[liberationtech] How Lavabit Melted Down

[Matt Johnson]

I read that as Levison being willing to work with law enforcement when
they were asking for information on one individual, but not when they
wanted a drag net. Levison also said he did not want to give law
enforcement access they could reconfigure on their own, without his
supervision.

That all seems reasonable to me. It may probably makes sense to work
with authorities when they do reasonable things, but not when they
exceed, or try to exceed, their authority.

--
Matt Johnson



On Wed, Oct 9, 2013 at 1:52 PM, Tom O <winterfilth at gmail.com> wrote:
> He seemed pretty ok with handing over user metadata for a rather small
> amount of cash though.
>
> http://www.theguardian.com/technology/2013/oct/09/lavabit-metadata-log-3500-offer
>
>
> On Thursday, October 10, 2013, Eugen Leitl wrote:
>>
>>
>>
>> http://www.newyorker.com/online/blogs/elements/2013/10/how-lavabit-edward-snowden-email-service-melted-down.html
>>
>> HOW LAVABIT MELTED DOWN
>>
>> POSTED BY MICHAEL PHILLIPS AND MATT BUCHANAN
>>
>> On August 8th, Lavabit, newly famous for being the secure e-mail service
>> used
>> by the National Security Agency whistleblower Edward Snowden, went dark.
>> Its
>> owner and operator, Ladar Levison, replaced its home page with a message:
>> “I
>> cannot share my experiences over the last six weeks, even though I have
>> twice
>> made the appropriate requests.” Levison could write only that he chose to
>> shut down the company rather than “become complicit in crimes against the
>> American people,” and he promised to “fight for the Constitution in the
>> Fourth Circuit Court of Appeals.”
>>
>> Court-watchers repeatedly checked the Fourth Circuit docket to see whether
>> Levison would follow through. While the Fourth Circuit kept the appeals
>> secret and placed them under seal, observers deduced that Levison’s
>> appeals
>> were the ones numbered 13-4625 and 13-4626. Last week, U.S. District Judge
>> Claude M. Hilton unsealed a hundred and sixty-two pages of previously
>> secret
>> documents related to two District Court orders issued against Lavabit, so
>> that Levison could have a public record of his appeals. These disclosures
>> fall short of the ideal of open justice, but they do give Levison’s ordeal
>> a
>> public shape.
>>
>> They also allow Levison to speak more openly now. This past weekend, in
>> Manhattan’s Bryant Park, his demeanor was steady, if clearly burdened; he
>> is,
>> after all, a man who was forced to destroy the business he had spent most
>> of
>> the past decade building, and who is locked in a legal and philosophical
>> battle against the United States government.
>>
>> Levison wore a white, starched collared shirt with thin gold cufflinks;
>> the
>> afternoon was warm, and sweat, mixed with the gel that fixed his hair in a
>> slightly spiked coiffure, dotted his forehead. He spoke sternly but
>> calmly—his tenor lacked the quiet frenzy of, say, Thomas Drake, the N.S.A.
>> whistleblower, even though most of what he had to say was bad news, if you
>> value electronic privacy or security. He doesn’t use e-mail on his Android
>> smartphone, for instance, because neither the software nor the hardware of
>> any commercial phone can be trusted; carriers and phone makers can push
>> malware onto the device, he said. Yet his views are far from radical.
>> While
>> he opposes the bulk collection of domestic communications, he has no such
>> strong feelings about the N.S.A.’s foreign-surveillance efforts. He is, if
>> anything, disappointed that the U.S. government would spy on its own
>> citizens
>> on such a grand scale, and with such impunity, even though Levison’s
>> decision
>> to build a privacy-oriented e-mail service in the first place, in 2004,
>> was
>> partly in response to the Patriot Act. Part of Lavabit’s mission, before
>> it
>> shut down, was that it would “never sacrifice privacy for profits.” One of
>> its most notable features was that, for paying users, it encrypted e-mail
>> messages and other files stored on its server so that they could not be
>> read
>> by third parties without a user’s password.
