[tptacek]

The more I read about the case, the less happy I am about having donated to Levison.

Pages 8-12 of this decision convey a narrative about Levison's handling of the FBI requests. In particular, they detail an escalation that Levison himself provoked:

* The DOJ reached out demanding metadata regarding (presumably, and let's just stipulate) Snowden's use of Lavabit.

* Levison rejected the request, on the auspices that Snowden had enabled the "storage encryption" feature of Lavabit.

Here it's worth knowing that Levison had previously complied with similarly narrow requests.

* Levison confirmed to the DOJ that he had the ability to circumvent the storage encryption.

* The DOJ responded to that concession by doing exactly what anyone would have expected them to do: they escalated their demand to include the decrypted Snowden data.

* The DOJ spent eleven days trying to meet with Levison, who stonewalled them; Levison "ignored the FBI’s repeated requests to confer".

* Only upon being threatened with a contempt citation did Levison actually enter a productive discussion with the DOJ.

* Four days after being threatened with contempt, Levison presented the DOJ with a proposal to charge the DOJ $2000 to design and implement his own pen/trap system which would provide data to the DOJ only at the conclusion of the order's time window, with timely updates being provided only at Levison's discretion and only with an additional charge attached.

* Only after this sequence of events does DOJ demand the TLS keys that would have compromised all Lavabit users activities.

Levison's attorneys and the DOJ litigated the question of whether the pen/trap order required him to cough up his TLS keys. But that only happened after Levison did his best to deter the DOJ from collecting information about Snowden. As evidence for this: the DOJ eventually did install a pen/trap device of some sort, without the TLS keys, and attempted to use it to collect evidence. Had Levison complied with the DOJ productively from the beginning, he probably could have worked with them to produce the information they required without compromising the rest of his users.

I already had a problem with Lavabit as an inept and dangerous privacy solution (you can obviously see that it was; Levison was trivially able to subvert the privacy of all of his users, and was eventually forced to do so).

But almost as bad as that is his handling of the legal situation here. Read the language of the decision carefully and you'll see that had Levison simply began this process with his proposal, minus the time lag problem, but perhaps even including the price tag, he might have had that solution accepted! Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.

Later: Also, bad facts make bad law. Great to see that we now have more case law establishing that pen/trap orders demand TLS keys.

[joshuak]

I am not a lawyer, but having read through the decision it still seems to me that the fact someone is an asshole is strictly immaterial to the issue of weather or not it is reasonable/constitutionally allowable to issue a warrant of any kind that would:

1) Compromise the presumed privacy of any parties in addition to the target, much less every one of a businesse's clientele. (If you have a search warrant for a apartment, do you get to search all the apartments in the building? No, unreasonable search and seizure on the face of it.)

2) Cause material damages as to completely destroy the core business of an unrelated and presumed innocent business owner. Albeit asshole.

The government argued successfully that the warrant was “very narrow, specific”, but while that may be true in intent it is not true in effect. If in order to tap one suspected criminal it is necessary to undermine the right to privacy of one or more innocent bystanders (much less many) law enforcement and the court's hands must necessarily be tied.

That a citizen would be resistant to this seems reasonable. So what is left should only be a question as to how much being an asshole to the FBI constitutes contempt of court.

[tptacek]

I'm not a lawyer either, but if you reread my comment, you'll see that my issue here is that Levison had an opportunity to work with the DOJ without compromising all of his users: the production of his TLS keys wasn't litigated until after he had stonewalled DOJ over narrower requests.

[joshuak]

That is difficult to assert since as soon as the DOJ finally did install the tap and got encrypted traffic (as he had told them they would from the beginning) they immediately insisted on the keys.

I can't imagine they would not have demanded the keys if only he had been more cooperative from the beginning. And it is not unreasonable to believe he was fearful of that outcome from the beginning. In fact as part of the tap order he objected to he was required to "assist" which even the court noted was an ambiguous requirement (although avoided a decision on that issue).

[tptacek]

Look back a page, and check out my original comment. Levison offered a solution where he'd provide the decrypted information the DOJ wanted, but it was rejected, because:

* By the time he suggested it, he had demonstrated hostility to DOJ's cause

* He refused to provide timely updates, instead dictating that information would be provided only at the conclusion of the monitoring window

[joshuak]

The original order allowed law enforcement to [“capture all non-content dialing, routing, addressing, and signaling information . . . sent from or sent to” the target’s account.] (note "non-content")

Levison told the FBI when first contacted that he could not do this because of the encryption mode the target used. He told the FBI [“Lavabit did not want to ‘defeat [its] own system.’”] presumably by disclosing it's private keys for the ssl traffic. Only later did he come up with a way that he could comply with this order without disclosing Lavabit's private keys, but by the next day that was already too late because:

That very same day as the first order the FBI got a new broader order that [instructed Lavabit to “provide the [FBI] with unencrypted data pursuant to the [Pen/Trap] Order” and reiterated that Lavabit was to provide “any information, facilities, or technical assistance . . . under the control of Lavabit . . . [that was] needed to provide the FBI with the unencrypted data.”]

