Note that this opinion rests almost entirely on the fact that Lavabit/Levison failed to raise any of his legal arguments before the trial court. Any lawyer can tell you that, if you want a court of appeals to consider a legal issue, you have to raise it before the lower court first to give them a chance to rule and to develop a record for the court of appeals to review. I'm sure there are those out there who will want to make this into a major privacy ruling, but it just isn't.
Levison should have hired a competent and experienced attorney the day the FBI contacted him. The errors and failures cited in the appellate opinion are ones that nearly any attorney that passed a Bar Exam wouldn't have made.
The more I read about the case, the less happy I am about having donated to Levison.<p>Pages 8-12 of this decision convey a narrative about Levison's handling of the FBI requests. In particular, they detail an escalation that Levison himself provoked:<p>* The DOJ reached out demanding metadata regarding (presumably, and let's just stipulate) Snowden's use of Lavabit.<p>* Levison rejected the request, on the auspices that Snowden had enabled the "storage encryption" feature of Lavabit.<p><i>Here it's worth knowing that Levison had previously complied with similarly narrow requests.</i><p>* Levison confirmed to the DOJ that he had the ability to circumvent the storage encryption.<p>* The DOJ responded to that concession by doing exactly what anyone would have expected them to do: they escalated their demand to include the decrypted Snowden data.<p>* The DOJ spent <i>eleven days</i> trying to meet with Levison, who stonewalled them; Levison "ignored the FBI’s repeated requests to confer".<p>* Only upon being threatened with a contempt citation did Levison actually enter a productive discussion with the DOJ.<p>* Four days after being threatened with contempt, Levison presented the DOJ with a proposal to charge the DOJ $2000 to design and implement his own pen/trap system which would provide data to the DOJ <i>only at the conclusion of the order's time window</i>, with timely updates being provided only at Levison's discretion and only with an additional charge attached.<p>* Only <i>after</i> this sequence of events does DOJ demand the TLS keys that would have compromised all Lavabit users' activities.<p>Levison's attorneys and the DOJ litigated the question of whether the pen/trap order required him to cough up his TLS keys. But that only happened after Levison did his best to deter the DOJ from collecting information about Snowden. As evidence for this: the DOJ eventually did install a pen/trap device of some sort, without the TLS keys, and attempted to use it to collect evidence. Had Levison complied with the DOJ productively from the beginning, he probably could have worked with them to produce the information they required without compromising the rest of his users.<p>I already had a problem with Lavabit as an inept and dangerous privacy solution (you can obviously see that it was; Levison was trivially able to subvert the privacy of all of his users, and was eventually forced to do so).<p>But almost as bad as that is his handling of the legal situation here. Read the language of the decision carefully and you'll see that had Levison simply begun this process with his proposal, minus the time lag problem, but perhaps even including the price tag, he might have had that solution accepted! Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.<p><i>Later: Also, bad facts make bad law. Great to see that we now have more case law establishing that pen/trap orders demand TLS keys.</i>
Sigh.<p>Why does every landmark case involving online privacy have to involve incompetent, unsavory, or sometimes even downright despicable people (e.g. child pornographers) on the defense side?<p>In order to force the legal system to take a serious look at the core issues (whether the Feds can compel a company to produce its SSL private keys, whether they can compel a man to produce the password to his TrueCrypt drive, etc.) instead of getting distracted by all sorts of procedural bullshit, the case needs to have a competent defendant and even more competent counsel who make no serious mistakes throughout the course of the trial. That's the only way we're going to get a clear, decisive precedent, because otherwise the procedural blunders will dominate the legal result.<p>Levison's failure to contact the EFF or ACLU the moment he received the first pen/trap order has led us all to waste a lot of time and resources litigating mostly peripheral issues, and probably caused a lot more hardship for Levison himself than he ever needed to get into. Meanwhile, we still don't have a clear idea of what the U.S. legal system thinks about forcing the disclosure of SSL private keys.<p>Of course, hindsight is 20/20, so maybe there are adequate explanations for why he thought it was a good idea to wave a middle finger in the face of the DOJ.<p>But in the grand scheme of things in the battle for internet freedom, I think we just missed a golden opportunity to get the courts to tackle some serious constitutional issues. Just like in all those other contempt cases where the TrueCrypt drive in question obviously contained CP, or all those other surveillance cases where the defendant was a heavy uploader. Assholes, pirates, and child pornographers have rights, of course, but they usually don't make effective crusaders.
"Levison provided the FBI with an 11-page printout containing largely illegible characters in 4-point type, which he represented to be Lavabit’s encryption keys"<p>This made my day.
I see this as a cautionary tale about the limits of cloud-storage of anything. If you really care and you're facing an adversary with subpoena power over your ISP, the only solution is to ensure the ISP simply never sees the plaintext. Thus PGP, S/MIME, etc.
I don't see why the court couldn't 'refashion' Levison's statement ...<p>"[I object] to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic."<p>... into "anything remotely close to a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute"<p>As a lay person, it sounds like the court wasn't trying very hard.