Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys

Posted by timothy on from the c'mon-fellas-it's-for-the-greater-good dept.

jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."

43 of 527 comments (clear)

  1. Nothing left to do by Anonymous Coward · · Score: 5, Insightful

    Understandable that he shut down.
    The USA is ruled by evil bastards that have no respect for the citizens.
    Time to revolt is now.

    1. Re:Nothing left to do by Lunix+Nutcase · · Score: 3, Insightful

      You mean the time is now for others to revolt while you sit in the basement playing armchair general. Who about you actually di something rather than just make empty threats?

    2. Re: Nothing left to do by Anonymous Coward · · Score: 3, Insightful

      Land of the cowards, home of the slaves.

      Where else in the world can people be so cowed while simulatenously bragging about their right to go armed?

    3. Re: Nothing left to do by jedidiah · · Score: 3, Insightful

      It's almost like there's more than one person wandering around.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    4. Re:Nothing left to do by sociocapitalist · · Score: 3, Insightful

      Understandable that he shut down.
      The USA is ruled by evil bastards that have no respect for the citizens.
      Time to revolt is now.

      It's basically your fault there will be no revolution because you decided not to put an exclamation point which, very appropriately,sums up the attitude of most Americans about anything other than sports, shitty beer and big tits.

      --
      blindly antisocialist = antisocial
  2. Why? by jbmartin6 · · Score: 4, Insightful

    I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Why? by CanHasDIY · · Score: 5, Insightful

      If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

      Yes, how dare the impudent bastards attempt to protect their customers from illegal surveillance!

      Seriously, I think you just posited a digital variant of the 'skinny jeans defense' rapists use.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Why? by LateArthurDent · · Score: 4, Insightful

      Lavabit wasn't as principled as claimed by Glenn Greenwald et al. They did actually plan (or told the courts and the FBI they would anyway) to release the records relating to $PROBABLY_SNOWDEN to the FBI. At best you can argue they were lying, but how's that showing integrity?

      Once they were given a proper warrant, complying is the principled thing to do. That's proper due process. The point is to prevent the government from gaining access to information while skipping said due process. So no, at best I can argue they were telling the truth, and doing the right thing.

      Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing. These mistakes made it easy for the FBI to argue that they couldn't trust Lavabit to do what Lavabit was offering to do. Lavabit should have contacted the FBI immediately, made it clear their concerns

      Assuming the facts are correct, agreed.

      and not made a clearly bad-faith offer to provide something useless to the FBI

      I don't think that's what they did. The first offer of providing the information on a monthly basis seems both useful and better targeted than the initial FBI request. Why is this a bad-faith offer?

      Notwithstanding the above, the court's refusal to allow Lavabit to talk to politicians et al about the basic principles in the case seems absurd and completely unconstitutional.

      Right. The whole thing was the government throwing a fit. "Oh, you want to fight us. We'll up the ante, and ask for something completely unreasonable then.." It was very principled on their part to not fold as a result, and to shut down instead of giving them what they wanted.

    3. Re:Why? by Anonymous Coward · · Score: 4, Insightful

      Lavabit could have provided that, but refused.

      Good on them!

      This is on Lavabit.

      And for that, they are to be viewed as heroes.

      As opposed to Fed apologists, such as yourself.

    4. Re:Why? by jedidiah · · Score: 5, Insightful

      Lavabit being "in contempt" regarding the first request in no way justifies the second.

      This is just more of this sort of post-factum argumentation that is so common everywhere lately. You even see it at the level of the SCOTUS. Some goal is declared supremely important and then the law is distorted to fit that objective rather than to actually honestly examine if that objective is even legal to begin with.

      "We must do X, therefore we will ignore the law"

      Same nonsense, different day.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    5. Re:Why? by TheGratefulNet · · Score: 4, Insightful

      if the US gov asked a huge mega-corp to break its whole business model and trust, essentially going out of business (think big auto makers or sony or some huge corp like that) do you think it would happen? would the gov push around a huge company and try to ruin them, just to get some (cough) meta-data?

      small guys who can be made to look 'dodgy': yes

      big co's who donate to the election campains: certainly not!

      "business as usual" ;( might makes right. time and time again, the larger the government gets, the more power it gets and the more corrupt it gets until its main goal is just to keep itself going along the same trajectory. ethics and fair treatment be damned.