>>
>> As the Times reported last week, the unsealed documents reveal that the
>> first
>> chapter of Levison’s “tangle with law enforcement” began in May—well
>> before
>> the first Snowden leak of the N.S.A.’s massive database of call logs broke
>> in
>> June—when an F.B.I. agent left his business card on Levison’s doorstep. On
>> June 10th, the government secured an order from the Eastern District of
>> Virginia. The order, issued under the Stored Communications Act, required
>> Lavabit to turn over to the F.B.I. retrospective information about one
>> account, widely presumed to be that of Snowden. (The name of the target
>> remains redacted, and Levison could not divulge it.) The order directed
>> Lavabit to surrender names and addresses, Internet Protocol and Media
>> Access
>> Control addresses, the volume of each and every data transfer, the
>> duration
>> of every “session,” and the “source and destination” of all communications
>> associated with the account. It also forbade Levison and Lavabit from
>> discussing the matter with anyone.
>>
>> Levison now says that while that particular investigation “escalated,” it
>> was
>> not the only one to land at his doorstep in recent years. He believes that
>> even if he hadn’t hosted the e-mail account of the target, Lavabit would
>> eventually have found itself in the position that it’s in now because it
>> “constitutes a gap” in the government’s intelligence. The broader
>> implication—as shown by the N.S.A.’s efforts to attack the anonymous Tor
>> network—is that intelligence agencies will try to crack any service
>> designed
>> for privacy and used at scale.
>>
>> On June 28th, the Eastern District Court of Virginia issued another order,
>> “authorizing the installation and use of a pen register and the use of a
>> trap
>> and trace device” on all electronic communications being sent from or to
>> the
>> account. The term “pen register” is a relic of Morse’s telegraph; it
>> refers
>> to the mechanical pen that recorded the electrical pulses that routed a
>> telegraph. Today, the term is used to refer to any device or process that
>> records outgoing routing information, such as phone numbers dialed or
>> e-mail
>> addresses typed. A “trap and trace device” does the inverse, and records
>> incoming phone numbers, e-mail addresses, and other connections. A court
>> may
>> issue this kind of order if the information likely to be captured is
>> “relevant to an ongoing criminal investigation.” This order also forbade
>> Lavabit from discussing the matter.
>>
>> The unsealed documents describe a meeting on June 28th between the F.B.I.
>> and
>> Levison at Levison’s home in Dallas. There, according to the documents,
>> Levison told the F.B.I. that he would not comply with the pen-register
>> order
>> and wanted to speak to an attorney. As the U.S. Attorney for the Eastern
>> District of Virginia, Neil MacBride, described it, “It was unclear whether
>> Mr. Levison would not comply with the order because it was technically not
>> feasible or difficult, or because it was not consistent with his business
>> practice in providing secure, encrypted e-mail service for his customers.”
>> The meeting must have gone poorly for the F.B.I. because McBride filed a
>> motion to compel Lavabit to comply with the pen-register and
>> trap-and-trace
>> order that very same day.
>>
>> Magistrate Judge Theresa Carroll Buchanan granted the motion, inserting in
>> her own handwriting that Lavabit was subject to “the possibility of
>> criminal
>> contempt of Court” if it failed to comply. When Levison didn’t comply, the
>> government issued a summons, “United States of America v. Ladar Levison,”
>> ordering him to explain himself on July 16th. The newly unsealed documents
>> reveal tense talks between Levison and the F.B.I. in July. Levison wanted
>> additional assurances that any device installed in the Lavabit system
>> would
>> capture only narrowly targeted data, and no more. He refused to provide
>> real-time access to Lavabit data; he refused to go to court unless the
>> government paid for his travel; and he refused to work with the F.B.I.’s
>> technology unless the government paid him for “developmental time and
>> equipment.” He instead offered to write an intercept code for the
>> account’s
>> metadata—for thirty-five hundred dollars. He asked Judge Hilton whether
>> there
>> could be “some sort of external audit” to make sure that the government
>> did
>> not take additional data. (The government plan did not include any
>> oversight
>> to which Levison would have access, he said.)
>>
>> Most important, he refused to turn over the S.S.L. encryption keys that
>> scrambled the messages of Lavabit’s customers, and which prevent third
>> parties from reading them even if they obtain the messages. The
>> pen-register
>> order required Levison to permit the F.B.I. to install the pen register
>> and
>> provide “technical assistance necessary to accomplish the installation.”
>> Levison argued that the “technical assistance” provision did not require
>> that
>> he surrender the S.S.L. keys, especially because he was willing to write
>> intercept code for the information the government desired. Giving up the
>> keys
>> “would compromise all of the secure communications in and out my network,
>> including my own administrative traffic,” he told Judge Hilton. The U.S.
