Because, if this article is correct[0], his refusal to obey a court order is the only reason the FBI made him hand over private keys.
The story is the FBI asked for Snowden's emails and correspondence. Lavabit said they would not hand over the information(but admitted they had the technical capability ... it was server side encryption after all). Only after that refusal did the FBI start taking more drastic action.
This is, if that story is true, about on par with a Bank complaining that the FBI ransacked the safe all their safety deposit boxes were stored in. Expect the bank neglects to mention that the only reason the FBI had to break open the safe and be put in the position of being able easily break open all the safety deposit boxes was because the Bank failed to to hand over one box when given a valid court order.
This is particularly problematic in Lavabit's case because a major cornerstone of the argument against the NSA's warrantless surveillance is that there are legal means to compel access to data when it is actually necessary and that those means make it totally illegal to do what the NSA was doing. This is really a hard point to argue when those means don't work because other's thumb their nose at the law as well.
After studying the requirements Lavabit said they could write code to do it for $3500. But the FBI said they didn't trust Lavabit to do it right and thought it cost too much. They demanded direct access. http://imgur.com/A3RNQWY
> The story is the FBI asked for Snowden's emails and correspondence.
That's not the story that you linked.
From the article you linked: "The filings show that Lavabit was served on June 28 with a so-called “pen register” order requiring it to record, and provide the government with, the e-mail “from” and “to” lines on every e-mail, as well as the IP address used to access the mailbox. Because they provide only metadata, pen register orders can be obtained without “probable cause” that the target has committed a crime."
Yes and No. Yes they originally wanted a so called pen register.I should have been clearer with that. This request was without a warrant. Lavabit refused.
Then the fed's got an order from a Judge for it. Lavabit still refused.
Finally, the Feds, got a court order to the keys to the kingdom so to speak. At this point Lavabit is willing to implement a pen register. The fed's don't trust them to do it, so they stick with the final order. Lavabit shuts down.
Just because the FBI did not get the specific information they wanted as quickly as they would have liked should not entitle them to gather information on people not included in the original warrant... people who the FBI had no probably cause and no justification for grabbing their data.
I just don't understand how that makes sense. "You wouldn't give us Snowden's info so now we get everyone's info!" Why can't the FBI or the court further compel Lavabit to give up just the information they were authorized to get?
I agree the FBI shouldn't get access to everything. From the perspective of a Federal judge,however, there he cannot allow Lavabit to just not comply. So giving the FBI access and maintaining "safeguards" to prevent them from abusing it is an acceptable outcome. (Note, I don't trust those safeguards)
Now, why is that the outcome and not just forcing Lavabit to hand over select information via say the US Marshal's. Because Lavabit said that would take a while to implement and by this point the Feds think Lavabit is dicking around with them, the Feds decided this option won't work.
The feds obviously don't know the code base and can't implement the requested functionality themselves even if they somehow gained access to the service without taking it down. But they can ask for the SSL keys. That's a tangible piece of information the court can force Lavabit to hand over immediately. It makes sense that the government would request it. And it makes some sense that a federal judge would allow it after Lavabit itself rejected the option that preserved the privacy of the rest of it's users.
Why conceal the donate link behind a link shortener? And on yet another creepy surveillance related story. I can't be the only one that sees the irony here.
This way, you can still have your (unnecessary) click tracking while still giving the reader choice. I think you used a link shortener only to track clicks, since there is no 140 character limit here on HN. Ask yourself if this practice is really necessary.
Sorry - The shortened link was copied from his Facebook post. I thought it appeared sketchy but when I tried to expand it and paste it into HN it got corrupted (just like in your post). I was too lazy to figure a workaround. Sorry.
I wouldn't use Paypal anyway. They repeatedly stood out in the past for closing donation funds for non-profits for dubious reasons and other forms of being shitty. I don't trust them to use my money in the way I inteded it to be used.