      --

      --
      "It is now safe to switch off your computer."
    6. Re:Why? by HeckRuler · · Score: 3, Insightful

      Ah, the NSA lapdog comes in to try and weedle and twist and squirm any way he can to apologize for the NSA.

      But no. You can't even do that correctly, can you? Listen, the FBI demanded something. Lavabits said no. The court said yes. Then the FBI came in with an even bigger demand.

      A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

      "Upping the ante" is pretty synonymous with bullying. They refused the request, and the court order, and then the FBI "ups the ante" and demands complete access to everything? That's bullying flat out. It's abuse of power. Comply with our demands or we'll throw the whole book at you and make you dance.

      This is on Lavabit

      You mean the blame for this shit? No. No I don't think the blame is on Lavabits. I think the FBI got miffed that their cock wasn't sucked hard enough so they decided to rape a business to death.

      Hey, the FBI came back with a warrant. Ok. That's not that bad. It's actually a lot better than this bullshit warrantless "pen register order". That the warrant includes COMPLETE control over ALL communication that your entire business is specifically sold as being secure? That's bad.

    7. Re:Why? by CanHasDIY · · Score: 4, Insightful

      It's not magic, it's the rule of law: Per the Constitution, it is the supreme law of the land, and cannot be superseded by anything except a Constitutional Amendment. As no one has, to date, amended the Constitution to nullify the 4th Amendment, any "law" that violates the right of the People to be free from unlawful search and seizure is, in fact, not a legitimate law, no matter how many political appointees scream that it is.

      If the government made a law that said it was required for every goyim to kill at least 1 Jew, and the SCOTUS supported it, would you say the murders are legitimate, legal acts?

      Well, OK, maybe not you, specifically, but a person of reasonable faculties who has not already proven themselves to be an ardent licker of federal boot.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    8. Re:Why? by wiredlogic · · Score: 4, Insightful

      Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing.

      You shouldn't have to use a lawyer to get justice in a free nation. It shouldn't be possible to use a defendant's naivete as a procedural trap to extort concessions and violate due process. Judges are supposed to be biased in favor of defendants to ensure this doesn't happen. The puppet FISA "judges" are so quick to lick the boots of their real master that they can't be bothered to maintain a believable charade.

      --
      I am becoming gerund, destroyer of verbs.
  3. What moron judge allowed this? by h4rr4r · · Score: 5, Insightful

    How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?

    1. Re:What moron judge allowed this? by h4rr4r · · Score: 4, Insightful

      Stop right there. The fact that they are allowed this without probable cause is already too much.

      They should have sent it 4 point one character per page.

      The fact that the judge believed the FBI would only take the info the warrant allowed makes him either an accomplice or as naive as a child.

    2. Re:What moron judge allowed this? by the+eric+conspiracy · · Score: 3, Insightful

      It's not a warrant. Email headers are not protected information under the law so all you need is a subpoena. Since they are disclosed to third parties there is no expectation of privacy under current law.

      It's the same idea that the outside of the envelope that you give the postman is not protected. Nor is a list of phone numbers that you call.

    3. Re:What moron judge allowed this? by h4rr4r · · Score: 3, Insightful

      The previous order was a violation of due process.
      Then the judge somehow believed the FBI would not take more data than they were allowed. So either he was in on it or incredibly foolish.

    4. Re:What moron judge allowed this? by loganljb · · Score: 4, Insightful

      Like I said, I don't disagree with how LavaBit handled this. In fact, I think EVERYONE should treat federal 'requests' for information the way that Ladar Levinson has, and greatly admire the stand he has taken. I was simply saying that it was more complicated than the summary made it out to be.

      That being said, in my personal opinion the fact that the fed can request envelope information with no probably cause is a travesty. I see it as no different than pulling mail out of my mailbox to see who I write letters to and who writes to me. This should be illegal search and seizure

    5. Re:What moron judge allowed this? by silas_moeckel · · Score: 5, Insightful

      The header information blanket traces back to an idiotic ruling that the outside of a letter was not protected since everybody can and had to read it to get it there (the USPS digitizes and stores all of them now). The FBI then applied this to encrypted traffic which makes no sense since it's no longer data that anybody but them or there agent can read.

      We need clear guidance, which a simple presidential order could give that prohibits all of these sorts of searches.

