ACLU: Lavabit Was 'Fatally Undermined' By Demands For Encryption Keys
An anonymous reader writes "When encrypted email provider Lavabit shut down in August, it was because U.S. authorities demanded the company release encryption keys to get access to certain accounts. Lavabit's founder, Ladar Levison, is facing contempt of court charges for his refusal to acquiesce to their demands. But now the ACLU has filed a 'friend of the court' brief (PDF) in support of Levison, saying that the government's demand 'fatally undermined' the secure email service. 'Lavabit's business was predicated on offering a secure email service, and no company could possibly tell its clients that it offers a secure service if its keys have been handed over to the government.' The ACLU added, 'The district court's contempt holding should be reversed, because the underlying orders requiring Lavabit to disclose its private keys imposed an unreasonable burden on the company. Although innocent third parties have a duty to assist law enforcement agents in their investigations, they also have a right not to be compelled "to render assistance without limitation regardless of the burden involved."' Lavabit is also defending itself by claiming a violation of the 4th amendment has occurred."
Fuck that! I have no such obligation
“He’s not deformed, he’s just drunk!”
http://www.templeos.org/Wb/Kernel/Compress.html#l1 Use the /Windows/TSZ application
Or /Linux/TSZ
Isn't it hard to sue when you don't know the rulings in the secret courts? I suppose it's like attending a game in which you do not know the rules, and they also change without notice.
when the FBI wanted access to only a few accounts. instead they blew them off and brought this on to themselves
don't stand in the way of the FBI gathering evidence for an espionage investigation
In all seriousness, using a broad reading of the third amendment, might there not be a challenge there?
If you want your data secure, you do not give anyone your keys, whether that person be a third party or the government. The government can make you give them your keys, but Lavabit can't. Why do they have anybody's keys?
what happens if i don't know, if i forget, for instance, or my key store is set to autodestruct? what happens in a distributed system like (toad's) freenet, where the keys are unknown? and can anyone explain how this might apply in canada? also - off topic - for pity sake, why will slashdot not recognise simple linefeeds?
It's the most frightening time of year--that heart pounding moment when you spot your open enrollment information lurking in your inbox, rip it open with trembling hands, and scream in horror as your annual premium increase leaps from the envelope and mercilessly feasts upon the insides of your wallet, gnashing and shredding in orgiastic ecstasy until there's nothing left but a handful of pennies and a contemptuously belched up KFC coupon.
Expired, of course.
This terrifying scene will be repeated all across America in the next few weeks.
My own horror show arrived in the mail today. I'll spare you the gory details. Here's the short version: A 25% increase in premiums for the same health coverage I carried last year. For someone on a family plan, that translates into a $1,200 yearly increase.
So congratulations. If you make somewhere around $50,000 a year, then more than your entire after tax annual raise just went to pay for Obamacare. Doesn't that feel FANTASTIC? You're bringing home less this year than you did last year.
And you're one of the lucky ones. See, you have a job. And you got a raise. You're one of life's lottery winners. A one percenter.
In the case of Lavabit, the government demanded, and was given, a warrant for the HTTPS private key to monitor the online actions of a couple of defendants. This would allow the FBI to monitor not only the specific defendants, but all Lavabit customers.
And I want to be totally clear about this: The government asked to install a pen trap device *and* have the private keys which would have allowed it to monitor all Lavabit customers.
(Unlike phone companies, E-mail providers are under no legal obligation to make surveillance easy, or even possible, by the government.)
Third parties have a duty to assist law enforcement, but that duty does not extend "regardless of the burden involved". The ACLU argument is that giving over the private keys would have completely destroyed the Lavabit business, which was an unreasonable burden to take in assisting law enforcement.
You do when they have a warrant.
Just saying "You do when they have a warrant" is no longer sufficient. There's ample evidence that judicial oversight has been compromised by the FISA court et al., and this is a particularly strong case of government overreach.
You can't take warrants at face value any more.
Lavabit gave up the encryption keys after the government obtained court orders – including a grand jury subpoena and a stored communications act – and an authorised search warrant. The court denied Lavabit's motion to quash the warrants, and when the company failed to do so by the stipulated deadline, the court held Lavabit in contempt.
"The district court's contempt holding should be reversed, because the underlying orders requiring Lavabit to disclose its private keys imposed an unreasonable burden on the company. Although innocent third parties have a duty to assist law enforcement agents in their investigations, they also have a right not to be compelled "to render assistance without limitation regardless of the burden involved", ACLU said in its brief.
The first sentence seems to say that Lavabit would give up the encryption keys of specific users in response to a warrant. But, then the next few sentences seem to say that Lavabit fought the warrants and then ended up in "contempt of court" and argues that giving up the encryption keys "imposed an unreasonable burden on the company". (Presumably, giving up the encryption details of any particular client, even in response to a warrant could be considered to be "unreasonable".)
I'm a little confused because if Lavabit refused to give up encryption keys of specific users in response to a warrant (under the argument that compromising their service in response to a warrant would render the "secure" part of their email service useless), then I'd side with the government.
But if the government wanted the encryption details which would give them access to the emails of all their users, then I'd side with Lavabit.
Or maybe Lavabit had an encryption system that was the same for every user - meaning giving up the encryption key for any user would compromise all users, then I'd think that Lavabit did a crappy job of securing the emails and I don't really feel that bad for them.
Lavabit closed its service in August after the US authorities demanded he hand over the encryption keys for its entire service – a move Levison said would have compromised the personal details of his 40,000 clients.
Are they saying that the personal details (e.g. the name of the user, etc) but not the emails themselves were at risk if someone had the encryption key? So it's the encryption key for the metadata about their users? (Which wouldn't surprise me if they had one encryption scheme for their database of users, though I'd wonder how the government got the encrypted database of Lavabit's users.)
The FBI was not interested unless they could get access to his private SSL key. He offered several times to help them install their pen tap and trace device but the FBI was not interested unless they could load it with his private SSL key.
He was also found in contempt of court after he provided his private SSL keys.
This was a case of the FBI picking on someone so hard they figured they had to carry guns to meetings with him when he was being cooperative.
This was the actions of an individual who honestly thought there was a mix up and once everything was explained to everyone (ie the Judge or the FBI officers) this nonsense would have gone away. It didn't.
And do you want to live in a world where a secret court can compel any and every secret private key? It totally defeats the entire security architecture of the internet as it now stands. This is bad juju.
An excellent interview with Ladar Levison. Ladar walks through the events he went through. http://twit.tv/show/triangulation/125
As I recall, each paying Lavabit customer's email storage was encrypted using a key of the respective customer's choosing. Lavabit did not have these keys and could not, themselves, read customers' email, even if they wanted to.
So, I'm to believe that you can be charged with contempt for not providing something that you don't have?
A corporate employee not liking how he's being used by law enforcement can, as a general matter, simply get up and walk away from the company if he wants.
In this case - Apparently, no, he cannot.
You are mistaken. The founder is a corporate officer, not a simple employee. Corporate officers have responsibilities with respect to seeing the corporation comply with the law.
You don't when that warrant is ethically and Constitutionally wrong ...
You are mistaken, there is nothing in the Constitution that says you can pick and choose which warrants issued by a valid court you will obey.
What you are thinking of is called "civil disobedience", and civil disobedience often has a cost. Precisely the sort of thing we are seeing with respect to the contempt charge in this case. Civil disobedience is not an end run around the law nor a get out of trouble free card. What it is is a way to preserve your personal sense of ethics and a way to draw attention to and raise public awareness of an unjust law with the goal of amending or repealing the unjust law.
...is that the government actually need the private keys.
I.e. SSL, at least as implemented by Lavabit, is sufficiently secure to keep the government out of your private life.
I.e. they lack the compute power and/or backdoors to render such court orders unnecessary.
If you are curious (probably not, but here goes) you always hear that the people in the military have to obey the orders of their superiors. That is wrong. They have to obey the LAWFUL orders of their superiors, and REFUSE to obey unlawful ones.
Lawful and matching your personal sense of ethics or morality are two separate things. A legal order may violate a soldier's personal sense of ethics or morality. A soldier's ability to refuse an order is only with respect to the constitution, the universal code of military justice, ratified treaties concerning the international laws of war, etc.
Along those lines, the founders of this country fully believed that it was the right and duty of any citizen to oppose inappropriate laws and actions by the government.
Uh, no, "inappropriate" is grossly vague. If you want to use the word "unjust" you may be partially correct. However our founding fathers used force to enforce some laws that some people considered unjust. What our founding fathers would probably say is that if a law is unjust it should be amended or repealed. I doubt they would say that citizens get to pick and choose what laws they wish to obey, their actions as Governors and Presidents surely suggest otherwise.
They don't because of terrorists. Once the USA government pulls the "terrorism trump card" all rights are null and void. Your government managed to get a few very un-American laws instated and you need to work on getting those reversed. Fighting terrorism doesn't work this way, 12 years after 9-11 none of these laws have made a significant change in USA domestic terrorism attacks but they have greatly influenced daily life. It's time to end these laws and mend the country and its people.
I was promised a flying car. Where is my flying car?
They have more publicity than they could ever pay for in marketing and they're playing the victim. Hmmm what should they do. IT'S OBVIOUS! Relaunch with a user self-signed system or some sort of peer to peer thing where they don't hold the keys. They just relay the encrypted gibberish and some client software makes a randomized key. That's so idiotically simple, they could throw it together in a heartbeat.
Surely in this internet age, anyone writing a blog or publishing a web page is the equivalent of 'The Press' in the days these precedents were set. In those days, there were no large multi-national media conglomerations, most of the 'Press' was local to a town or district and the editorial reflected the views of the (local) editor. "The Press" was anyone who could set up a printing press, employ some journalists (though some were one-man bands), print a paper and get people to buy it. So modern day blogs are just as much (or even more) in the spirit of what the drafters of the First Amendment to the US Constitution considered "The Press" as the current TV news and newspaper conglomerates.
If a bunch of people get together, they still have the right to freedom of speech.
Go ask Angela Merkel and see if she would agree with your naïveté.
The German Chancellor came from the former East Germany. She lived through the communist regime which used its Stasi secret police to oppress the people
Just because a bunch of people get together doesn't mean they have the right to freedom of speech.
No more text needed.
What you're forgetting is that you're commenting on an article about the government secretly forcing corporations to give up their customers' information, essentially side-stepping their fourth amendment rights. So you're saying that a corporation's customers are giving up their rights simply by purchasing a product from that corporation. Does that sound good to you?
ouch sorry, idiot error, i failed to rtfm - thank you for taking the time.
-- Things are more like they used to be than they are now.
it is NOT secure!!!
Secure communication means that only you or your friend on the other end can disclose secrets, not the service in between.
If you run a truly secure e-mail service and Uncle Sam wants keys, the correct response is "sorry, can't help you; we do not have any keys".
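The design the comments above describe (clients generate the keys, the service only relays ciphertext and so has no keys to surrender) is sketched below as an added example that is not part of any comment and not Lavabit's code. The `Relay` class, the function names, the mailbox id and the choice of X25519 with HKDF and AES-256-GCM are assumptions made for illustration.

```javascript
const crypto = require('crypto');
// Derive a one-time AES-256-GCM key from an X25519 shared secret (HKDF-SHA256).
function deriveKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'mail-envelope', 32));
}

// Sender: encrypt to the recipient's public key using a fresh ephemeral key pair.
function seal(recipientPublicKey, plaintext) {
  const eph = crypto.generateKeyPairSync('x25519');
  const iv = crypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, recipientPublicKey, iv);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const ephemeralPublicKey = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephemeralPublicKey, iv, body, tag: cipher.getAuthTag() };
}

// Recipient: only the holder of the private key can derive the key and decrypt.
function unseal(recipientPrivateKey, env) {
  const ephPub = crypto.createPublicKey({ key: env.ephemeralPublicKey, format: 'der', type: 'spki' });
  const key = deriveKey(recipientPrivateKey, ephPub, env.iv);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAuthTag(env.tag); // a wrong key makes final() throw
  return Buffer.concat([decipher.update(env.body), decipher.final()]).toString('utf8');
}

// Hypothetical service: stores and forwards envelopes, never holds a private key.
class Relay {
  constructor() { this.mailboxes = new Map(); }
  deliver(mailbox, env) {
    if (!this.mailboxes.has(mailbox)) this.mailboxes.set(mailbox, []);
    this.mailboxes.get(mailbox).push(env);
  }
  fetch(mailbox) { return this.mailboxes.get(mailbox) || []; }
  discloseEverything() { // every byte the operator holds, i.e. all it could hand over
    const parts = [];
    for (const envs of this.mailboxes.values())
      for (const e of envs) parts.push(e.ephemeralPublicKey, e.iv, e.body, e.tag);
    return Buffer.concat(parts);
  }
}

// Constructed demo: the key pair is generated on the client, not by the service.
function demo() {
  const alice = crypto.generateKeyPairSync('x25519');
  const relay = new Relay();
  relay.deliver('alice', seal(alice.publicKey, 'meet at noon'));
  const leaked = relay.discloseEverything().includes('meet at noon');
  return { leaked, recovered: unseal(alice.privateKey, relay.fetch('alice')[0]) };
}
```

The relay in this sketch still sees which mailbox each envelope goes to, its size and its timing; only the message content is out of its reach.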
I suppose ACLU only assists the wealthy. I have begged for the millions I lost under Obamalaw that violated at least 5 amendments of our Constitution and was told now he broke you hire a rights lawyer.