ACLU: Lavabit Was 'Fatally Undermined' By Demands For Encryption Keys

An anonymous reader writes "When encrypted email provider Lavabit shut down in August, it was because U.S. authorities demanded the company release encryption keys to get access to certain accounts. Lavabit's founder, Ladar Levison, is facing contempt of court charges for his refusal to acquiesce to their demands. But now the ACLU has filed a 'friend of the court' brief (PDF) in support of Levison, saying that the government's demand 'fatally undermined' the secure email service. 'Lavabit's business was predicated on offering a secure email service, and no company could possible tell its clients that it offers a secure service if its keys have been handed over to the government.' The ACLU added, 'The district court's contempt holding should be reversed, because the underlying orders requiring Lavabit to disclose its private keys imposed an unreasonable burden on the company. Although innocent third parties have a duty to assist law enforcement agents in their investigations, they also have a right not to be compelled "to render assistance without limitation regardless of the burden involved."' Lavabit is also defending itself by claiming a violation of the 4th amendment has occurred."

duty to assist law enforcement agents??

[fustakrakich]

Fuck that! I have no such obligation

Re:duty to assist law enforcement agents??

[Impy+the+Impiuos+Imp]

Corporations are voluntary associations of people who do not give up their rights associating that way.

Re:duty to assist law enforcement agents??

[msauve]

You don't when that warrant is ethically and Constitutionally wrong, doubly so when it infringes on the rights of innocent others. Just because the Emperor says he's wearing clothes, doesn't make it so.

Sure, they'll get pissed and come at you - but that doesn't change the fact that it's the right thing to do.

Re:duty to assist law enforcement agents??

[pla]

A corporate employee not liking how he's being used by law enforcement can, as a general matter, simply get up and walk away from the company if he wants.

In this case - Apparently, no, he cannot.

When a court can effectively order you not to close up shop or face contempt, we have slavery for the convenience of the police, in a very real, material sense.

And y'know? I don't feel okay with that.

Re:duty to assist law enforcement agents??

[epyT-R]

The due process involved in getting a valid warrant has been stripped of most of its teeth.. Cops can now get warrants over the phone in a matter of minutes. This should not be, but that's how it is now. As a result, a warrant is no longer a guarantee that law enforcement has done any legwork before hassling anyone. Effectively, we are now all guilty until proven innocent.

Re:duty to assist law enforcement agents??

[__aaltlg1547]

Is there a difference between what you can legally be compelled to do and your duty?

Re:duty to assist law enforcement agents??

[msauve]

I disagree. Corporations gain special tax and liability advantages - requiring them to give up rights is a a reasonable cost for that. That in no way prevents people from associating in other ways which lack such legal advantages while retaining their rights.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"Is there a difference between what you can legally be compelled to do and your duty?"

Yes, definitely.

In the same way that "treason" is betrayal of your people and your country, as opposed to failure to obey your government. This is the fundamental failure made by the German people which allowed the Nazis to come to and maintain power.

You have a duty to be honorable and ethical. You have an obligation to do what is legal. They are not the same things.

Re:duty to assist law enforcement agents??

[icebike]

You do when they have a warrant.

Well that is the issue being contested here, so you can't say for certain that a warrant is sufficient.

The government may get a warrant for the contents of one safe-deposit box, but they don't have
the right to a warrant for the combination to the bank's vault.

The idea that one person must surrender all of his possessions so that law enforcement can capture another person
is what is at issue here.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"Is there a difference between what you can legally be compelled to do and your duty?"

In fact, not only are they not the same things, it is not unusual (especially in recent years) for them to be in conflict.

Re:duty to assist law enforcement agents??

[Xicor]

the problem isnt that the warrants arent signed, the problem is that they are signed by a make-believe judge in a make-believe court. the government claims this court exists, but we have no actual proof that any real judging goes on in this "court"

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"Corporations are voluntary associations of people who do not give up their rights associating that way."

HOWEVER, neither does that association transfer constitutional rights to the corporation. Those rights belong to the INDIVIDUALS that make up the corporation, not to the corporation, which is a "fictitious legal entity".

Hence, a corporation can't vote, for example.

Re:duty to assist law enforcement agents??

[phantomfive]

If a bunch of people get together, they still have the right to freedom of speech. What difference does it make if they collectively get a tax refund?

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

No, even the FISA court issues signed warrants and court orders. It's just that the subjects of the searches are also issued a gag order, which prevents them from talking about it.

An unsigned warrant, or no warrant, will still get people shot.

"Warrantless searches" by the NSA, etc. are not home-invasion-type searches.

In the case of a "secret" search by the government, the government still has to present the presiding judge with its warrant(s), probable cause, and evidence. It's just that it does so in secret.