      --
      No sir I dont like it.
    6. Re:What moron judge allowed this? by bill_mcgonigle · · Score: 3, Insightful

      If you read TFA you'll see that it came about because Lavabit did not comply with the previous order. There is little mystery about it.

      They could have gone for enforcement (pretty much "SWAT team" these days) of the previous order. But they used the situation as an excuse to get what they really wanted, 4th Amendment be damned.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:What moron judge allowed this? by AlphaWoIf_HK · · Score: 3, Insightful

      While that's certainly a possibility (given how illogical the law often is), it has nothing to do with whether or not these actions were wrong.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    8. Re:What moron judge allowed this? by FriendlyLurker · · Score: 5, Insightful

      ...when the fact emerge that they were defying [Secret, Unaccountable, Undemocratic] court orders.

      Cold Fjords subservient cheerleading to power never ceases to entertain. Obviously the operators of the Cold Fjord account have learned absolutely nothing from history, or are on the wrong side. See: "Means Used by the Nazi Conspirators in Gaining Control of the German State". Quote: "To make certain that cases with political ramifications would be dealt with acceptably and in conformity with Party principles, the Nazis granted designated areas of criminal jurisdiction to the so-called Special Courts (Sondergerhte)."

    9. Re:What moron judge allowed this? by david672orford · · Score: 5, Insightful

      Stop right there. The fact that they are allowed this without probable cause is already too much.

      It is interesting that the prosecutor portrayed this as a pen trap. Courts have ruled that users do not have a reasonable expectation that the numbers they dial on their phone line will remain private (basicaly because they show up on the bill) but that they do have a reasonable expectation that nobody is listening in. That is why this information can be obtained without probable cause. But if Lavabit offered specific guarantees that this information would not be recorded except in the encryted e-mail boxes, then the users had a reasonable expectation of privacy. This might make the use of a pen trap without probable cause illegal.

    10. Re:What moron judge allowed this? by Anonymous Coward · · Score: 2, Insightful

      Lavabit shut down. Their other customers have lost service.

      Their other customers retained their privacy and security in the face of a well-resourced attack from the US government and Lavabit even managed to make the attack, it's tactics and its source publicly known. The owner sacrificed his business to do it. If there were a heaven for secure email services, Lavabit would be the ones getting to judge everyone else for whether they make the cut for getting in. I doubt you've ever been as successful at anything in your life as these people have in preserving their customers' privacy - which was exactly the service that they were providing.

    11. Re:What moron judge allowed this? by tnk1 · · Score: 4, Insightful

      More likely it is:

      FBI: The precedents handed down allow us to demand this.
      Judge: That sucks... unfortunately you are right.
      FBI: Tell them to hand over the goods or we'll appeal and you'll get slapped down and you'll still have to do it.
      Judge: Fine, assholes.
      Lavabit: We're going to comply in the least cooperative way.
      Judge: Don't fuck with me, I'm already in a bad mood from Special Agent Dickface over there.
      Lavabit: Nyaahhh
      Judge: Okay, fine. Which is to say, pay a fine, now.

    12. Re:What moron judge allowed this? by blueg3 · · Score: 4, Insightful

      They should have sent it 4 point one character per page.

      No. You should have a good reason for telling them "no", then you should tell them "no" with your reason, and get lawyers involved. Pretending to technically comply with a court order while making an obviously obstructive, bad-faith effort is a good way to ensure that things go rapidly downhill for you.

    13. Re:What moron judge allowed this? by dcollins · · Score: 3, Insightful

      I wish I could agree but I don't. The US government has crushed some fairly small-time players. They have the big players well in control (MS, Google, Facebook), and they aren't going anywhere (too many stakeholders, can't be moved or shut down the same way). This particular skirmish is win-win for the US government -- fewer choices for citizens, more people forced onto the big centralized systems they have full access/control to, proven threats to use against any future outliers.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  4. Re:That doesn't follow by h4rr4r · · Score: 4, Insightful

    In all fairness their first request was horseshit. The idea that the metadata of email even encrypted email is not protected is already so outlandish as to be nearly unbelievable. We now know we live in a police state.

    This judge is either willingly part of this bullshit or the most naive SOB that ever lived when he believed the FBI would only take the information the warrant allowed. If you give them the ability to get more they will take more.

  5. Re:That doesn't follow by the+eric+conspiracy · · Score: 4, Insightful

    Umm in a police state Lavabit would have never existed in the first place.

