Note that this opinion rests almost entirely on the fact that Lavabit/Levinson failed to raise any of his legal arguments before the trial court. Any lawyer can tell you that, if you want a court of appeals to consider a legal issue, you have to raise it before the lower court first to give them a chance to rule and to develop a record for the court of appeals to review. I'm sure there are those out there who will want to make this into a major privacy ruling, but it just isn't.
Levison should have hired a competent and experienced attorney the day the FBI contacted him. The errors and failures cited in the appellate opinion are ones that nearly any attorney that passed a Bar Exam wouldn't have made.
With emphasis on experienced - Levison was represented for a bit by a business attorney. He may have passed the bar, but he was completely inexperienced in federal criminal cases.
The more I read about the case, the less happy I am about having donated to Levison.
Pages 8-12 of this decision convey a narrative about Levison's handling of the FBI requests. In particular, they detail an escalation that Levison himself provoked:
* The DOJ reached out demanding metadata regarding (presumably, and let's just stipulate) Snowden's use of Lavabit.
* Levison rejected the request, on the auspices that Snowden had enabled the "storage encryption" feature of Lavabit.
Here it's worth knowing that Levison had previously complied with similarly narrow requests.
* Levison confirmed to the DOJ that he had the ability to circumvent the storage encryption.
* The DOJ responded to that concession by doing exactly what anyone would have expected them to do: they escalated their demand to include the decrypted Snowden data.
* The DOJ spent eleven days trying to meet with Levison, who stonewalled them; Levison "ignored the FBI’s repeated requests to confer".
* Only upon being threatened with a contempt citation did Levison actually enter a productive discussion with the DOJ.
* Four days after being threatened with contempt, Levison presented the DOJ with a proposal to charge the DOJ $2000 to design and implement his own pen/trap system which would provide data to the DOJ only at the conclusion of the order's time window, with timely updates being provided only at Levison's discretion and only with an additional charge attached.
* Only after this sequence of events does DOJ demand the TLS keys that would have compromised all Lavabit users activities.
Levison's attorneys and the DOJ litigated the question of whether the pen/trap order required him to cough up his TLS keys. But that only happened after Levison did his best to deter the DOJ from collecting information about Snowden. As evidence for this: the DOJ eventually did install a pen/trap device of some sort, without the TLS keys, and attempted to use it to collect evidence. Had Levison complied with the DOJ productively from the beginning, he probably could have worked with them to produce the information they required without compromising the rest of his users.
I already had a problem with Lavabit as an inept and dangerous privacy solution (you can obviously see that it was; Levison was trivially able to subvert the privacy of all of his users, and was eventually forced to do so).
But almost as bad as that is his handling of the legal situation here. Read the language of the decision carefully and you'll see that had Levison simply began this process with his proposal, minus the time lag problem, but perhaps even including the price tag, he might have had that solution accepted! Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.
Later: Also, bad facts make bad law. Great to see that we now have more case law establishing that pen/trap orders demand TLS keys.
I am not a lawyer, but having read through the decision it still seems to me that the fact someone is an asshole is strictly immaterial to the issue of weather or not it is reasonable/constitutionally allowable to issue a warrant of any kind that would:
1) Compromise the presumed privacy of any parties in addition to the target, much less every one of a businesse's clientele. (If you have a search warrant for a apartment, do you get to search all the apartments in the building? No, unreasonable search and seizure on the face of it.)
2) Cause material damages as to completely destroy the core business of an unrelated and presumed innocent business owner. Albeit asshole.
The government argued successfully that the warrant was “very narrow, specific”, but while that may be true in intent it is not true in effect. If in order to tap one suspected criminal it is necessary to undermine the right to privacy of one or more innocent bystanders (much less many) law enforcement and the court's hands must necessarily be tied.
That a citizen would be resistant to this seems reasonable. So what is left should only be a question as to how much being an asshole to the FBI constitutes contempt of court.
The DOJ spent eleven days trying to meet with Levison
You emphasized eleven days as if it is some astronomical figure. In normal court proceedings, the simplest act like scheduling a deposition for questioning a witness takes months.
