Edward Snowden's a bad, bad man. Or so the US government says, bad enough to merit wiretaps and search warrants and seizure of his email "metadata".
And thus, Lavabit.com was served with a sealed court order, demanding details surrounding e-mail correspondence conducted by Edward Snowden's account. Not the content of the e-mails, mind you, but just IP addresses, durations of e-mail sessions, and names and addresses of people that he had communicated with. They specifically excluded email messages and subject lines from their request--that was content, and a strict no-no.
Lavabit is in the business of providing highly secure e-mail services to people who value privacy. Unsurprisingly, its clients are occasionally the subject of legal investigations. In an interview with Democracy Now, Lavabit's founder noted that he has always complied with previous requests by law enforcement:
Yeah, we’ve probably had at least two dozen subpoenas over the last 10 years, from local sheriffs’ offices all the way up to federal courts. And obviously I can’t speak to any particular one, but we’ve always complied with them.These were likely also benign requests for metadata, not content, of the email. What made this request different was how the government wanted to achieve its goal of metadata collection: not with a fine-toothed comb, but with a vacuum cleaner.
Keys to the Kingdom
Lavabit's founder was subpoenaed to provide his website's public and private SSL keys to facilitate the government's monitoring. He balked at this. Turning over the keys would permit the government to see who Snowden was e-mailing, but it would also:
* Compromise his company's 400,000 other clients' privacy
* Permit the government to sniff the user's passwords, which were used to encrypt their email content and thus, compromise every clients' email content
To use a bad analogy, the government was approved to see the labels of boxes in the storage bin marked "Snowden", but they asked for the tools to open up every storage bin, read every label on the boxes inside, and then open up those boxes, too, and have a poke around.
This is not to say that they asked for the right to do that, only the tools to do it. Lavabit argued that they should not be forced into a position where their clients had to trust the US government's restraint.
THE COURT: You want to do it in a way that the government has to trust youThe US attorney pinky sweared that they'd behave:
MR. BINNALL: Yes, Your Honor.
THE COURT : - - to come up with the right data.
MR. BINNALL; That's correct, Your Honor.
THE COURT: And you won't trust the government. So why would the government trust you?
MR. BINNALL: Your Honor, because that's what the basis of Fourth Amendment law says is more acceptable, is that the government is the entity that you really need the checks and balances on. Now, my --
THE COURT : I don't know that the Fourth Amendment says that. This is a criminal investigation.
MR. TRUMP: We can assure the Court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it. It filters everything, and at the back end of the filter, w'e get what we're required to get under the order. So there's no agents looking through the 400,000 other bits of information, customers, whatever. No one looks at that, no one stores it, no one has access to it. All we're going to look at and all we're going to keep what is called for under the pen register order, and that's all we're asking this Court to do.And as smoothly as that, the founder of Lavabit was in a bit of a pickle. He believed that the US government could not be trusted with the keys to the kingdom. He was right to be suspicious, as it turns out. Perhaps Mr. Trump and the FBI would not abuse the access they were given, but who would guarantee that they would keep their access safe from the probing eyes of the NSA? After all, only 3 weeks ago, the Snowden leaks revealed that the NSA used a man-in-the-middle attack, likely with a hacked SSL certificate, to spy on a Brazilian oil company.
THE COURT : All right. Well, I think that's reasonable.
Throughout the process, Lavabit was under a gag order and the documents were sealed. Their case could not attract amicus briefs from industry and civil rights heavyweights. The Lavabit founder had to fund his opposition out of his own pocket. He handled some of his hearings by himself, presumably to save money. This little exchange highlights how out of his league he is:
THE COURT : Okay . Now, did you want to say anything else?Ultimately, Lavabit was forced to hand over their keys.
MR. LEVISON: Well, I mean, I've always maintained that all the government needs to do is contact me and set up an appointment to install that pen register. So I don't know why there has never been any confusion about my willingness to install it. I've only ever objected to the providing of those keys which secure any sensitive information going back and forth. But my motion, and I 'm not sure if it's relevant or not because it deals more with the issue of the subpoena demanding the keys and for what will be the forthcoming search warrant, would be a continuance so that I can retain counsel to address
that particular issue.
THE COURT : Well, I mean, there's nothing before me with that . I've issued the subpoena. Whatever happens with that, that 's -- you're trying to get me to do what Mr. Trump wanted to do and to arrange this beforehand .
MR . LEVISON : Well, I don't know if I have to appear before that grand jury right now and give the keys over or face arrest. I'm not a lawyer so I don't understand the procedure.
THE COURT : I don't know either. You need to have --- it would be wise to have a lawyer.
MR . LEVISON : Okay .
THE COURT : I don't know what's going to happen. I don't know. They haven't served the warrant yet . I have no idea. Don't know what's going to happen with it. You'll just have to figure that out, and it be wise to have a lawyer to do it, I would think.
Key Exchange
Couldn't read that? It said: "Lavabit's founder acquiesced and provided the US government with their private keys."
Which they did: in four-point font on a crappy quality printout that spanned 11 pages.
The US clarified their request to specify that the keys be provided in digital form on a CD in the PEM exchange format.
At which point Lavabit provided the keys in the desired form and turned off their servers. Silent Circle, another secure e-mail service, closed their doors a few weeks later rather than be put in the same position.
Summary
Lavabit's case exemplifies why the world should stop storing data in the US.
The government claimed to seek narrowly-defined monitoring capabilities, but refused a proposal that would grant them only that narrow monitoring. They did this under a veil of secrecy that ensured it was the full might of the US government vs the legal defense afforded by the pockets of a small business person.
That's disgusting. They are now appealing and have successfully unsealed the previous court documents. I wish them the best of luck in winning their appeal.
No comments:
Post a Comment