    We are in one of those times where the US government is over-reaching their powers under the Constitution. It isn't the first time.

    Time to wake up folks. The price of freedom is eternal vigilance.

  6. Re:That doesn't follow by h4rr4r · · Score: 3, Insightful

    All police states have to start somewhere and letting lavabit operate while holding the keys to it is one hell of an observation tool.

    I am aware this is not the first time, but like before we will need something major to wake people up.

  7. Re:Should the US still be in charge of the interne by Anonymous Coward · · Score: 2, Insightful

    If we are to chose a single country, then probably US is the best option (at least if you are not a brown person). Nations are generally divided in two bunches: US sockpupets that can be used for things even the US does not want to be seen doing (hint: like Canada) and totalitarian dumps who's leaders would gladly murder just about anyone that threatens their access to power. So a common counterargument is that we either end up with US, or someone much worse.

    But it does not have to be that way. An international agreement drafted by the major industrialized nations with an eye towards freedom of expression and democracy could be a much better deal than a single nation calling the shots. One important provision in such a treaty would be banning spying of international traffic passing though domestic lines. Nations would still be tempted but if caught it would justify international sanctions like a connectivity embargo. Imagine that, the first country with a closed internet would not be Iran, but USA. And the closure will come from the exterior. Quite a sensation on Nasdaq.

    Anyway, don't get your hopes up, the way things work in the UN, there will never ever by a sanction against US, because it along with select few can veto any such action.

  8. How's that working out for you? by Anonymous Coward · · Score: 0, Insightful

    How's that "land of the free, home of the brave" thing working out for you guys?

    At some point, America is going to have to learn to reconcile their beliefs about themselves with reality.

    You're not free. You're not in favor of freedom. And you've become a country whose government which is actively working against the things you claim to stand for.

    So when the rest of the world stops buying your products, putting up with your shit, or giving a damn about your business interests ... you can own that. All of your industry has been rendered as not trustworthy by your government spying.

    There's no reason for any other country to trust America any more than they would Iran.

    Face it guys, the terrorists won, because they've more or less destroyed the last illusions you had about your way of life.

    Not so long ago if someone had said "papers please, comrade", and "if you have nothing to hide you have nothing to fear" would apply to America many of us would have laughed. Instead, we now see that America stopped being free a very long time ago.

    You're like the Roman empire -- in decline and oblivious to it. The only question is how long before you do, and if you can fix it. At this point, I seriously doubt you can.

    Manifest douchebags.

  9. Read-only vs. complete ban by tepples · · Score: 4, Insightful

    How is a user who just reads considered "abusive" to Slashdot? Treat Tor like any other open proxy, giving it read-only access.

  10. Orwellian by mrflash818 · · Score: 3, Insightful

    The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested.

    When I was growing up (70s and early 80s), all the US propaganda about how bad the Soviet Union was, how bad East Germany was, in terms of privacy, citizen rights, and being police states.

    "Hypocrisy!", in my opinion.

    In my opinion laws should protect non-suspect citizen rights, and enforcement agencies (FBI in this case) should be legally required to only target and restrict their levels of privacy breach to only those individuals or organizations of inquiry. They should have no legal authority to make such demands, and if a company or citizen gets such a demand, the FBI should be able to be publicly sued for attempting to exceed their authority.

    AND, if the FBI currently is allowed to do such dragnets, the laws should be amended to remove such authority, and be enforced.

    --
    Uh, Linux geek since 1999.
  11. The USA is ruled by nurb432 · · Score: 1, Insightful

    Its not exclusive to the US. All governments are like this.

    --
    ---- Booth was a patriot ----
    1. Re:The USA is ruled by TheGratefulNet · · Score: 5, Insightful

      the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.

      this is human nature. the dark side of human nature.

      at least its out in the open, now. what we do with it, as a species, is up to us. do we put our data thieves (ie, the government) behind bars or do we just say 'I have nothing to hide!' and let them continue along with their abuse and theft of our privacy?

      there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it. companies includes (your corp firewall and your corp provided laptop probably has built-in certs from the company)

      --

      --
      "It is now safe to switch off your computer."
    2. Re:The USA is ruled by erikkemperman · · Score: 5, Insightful

      there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.

