Slashdot Mirror


Ed Felten: Why Email Services Should Be Court-Order Resistant

Jah-Wren Ryel sends this excerpt from Ed Felten at Freedom to Tinker: "Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access? The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack. To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel. From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company."

39 of 183 comments

  1. Are they completely blind? by Anonymous Coward · · Score: 5, Insightful

    So a court case that was created as a knee-jerk response to Snowden is arguing that organizations shouldn't take steps to prevent leaks like Snowden .....

    1. Re:Are they completely blind? by tchdab1 · · Score: 4, Funny

      Or, put another way, the court cannot perceive how it is the same as an extortion ring.

    2. Re:Are they completely blind? by MrKaos · · Score: 4, Insightful

      Or, put another way, the court cannot perceive how it is the same as an extortion ring.

      No, the court hasn't perceived it from the perspective of a citizen issue where the motivations are to commit a criminal act, such as fraud against citizens. They are currently blind to unlawful uses of what they consider to be legitimate access rights. The court has to be educated as to why this is a bad thing (tm).

      --
      My ism, it's full of beliefs.
    3. Re:Are they completely blind? by Anonymous Coward · · Score: 3, Insightful

      The courts need to be educated that if encryption is properly done it's like asking them to hand over the moon. You can order them to do it, but that doesn't mean it's possible.
      Since encryption is legal, some things are beyond the court's grasp. That is the lesson that must be taught.

    4. Re:Are they completely blind? by Anonymous Coward · · Score: 5, Insightful

      That's self-consistent and consistent with the way lawyers and judges view the world. In their view, the rules of society aren't defined by the way the world is, but by the way the legislative wants them to be. In their view, upholding the rules is not the job of engineers. It's the job of the police, and justice is the job of lawyers and judges. Lawyers and judges have no problem with telling you that you're wrong to say that 3+2 equals 5 if the law says that it's wrong. By making a system which is resistant to court orders, you're making it impossible for them to uphold the law, and even if you do so to prevent a violation of the law (an illegal leaking of information), that's still wrong, because upholding the law is their job, not yours.

    5. Re:Are they completely blind? by Dr+Damage+I · · Score: 2

      Unless it's a civil liability lawsuit, in which case exactly the same thing amounts to negligence.

      --
      "Cursed is he who rises early in the morning..." Isaiah 5:11
    6. Re:Are they completely blind? by foniksonik · · Score: 2

      adjective
      adjective: catholic;adjective: Catholic
      1.
      (esp. of a person's tastes) including a wide variety of things; all-embracing.
      synonyms: universal, diverse, diversified, wide, broad, broad-based, eclectic, liberal, latitudinarian; More
      antonyms: narrow

      That word doesn't mean what you think it means.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    7. Re:Are they completely blind? by intermodal · · Score: 2

      It's not the court so much as legislators that need to be made aware of just how this is a bad thing. They actually write laws, while courts make them up as they go.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  2. Good model by gweihir · · Score: 4, Insightful

    This model describes the problem pretty well. Of course it can be extended: What if the judge or (given an over-broad wiretap order) the police are in league with the attacker, freely or by coercion? That is not unheard of either.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Good model by Jane+Q.+Public · · Score: 4, Insightful

      Besides: the court has another, arguably "more American" avenue: it can order the defendant to turn over the information. (If, that is, it doesn't violate his 5th Amendment rights.)

      I never did buy this concept that just because you have a business deal with someone, the court could order THEM to turn over personal papers related to you. Seems to me, the same standard of getting a warrant should apply. Otherwise, the whole purpose of warrants is being subverted.

      Let the courts criticize. There's not a damned thing they can do. They have no legal authority to order people to make their websites police-friendly.

    2. Re:Good model by bruce_the_loon · · Score: 2, Insightful

      Um, a warrant is a court order. The investigators explain to the judges what they suspect, why they suspect it and what and where they need to look to get more evidence. The judge then issues the warrant. Legality of the source of the evidence used to obtain the warrant can be challenged in the future case and will affect the chain of admissibility.

      Warrants don't just apply to the defendant directly, and are issued on a one-sided basis to prevent destruction of evidence by the defendant.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    3. Re:Good model by Anonymous Coward · · Score: 5, Insightful

      But, as the story yesterday showed, only the company the warrant is issued against can challenge it, not the person they want to collect information about.

      So they may well violate your 5th amendment rights, but the only ones who can do anything about it is a company whose primary purpose is to minimize cost and maximize shareholder value. Not to protect your rights.

      So, adding 2 and 2 together, you don't have any rights.

    4. Re:Good model by Anonymous Coward · · Score: 3, Insightful

      The Feds have justified warrantless wiretapping on the basis that an e-mail is like a post card, that everyone can read. The courts have ruled that an e-mail stored on a server unencrypted is like a postcard, and thus is not entitled to constitutional privacy protections. A system set up to avoid leaving an unencrypted copy on the mail server requires no further justification than preserving constitutional rights to privacy that exist in ordinary snail mail.

    5. Re:Good model by Jane+Q.+Public · · Score: 4, Informative

      "Um, a warrant is a court order. The investigators explain to the judges what they suspect, why they suspect it and what and where they need to look to get more evidence. The judge then issues the warrant. "

      You are nitpicking, and not even doing it well.

      While a warrant is technically a kind of court order, there are other kinds as well: what is commonly referred to as a "court order", a "search warrant", and a "subpoena". They are ALL court orders, but they differ in the standards of evidence that are required for each.

      What is commonly called a "court order" has a very low evidence threshold, or even none at all. You are "ordered" by the court to appear on a certain date. You are "ordered" by the court to pay reparations to someone you defrauded. Etc.

      A subpoena also has a fairly low standard of evidence. You can be subpoenaed by courts for a number of reasons, and there are a great many situations in which a subpoena has no force or can be quashed.

      In order to issue a warrant, on the other hand, the court must be shown probable cause. This is a higher standard than either of the other examples above.

      However, a defendant's 5th Amendment rights override both warrants and subpoenas. No court in the nation has the authority to violate the 5th Amendment, for any reason.

    6. Re:Good model by khallow · · Score: 2

      So they may well violate your 5th amendment rights

      I don't see it since the primary aspect of the Fifth Amendment is constraints on forcing self-incrimination. Evidence provided by other parties just doesn't qualify, even if it originally came from you, unless it requires you to register evidence of a crime (say a federal law requiring Facebook users to register with Facebook any illegal drug trades they conduct via Facebook). Maybe you're speaking of the Fourth Amendment which is about constraints on searches and seizures?

    7. Re:Good model by Jane+Q.+Public · · Score: 2

      I don't see it since the primary aspect of the Fifth Amendment is constraints on forcing self-incrimination. Evidence provided by other parties just doesn't qualify, even if it originally came from you, unless it requires you to register evidence of a crime (say a federal law requiring Facebook users to register with Facebook any illegal drug trades they conduct via Facebook). Maybe you're speaking of the Fourth Amendment which is about constraints on searches and seizures?

      But I think you're both missing the point I was making. If I have a private business deal with someone else, and it requires a probable-cause warrant to get information about it from ME, why should it take any lower standard of evidence to get it from someone else? Where is the justification for that?

      Completely aside from the 5th Amendment, it appears to me to be a rather blatant attempt to get around the "probable cause" requirement.

    8. Re:Good model by cornjones · · Score: 2

      We do the same; everything is audited and the data is held since the beginning of the system. We manage the size of backups w/ RO sections that are only synced once, etc. Keeping things on disk is pretty cheap. Consider it a cost of doing business.

    9. Re:Good model by pla · · Score: 3, Informative

      They have no legal authority to order people to make their websites police-friendly.

      You sure about that?

      In fairness, CALEA requires backdoors from telecom firms, not independent website operators - Yet. But it already crossed that exact line, of requiring non-governmental entities to actively undermine their own best interests solely for the possible future convenience of the government.


      / Hand me my fiddle.

  3. I love the comparison by OhANameWhatName · · Score: 2

    Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company

    The government won't generally kill you, just lock you up. The cartels won't generally lock you up, they just kill you. Not much difference really.

    1. Re:I love the comparison by viperidaenz · · Score: 2

      Yeah, I'd like to appeal my murder...

    2. Re:I love the comparison by Anonymous Coward · · Score: 5, Informative

      Yeah, I'd like to appeal my murder...

      Yeah, lots of others would like to appeal theirs too.

      http://en.wikipedia.org/wiki/Wrongful_execution#United_States

      Cameron Todd Willingham was executed February, 2004, for murdering his three young children by arson at the family home in Corsicana, Texas. Nationally known fire investigator Gerald Hurst reviewed the case documents, including the trial transcriptions and an hour-long videotape of the aftermath of the fire scene and said in December 2004 that "There's nothing to suggest to any reasonable arson investigator that this was an arson fire. It was just a fire."[12] In 2010, the Innocence Project filed a lawsuit against the State of Texas, seeking a judgment of "official oppression".[13]

      Statistics likely understate the actual problem of wrongful convictions because once an execution has occurred there is often insufficient motivation and finance to keep a case open, and it becomes unlikely at that point that the miscarriage of justice will ever be exposed. In the case of Joseph Roger O'Dell III, executed in Virginia in 1997 for a rape and murder, a prosecuting attorney argued in court in 1998 that if posthumous DNA results exonerated O'Dell, "it would be shouted from the rooftops that ... Virginia executed an innocent man." The state prevailed, and the evidence was destroyed.[14]

      Johnny Garrett of Texas was executed February, 1992, for allegedly raping and murdering a nun. In March, 2004, cold-case DNA testing identified Leoncio Rueda as the rapist and murderer of another elderly victim killed four months prior.[15] Immediately following the nun's murder, prosecutors and police were certain the two cases were committed by the same assailant.[16] In both cases, black curly head hairs were found on the victims, linked to Rueda. Previously unidentified fingerprints in the nun's room were matched to Rueda. The flawed case is explored in a 2008 documentary The Last Word.

      Jesse Tafero was convicted of murder and executed via electric chair May, 1990, in the state of Florida for the murders of two Florida Highway Patrol officers. The conviction of a codefendant was overturned in 1992 after a recreation of the crime scene indicated a third person had committed the murders.[17]

      Carlos DeLuna was executed in Texas in December 1989. Subsequent investigations cast strong doubt upon DeLuna's guilt for the murder of which he had been convicted.[18][19]

      Thomas and Meeks Griffin were executed in 1915 for the murder of a man involved in an interracial affair two years previously but were pardoned 94 years after execution. It is thought that they were arrested and charged because they were not wealthy enough to hire competent legal counsel and get an acquittal.[20]

      Chipita Rodriguez was hanged in San Patricio County, Texas in 1863 for murdering a horse trader, and 122 years later, the Texas Legislature passed a resolution exonerating her.

      The list of wrongly jailed for life is too long to list.

  4. Life, Liberty, or Property? by 10101001+10101001 · · Score: 4, Insightful

    Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data.

    What next? Complaining about hidden compartment in desks?

    They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?

    Oh, I don't know...because of "life, liberty, and the pursuit of happiness"? I don't know about you, Mr. Judge, but I personally don't want a court, court-ordered or not, snooping on my life--such inherently is a big way to disrupt my happiness. But, even if we forgo the DoI and move to the CotUS, it's "life, liberty, and property". Well, whether you view it as the user's property or Lavabit's property, they sure as fuck can do what they want with it. What part of any of that should be to make the court's job easier? Why would they seek to bend over backwards for any court?

    Of course, the big one is liberty. The biggest liberty of all is exploring the possibilities of math and the universe. And that heavily flows into attempts to make functionally unbreakable encryption resistant to even the US government. And it also flows from the point of just being a general asshole, which, God Bless the United States of America, is very much recognized as a Creator given right. Clearly the judge is exercising it when he shows contempt for other people daring to live their lives in ways he doesn't like.

    Honestly, though, I do not try to be too much of an asshole. And I do recognize that there does need to be a means for courts and court-orders to function. The problem the judge seems to realize--and honestly why the NSA keeps getting the go ahead--is that criminals are most inclined to use those sorts of tools to hide their activities. The good response should be the obvious: most criminals don't go through the bother because they don't think they'll be caught, and the rest are almost always found before the court-order (after all, you have to have evidence to get that far) or the court-order is a very inappropriate fishing expedition. All a court-order is there for is to solidify a case, not to make one. And so the very notion that there's something wrong with efforts to make their case inherently harder to prove is, well, fine by me. It almost always just means the prosecutor and the police have to work a bit harder to prove their case, if they care enough to go through the effort. The real limit of justice then is not the strength of encryption or the willingness of first or third parties to comply with handing over incriminating evidence. It has almost everything to do with running a decent investigation in the first place.

    PS - *sigh* The NSA part was probably unnecessary, but it reeks of the same stupidity and with the same sorts of results. Trying to find a needle in a haystack is easier because at least then you know you're looking for a needle. And if, by analogy, you know you're looking for a specific terrorist plot in a general time frame with certain people, you're already 90% of your way towards having a prosecutable case and a pathway to find accomplices.

    --
    Eurohacker European paranoia, gun rights, and h
  5. You mean only one thing is different. by mosb1000 · · Score: 4, Insightful

    Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company.

    Actually, the employee's motivation is likely the same as well. And the destination seems to be getting more similar every day.

  6. I'm not sure Ed Felten knows what is up by YesIAmAScript · · Score: 4, Informative

    As to his comment about turning over the master key, it would have made no difference if they had protections on their master key. They didn't turn over their master key anyway. They did shut down, and they would have had to shut down either way. Because if they didn't shut down and had their key secure (say in an RSA box), the government would have just compelled them to give access to their key to sign stuff or to present as a credential. In other words, to impersonate them.

    The only way to avoid all this was to just shut down so there could be no mistake. If that key is used again, you know it's the NSA doing it, not Lavabit.

    I would love to hear how Ed Felten thinks a private key can be both kept inaccessible and used tens of thousands of times a day to secure SSL connections.

    Even if you keep it in a box, if the box will gleefully operate on the key thousands or millions of times a day, then you can just virtualize the key to a remote location (like say NSA HQ) by forwarding any requests to use the key to the box across the net. No need to even have the key at all in that case.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:I'm not sure Ed Felten knows what is up by Jah-Wren+Ryel · · Score: 2

      As to his comment about turning over the master key, it would have made no difference if they had protections on their master key

      If they had designed the system to not have a master key, such that each user had their own keypair and each user had sole possession of their specific decryption key then they would have been immune to the insiders - cartels or DoJ.

      --
      When information is power, privacy is freedom.
  7. Bottomline... by duke_cheetah2003 · · Score: 2, Insightful

    If you don't want someone else to see it, stop putting it on the internet.

    Internet was NEVER EVER a means of private communication.. we've tried to make it that way for what, 20 years now? It's not going to happen. Keep your personal tidbits off the net if you don't want others finding them.

    Try using the tried and true encryption method. A piece of paper inside an envelope, with a stamp and an address. It's slower, but it's a lot more private than you'll EVER GET on the internet, now or in the future.

    1. Re:Bottomline... by oodaloop · · Score: 3, Insightful

      Try using the tried and true encryption method. A piece of paper inside an envelope, with a stamp and an address.

      That has got to be one of the dumbest comments I've ever heard on the internet. Wow. Just, wow.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  8. The real subtle reason. by ttucker · · Score: 5, Insightful

    They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?

    The real answer question is, in what fucking world is it appropriate for courts to say what a private company programs?!? If the encryption is not illegal (it shouldn't be either way, but encryption is still legal in the US) the judiciary has no business saying whether it should be used or not.

    1. Re:The real subtle reason. by shentino · · Score: 3, Interesting

      Even if you make something impossible, you still have to convince the court that it's impossible in order to avoid being locked up for 13 years on a contempt charge.

      Which means the court can use the mere threat of a perpetual contempt sentence to coerce you to make things easier for them ahead of time...just in case.

  9. If court orders are legitimate by Charliemopps · · Score: 3, Insightful

    "If court orders are legitimate..." -- see there Mr Judge, you've answered your own question.

  10. Re:they'll order to change the system. by Sun · · Score: 4, Informative

    Technically, the sequence was a little more complicated.

    They were ordered to insert a backdoor. They ignored the order. The government then asked to get the master key. At that point they consented to putting the backdoor in, but it was too late. When they were ordered to hand the master key, they quit.

    Shachar

  11. Re:they'll order to change the system. by jkflying · · Score: 4, Informative

    Feds asked without a court-sanctioned warrant to insert a backdoor. When LavaBit didn't respond, Feds got a warrant, but this time to hand over the SSL private key. That's when LavaBit decided that it was useless trying to fight, and quit instead.

    --
    Help I am stuck in a signature factory!
  12. Extending the model by davecb · · Score: 3, Interesting

    Imagine that one wishes to prevent subversion by drug cartels but honour (or appeal) court orders. This is the problem that public libraries have dealt with since their creation. Someone always wants to know what person X has been reading, in hopes of using it against them....

    Library software is normally written to preserve privacy, and discard the record that "X has book Y" when the book is returned. It can be written this way because several of the countries where it is sold require privacy as part of their legal system. Purchasers in other countries get privacy as a side-effect.

    Countries prohibiting privacy would require a special version for a quite limited market, and the library software companies aren't motivated to deal with them: just doing an internationalization/localization to get into a small market is hard enough!

    When an individual library is served with a court order, they can honour it by doing a lookup once a day and writing X's new books down on a piece of paper. As this doesn't scale, and is also a credible cost, the willingness of courts to order it is reduced, and the damage to privacy is limited.

    Applying this to email, one wishes to keep routing data only until a message is delivered to the next host and we get a "250 OK" from SMTP. If a court wishes to collect that metadata, they can station an officer with a laptop at the ISP and gobble up the packets routed to/from him. This is onerous, and in Canada at least requires a "wiretap warrant", which the courts restrict more than ordinary search warrants.

    The person wishing to provide this kind of information to a drug cartel has the same hard task, and is also more likely to be detected by the ISP.

    To oversimplify, we're keeping far too much information about email: an author or vendor should take notice of the privacy laws of their preferred markets and discard debugging/diagnostic information at the end of a successful delivery. If they wish to cover themselves against customer complaints, they might send delivery notices that the customer can read or filter out at their convenience.

    --dave

    --
    davecb@spamcop.net
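
The retention rule davecb sketches above (keep routing data only until the next hop answers 250, keep it longer only when delivery is deferred) as an added example; this is constructed code, not davecb's or any library-software vendor's, and the message ids, addresses and SMTP reply lines in it are made up for the demonstration. It parses the reply the way RFC 5321 defines it (a final line is `CODE<space>`, continuation lines are `CODE-`), so a multi-line 250 reply is handled correctly:

```python
"""Retention tied to delivery state: routing/diagnostic data for a message is
kept only while delivery is pending and discarded as soon as the next hop
answers with a 2xx reply. Deferred (4xx) messages keep it for the retry;
permanent failures (5xx) are bounced and dropped."""
from dataclasses import dataclass, field


def final_reply_code(reply_lines):
    """Return the numeric code of an SMTP reply. Multi-line replies use
    'CODE-' on continuation lines and 'CODE ' on the final line."""
    last = reply_lines[-1]
    if len(last) < 4 or not last[:3].isdigit() or last[3] != " ":
        raise ValueError(f"malformed final reply line: {last!r}")
    return int(last[:3])


@dataclass
class Pending:
    """Routing metadata that exists only while delivery is in flight."""
    sender: str
    recipient: str
    next_hop: str
    attempts: int = 0
    diagnostics: list = field(default_factory=list)


class RelayQueue:
    def __init__(self):
        self.pending = {}            # message id -> Pending (routing metadata)
        self.delivery_notices = []   # what survives: (msg_id, outcome) only

    def enqueue(self, msg_id, sender, recipient, next_hop):
        self.pending[msg_id] = Pending(sender, recipient, next_hop)

    def on_reply(self, msg_id, reply_lines):
        item = self.pending[msg_id]
        item.attempts += 1
        item.diagnostics.append(reply_lines[-1])
        code = final_reply_code(reply_lines)
        if 200 <= code < 300:
            # Delivered: routing data has served its purpose, drop it.
            del self.pending[msg_id]
            self.delivery_notices.append((msg_id, "delivered"))
            return "delivered"
        if 400 <= code < 500:
            # Transient failure: metadata must stay for the retry.
            return "deferred"
        # 5xx: permanent failure, bounce and drop the routing data.
        del self.pending[msg_id]
        self.delivery_notices.append((msg_id, "bounced"))
        return "bounced"


def demo():
    # Constructed sample traffic; none of these hosts or replies are real.
    q = RelayQueue()
    q.enqueue("m1", "a@example.org", "b@example.net", "mx.example.net")
    q.enqueue("m2", "c@example.org", "d@example.com", "mx.example.com")
    q.enqueue("m3", "e@example.org", "nobody@example.net", "mx.example.net")
    r1 = q.on_reply("m1", ["250-mx.example.net", "250 OK queued as 9A3F"])
    r2 = q.on_reply("m2", ["451 4.7.1 try again later"])
    r3 = q.on_reply("m3", ["550 5.1.1 no such user"])
    return (r1, r2, r3), sorted(q.pending), q.delivery_notices


if __name__ == "__main__":
    print(demo())
```

What the court (or a cartel's insider) can obtain from the relay at any moment is only the `pending` table, which holds messages still being retried; once a delivery succeeds, the only trace left is the delivery notice the customer asked for.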
  13. No idea about security by AJH16 · · Score: 2

    As much as I may not like invasions of privacy, the fact is that this summary provides a bullshit excuse for the need of making court order resistant services. This kind of issue has been addressed numerous times in the past and is actually quite easy. You just have to have a system that breaks the files up through multiple keys required to unlock it. It's called separation of duties and has been done in any good security system for decades (centuries?). This way, a legitimate order can be processed because everyone is on board with a legal order, but an illegal action, such as a bribe, cannot happen without having to get numerous people on board with the action.

    --
    AJ Henderson
  14. What about locks on doors? by sribe · · Score: 2

    Or alarm systems? Safes? Etc? The exact same logic would apply. Why is this not blindingly obvious to everyone???

  15. Lavabit/Guavabit by PPH · · Score: 3, Insightful

    How many government employees combing through Lavabit's customer data are delivering it to the drug cartels?

    Court orders help because it forces crooked government employees to go before a third party to explain themselves.

    The primary problem most people have with the NSA data dragnet is that there is no system of checks to prevent such access. Once the data has been scooped up, nothing can stop an insider from misusing it. Look at Snowden. Only his motives differed from those of crooked employees.

    --
    Have gnu, will travel.
  16. Re:they'll order to change the system. by Anonymous Coward · · Score: 4, Informative

    Feds asked without a court-sanctioned warrant to insert a backdoor. When LavaBit didn't respond, Feds got a warrant, but this time to hand over the SSL private key. That's when LavaBit decided that it was useless trying to fight, and quit instead.

    and this is why the Lavabit design was inferior. They held a master key to all of their users' encryption, thus any government/employee could access what you considered private. The main point is that Lavabit held the private keys that could decrypt any/all messages sent through their system and this is what people need to scream about due to the security violations it created by design. A better use of the Defective by Design tag.

    One thing that folks haven't thought of, though I doubt the Feds have missed it, is both the potential SarBox and insider trading issues. By Lavabit having a private key that could decrypt everything, they had the potential to scan any corporate mail for confidential information that could/would affect the share price - thus the insider trading issue. The SarBox issue comes from the same ability to decrypt information at will, as it gave employees the opportunity to sell information that allowed a competitor an advantage, thus decreasing profits, and they could be tied up in court for the rest of their lives while the sharks go through discovery.

    Anyone that used Lavabit for any reason had better consider this as any and all information that was exchanged using their service will be decrypted and read by the Courts, Lawyers and everyone else. In other words, all Lavabit users are "Screwed, Blued and Tattooed".

    Fast Turtle
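
The design Jah-Wren Ryel and Fast Turtle are contrasting with Lavabit's master key (each user holds the only key that can decrypt their own mail, so the operator's database is useless to any insider, whatever their motive) as an added example; this is constructed code, not Lavabit's or any commenter's. The stand-in cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is only there to keep the example dependency-free; a real deployment would use a vetted AEAD from a crypto library. The user name, passphrase and message are made up:

```python
"""Per-user encryption where the service keeps no decryption key.
The server stores only a salt and ciphertext; the key is derived from the
user's passphrase on the client and never leaves it."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Client-side key derivation; the passphrase is never sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative HMAC-based counter-mode keystream (stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class MailStore:
    """The operator's side: it sees salt and ciphertext, never key or passphrase."""

    def __init__(self):
        self._rows = {}

    def register(self, user: str) -> bytes:
        salt = secrets.token_bytes(16)
        self._rows[user] = (salt, [])
        return salt

    def store(self, user: str, blob: bytes) -> None:
        self._rows[user][1].append(blob)

    def fetch(self, user: str) -> list:
        return list(self._rows[user][1])

    def insider_dump(self) -> dict:
        """Everything an employee, or whoever compels one, can copy out."""
        return {u: (s, list(b)) for u, (s, b) in self._rows.items()}


def demo():
    store = MailStore()
    salt = store.register("alice")                       # constructed user
    key = derive_key("correct horse battery staple", salt)  # client side only
    store.store("alice", encrypt(key, b"meet at noon"))
    client_read = decrypt(key, store.fetch("alice")[0])  # legitimate access
    # The insider copies the whole database but has no passphrase to derive
    # the key from; a guessed key fails the authentication check.
    dump = store.insider_dump()
    try:
        decrypt(derive_key("", dump["alice"][0]), dump["alice"][1][0])
        insider_read = True
    except ValueError:
        insider_read = False
    return client_read, insider_read


if __name__ == "__main__":
    print(demo())
```

The trade-off is that the operator can no longer reset a forgotten passphrase, and the protection is only as strong as the passphrase and the key-derivation cost, since an insider with the dump can try guesses offline; Lavabit's approach of deriving keys on the server is exactly what put the master key in the operator's hands.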

  17. Re:I don't get his argument at all by Hatta · · Score: 2

    "democratically elected" in a democracy where congress has a 10% approval rate, and a 90% incumbency rate.
    "law enforcement" by a government that can't even obey its own laws.
    "judicial approval" by secret courts ruling on secret evidence and secret laws.

    None of those things you wish were true about America are actually true. We are a nation ruled by thugs. It's not criminals we need to be secure against, it's our own government.

    --
    Give me Classic Slashdot or give me death!
  18. Find the asymmetry by skeptical+scientist · · Score: 2

    Elsewhere, at Favabit, an employee receiving a court order for user data takes the encrypted user data to the three trusted employees who each know part of the decryption key. Together they verify the court order, decrypt the data, and pass it on to the court. A week later, one of the three trusted employees is forced to refuse a cartel bribe to get user data, because she does not have the power to unilaterally hand it over.

    If you can't think of a way to allow legitimate access while protecting against illegitimate access, you simply aren't thinking creatively enough.