So don't misunderstand me: I'm not saying these things are legal or justified. But even as unconstitutional as they've gotten, they still do have rules and procedures. No "fictitious" judges or courts allowed.

Re:duty to assist law enforcement agents??

[shentino]

Even FISA itself admits it's pretty much rubber stamping everything.

Re:duty to assist law enforcement agents??

[TapeCutter]

Non-American here, but I believe that the law that protects a sysadmin's keys is the same law Dick Cheney relied on to protect the combination to his infamous office safe. I understand these laws need to be balanced against people simply obstructing justice, but it's pretty clear and there seems plenty of precedent that what's in your head is protected information. So why don't courts simply dismiss these case with prejudice? Why do they have to drag it on for years, only to come up with the same fucking answer after a couple of million dollars and a handful of shattered lives?

There's something broken with the public prosecution system in the US. It seems to me that prosecutors are basically promoted by comparing how much jail time they have scored in court, rather than their overall cost / benefit to the well being of society. For example a prosecutor who gives a token fine for smoking a joint in public is more valuable to society than one who insists on jail time for all drug offenses.

The appalling US jail statistics are very strong evidence that prosecutors are systematically making the wrong choices.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

I meant a literal rubber stamp. Sometimes court clerks have been known to, on order from a judge, use a REAL rubber stamp of the judge's signature on paperwork.

There was a case here a long time ago (actually more than one case IIRC), in which warrants were served that were literally rubber stamped. Turned out the police had made a deal to stamp signatures on illegal warrants. The state Supreme Court ruled that a warrant must be signed in the judge's "own hand". In other words... no rubber stamp allowed.

Re:duty to assist law enforcement agents??

[demonlapin]

Ah, so you're in favor of muzzling the speech rights of political parties and nonprofit watchdogs? How do you think the ACLU, political parties, Brookings, AEI, the NRA, and everything else down to local churches are organized? As corporations.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"Ever heard of a No-knock warrant?"

Yes, of course. But they are the exception, not the rule. They require special circumstances (if, of course, the legal system is operating properly).

Some states, like Indiana, have laws that specifically say it is LEGAL to resist an unlawful search or detention. The Indiana police really went apeshit when that law was passed. To read their rabid rants on the webpages, you'd get the impression that every grandmother and small child was inherently a cop-killer, and the only thing that prevented them were resisting-arrest charges.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"Ah, so you're in favor of muzzling the speech rights of political parties and nonprofit watchdogs?"

No. For the moment let's leave aside Citizens United, which was grossly flawed, and which overturned centuries of precedent in order to reach an absurdly bad conclusion.

Citizens' Unions and political organizations are different from "normal" business corporations, in that they are voluntarily formed for the purpose of furthering a common goal of the members. Often (but not necessarily) a political goal. Therefore, it is valid to say that the organization or corporation represents the interest of all the people involved.

Now take a more "normal" business corporation: not all the people are there for the same reason. Some are CEOs. Some are janitors. Many of them are there for nothing but employment in their particular niche. This is DIFFERENT than the former example, because political money is being spent out of the profits of the corporation (not donations), and the money is spent in a way that only the board or CEO approves. There is nothing in this picture that suggests that the political money the corporation spends even remotely represents "the people" who make up the majority of the corporation. On the contrary, it is easy to see that a CEO might spend the money on lobbying to keep wages low, for example. There is nothing "representative" or "voluntary" about it, on the part of MOST of the people who make up the corporation.

See the difference? SCOTUS erred -- that's putting it extremely mildly -- by not, at the very least, distinguishing between incorporated citizens' organizations, and business corporations. Yet the purposes and consequences are far different.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

It pains me to agree with you but agree with you I must. :) In general, prosecutors in the U.S. have had too much discretionary power. We had problems in my own community with a prosecutor that unquestionably abused his position.

But at the same time, I must also say that a lot of the problem is the laws themselves. Politicians do not want to be perceived as "soft" on crime, so the penalties for transgressions get every tougher, and more and more formerly-frowned-upon behaviors become actually illegal.

This process MUST stop at some point, and be reversed back to the point of sanity. Right now, our legal system is broken.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"So, you're claiming that commercial corporations are involuntarily formed?"

I believe I explained my meaning adequately, if someone were to read my whole comment. I doubt the majority of readers will have any trouble understanding.

Re:duty to assist law enforcement agents??

[meerling]

Not all laws are 'legal', even if they are still on the books and being enforced. (Perhaps 'constitutional' is the more appropriate term.)
Perfect case in point, the various anti-black laws that used to be around before the supreme court finally shot them down.
Even the supreme court screws up.