>> Attorney’s Office, for its part, insisted that without the S.S.L. keys,
>> “the
>> data from the pen register will be meaningless,” an analysis shared by
>> others. But the pen-register data may not have been “meaningless” if the
>> government took up Levison’s offer to write his own intercept code.
>>
>> Prior to the hearing on July 16th, the U.S. Attorney filed a motion for
>> civil
>> contempt, requesting that Levison be fined a thousand dollars for every
>> day
>> that he refused to comply with the pen-register order. Earlier in the day,
>> Hilton issued a search-and-seizure warrant, authorizing law enforcement to
>> seize from Lavabit “all information necessary to decrypt communications
>> sent
>> to or from [the account], including encryption keys and SSL keys,” and
>> “all
>> information necessary to decrypt data stored in or otherwise associated
>> with
>> [the account].” On July 25th, Lavabit petitioned to cancel the subpoena
>> and
>> warrant, arguing that if the “government gains access to Lavabit’s Master
>> Key, it will have unlimited access to not only [the account], but all of
>> the
>> communications and data stored in each of Lavabit’s 400,000 e-mail
>> accounts.”
>> Lavabit also asked the court to unseal its records and permit Levison to
>> speak.
>>
>> It was the government’s insistence on collecting the S.S.L. keys that most
>> deeply disturbed Levison, and led to the shutdown of Lavabit. He believes
>> that not only would the F.B.I. have had unfettered, secret access to the
>> communications of his four hundred thousand customers—without being
>> required
>> to give Levison a log of what it accessed—but putting his encryption keys
>> in
>> the hands of the government would have opened Lavabit to a more profound
>> exploitation of his service’s communications. Levison worried that if he
>> turned the keys over to the F.B.I., the N.S.A. would have been able to
>> obtain
>> them without his knowledge through a Foreign Intelligence Surveillance Act
>> court order. We know now that the N.S.A. has been systematically cracking
>> encryption across the Web, and it has built a database of encryption keys
>> that automatically decode messages; this is dangerous, Levison says,
>> because
>> it allows the N.S.A. to read encrypted communications as they flow past
>> the
>> agency’s taps of the broader Internet infrastructure by simply observing
>> them, leaving no trace of the surveillance, unlike a traditional
>> “man-in-the-middle” attack. This vulnerability, he insists, is not
>> sufficiently understood. And, while the Times’s initial reporting
>> indicates
>> that the N.S.A.’s method of obtaining the keys for its database is
>> “shrouded
>> in secrecy,” Levison suggests that his case also illustrates one of the
>> ways
>> in which it collects them: by secretly compelling companies to turn them
>> over.
>>
>> The F.B.I., Levison says, “sold its soul” to the N.S.A. to acquire its
>> technologies and become a “counter-intelligence agency” rather than a
>> domestic police force. The result is an agency with somewhat stunning
>> technical capabilities—it was the F.B.I. that used malware to identify
>> users
>> of the Tor network in the course of its investigation of Freedom Hosting,
>> the
>> anonymous service provider, an incident that disturbed Levison because it
>> put
>> legitimate users at risk, even if he doesn’t agree with the illegal
>> content
>> that Freedom Hosting was allegedly housing. Before the Bureau demanded
>> Lavabit’s S.S.L. keys, in fact, he was asked “half a dozen times” about
>> any
>> point in the system where information flowed through unencrypted so that
>> the
>> F.B.I. could tap it. One result of this newfound expertise, however, is
>> that
>> Levison believes there is a knowledge gap between the Department of
>> Justice
>> and law-enforcement agencies; the former did not grasp the implications of
>> what the F.B.I. was asking for when it demanded his S.S.L. keys.
>> (According
>> to Levison, the F.B.I. agents who came to his house were surprised that he
>> hadn’t seen one of the sets of documents that had been e-mailed to him
>> demanding Lavabit’s information; they pointed to his phone and said he
>> could
>> look up the information right there. He responded, “You know better than I
>> do
>> why I don’t have e-mail on my phone.”)
>>
>> On August 1st, Lavabit’s counsel, Jesse Binnall, reiterated Levison’s
>> proposal that the government engage Levison to extract the information
>> from
>> the account himself rather than force him to turn over the S.S.L. keys.
>>
>> THE COURT: You want to do it in a way that the government has to trust
>> you—
>> BINNALL: Yes, Your Honor.
