
Isn't it a technical problem with the service, rather than a legal problem, if the host can't give access to one email account without compromising all users?



The email encryption was not in play here; from what I understand, the end user was the only person with the key to the email "inbox" encryption.

What was in play here was the SSL key that is used to encrypt the browser traffic between LB and the user. No different than the SSL cert used when you make an online purchase.

It is technologically impossible/impractical to have a separate SSL cert for each user; that is just not how the HTTPS protocol was designed.

This is not Lavabit's doing; that is the work of the Internet Engineering Task Force (IETF).


If your landlord only had a master key to all apartments, could they use that as a reason to refuse to turn it over for access to one apartment?


That is a poor analogy.

By turning over the SSL key, the FBI, using the pen trap device, would capture in real time all data of all users and be decrypting it in real time.

Turning over a master key to a building would not give the FBI instant access to all apartments simultaneously, nor would they have the ability to go back in time to look at previous data, nor thousands of other problems with this analogy.

People are attempting to conflate physical keys with encryption keys simply because years ago the mathematicians used the word "keys" as an analogy to explain things to the general public. This does not mean there is, in reality, any analogous relationship between encryption keys and physical keys.


They could have instant access if they duplicate the key and raid all apartments simultaneously.

Also, the legal speak above states, I believe, that even though the FBI could technically access other user data, this does not somehow disallow this from happening because it is not ideal. It is more a fault of Lavabit than anything else.


How is it the fault of Lavabit?

SSL is a standard secure communication protocol of the internet; it is not Lavabit's design and it is impossible for Lavabit to modify while still keeping interoperability.

You do not seem to understand the underlying problem, as many people are misinformed as to which key the government was requesting. They WERE NOT asking for the key of the private inbox data; they were asking for the GoDaddy-signed SSL key that encrypts the web browser session from the Lavabit user to the Lavabit server, not the user-level key for the encrypted mailbox stored on LB servers.

This is the same protocol that HN uses for this very site, and that Amazon, Gmail, and thousands of other sites use every day to secure communications between public servers and the users of those servers.


> SSL is a standard secure communication protocol of the internet; it is not Lavabit's design and it is impossible for Lavabit to modify while still keeping interoperability.

Correct. If Lavabit wanted to be 100% immune from these types of subpoenas, then they would have designed the system to never have been accessible this way. I'm guessing (just like Hushmail) that having proper end-to-end encryption, like forcing the users to use some sort of PGP on their end, would reduce uptake, thus preventing them from having a viable business model, so they compromised in this way.

Just because SSL is a standard etc. is irrelevant. The government is going to use its subpoena power to get to the information they have reasonable suspicion is being sheltered by Lavabit. If the least intrusive method unfortunately exposes everyone's data, well, that really is what they call "tough luck."


Further on the "tough luck" point, that is not how our legal system is supposed to work. The government in fact does not get access to any information even if they have a reasonable suspicion it is being "sheltered"; there are all kinds of limits that are supposed to exist, and the "tough luck" part is supposed to be the burden of the GOVERNMENT, not the people.


You should probably cite some sources for your theory of how the legal system is supposed to work.


US Constitution, Federalist Papers, hundreds of years of case law, the very concept of innocent until proven guilty: all that supports the notion that the burdens are placed upon the GOVERNMENT, not the people.

The laws allowing for pen traps are very clear that the pen trap must not cause undue hardship on the business in question, and there are similar limits on all of the powers of government.

The idea that the government has, or should have, unlimited power to destroy businesses and individuals in the pursuit of "justice" is not only ridiculous but very dangerous.


Could you perhaps cite one case in the hundreds of years of case law that supports the argument that privacy concerns override the right of the courts to every man's evidence?


You really do not understand what is going on here.

Hushmail would have the exact same problem; Hushmail is not all that different from Lavabit.

When you load a message from your Hushmail encrypted inbox, it is DECRYPTED on the server side using the password you provided at login; then the HTML representing the email contained in your inbox is ENCRYPTED by the web server using SSL and a signed certificate that is recognized by a web browser (in Hushmail's case that CA is Thawte; in LB's case the CA was GoDaddy) and sent to you.

ALL HUSHMAIL USERS share the same SSL encryption from the Hushmail server to their browser; this is how the web works. There is no changing it, at least not by a single company.

The only way around that would be to not use HTTP, or web browsers. But then you could create an entirely new messaging system like BitMessage, whereas Lavabit was attempting to give people private EMAIL, not create a new messaging protocol.


Exactly.

This has no bearing whatsoever on what the government can subpoena. Just because it "sucks" that you've designed your system such that, if the feds need access to one account, one must grant access to everyone's account when you have to comply, that is par for the course.

You could say that the blame for Lavabit being shuttered is actually due to the technical design of the site and the compromises made for convenience. You should blame the site creator for that, not the USG for exploiting it.


Why should I blame the site creator?

I do not believe the USG has the right to the SSL keys, period.

But it is clear you believe that the USG should have unlimited power with free rein to do whatever it wants.

Then do you believe that power extends to forcing a business or individual to commit fraud? Lavabit had an agreement with both its customers and its business partner GoDaddy to NOT reveal the SSL keys to a third party; the second it was forced to do so, it had an obligation to disclose that those keys were compromised, and failure to do so is fraud.

Do you believe the USG should or does have the power to force people to commit said fraud?


> It is technologically impossible/impractical to have a separate SSL cert for each user; that is just not how the HTTPS protocol was designed.

Not impossible; each paying user[0] could be granted their own subdomain based on username and then an SSL cert issued specific to that domain.

What really stands out from reading the unsealed documents is that there was no separation of data and control within Lavabit; Mr Levison argues at one point that handing over the SSL certs will also expose his administrative commands. Well, tough. Control and data should never flow in the same channel, particularly when handling data for which you have already received and processed warrants in the past.

[0] there were only 10,000 users paying for the high-security service. The other 400,000 were on the standard offering, without at-rest encryption.