Also, laws often exist and are used for some time, often many decades, before someone starts perverting them and employing them in ways they weren't supposed to be used. There has been a huge upswing in abuse of various laws against the public in the past appx 20 years. Unfortunately politicians assume everything it won't be their problem and say if there's any issue, the courts will sort it out. Far too often, that not only takes way too long, sometimes in excess of 60 years, but there are all the people that are 'harmed' during it's period of abuse. The truth is that it's not 'if' a law will be abused, but rather 'when' a law will be abused.

Re:duty to assist law enforcement agents??

[Jane+Q.+Public]

"Only as long as it doesn't get in the way of lining their own pockets."

That's pretty much the point I was getting at.

Re:lavabit should have helped the first time

[shentino]

The argument is that lavabit was asked to sabotage it's prime selling point.

Re:lavabit should have helped the first time

A government cheerleader licking the government's boots? Why, who would have thought!?

when the FBI wanted access to only a few accounts. instead they blew them off and brought this on to themselves

Well, that doesn't seem very appropriate. Why is the government focusing on revenge?

Re:lavabit should have helped the first time

[king+neckbeard]

Except for the fact that they couldn't do that by virtue of the site's design. As another article explained on /. explained, that design choice was good security practice because the government exploiting you is not any different technologically than any other insider attack. The problem is that the NSA got exposed, and they got pissed. The answer was to nuke the NSA from orbit. It's the only way to be sure.

Re:Why do they have users' keys anyway?

[CRCulver]

Even if you encrypt your messages yourself, you must still push those messages through a service to its recipient. So, you are inevitably at risk of traffic analysis, and in Snowden's case the NSA was just as interested in who he was communicating with as what exactly was being said. So, laugh at users of Lavabit all you want, but it's not like plain e-mail with both sides PGPing their messages is any better.

Re:lavabit should have helped the first time

[auric_dude]

Lavabit Appeal EFF Amicus Brief http://cryptome.org/2013/10/lavabit-eff-amicus-13-1024.pdf, Lavabit Appeal ACLU Amicus Brief http://cryptome.org/2013/10/lavabit-aclu-amicus-13-1024.pdf & Lavabit Appeal Empeopled Amicus Brief http://cryptome.org/2013/10/lavabit-empeopled-amicus-13-1024.pdf might offer some insight into the legal advice sought and deployed via http://cryptome.org/.

where does it say have to give them my keys?

[rewindustry]

what happens if i don't know, if i forget, for instance, or my key store is set to autodestruct? what happens in a distributed system like (toad's) freenet, where the keys are unknown? and can anyone explain how this might apply in canada? also - off topic - for pity sake, why will slashdot not recognise simple linefeeds?

Re:where does it say have to give them my keys?

[mcgrew]

for pity sake, why will slashdot not recognise simple linefeeds?

Select "Plain Old Text" and it will, and you can still use HTML (and the < still takes an &lt; to display).

<b> Bold</b>
<i> italic</i>
<a href="http://slashdot.org"> Link</a>

Line feeds used, no <P> or <br>

Re:lavabit should have helped the first time

[king+neckbeard]

There is no such thing as 'access to a few accounts' in their model. And the feds weren't involved in a legitamite operation anyway. They were trying to track down someone who had exposed their crimes.

Re:Third amendment challenge?

[penix1]

That's really grabbing at straws. Several things would have to be resolved for that to stick.

1. Is the FBI and / or the court considered "soldiers"?
2. Is an email service considered "home"?
3. Is the Supreme Court likely to make such a broad interpretation especially since they tend to take a very narrow view on just about everything?
4. And lastly, is it even likely to make it that far?

Blatantly wrong

[Okian+Warrior]

In the case of Lavabit, the government demanded, and was given, a warrant for the HTTPS private key to monitor the online actions of a couple of defendants. This would allow the FBI to monitor not only the specific defendants, but all Lavabit customers.

And I want to be totally clear about this: The government asked to install a pen trap device *and* have the private keys which would have allowed it to monitor all Lavabit customers.

(Unlike phone companies, E-mail providers are under no legal obligation to make surveillance easy, or even possible, by the government.)

Third parties have a duty to assist law enforcement, but that duty does not extend "regardless of the burden involved". The ACLU argument is that giving over the private keys would have completely destroyed the Lavabit business, which was an unreasonable burden to take in assisting law enforcement.

You do when they have a warrant.

Just saying "You do when they have a warrant" is no longer sufficient. There's ample evidence that judicial oversight has been compromised by the FISA court et al., and this is a particularly strong case of government overreach.

You can't take warrants at face value any more.

Re:Third amendment challenge?