Wouldn't the FBI have the technical capability to use optical character recognition to digitise the keys to actual text? Or maybe it's too small to be legible to a high DPI scanner? I really admire Lavabit here, they're not dealing with your average Joe, they're dealing with the American Government and that costs money. Everyone has the chance to help potentially make history by supporting Lavabit and donate to its legal fund.
Many would have just given up the moment things escalated, but Ladar Levison never gave in and fought for the privacy of his users at the cost of his profitable business and life. The cards are stacked against him, but he didn't let it get in the way of trying to fight the case and have it made publicly.
How many other companies have secretly complied with similar requests we don't know about? United States of America, the land of the free, right?
A simple character flip in a single letter would make the key unusable. ocr is fairly good, but it's not uncommon that you get a handful of errors. That's usually fine if the result is meant for humans, but here, 99.9% correct is not enough, you need 100% correctness.
It remind me of the case of "Free" a French ISP, they were forced like others ISP to send to the government the customer information related to IPs caught on P2P networks [0].
But the law did not specified how the data had to be sent, so to troll the government they sent everything by fax. And the volume was around multiple thousand queries a day.
I believe Julian Assange worked on a system that would make it impossible for an external entity to determine if there is any useful information on a data partition. Basically you would have a hard drive full of random numbers and it would be unfeasible to determine if there is any actual information on it, without the right keys and tools.
Its trivial to make a system where the content of the messages can only be read by the recipient. PGP and GPG email is an example of this end-to-end encryption.
The weakness in these schemes is two-fold: the update mechanism for the software (e.g. if its web-based, do you trust the server that serves the page?) and authentication: how do you know that the credentials you have for the recipient are accurate?
Its less trivial to make a system where who-is-corresponding-with-whom is obscured. Onion Routing (e.g. TOR) is in this direction, but there are laborious ways to peel the onion.
one 4 point character per page, delivered as a stack, but unstapled. Bonus points if the pages are numbered, but are sampled from a psuedo random number generator with large cycles.
Small moves like that makes me proud to be on the internet at this day and age of crisis. I hope I can tell my children or grand children that I actually cared and that I made a small difference, even if it's only the smallest of all.
I hope it will stay the way it is. Probably not, seeing how the public is ignoring and/or is not caring about the issue at all.
I broadly meant that as in not controlled by any single state, entity or corporation.
I for one welcome the new holographic internet cats shared by our minds and made entirely of pastas that are shaped into code. So long as those pastas are open.
If my understanding is correct, the FBI could decrypt historical traffic if they had the keys. So, assuming the FBI/NSA has a huge archive of Lavabit's customer traffic (would not surprise me), couldn't they decrypt it all now since they have the SSL keys?
>To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data
That would take an intern less than an hour to digitize. Maybe three interns if you needed redundancy. This seems like a completely useless action on Levison's part since it end up giving the FBI the information they wanted but will still piss them off.
>>"To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data," prosecutors complained.
That's pretty misleading - they make it sound like if they press the wrong key once it'll destroy the FBI's entire system.
Off topic, but brings to mind another technique famously used by Goldman when they dumped over a billion pages to the 50 staffers in the Federal Crisis Inquiry Commission:
Clever. We did something similar for a friend getting married. Instead of giving his present directly we created a text file encrypted with his public pgp key. We printed out the ascii-armored cryptotext and handed it over. He had lots of fun typing it back into his computer.
Anyway, as he decided to give the SSL key, pulling this kind of prank seems bit childish. On the other hand, he must have been under a heavy pressure, so can't blame the guy for not thinking 100% straight.
Sad, that people are sidetracked to talking about the font size instead of warrantless wiretapping.
I think he should have encrypted the key using itself. That way he can give them the key. And they can decrypt it and send it back in time so they can decrypt it.
http://tinyurl.com/m65n4ko
http://lavabit.com/
Lavabit Legal Defense Fund 10387 Main Street, Suite 205 Fairfax, VA 22030 (703) 291-1999