So this is where I make my point above, that this seems over reaching, and Levison's reactions from that point forward are understandable if argumentative. It is only after this point that one could argue he "demonstrated hostility".

--

However, it should be noted here that this appeals court decision does not ratify the magistrate judge's approval of a wire tap or the original court's decision against Levison and Lavabit. This decision even notes that Levison fails to make the arguments I made above so cannot consider them.

[drewcrawford]

Let's stipulate for the purposes of this thread that he broke the law, was a jerk, and did a morally wrong thing.

None of that is justification to violate the privacy of innocent third parties.

[tptacek]

You have no evidence that any such violation occurred, and neither do I.

[300bps]

The DOJ spent eleven days trying to meet with Levison

You emphasized eleven days as if it is some astronomical figure. In normal court proceedings, the simplest act like scheduling a deposition for questioning a witness takes months.

In the real world, people just aren't sitting around doing nothing waiting for a subpoena from the FBI to come in. Sometimes they're in the middle of a big push for a project, sometimes they're shoring up security for the latest 0-day exploit, sometimes they're in Tahiti sipping drinks on a beach for two weeks without access to email or a phone.

Sure, time sensitive criminal cases would be great if it went faster but eleven days is not out of line by any stretch.

[higherpurpose]

I agree that legally, Levison probably made a mistake by stonewalling DoJ.

However, I worry about what losing this case means in the grand scheme of things. DoJ's argument was that they should be able to get the key to decrypt all e-mails for all of Lavabit's users, and the Court says that's fine because the government "wouldn't" use the key for anything other than the "target" - which seems like a ridiculous and incredibly reckless argument post-Snowden.

Would Google just hand over the key to all of their Gmail users? Let's imagine they weren't using PFS - or let's imagine they were asking Microsoft for the Outlook key, instead.

[mpyne]

> Would Google just hand over the key to all of their Gmail users?

No, Google would comply with the narrow, specific warrant the first time. Again, it bears repeating that the only reason DoJ asked for the master key in the first place is because Levison refused to comply with the narrow requests. If Levison wouldn't do it, then the government would figure it out on their own, but the only reason this situation even came up is because Levison wouldn't do it.

Not complying with a narrow and specified warrant is highly hypocritical, especially in this case since Snowden's initial claims were entirely about wanting the NSA to have to have specific warrants for their searches instead of using broad search authorities. But when push came to shove and the government presented a narrow and specific warrant, of a type Levison had previously honored, all of a sudden that was no longer good enough for this particular privacy advocate.

[higherpurpose]

Wasn't it his right to fight a court order (don't think it was warrant) like that? I think Twitter has fought court orders in the past, while refusing to give the data in the mean time.

I think Levison's mistake was that he did it all by himself, instead of hiring a lawyer and following the proper procedure for doing that. The government escalated with a broader request, which I guess was also their right to try (even if it's wrong), and then Levison tried to fight that with a lawyer, but I guess it was a little too late for that, and what he did initially complicated things for his case.

[anigbrowl]

Wasn't it his right to fight a court order (don't think it was warrant) like that?

It's his right to fight the government request, or to appeal the court order to a higher court. But it's not his right to evade compliance. Yes the court is part of the government but it's not the executive part - courts can and do reject the arguments of the government (qua legal entity) all the time.

[tptacek]

He didn't simply fight the order; he deliberately antagonized the DOJ.

Presumably Twitter's lawyers avoid brinksmanship, knowing that they'll inevitably lose and, in the process, lose credibility with the court.

[jethro_tell]

It is, but at this point he didn't have a lawyer (via a quote from his lawyer in the most recent court proceeding), so instead of going to court with the DOJ, a Lawyer, and a Judge, and explaining the technical issues, he just hoped they would go away or something. When you get a note of this nature from the DOJ that you aren't interested in complying with, you should probably carve out some time on the same day to call your lawyer, or the ACLU or EFF.

[chc]

I think the crux of the DOJ's argument is that they should be able to get the key because less intrusive methods they might have employed have been blocked, so it has become the least intrusive method available.

Google wouldn't hand over the key to all of their Gmail users — they would offer a better option, which Levison did not.

[pdabbadabba]

It means almost literally nothing precedent-wise. The court affirmed the district court because Levinson either failed to raise his arguments before the district court and, in fact, conceded "that the [G]overnment [was] entitled to the [requested] information." It does not reach the substantive propriety of the warrant and order and cannot properly be cited for any such proposition.