[penix1]

Then you would still have to overcome the "but in a manner to be prescribed by law." part. Since the "national security" part (I am assuming at least in the Patriot Act and / or Homeland Security Act) would satisfy that.

No, a better way would be to take back our Congress and get them to revoke those acts that allow stuff like this. Of course, that requires a ground swell against the established parties and is likely to not succeed because of the campaign financing / media control mess.

Lavabit did offert to help

The FBI was not interested unless the could get access to his private SSL key. He offered several times to help them install their pen tap and trace device but the FBI was not interested unless they could load it with his private SSL key.

He was also found in contempt of court after he provided his private SSL keys.

This was a case of the FBI picking on someone so hard they figured they had to carry guns to meetings with him when he was being cooperative.

This was the actions of an individual who honestly thought there was a mix up and once everything was explained to everyone (ie the Judge or the FBI officiers) this nonsense would have gone away. It didn't.

And do you want to live in a world where a secret court can compel any and every secret private key? It totally defeats the entire security architecture of the internet as it now stands. This is bad juju.

Re:Question

[TheNumberSix]

The entire story is given by this in-depth interview with Ladar himself. http://twit.tv/show/triangulation/125 I highly recommend this if you are interested. He also explains that he was personally cited in the warrants, so even if Lavabit gos away, Ladar himself is still liable to give up the info.

Re:lavabit should have helped the first time

[king+neckbeard]

The government of the UK CLAIMS is has suffered enormous damage to its security. That doesn't mean they actually think that to be the case. There's this behavior known as 'lying', and government have done this in the past, especially when dirty laundry has been exposed.

Wait a second...

[FuzzNugget]

As I recall, each paying Lavabit customers' email storage was encrypted using a key of the respective customers' choosing. Lavabit did not have these keys and could not, themselves, read customers' email, even if they wanted to.

So, I'm to believe that you can be charged with contempt for not providing something that you don't have?

Re:Wait a second...

[ArbitraryName]

So, I'm to believe that you can be charged with contempt for not providing something that you don't have?

No. They wanted Lavabit's SSL keys.

Civil disobedience has a cost ...

[perpenso]

You don't when that warrant is ethically and Constitutionally wrong ...

You are mistaken, there is nothing in the Constitution that says you can pick and choose which warrants issued by a valid court you will obey.

What you are thinking of is called "civil disobedience", and civil disobedience often has a cost. Precisely the sort of thing we are seeing with respect to the contempt charge in this case. Civil disobedience is not an end run around the law nor a get out of trouble free card. What it is is a way to preserve your personal sense of ethics and a way to draw attention to and raise public awareness of an unjust law with the goal of amending or repealing the unjust law.

Re:lavabit should have helped the first time

[king+neckbeard]

The problem is that you don't get to pick when what you view as a "credible" enemy shows up. If you compromise security ahead of time, its too late when it does show up.

You actually can to quite a bit. Nazi Germany was largely the result of the Treaty of Versailles. Pearl Harbor was the result of us not being neutral in the war, and it wasn't hard to see something along those lines coming. Most terrorist acts in the last 50 years could be tracked to US dickery of some form or another if you are willing to put in a bit of work.

There also seems to be evidence that the Russians didn't know everything since they are makings some adjustments based on Snowden's revelations [smh.com.au]. If they knew it all before, they would have done it before. Snowden provided them a blueprint they could access, as well as the operational methods. And they won't have the constraints of the US Constitution to inhibit them.

They announced a change in policy. That doesn't mean there actually was a change in policy, or that it was due to changes in knowledge. At best, it was an opportunity to act upon knowledge that has now become public but was already private. How naive are you?

The security needs of the US and UK require signals intelligence of one sort or another.

Perhaps, but not anywhere near as much as it needs us to stop being assholes. Not being assholes will do far more for our safety. And signals intelligence often ends up creating threats, and is used as a crutch that allows for poor human intelligence, which is already inept enough.

Except they don't

[dutchwhizzman]

They don't because of terrorists. Once the USA government pulls the "terrorism trump card" all rights are null and void. Your government managed to get a few very un-American laws instated and you need to work on getting those reversed. Fighting terrorism doesn't work this way, 12 years after 9-11 none of these laws have made a significant change in USA domestic terrorism attacks but they have greatly influenced daily life. It's time to end these laws and mend the country and it's people.

the solution is so simple it almost hurts

[slashmydots]

They have more publicity than they could ever pay for in marketing and they're playing the victim. Hmmm what should they do. IT'S OBVIOUS! Relaunch with a user self-signed system or some sort of peer to peer thing where they don't hold the keys. They just relay the encrypted gibberish and some client software makes a randomized key. That's so idiotically simple, they could throw it together in a heartbeat.