In the real world, people just aren't sitting around doing nothing waiting for a subpoena from the FBI to come in. Sometimes they're in the middle of a big push for a project, sometimes they're shoring up security for the latest 0-day exploit, sometimes they're in Tahiti sipping drinks on a beach for two weeks without access to email or a phone.
Sure, time sensitive criminal cases would be great if it went faster but eleven days is not out of line by any stretch.
I agree that legally, Levison probably made a mistake by stonewalling DoJ.
However, I worry about what losing this case means in the grand scheme of things. DoJ's argument was that they should be able to get the key to decrypt all e-mails for all of Lavabit's users, and the Court says that's fine because the government "wouldn't" use the key for anything other than the "target" - which seems like a ridiculous and incredibly reckless argument post-Snowden.
Would Google just hand over the key to all of their Gmail users? Let's imagine they weren't using PFS - or let's imagine they were asking Microsoft for the Outlook key, instead.
I'm unhappy that Levison's overbearance on email caused Pamela Jones to quit Groklaw. Ordinarily these are exactly the kinds of cases PJ would be able to demonstrate some of her expertise on, by explaining how longstanding legal principles apply to problems in the tech sector.
She was never a coder though, and so her expertise on tech was limited to what was explained to her. I don't think Levison was making his claims about all emails everywhere being read by the goons at Minitrue in order to scare PJ in particular, but that was the net effect.
I disagree with the entire 'very little cause required to compel disclosure of metadata'; essentially, the third-party doctrine should only apply if users are consciously giving their data to a third party for the purpose of redistribution, and not purely incidentally to a service.
If they can argue something like a copyright banner in a ROM is "a mere instrumentality", there's no reason the defense side shouldn't be able to argue giving calling information to a cell provider, or mail headers to a mail server, aren't essentially the same instrumentalities.
(I've talked to lawyers who agree, but they all also agree this ship has sailed for many decades.)
That said, yes, he's both technically and legally incompetent. It's sad, and has made bad law for everyone else.
I guess you're just taking it as a given that resisting the DOJ's persecution of Snowden was an error. I'm not really surprised, given your history of cheerleading for the NSA, but anyone who doesn't agree with that is going to find the rest of your reasoning a bit wanting.
It was military-grade sec with valley-grade marketing.
The problem of a company providing a privacy service being a SPOF necessitates a more distributed approach that can "route around" attempts to shut it down. Any current or future entrant in privacy app space needs to also consider that one of several lessons to avoid the same fate as Lavabit.
For now, even with GPG are there any good/cheap email services that just don't log anything, don't append IPs or correct time headers and are outside US jurisdiction? (Friend's server in Thailand doesn't count... More than one box plz)
Why does every landmark case involving online privacy have to involve incompetent, unsavory, or sometimes even downright despicable people (e.g. child pornographers) on the defense side?
In order to force the legal system to take a serious look at the core issues (whether the Feds can compel a company to produce its SSL private keys, whether they can compel a man to produce the password to his TrueCrypt drive, etc.) instead of getting distracted by all sorts of procedural bullshit, the case needs to have a competent defendant and even more competent counsel who make no serious mistakes throughout the course of the trial. That's the only way we're going to get a clear, decisive precedent, because otherwise the procedural blunders will dominate the legal result.
Levison's failure to contact the EFF or ACLU the moment he received the first pen/trap order has led us all to waste a lot of time and resources litigating mostly peripheral issues, and probably caused a lot more hardship for Levison himself than he ever needed to get into. Meanwhile, we still don't have a clear idea of what the U.S. legal system thinks about forcing the disclosure of SSL private keys.
Of course, hindsight is 20/20, so maybe there are adequate explanations for why he thought it was a good idea to wave a middle finger in the face of the DOJ.
But in the grand scheme of things in the battle for internet freedom, I think we just missed a golden opportunity to get the courts to tackle some serious constitutional issues. Just like in all those other contempt cases where TrueCrypt drive in question obvious contained CP, or all those other surveillance cases where the defendant was a heavy uploader. Assholes, pirates, and child pornographers have rights, of course, but they usually don't make effective crusaders.
