How Lavabit Melted Down

The integrity and bravery he has shown in this fight is impressive. He has definitely earned enough "cred" to restart this business outside the US and be very successful.

The most scary quote in the whole article is this:<p>THE COURT: You want to do it in a way that the government has to trust you &#x2F;...&#x2F; THE COURT: And you won’t trust the government. So why would the government trust you?<p>It was that the whole idea on which US is built on - the Constitution and other founding ideas - was based on trusting the government only with very little that is necessary for it to function and no more, and having the ultimate power reside in the hands of the citizens. Now it comes to trust in the government being implied and if the citizen doesn&#x27;t trust the government, he is not to be trusted and must be subjected to coercion. And that&#x27;s coming from courts, that are supposed to be protecting the constitutional rights. America has come a long and very sad way since its noble origins.

The fact the government wanted the SSL keys is obvious they wanted to get at all his customers, not just the one they were targeting.<p>Levison offered multiple times to write a specific script for the single user that would do what they wanted and at a minimal cost to the government - and they refused. A pretty clear indication they wanted unfettered access to his client base and his network.<p>Then you add in the lack of ANY oversight on either Lavabit&#x27;s or the government&#x27;s, and you have to praise him for what he did.

I am blown away by the bravery, I know I&#x27;d never be so bold.<p>Also confused why he didn&#x27;t end up in prison on mysterious &quot;pervert&quot; charges out of the blue or even dead. And don&#x27;t lecture me that is far fetched after this past year.

The more I read the more sympathy I have for the government here. They had a (presumably lawfully obtained) warrant against a specific user; it&#x27;s not they who designed lavabit such that it was impossible to execute this without obtaining access to every other user. The proposal that Levison would extract the information himself rather than turning over the keys strikes me as completely unrealistic - any information so obtained would be quite rightly thrown out of court, because there&#x27;s no reliable evidentiary chain, only (in effect) Levison&#x27;s word. Even if he had turned over the SSL keys, the US still has a fairly strong &quot;fruit of the poison tree&quot; doctrine: any information the government happened to obtain on other users would be invalid for prosecution because it wouldn&#x27;t be covered by their search warrant.

&gt; While he opposes the bulk collection of domestic communications, he has no such strong feelings about the N.S.A.’s foreign-surveillance efforts.<p>As a non-American, I have a problem with this seemingly widespread idea even among privacy advocates in the USA that only Americans are entitled to the protection of their rights from the American government.

Of wonderful note:<p><i>At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the F.B.I. a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be four-point type, consists of eleven pages of largely illegible characters. To make use of these keys, the F.B.I. would have to manually input all two thousand five hundred and sixty characters, and one incorrect keystroke in this laborious process would render the F.B.I. collection system incapable of collecting decrypted data.</i><p>I tip my hat to this magnificent bastard.<p>EDIT:<p>The core issue is summed up nicely thereafter:<p><i>Levison believes that when the government was faced with the choice between getting information that might lead it to its target in a constrained manner or expanding the reach of its surveillance, it chose the latter.</i>

For the fortitude he has shown in fighting the good fight, please consider donating to his defense fund: <a href="http://lavabit.com/" rel="nofollow">http:&#x2F;&#x2F;lavabit.com&#x2F;</a> (link at the end).

There is a huge disconnect between the &quot;justice&quot; system and technology which needs to end. You&#x27;ve seen it before if you&#x27;re in IT, that glazed eyes look when explaining why their Word document is missing…<p>Anyone with judicial experience know if judges have trusted advisory panels that can help wrap their heads around technology to better rule on cases such as this?

I still don&#x27;t get one thing about this story:<p>&gt;&gt; To make use of these keys, the F.B.I. would have to manually input all two thousand five hundred and sixty characters, and one incorrect keystroke in this laborious process would render the F.B.I. collection system incapable of collecting decrypted data<p>Don&#x27;t FBI have some ultra DPI scanner with advanced OCR software? Let&#x27;s say they live under a rock, it&#x27;s still not so hard to manually type ~2k characters using magnifying glass. If so, what was the point to shut down Lavabit AFTER turning in printed keys?<p>P.S. I still highly respect Lavabit and people behind it, but this point in a story doesn&#x27;t make sense at all.

News outlets keep repeating &quot;11 pages of 4-point type totaling 2560 characters&quot;, which just doesn&#x27;t match up since that number of characters fits on one page in a fairly normal font size. Also, RSA keys just aren&#x27;t that big, so the 11 pages must have either been many keys or some other data.<p>As I understand Lavabit&#x27;s architecture, there is no &quot;master&quot; key. Instead, incoming mail is encrypted using an asymmetric per-user key. All the key pairs were created by Lavabit and stored on-site, but locked by a password to be provided over TLS. Since Levison probably didn&#x27;t compromise his system to store users&#x27; passwords, presumably the keys that he was handing over in 4-point type were still locked with a password.

I&#x27;ve been skeptical of LavaBit, chalking it up to the general deification that HN gives to its heroes du jour, but he really seems to have made a highly principled stand while still allowing the government to intercept any individual for which it had a warrant.

Demanding the SSL keys to the entire database was clearly an insane overreach on the FBI&#x27;s part, a mistake that they compounded if it&#x27;s true that they refused to work with Lavar on the more targeted approach he suggested. I would like to kick in some bucks towards Ladar&#x27;s defense, but I&#x27;d rather do it through the EFF (where I&#x27;m already a member) rather than rally.org, which I&#x27;ve never heard of.<p>Does anyone have any experience with (or thoughts about) rally.org -- or, for that matter, any knowledge of why the EFF isn&#x27;t running point on this case?

Is anyone else thinking that their systems should include a self-destruct button? (for LavaBit I&#x27;d imagine a process that e-mailed each user the SSL key used to encrypt their mailbox, then deleted the key from the system. A user could still decrypt their mailbox by downloading it and using the key).

The amount of support for Levison and ire toward the government in this case is absurd. The FBI followed the Constitutional process of obtaining a warrant for the information of the &quot;one user&quot;.<p>I suspect that the only reason anyone cares about this case is because Lord Snowden the Infallible deigned to grace Lavabit with his email traffic.<p>Would the internet outrage be the same if the targeted user was found out to be a Goldman Sachs executive or a Westboro Baptist Church minister?