Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys

jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."

Nothing left to do

Understandable that he shut down.
The USA is ruled by evil bastards that have no respect for the citizens.
Time to revolt is now.

What moron judge allowed this?

[h4rr4r]

How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?

Re:What moron judge allowed this?

[silas_moeckel]

The header information blanket traces back to an idiotic ruling that the outside of a letter was not protected since everybody can and had to read it to get it there (the USPS digitizes and stores all of them now). The FBI then applied this to encrypted traffic which makes no sense since it's no longer data that anybody but them or there agent can read.

We need clear guidance, which a simple presidential order could give that prohibits all of these sorts of searches.

Re:What moron judge allowed this?

[FriendlyLurker]

...when the fact emerge that they were defying [Secret, Unaccountable, Undemocratic] court orders.

Cold Fjords subservient cheerleading to power never ceases to entertain. Obviously the operators of the Cold Fjord account have learned absolutely nothing from history, or are on the wrong side. See: "Means Used by the Nazi Conspirators in Gaining Control of the German State". Quote: "To make certain that cases with political ramifications would be dealt with acceptably and in conformity with Party principles, the Nazis granted designated areas of criminal jurisdiction to the so-called Special Courts (Sondergerhte)."

Re:What moron judge allowed this?

[david672orford]

Stop right there. The fact that they are allowed this without probable cause is already too much.

It is interesting that the prosecutor portrayed this as a pen trap. Courts have ruled that users do not have a reasonable expectation that the numbers they dial on their phone line will remain private (basicaly because they show up on the bill) but that they do have a reasonable expectation that nobody is listening in. That is why this information can be obtained without probable cause. But if Lavabit offered specific guarantees that this information would not be recorded except in the encryted e-mail boxes, then the users had a reasonable expectation of privacy. This might make the use of a pen trap without probable cause illegal.

Re:Why?

[CanHasDIY]

If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

Yes, how dare the impudent bastards attempt to protect their customers from illegal surveillance!

Seriously, I think you just posited a digital variant of the 'skinny jeans defense' rapists use.

Re:The USA is ruled

[TheGratefulNet]

the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.

this is human nature. the dark side of human nature.

at least its out in the open, now. what we do with it, as a species, is up to us. do we put our data thieves (ie, the government) behind bars or do we just say 'I have nothing to hide!' and let them continue along with their abuse and theft of our privacy?

there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it. companies includes (your corp firewall and your corp provided laptop probably has built-in certs from the company)

Re:Why?

[jedidiah]

Lavabit being "in contempt" regarding the first request in no way justifies the second.

This is just more of this sort of post-factum argumentation that is so common everywhere lately. You even see it at the level of the SCOTUS. Some goal is declared supremely important and then the law is distorted to fit that objective rather than to actually honestly examine if that objective is even legal to begin with.

"We must do X, therefore we will ignore the law"

Same nonsense, different day.

Re:The USA is ruled

[erikkemperman]

there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.

Qualitatively, yes you're probably right. Quantitatively, not so much. It's like the military. Every country, or almost, has one. But only the USofA spends about as much on "defense" as the rest of the planet put together.

PS Capitals, used with some restraint, go a long way to making heads and tails out of a sentence.

Re:https

[lgw]

Because I'd prefer my employer not to know my /. UID?

Never ask "why do you want privacy"; that's always a stupid question. Privacy is simply an integral part of the two prime human goals: liberty and dignity.

This is a fundamental mindset change that's needed in developers! We've learned to write software that uses the least possible privilege, as the core of security. We need to learn to write software that offers the most possible privacy, as the core of human rights.
 

Re:The USA is ruled

[ObsessiveMathsFreak]

the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.

I live in Ireland. I can pretty much guarantee you of three things.

1) The state lacks the expertise to snoop on any communications.
2) The state lacks the legal clout to force anyone to turn over their encryption keys.
3) The government would likely not survive the closure of an IT SME such as Lavabit -- and loss of associated jobs -- which resulted from direct government interference in that company's ability to operate in Ireland.

The rules that apply to the US government do not apply to every government. Some governments lack the skills, laws, and nerve to pull off what the White House/NSA is doing to US internet companies right now. More governments simply lack the money to pay for so extensive a network of surveillance and control.

there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.

That can includes more than simply being ABLE to do it. It includes being EMPOWERED to do it, being PERMITTED by the people to do it, and to being able to AFFORD to do it. Right now the US government is able, empowered, but only just about permitted and certainly not able to afford to continue to finance a spying program of this magnitude.

The Soviet Union exhausted both its finances and legitimacy in trying to keep its populace under control. Hopefully the US will not have to go through as painful a breakup in order to reverse its present trend.