"Levison provided the FBI with an 11-page printout containing largely illegible characters in 4-point type, which he represented to be Lavabit’s encryption keys"
I see this as a cautionary tale about the limits of cloud-storage of anything. If you really care and you're facing an adversary with subpoena power over your ISP, the only solution is to ensure the ISP simply never sees the plaintext. Thus PGP, S/MIME, etc.
I don't see why the court couldn't 'refashion' Levison's statement ...
"[I object] to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic."
... into "anything remotely close to a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute"
As a lay person, it sounds like the court wasn't trying very hard.
It's clear to me, even as a lay person, that Levinson's statement does not refer to any statutory text. Or any legal procedure, etc. On what grounds was he objecting?
"A party does not go far enough by raising a non-specific objection or claim"
pdabbadabba|12 years ago
ISL|12 years ago
otterley|12 years ago
elliotz|12 years ago
tptacek|12 years ago
Pages 8-12 of this decision convey a narrative about Levison's handling of the FBI requests. In particular, they detail an escalation that Levison himself provoked:
* The DOJ reached out demanding metadata regarding (presumably, and let's just stipulate) Snowden's use of Lavabit.
* Levison rejected the request, on the auspices that Snowden had enabled the "storage encryption" feature of Lavabit.
Here it's worth knowing that Levison had previously complied with similarly narrow requests.
* Levison confirmed to the DOJ that he had the ability to circumvent the storage encryption.
* The DOJ responded to that concession by doing exactly what anyone would have expected them to do: they escalated their demand to include the decrypted Snowden data.
* The DOJ spent eleven days trying to meet with Levison, who stonewalled them; Levison "ignored the FBI’s repeated requests to confer".
* Only upon being threatened with a contempt citation did Levison actually enter a productive discussion with the DOJ.
* Four days after being threatened with contempt, Levison presented the DOJ with a proposal to charge the DOJ $2000 to design and implement his own pen/trap system which would provide data to the DOJ only at the conclusion of the order's time window, with timely updates being provided only at Levison's discretion and only with an additional charge attached.
* Only after this sequence of events does DOJ demand the TLS keys that would have compromised all Lavabit users activities.
Levison's attorneys and the DOJ litigated the question of whether the pen/trap order required him to cough up his TLS keys. But that only happened after Levison did his best to deter the DOJ from collecting information about Snowden. As evidence for this: the DOJ eventually did install a pen/trap device of some sort, without the TLS keys, and attempted to use it to collect evidence. Had Levison complied with the DOJ productively from the beginning, he probably could have worked with them to produce the information they required without compromising the rest of his users.
I already had a problem with Lavabit as an inept and dangerous privacy solution (you can obviously see that it was; Levison was trivially able to subvert the privacy of all of his users, and was eventually forced to do so).
But almost as bad as that is his handling of the legal situation here. Read the language of the decision carefully and you'll see that had Levison simply began this process with his proposal, minus the time lag problem, but perhaps even including the price tag, he might have had that solution accepted! Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.
Later: Also, bad facts make bad law. Great to see that we now have more case law establishing that pen/trap orders demand TLS keys.
joshuak|12 years ago
1) Compromise the presumed privacy of any parties in addition to the target, much less every one of a businesse's clientele. (If you have a search warrant for a apartment, do you get to search all the apartments in the building? No, unreasonable search and seizure on the face of it.)
2) Cause material damages as to completely destroy the core business of an unrelated and presumed innocent business owner. Albeit asshole.
The government argued successfully that the warrant was “very narrow, specific”, but while that may be true in intent it is not true in effect. If in order to tap one suspected criminal it is necessary to undermine the right to privacy of one or more innocent bystanders (much less many) law enforcement and the court's hands must necessarily be tied.
That a citizen would be resistant to this seems reasonable. So what is left should only be a question as to how much being an asshole to the FBI constitutes contempt of court.
