April 25, 2014


Lavabit and how law enforcement access might be done in the future

The saga of Lavabit, the now-closed “secure” mail provider, is an interesting object of study. They’re in the process of appealing a court order to produce their SSL private keys, with which a government eavesdropper would then have access to the entirety of all traffic going in and out of Lavabit. You can read Lavabit’s appeal brief and a general summary of their legal situation. What jumps out is that Lavabit tried to propose an alternative: giving access exclusively to metadata from the target of the investigation. Lavabit’s proposal:

  • The government would pay $3500 for Lavabit’s development costs and operations
  • The operations would provide a variety of email headers on the subject of the investigation, notably excluding the subject line
  • This surveillance data would be sent in daily batches to the government
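The proposal above amounts to a data-minimization rule: for one targeted account, disclose routing and timing headers, withhold the Subject line, and never touch the body. The following is an added illustration in Python (not Lavabit's code); the allow-list, the target address, and the sample messages are all constructed for the example.

```python
import email
from email.utils import getaddresses

# Routing and timing headers only. Subject is deliberately absent from this
# allow-list, matching the proposal; anything not listed is never disclosed.
ALLOWED_HEADERS = ("Return-Path", "Received", "Date", "From", "To", "Cc", "Message-ID")


def involves_target(msg, target):
    """True if the target mailbox appears as sender or recipient."""
    raw = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return any(addr.lower() == target.lower() for _, addr in getaddresses(raw))


def minimized_headers(msg):
    """Allow-listed header view of one message: no Subject, no body, no parts."""
    return {name: msg.get_all(name) for name in ALLOWED_HEADERS if msg.get_all(name)}


def daily_batch(raw_messages, target):
    """Build one day's disclosure batch for a single targeted account.

    Messages that do not involve the target are skipped entirely, so the
    batch carries nothing about other users of the service.
    """
    batch = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        if involves_target(msg, target):
            batch.append(minimized_headers(msg))
    return batch


# Constructed sample traffic: one message to the target, one between other users.
SAMPLE_MESSAGES = [
    (b"Return-Path: <alice@example.org>\n"
     b"Received: from mx.example.org by mail.example.net; Fri, 25 Apr 2014 09:58:12 +0000\n"
     b"Received: from [192.0.2.10] by mx.example.org; Fri, 25 Apr 2014 09:58:10 +0000\n"
     b"Date: Fri, 25 Apr 2014 09:58:00 +0000\n"
     b"From: Alice <alice@example.org>\n"
     b"To: target@example.net\n"
     b"Message-ID: <constructed-1@example.org>\n"
     b"Subject: Draft of the contract\n"
     b"\n"
     b"Body text that must not be disclosed.\n"),
    (b"Date: Fri, 25 Apr 2014 11:00:00 +0000\n"
     b"From: bob@example.org\n"
     b"To: carol@example.net\n"
     b"Message-ID: <constructed-2@example.org>\n"
     b"Subject: Lunch\n"
     b"\n"
     b"Unrelated body.\n"),
]
```

Running `daily_batch(SAMPLE_MESSAGES, "target@example.net")` yields a single record containing the two Received lines, Date, From, To and Message-ID, with the Subject and body of the targeted message and the entirety of the unrelated message left out.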

It appears that the government wasn’t interested in negotiating this, instead going for the whole enchilada, which then led Lavabit to pull the plug on its service. The question I want to pursue is how this whole situation could have happened in a way that would have satisfied the government’s investigative needs without its flagrant violation of the Fourth Amendment prohibition against unreasonable search and seizure. Consider whether Lavabit might have adopted Google’s legal procedures. Google clearly spells out what they’re willing to divulge with a subpoena, court order, or warrant (and nicely defines each of those terms). In Google’s process, the government brings a written search warrant, Google’s legal team reviews it, and then they provide access to the targeted account, providing notice to the affected user when they’re allowed to. Seems reasonable, right?

If all the government needed was real-time traces of specific subjects, that would seem to be a reasonable point of negotiation between them and Lavabit. For the right price, Lavabit could certainly have engineered a solution to their needs. It appears that there wasn’t any serious attempt at negotiation. The government wanted much more than this, creating the dispute. (The Guardian claims that the government also wasn’t willing to pay $3500, calling it unreasonable. It’s hard to stomach that claim, given all the other expenses involved in a major criminal investigation.)

Lavabit used SSL to protect data in transit, and some other crypto derived from the user’s password to protect data on their hard drives. But when the user logs in, that key material must be available to the server in order to present the data to the user. While users might be able to use stronger cryptographic means to protect their data against legal warrants (e.g., using Thunderbird with the enigmail OpenPGP plugin), ultimately the lesson of Lavabit is that technology alone cannot solve a legal problem. A future Lavabit needs to have its legal processes sorted out in advance, making reasonable promises to its users and making reasonable access available to the government. Likewise, it’s time for Congress to establish some clear limits on government surveillance to prevent unreasonable search and collection practices in the future.

Comments

  1. bode says:

    The other lesson is, in case you didn’t read closely enough: LavaBit had no problem handing over customer email. Just not in real-time. They handled a dozen or more subpoenas for email. So it’s not like they shut the whole thing down as soon as user privacy was breached. Not saying it wasn’t a good choice (you couldn’t buy better publicity) but I’m sure those dozen users in jail right now aren’t happy.

    Also, here’s a good legal analysis of their appeal:

    http://www.volokh.com/2013/10/11/lavabit-challenges-contempt-order/

  2. Tim H says:

    Your last sentence needs rewording. Mr Snowden showed clearly that “…clear limits on government surveillance…” WILL NOT “prevent unreasonable search and collection practices in the future.”

  3. Alex says:

    What do you mean with

    > Consider whether Lavabit might have adopted Google’s legal procedures.

    Are you saying that you believe *every* legal action against Google makes its way through Google’s legal team?
    And are you saying that the legal team decides what Google will do?

    That’s bullshit.

    If a US authority really wants something from Google, they’ll get it. They won’t deal with Google’s legal team. All the transparency reports are a kind of distraction.

    Haven’t you heard about the non-public FISA courts? When Eric Schmidt or Marc Zuckerberg said they didn’t know that the NSA are reading their data I trust them. Not because they are trustworthy, but do you really believe NSA & Co. are going the official way? I mean they believe they have to protect your country… they see enemies everywhere. So they should involve as few people as possible.

    Let 2+ agents ‘catch’ a sysadmin. Bring him somewhere… show her the FISA court and ask if she is willing to help the authority to fight against public enemies. What do you think will happen? :)

    Come on, wake up. You cannot trust any US company anymore.

  4. tz says:

    Do you really believe that Google (and Apple, Microsoft, Yahoo and the rest) haven’t received something like national security letters and have not fought them and that the FBI, NSA and who knows who else has their SSL private keys?

    Lavabit was private so could pull the plug. These others have boards and shareholders and work closely with and cooperate with the government.

    • Dan Wallach says:

      We don’t know enough about what’s happened with Google and other large services like them. We know they wanted to speak out in the wake of the Snowden revelations and weren’t allowed. This suggests they wanted to defend their records rather than allowing the public to unnecessarily dismiss them as untrustworthy.

      Google has demonstrably, at least once, gone to bat against an overbroad government request for it to produce a bunch of internal search data (http://www.nytimes.com/2006/01/20/technology/20google.html), and Google won where other vendors apparently capitulated immediately.

      If there were an NSL requiring Google to divulge its SSL master private keys, you’d never know whether there was an epic legal battle or an immediate capitulation. Instead, you have to read the tea leaves. One important tea leaf being that Google sped up its rollout of encryption between data centers (http://www.datacenterknowledge.com/archives/2013/09/09/google-boosts-encryption-between-data-centers/). All the tea leaves suggest that Google is trying to do the right thing for the bulk of its users while also having a formal process for dealing with legal requirements.

      • Nathan T. says:

        Dan what tea do you drink that your tea leaf reading “suggest[s] that Google is trying to do the right thing for the bulk of its users while also having a formal process for dealing with legal requirements?”

        Everything you have just said between your analysis of Lavabit and what has been going on with many other places such as Google suggests the opposite to me. It suggests that Google has actually been cowed into sending its users packing with a false sense of security in the wake of obvious government breach.

        What do we know from Snowden and others? A few facts to contemplate

        1. Lavabit was ordered by a court to give master keys to their encryption
        2. Lavabit was ordered by a court to give the court contents and metadata of e-mails (both live on the fly, and stored)
        3. NSA has actively sought master encryption keys; worked to weaken the making of such keys; and the introduction of other backdoors from many companies to many technologies (hardware and software).
        4. NSA had “rolling” general warrants for ALL cell phone records from ALL US cell phone providers for months on end.
        5. All of the above were secret until it was brought to light by a whistle-blower.

        6. As for the general phone warrants not one single person within the corporations targeted ever blew the whistle to what was obviously an unconstitutional “general warrant;” one that was not specific in nature; one that did not identify the items to be searched or seized or give probable cause as to what crime the phone records would be evidence of. One that by all accounts no one should have ever fulfilled; and the entire corporations should have been in court fighting them as well as faxing all those secret “court orders” to every media company in the world; but they did not. They happily complied with the demands of the government to turn over ALL phone records for EVERYONE of their customers including EVERYONE who their customers had contact with. And yet not a SINGLE whistle-blower stepped up.

        This tells me that the government can and does compel people within large corporations to act against their very customers. And they are so good at it that whoever it is that knows about these secret court orders never blows the whistle.

        This tells me that Google, which has identified that they have indeed been a target by the NSA and other government agencies to do all sorts of harm and “evil” to their users; even the “begging” the government to let them tell about what they have done, tells me plain as day 100% assured that they have also been so compelled to harm their users AND to keep it a secret.

        All the tea leaves I read show that Google and many other companies are one way or another colluding with the U.S. government to give the government any and all data that they want; which from the logical analysis would indeed include the high probability that Google has already given their SSL master private keys to the government and now are quickly rolling out their encryption so that the government has access to all the data; while the users believe they are still safe.

  5. BBald says:

    Hi, I am a student in an Ethics on Technology class and am required to reply to a blog post. This week I have chosen yours.

    I find it interesting that you finish your post by stating that congress needs to “establish some clear limits on government surveillance” when according to the 4th Amendment to the constitution they already have a pretty clear limit. I would say the problem lies more in the government staying within the bounds it already has and for the people (companies) to make sure the government stays in its bounds as well. However, I think another very important question is whether or not there is ever an ethical time or need for the government to, possibly secretly, step outside of its boundary when it comes to acquiring email or other data stored on the web about a person. To put it another way, for the sake of protecting the country is it right for the government to “monitor” a currently innocent citizen who is plotting or suspected of plotting an attack on the country?

    Thanks