function. Based upon my understanding this would mean that the pen register would use the keys and essentially pull a MITM attack on all traffic or the FBI just really doesn't understand that the mail wasn't encrypted once it hit the server and if their pen register functioned after the SSL termination they could get what they wanted without the keys.
I might be misunderstanding here, but going through the court transcript (p. 49–50), but it sounds like the gov't was entitled to installing a pen register[0] since (replace phone with email/internet):
"that because you knowingly expose phone numbers to the phone company when you dial them (you are voluntarily handing over the number so the phone company will connect you, and you know that the numbers you call may be monitored for billing purposes), the Fourth Amendment doesn't protect the privacy of those numbers against pen/trap surveillance by the government."
Since all of the network communication happens over SSL though, they are unable to read any of the data going into or out of the network without the encryption keys.
Shouldn't they only be able to access what's exposed to the outside network, or are they actually entitled to the unencrypted text, even if that's not available without being inside the connection? Forgive my lack of technical/legal understanding here.
The problem is that the email is still sent to the address in an unencrypted format. Lavabit, upon receiving an email, then encrypted it. Therefore, Lavabit itself was provided with an unencrypted version of the email. That means that the expectation of privacy does not exist and the government has a right to the information. Or at least, that is the argument that the government puts forth.
They're not entitled to the contents of the email because the service can operate without the contents. The service can not operate without the origin and destination details however.
That's what pen register metadata is - it's not email contents.
> They're not entitled to the contents of the email because the service can operate without the contents.
This is mistaken. It is not the case that the service must operate by law. The service can only operate if it does not infringe civil liberties. To be more specific, it must not violate the fourth amendment of the constitution. The reason that metadata does not violate the fourth amendment is that there exists an expectation for whomever you give the message to to actually read the metadata much in the same way that you expect the post office to read the mailing address.
As I was trying to say in the parent comment, Lavabit, upon receipt of an email encrypts the entire email including the metadata. This still falls short of relieving the expectation I previously discussed because it still receives the email unencrypted. Hence, the government will argue that it has a right to the entire contents (even though the headers may suffice in some cases).
Pen register metadata was deemed not protected by the Supreme Court, but privacy rights still protect the content of most communications from seizure without a warrant.
It all comes down to reasonable expectation: to send a letter, or make a phone call, you obviously have to tell the phone company the details of who you're calling. Therefore the information is not considered to have a reasonable expectation of privacy. Whereas you don't need to convey the content of your email or voice conversations to them for the service to operate - you could scramble your voice, or encrypt your email, and it wouldn't change a thing.
That's a great observation and it depends on how you define "exposed." Since it's technically feasible to capture the information, perhaps even retroactively, it's certainly been sent to a third party (Lavabit) for retention but they have just chosen to voluntarily put blinders on when it comes to that information.
So the question is whether it requires actual exposure or exposure in the regular course of business.
Levison objected saying that the key would allow the government to access communications by all 400,000 customers of Lavabit. He also offered to add code to his servers that would provide the information required just for the target of the order. The court rejected this offer since it would require the government to trust Mr. Levison and stated that just because the government could access all customers' communication did not mean they would be legally permitted to do so.
This is a CORE of what is wrong with the oppressive system US become. Note that Levison himself did not commit any crime; he simply offered the service to host emails; he was not a criminal but yet court decided that he can't be trusted. This is a core of the problem here. You can be a saint Pope yourself and the Gov will not entrust you, but yet at the same time you have government who on record murder its own people and do things after which you would have not slept for a month, and is given carte blanche type of trust from the judge.
The government clearly can't be trusted either. They said they didn't collect information on millions of Americans, which was an outright lie ("least untruthful" statements are still lies). In another comment I proposed a solution where there is a shared, recorded pair programming session where the actual commands to be executed are approved by each side before execution. What I don't know is if such a session could be set up without giving exposing your keys to the system capable of handling the shared session.
Sending the SSL keys to the FBI as a multi-page printout in 4-point font when the government doesn't specify what format it wants is pretty funny. (Page 127 - 137.)
Well, except that as I recall, Lavabit didn't use SSL with PFS, so giving the FBI their SSL keys means that all previously-captured ciphertext is decodable.
To me the most disturbing part of the in camera proceedings was when Levinson asked for the ability to enlist public support and the US Attorney objected--not because it threatened the investigation, but because they didn't want Levinson getting any help. Ultimately Levinson did get help and the case attracted wide attention, but not everyone is so lucky. From a legal perspective I find all the technical "under the hood" arguments fascinating--but the courts don't care. They may care twenty years from now, but they don't care now. The judge has lived with computers since the 1980's and he's talking about phone numbers. Lord have mercy.
pg. 115 - Levison's lawyer has trouble arguing his points with the Judge
He is trying to make it clear that this is not about a system that was designed to make it hard to get snowden's data in the sense that Levison is actually ever arguing that snowden's data is or should be protected or is difficult to retreive. It only becomes difficult to retreive ONLY snowden's data and that is why the govt should be restrained in its options without violating the privacy of 399k others.