      Qualitatively, yes you're probably right. Quantitatively, not so much. It's like the military. Every country, or almost, has one. But only the USofA spends about as much on "defense" as the rest of the planet put together.

      PS Capitals, used with some restraint, go a long way to making heads and tails out of a sentence.

      --
      Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
    3. Re:The USA is ruled by ObsessiveMathsFreak · · Score: 5, Insightful

      the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.

      I live in Ireland. I can pretty much guarantee you of three things.

      1) The state lacks the expertise to snoop on any communications.
      2) The state lacks the legal clout to force anyone to turn over their encryption keys.
      3) The government would likely not survive the closure of an IT SME such as Lavabit -- and loss of associated jobs -- which resulted from direct government interference in that company's ability to operate in Ireland.

      The rules that apply to the US government do not apply to every government. Some governments lack the skills, laws, and nerve to pull off what the White House/NSA is doing to US internet companies right now. More governments simply lack the money to pay for so extensive a network of surveillance and control.

      there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.

      That can includes more than simply being ABLE to do it. It includes being EMPOWERED to do it, being PERMITTED by the people to do it, and to being able to AFFORD to do it. Right now the US government is able, empowered, but only just about permitted and certainly not able to afford to continue to finance a spying program of this magnitude.

      The Soviet Union exhausted both its finances and legitimacy in trying to keep its populace under control. Hopefully the US will not have to go through as painful a breakup in order to reverse its present trend.

      --
      May the Maths Be with you!
  12. Not just SSL by Todd+Knarr · · Score: 3, Insightful

    It's not limited to just SSL. Any company that holds a copy of your encryption/decryption keys (a public certificate is OK, the matching private key that goes with it is the problem) can be ordered to turn them over. The only safe system is where the keys that secure the system never leave your possession.

    For e-mail that means using S/MIME or OpenPGP with a self-signed certificate and a private key you generate yourself. For encrypted documents, the same. The e-mail and documents need to be encrypted on your end before they leave your computer. Be aware that if you're encrypting messages to someone else the security will be controlled by their handling of their keys. You're encrypting using their public key, there's no security implications from disclosure there. However, if the recipient's using a service where the provider has a copy of their private key (used to decrypt messages to them) then messages can potentially be eavesdropped on by outsiders who've compromised the provider and gotten the key. Be aware of this aspect and make sure you know how recipients are handling their own security.

    Yes, the above means any and all web-based or hosted services are automatically vulnerable no matter how they're designed. The only secure systems are ones where you, or software running on your computer and that you control, does the encryption and decryption and the private keys are never disclosed to any other party.

  13. basically by Khashishi · · Score: 4, Insightful

    Basically, the government can force you to do anything it wants, and there's nothing you can do about it. Strange, I remember hearing about some document that spelled out certain limitations on the governments powers, and certain rights that people had, but I must have misremembered.

  14. Re:https by lgw · · Score: 5, Insightful

    Because I'd prefer my employer not to know my /. UID?

    Never ask "why do you want privacy"; that's always a stupid question. Privacy is simply an integral part of the two prime human goals: liberty and dignity.

    This is a fundamental mindset change that's needed in developers! We've learned to write software that uses the least possible privilege, as the core of security. We need to learn to write software that offers the most possible privacy, as the core of human rights.
     

    --
    Socialism: a lie told by totalitarians and believed by fools.
  15. Ok, get on that then by Sycraft-fu · · Score: 3, Insightful

    Go start your revolution. Do whatever you think that entails.

    Or, if you aren't willing to do that, because revolutions are messy and often as not end up worse than what you had, kindly shut the fuck up.

    I will not be joining you because while I feel the US has not been moving in a positive direction as of late, I feel that the solution to fixing it involves using the democratic process, not violent revolution, since I understand how nasty those are and also have a perspective on how good the US has it overall.

    I get really tired of whiny, usually anonymous, basement dwellers playing toughguy on the net, decrying the US and saying we need to "revolt" or "rise up" or some BS. You aren't going to do that and you know it. So you are just being a douchebag, whining and complaining, suggesting that others should do the dirty work.

    So put up or shut up. If revolution is really what you think is needed, get on that then. Though you might want to research a little as to what often happens to revolutionaries, and to countries after. If you don't, then STFU about it. Less whine, more action.

    In fact, you will probably find that if you and other like you spent less time whining and more time working to affect actual change in the country within the system we have, things might start getting better.