300bps|12 years ago
You emphasized eleven days as if it is some astronomical figure. In normal court proceedings, the simplest act like scheduling a deposition for questioning a witness takes months.
In the real world, people just aren't sitting around doing nothing waiting for a subpoena from the FBI to come in. Sometimes they're in the middle of a big push for a project, sometimes they're shoring up security for the latest 0-day exploit, sometimes they're in Tahiti sipping drinks on a beach for two weeks without access to email or a phone.
Sure, time sensitive criminal cases would be great if it went faster but eleven days is not out of line by any stretch.
higherpurpose|12 years ago
However, I worry about what losing this case means in the grand scheme of things. DoJ's argument was that they should be able to get the key to decrypt all e-mails for all of Lavabit's users, and the Court says that's fine because the government "wouldn't" use the key for anything other than the "target" - which seems like a ridiculous and incredibly reckless argument post-Snowden.
Would Google just hand over the key to all of their Gmail users? Let's imagine they weren't using PFS - or let's imagine they were asking Microsoft for the Outlook key, instead.
mpyne|12 years ago
She was never a coder though, and so her expertise on tech was limited to what was explained to her. I don't think Levison was making his claims about all emails everywhere being read by the goons at Minitrue in order to scare PJ in particular, but that was the net effect.
rdl|12 years ago
If they can argue something like a copyright banner in a ROM is "a mere instrumentality", there's no reason the defense side shouldn't be able to argue giving calling information to a cell provider, or mail headers to a mail server, aren't essentially the same instrumentalities.
(I've talked to lawyers who agree, but they all also agree this ship has sailed for many decades.)
That said, yes, he's both technically and legally incompetent. It's sad, and has made bad law for everyone else.
deciplex|12 years ago
ballard|12 years ago
The problem of a company providing a privacy service being a SPOF necessitates a more distributed approach that can "route around" attempts to shut it down. Any current or future entrant in privacy app space needs to also consider that one of several lessons to avoid the same fate as Lavabit.
For now, even with GPG are there any good/cheap email services that just don't log anything, don't append IPs or correct time headers and are outside US jurisdiction? (Friend's server in Thailand doesn't count... More than one box plz)
guelo|12 years ago
kijin|12 years ago
Why does every landmark case involving online privacy have to involve incompetent, unsavory, or sometimes even downright despicable people (e.g. child pornographers) on the defense side?
In order to force the legal system to take a serious look at the core issues (whether the Feds can compel a company to produce its SSL private keys, whether they can compel a man to produce the password to his TrueCrypt drive, etc.) instead of getting distracted by all sorts of procedural bullshit, the case needs to have a competent defendant and even more competent counsel who make no serious mistakes throughout the course of the trial. That's the only way we're going to get a clear, decisive precedent, because otherwise the procedural blunders will dominate the legal result.
Levison's failure to contact the EFF or ACLU the moment he received the first pen/trap order has led us all to waste a lot of time and resources litigating mostly peripheral issues, and probably caused a lot more hardship for Levison himself than he ever needed to get into. Meanwhile, we still don't have a clear idea of what the U.S. legal system thinks about forcing the disclosure of SSL private keys.
Of course, hindsight is 20/20, so maybe there are adequate explanations for why he thought it was a good idea to wave a middle finger in the face of the DOJ.
But in the grand scheme of things in the battle for internet freedom, I think we just missed a golden opportunity to get the courts to tackle some serious constitutional issues. Just like in all those other contempt cases where TrueCrypt drive in question obvious contained CP, or all those other surveillance cases where the defendant was a heavy uploader. Assholes, pirates, and child pornographers have rights, of course, but they usually don't make effective crusaders.
xcyu|12 years ago
This made my day.
marshray|12 years ago
But this is the story of a guy without good legal representation pissing off the judge and setting bad precedent that could affect all of us.
gonzo|12 years ago
marshray|12 years ago
"[I object] to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic."
... into "anything remotely close to a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute"
As a lay person, it sounds like the court wasn't trying very hard.
peterwoo|12 years ago
"A party does not go far enough by raising a non-specific objection or claim"
igl|12 years ago