[mpyne]

I'm unhappy that Levison's overbearance on email caused Pamela Jones to quit Groklaw. Ordinarily these are exactly the kinds of cases PJ would be able to demonstrate some of her expertise on, by explaining how longstanding legal principles apply to problems in the tech sector.

She was never a coder though, and so her expertise on tech was limited to what was explained to her. I don't think Levison was making his claims about all emails everywhere being read by the goons at Minitrue in order to scare PJ in particular, but that was the net effect.

[ballard]

Her quitting was like a superhero retiring.

[chimeracoder]

> I'm unhappy that Levison's overbearance on email caused Pamela Jones to quit Groklaw.

Can you explain?

I may be wrong, but my misunderstanding is that Groklaw shut down because there is no way of knowing whether or not the privacy has been compromised.

In other words, this incident revealed information that was already true; Groklaw shut down in the light of the new knowledge, but not because the previously-private communication was suddenly vulnerable.

[mpyne]

> I may be wrong, but my misunderstanding is that Groklaw shut down because there is no way of knowing whether or not the privacy has been compromised.

And that was true since POP3 was invented. When you're sending the digital equivalent of postcards to each other then you can never know if your privacy has been compromised.

It's unclear to me what PJ really thought about the privacy of email before Levison, but what is clear is that Levison and SilentCircle's hysterical actions are what convinced PJ to close up shop.

[rdl]

I disagree with the entire 'very little cause required to compel disclosure of metadata'; essentially, the third-party doctrine should only apply if users are consciously giving their data to a third party for the purpose of redistribution, and not purely incidentally to a service.

If they can argue something like a copyright banner in a ROM is "a mere instrumentality", there's no reason the defense side shouldn't be able to argue giving calling information to a cell provider, or mail headers to a mail server, aren't essentially the same instrumentalities.

(I've talked to lawyers who agree, but they all also agree this ship has sailed for many decades.)

That said, yes, he's both technically and legally incompetent. It's sad, and has made bad law for everyone else.

[gamblor956]

Not even remotely similar. A copyright banner isn't even a mere instrumentality because copyright law already protects the ROM; the banner is redundant. (see http://www.copyright.gov/circs/circ03.pdf. Notice was required by the 1976 Copyright act but after the US adopted the Berne Convention notice became optional.)

On the other hand, mail headers and other such meta are frequently necessary to provide the service. The very act of using email requires giving one or more headers to one or more third-party email providers; the very act of making a phone call requires giving phone number information to one or more phone service providers.

[rdl]

I was referring to https://en.wikipedia.org/wiki/Sega_v._Accolade

[gamblor956]

I'm not sure how that case is relevant to your point. In that case, Sega used a TMSS file as a hardware check to make sure games were properly licensed. Acclaim copied this file and included it in their games after reverse-engineering some demo games. This was eventually found to be fair-use since it was required to run their games but there was no technical reasons for the use of the TMSS file.

That's different from the point you were trying to make. The provision of email addresses and phone numbers are inherently necessary for an email provider or telephone service provider to provide those services. They aren't just incidental data--they're a fundamental part of the service transactions at issue.

[bradleyjg]

I agree that Smith v. Maryland, 442 U.S. 735 (1979) and its progeny are not great, and it's possible, though unlikely, that the Supreme Court will eventually revisit the issue. But Levison's actions in no way helped make that any more likely. On the contrary he completely failed to preserve the issue. His mistakes were in large part due to the repeated efforts to act as his own attorney. I'm sympathetic regarding the high cost of legal representation but he could have at least tried to reach out to one of the fairly well funded public groups that do work in this area early on.

[deciplex]

I guess you're just taking it as a given that resisting the DOJ's persecution of Snowden was an error. I'm not really surprised, given your history of cheerleading for the NSA, but anyone who doesn't agree with that is going to find the rest of your reasoning a bit wanting.

[chc]

I wouldn't describe anything tptacek has done as "cheerleading for the NSA". He is less apt to get riled up than a lot of people, but "cheerleading" implies more active support than just not being convinced that somebody is the Devil.

[tptacek]

None of the logic in the comment you're replying to has anything at all to do with NSA, so your objection to it says more about your biases than mine.

[ballard]

It was military-grade sec with valley-grade marketing.

The problem of a company providing a privacy service being a SPOF necessitates a more distributed approach that can "route around" attempts to shut it down. Any current or future entrant in privacy app space needs to also consider that one of several lessons to avoid the same fate as Lavabit.

For now, even with GPG are there any good/cheap email services that just don't log anything, don't append IPs or correct time headers and are outside US jurisdiction? (Friend's server in Thailand doesn't count... More than one box plz)

[guelo]

Maybe Levison didn't want the FBI to track down and capture Snowden and throw him in jail for the rest of his life.