It seems pretty clear to me (Occam's razor):<p>1) he was told he had to use the same monitoring process all the other providers were using<p>2) as a state secret, he couldn't reveal he was doing it ever to his users<p>3) if he complied he would totally undermine the nature of his service<p>Anything else is superfluous.
So long as uninformed speculation is running loose...
Lavabit's comment that "If you knew what I know about e-mail, you might not use it either." points in an email-specific direction as opposed to simple sniffing of traffic.<p>Perhaps he is referring to the Stored Communications Act ( <a href="http://en.wikipedia.org/wiki/Stored_Communications_Act" rel="nofollow">http://en.wikipedia.org/wiki/Stored_Communications_Act</a> ). I haven't seen it referenced in coverage of this but the gist is under the right circumstances email that is older than six months and stored on a server that you don't own can be accessed without a warrant. Lavabit's encryption process as described would interfere with that. Not being able to comply AND being unwilling to take steps to comply in the future is the sort of thing that feds don't like.<p>This wasn't a big deal when it was passed in 1986 and small mail quotas were the norm but now with IMAP, multiple devices, and archiving it becomes a pretty big issue as you are talking about someone's electronic life instead of abandoned mailboxes.<p>AFAIK the issue of Fourth Amendment issues and SCA hasn't made it to the Supreme Court yet so interpretations vary depending on circuit.
"In reality all it would take is a few lines of code to log the user’s original password which allows you to decrypt the private key which in turn allows you to receive and send mail as that user as well as access any stored messages."<p>Is this any different to writing a few lines of code to sniff the PreMasterSecret or even just a plain ol' MitM attack?
Hypothetical question:<p>What if the founder of Lavabit took the documents that the US government sent him and gagged him with and put them somewhere where they could be stolen or illegally accessed? For example, what if he put them on a computer with a public-facing IP address, or even left them on his desk in his office? If he could have plausible deniability, couldn't they get stolen and leaked without him really getting in trouble?<p>This may seem like a stretch, but when you consider the government is using secret interpretations of laws, how is it any different than what they are doing?
As long as we don't have a statement from either the government or Lavabit, we can only speculate. The most reasonable thing is then of course to assume the worst - complete surveillance of all customers. The rest is pretty much details.
Kickstarter idea: $xxx,xxx for the network operator who sniffs network traffic that discloses the basis for the Secret TSA ID law. Goose, gander, etc. I'd happily kick in 1%.
A device or piece of software designed to sniff the mail server to mail server connections would also be an option for broad based surveillance. Only a handful of mail providers (like Google) have the option to encrypt traffic server to server. Most mail servers transmit messages in the clear to each other and only encrypt the server to client side.
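A recipient can see which hops of a delivered message travelled without TLS by reading the protocol keyword each receiving server writes into its `Received` header (RFC 3848 keywords such as `ESMTPS`). The following is an added example, not part of the comment above or of the article; the sample message and its hostnames are constructed, and the function names are chosen for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); hosts and addresses are reserved example values.
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id abc123
\tfor <bob@recipient.example>; Thu, 8 Aug 2013 10:00:03 +0000
Received: from client.sender.example (client.sender.example [192.0.2.55])
\tby mx.sender.example with ESMTPSA id def456;
\tThu, 8 Aug 2013 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: test

body
"""

# "with" protocol keywords that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.DOTALL | re.IGNORECASE,
)

def hops(raw_message):
    """Return (source, receiver, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its own header, so reverse to get chronological order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m is None:
            continue  # header without a from/by/with clause: cannot classify
        proto = m.group("proto").upper()
        result.append((m.group("src"), m.group("dst"), proto, proto in TLS_PROTOCOLS))
    return result

def cleartext_hops(raw_message):
    """Hops whose receiving server did not record a TLS protocol keyword."""
    return [(src, dst) for src, dst, _, tls in hops(raw_message) if not tls]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'cleartext'})")
```

Only the headers added by servers you control are trustworthy, since earlier hops can write anything, and some servers do not emit the RFC 3848 keywords at all.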
This article gives no new information, it is stupid.<p>Now I will speculate:<p>As long as he does not know his customers' passwords he can't retroactively view the customers' mails, once the mails have been encrypted and the plain-text thrown away the stuff is unreachable.<p>So the US gov probably wanted him to save his customers' passwords when they logged in.
This article seems to speculate on things that are not necessarily true. It's possible that the government simply told him that he had to be able to supply information arbitrarily on demand without an explicit warrant. This does not mean that they required him to install their own software on his machines.<p>Of course, one can certainly still argue that this is a line that the Government should not cross - I'd wholeheartedly agree with that. However, statements such as “We’ve had a couple of dozen court orders served to us over the past 10 years, but they’ve never crossed the line,” do not imply that the government required him to install software or otherwise compromise his security in a way that he was not already able to do.