(commenting as I read along)
pg. 11 - Certification of Business Records
Thought he was being asked to install trap/trace/whatever by the govt alongside his equipment - might explain why this wasn't filled out/signed. It's not part of his regular business to record all such information.
pg. 30 contains what sounds like a much too broad request for any and all public and private keys for ALL lavabit users including HTTPS sessions and SMTP communications, not just Snowden
Actual search warrant is much more narrow to just Snowden, although missing the date before which the warrant must be executed
Served in TX on a Thursday to show up for court the next Tuesday AM in VA - gotta love that prep time!
When it actually get to court, the judge emphasizes that only information about a specific account is needed. The judge on p115 or so emphasizes that the government can ask for that information, and it doesn't matter if it's easy or hard to access.
The judge on p50, says that encryption keys must be provided in order to make sense of the legally obligated pen register data. Levinson, on p51, brought the keys with him (as you mentioned, on p30), but Levinson, on p52 points out ... well, I'm not sure. I think it's that the keys in the subpoena don't actually exist?
Levinson is willing to make the pen register available, for a development fee of about $2,000 (p90). (Note: Verizon charges about $700 for 60 days of a pen trap; see https://www.aclu.org/files/cellphonetracking/20120328/celltr... . I don't find the $2,000 to be unreasonable by comparison.) The government says that paying development costs has never been done before (to the lawyer's understanding), and doesn't want to do so. (p116). On p 115, the judge says that ease or difficulty doesn't play a role on if the government is lawfully entitled to the information. (I wonder then how Verizon can charge for it.)
Levinson, btw, wants to provide the data in a lump data dump, after 60 days of recording (p90). More frequent updates will cost another $1,500.
The government, on the other hand, demands real-time data, and wants to install a real-time device which captures all metadata, which is then filtered so that agents only receive what's in the pen order (p121). This requires the full SSL keys.
The judge agrees with the government that this is reasonable. (line 18, p121).
Previously (p56), Levinson asked the court if it was possible to do an audit of the pen register. The judge responded that any request for extra monitoring would be denied.
BTW, Appendix A shows a copy of the infamous SSL key as 4pt font.
"The government, on the other hand, demands real-time data, and wants to install a real-time device which captures all metadata, which is then filtered so that agents only receive what's in the pen order (p121). This requires the full SSL keys.
The judge agrees with the government that this is reasonable. (line 18, p121).
Previously (p56), Levinson asked the court if it was possible to do an audit of the pen register. The judge responded that any request for extra monitoring would be denied."
Who knows what all these little black boxes do? Just because they say it will only transmit what is in the order, how can one know otherwise? Hence the request for audit, which is denied... very, very suspicious.
Agreed. There's a place there where the judge asked the lawyer for Lavabit something like "if you don't trust the government wiretap box then why should the government trust that you are providing the required information"?
The lawyer had no real response, and agreed that the judge had a good point.
I can think of some answers which might have been better, but they require technical collaboration to come up with a mutually acceptable answer. Or, with the Snowden information we know now, there's a reasonable suspicion that the unreviewed information might be stored for later, should the government decide there are other justifiable reasons to review it in the future.
The only answer you need is that the Constitution is simultaneously built on trust/mistrust of government. Otherwise, why bother with checks and balances.
Related to the Lavabit case (but more generally) I've been working on researching warrant canaries.
Order contains language "minimum interference to the services that are accorded persons with respect to whom the installation and use is to take place."
Possible canary-busting language as well as NSL-like "shall not disclose trap/trace or investigation" language
It would be interesting to see what their pen/trap device costs to install, I would guess far greater than $3500 if I know anything about government spending.
The difference is that Verizon already had this code built, and charged $700/request to use it. The Lavabit founder was asking for money to develop and modify his code. Even if it was his code, there is no "standard" amount for this service, so the government balking about it seems a bit disingenuous. It seems like they were annoyed they got push back to begin with, then did a heavy handed overeach to get the ssl keys because they knew the judge was friendly to their point of view.
He may have done if they agreed, but then again, maybe not. A lot of his responses seem like stalls in order to decided what to do.
In my reading, I get the same feeling of being disingenuous. The 4pt SSL key emphasizes that.
My best interpretation is that he had already decided that the only solution was to shut the company down - which I'm certain the government wasn't expecting - and given that he was likely to fail was using delay tactics.
However, my interpretation fails because he said he would do the tap if the government paid him enough money. (OTOH, he could have decided to shut it down in that case as well.)
pg. 76 contains the best argument IMO - no discretion being left to the FBI to ONLY retain header/contact details for Snowden's email and not take the keys to the kingdom
pg. 94 - it seems somewhat dishonest of the govt to insist that Levison has not come up with a solution to reveal the information authorized considering Levison offered to build it and requested IMO reasonable compensation to his system to do so
[0] http://news.rapgenius.com/Hon-john-f-anderson-united-states-...