>>
>> THE COURT: —to come up with the right data.
>>
>> BINNALL: That’s correct, Your Honor.
>>
>> THE COURT: And you won’t trust the government. So why would the government
>> trust you?
>>
>> Ultimately, the court ordered Levison to turn over the encryption key
>> within
>> twenty-four hours. Had the government taken Levison up on his offer, he
>> may
>> have provided it with Snowden’s data. Instead, by demanding the keys that
>> unlocked all of Lavabit, the government provoked Levison to make a last
>> stand. According to the U.S. Attorney MacBride’s motion for sanctions,
>>
>> At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the
>> F.B.I.
>> a printout of what he represented to be the encryption keys needed to
>> operate
>> the pen register. This printout, in what appears to be four-point type,
>> consists of eleven pages of largely illegible characters. To make use of
>> these keys, the F.B.I. would have to manually input all two thousand five
>> hundred and sixty characters, and one incorrect keystroke in this
>> laborious
>> process would render the F.B.I. collection system incapable of collecting
>> decrypted data.
>>
>> The U.S. Attorneys’ office called Lavabit’s lawyer, who responded that
>> Levison “thinks” he could have an electronic version of the keys produced
>> by
>> August 5th. Judge Hilton ordered that Levison and Lavabit be fined five
>> thousand dollars for each day that they did not turn over the
>> electronic-encryption keys. On August 8th, rather than turning over the
>> master key, Levison shut down Lavabit. A week later, Levison’s lawyers
>> announced that they were appealing to Fourth Circuit Court of Appeals, an
>> announcement that nearly got Levison into further trouble; the appeal was
>> promptly placed under seal.
>>
>> Levison believes that when the government was faced with the choice
>> between
>> getting information that might lead it to its target in a constrained
>> manner
>> or expanding the reach of its surveillance, it chose the latter. The
>> documents, and Levison’s comments to us, suggest that although he is a
>> skeptic, he was willing to work with the government: he offered to write
>> intercept code himself to capture their target’s metadata, and
>> acknowledged
>> that the government might have a right to the person’s information. He was
>> willing to turn that information over, as he did in a case involving child
>> pornography; Lavabit’s archived site in fact explicitly states that one of
>> the reasons its most secure services are available to paying customers
>> only
>> is so that if an account “is used for illegal purposes that money trail
>> can
>> be used to track down the account owner.” But the government refused
>> Levison’s offer. It wanted the keys to everything, so he gave it nothing.
>>
>> Levison will be back in court on Friday to file his opening brief with the
>> Fourth Circuit. The brief is Levison’s principal opportunity to make his
>> arguments. Levison may appeal the orders on a technological basis, and
>> argue
>> that the pen-register order did not require the surrender of the S.S.L.
>> keys.
>> Or he may appeal on a broader constitutional basis, and push the Fourth
>> Circuit to evaluate the legality of back-door Internet-surveillance
>> programs.
>> On November 4th, the United States will file its response brief, after
>> which
>> oral arguments will follow. Due to the case’s sensitivity, the court may
>> hold
>> the arguments in secret. The United States and the court are waiting for
>> Levison’s brief, which could break one of at least two ways.
>>
>> When this is all over, he plans to reopen Lavabit, if possible, in the
>> United
>> States; he intends to stay in the country no matter what. If Lavabit can’t
>> operate securely in the U.S., he intends to hand off the project to
>> someone
>> in a country with more sympathetic laws, such as Iceland or Switzerland.
>> In
>> the meantime, he is beginning to think about the grander, harder project
>> of
>> creating a replacement for e-mail that can be truly secure and easy to
>> use,
>> although he’s not ready to say anything substantive about the project.
>> With
>> the muzzle largely removed, he is now reluctantly engaging in a media
>> blitz,
>> both to raise money for his legal defense through Rally.org and to boost
>> awareness of the grim nature of the surveillance state. When asked what he
>> was doing differently with his computing habits to protect his
>> communications, Levison offered an answer that’s becoming all too familiar
>> from people of his ilk: he wanted to keep it at least some of it a secret.
>>
>> Michael Phillips is an associate at a Wall Street litigation firm. Matt
>> Buchanan is the editor of Elements.
>>
>> Photograph by Mauricio Alejo.
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
>> change to digest, or change password by emailing moderator at
>> companys at stanford.edu.
>
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> companys at stanford.edu.