Update on Lavabit
I’ve been trying to keep an eye on the public information about the government’s demand on Lavabit. And in a new interview with Ars Technica, Ladar Levison basically gives us a multiple choice guess on what the request was: either altering the source code or turning over the private key securing his HTTPS certificate.
Levison said he has always known Lavabit safeguards could be bypassed if government agents took drastic measures, or as he put it, “if the government was willing to sacrifice the privacy of many to conduct surveillance on the few.” For instance, if he was forced to change the code used when a user logs in, his system could capture the plain-text password needed to decrypt stored e-mails. Similarly, if he was ever forced to turn over the private encryption key securing his site’s HTTPS certificate, government agents tapping a connection could observe the password as a user was entering it. But it was only in the past few weeks that he became convinced those risks were realistic.
“I don’t know if I’m off my rocker, but 10 years ago, I think it would have been unheard of for the government to demand source code or to make a change to your source code or to demand your SSL key,” Levison told Ars. “What I’ve learned recently makes me think that’s not as crazy an assumption as I thought.”
I and others have suggested this (whichever of these options this demand took) is basically CALEA II — FBI’s repeated demands that it have a back door into anything — before its time.
But Congress has not yet authorized CALEA II. So why did the (presumably) FISA Court approve this demand?
Refresh my memory, what’s CALEA II? I can’t keep all these acronyms and program names straight! :)
The FISA Court isn’t an advocacy proceeding. So, if the government comes in and says: “we need this encryption key” and presents the long line of precedents that require people to turn over their keys, I’m betting this is a slam dunk, because there’s no one there to point out that this is qualitatively different than decrypting an individual’s hard drive.
[CALEA – Communications Assistance for Law Enforcement Act.]
@Saul Tannenbaum: Agreed, keep in mind also that the FISA court has already accepted that “relevant to” applies to all communications. Thus in the ex-parte proceedings all the government has to do is argue that someone, anyone, on Lavabit could use it to do naughty things and therefore all of it must be open logic which applies to all communications. As an added bonus they can claim that since Snowden was using it then this is relevant to their communications with him.
This line of logic has a long history. Before CALEA II we had CALEA I and before that the Clipper Chip Proposal. In this case the argument has not changed rather the government changed the forum so that the argument would now fly.
@C: And before the Clipper Chip, we had “encryption is a munition that needs to be controlled as carefully as nuclear technology.” I still remember the t-shirts people wore with encryption source code and the label “this t-shirt is a munition”.
Uggh. After reading that, I had to recheck my reading of a previous bmaz tweet. What I initially thought I had read was:
…but the “h” had really just been in my imagination.
Time for a drink.
FISA is for foreign intelligence, has no conceivable authority over FBI. Reason no. umpteen why NSA is a red herring and what you should be paranoid about is closer to home.
The FBI is responsible for counterintelligence within the United States, and has plenty to do with FISA and NSA.
If you had bothered to read any of the FISC opinions that were released in the last week or so, you would have discovered FBI is indeed under the jurisdiction of the secret court. Included in the FISC rulings are mentions of FBI minimization procedures when dealing with NSA material, and when material can be shared with other agencies and entities by FBI.
Given the revelation that Microsoft got into bed with the NSA to give it a (presumably unencrypted) window into MS’s Skype service, and now this, that has to raise the question of whether Silent Circle’s action after the Lavabit closure (ie dumping its own encrypted email service) will suffice to keep the NSA at bay and Silent Circle’s other encrypted services secure. Those services might not be storing anything on Silent Circle’s own servers for the NSA to seize, but that would hardly matter if the NSA were (say) to tap into Silent Circle’s routers with the Internet equivalent of a beam splitter which diverted Silent Circle’s data streams into NSA archives for later decryption and analysis.
Having had some time to reflect and remember how viscerally elements of the US government hated encryption, I have a second possible answer to Marcy’s question about how this got through the FISA Court:
Having already approved the acquisition of the Google/Microsoft/Yahoo/etc keys, Lavabit was no big deal.
I really hate thinking this way. But the people who thought encryption was the equivalent of nuclear weapons are likely still making policy and they wouldn’t blink at this.
Clipper?! Nobody took that pink elephant even slightly seriously.
Ironic that Marty Hellman was my adviser back in the day. Nonetheless, I went Galt over the first CALEA data access directive. Kinda took the fun out of IT. OK, blame Clinton if you must.
Let’s see, CALEA VI should be a field readable implant…right? With the right genetic coding, some lucky virus could be beefed up and instrumented for remote access via government mind-er stations!
Except for a few exceptional websites (lookin’ at the Mopes in the wheelhouse), today’s digital ventures suffer much less from hard-science limitations than from public policy psychobabble. Well, I always enjoyed free-for-all mode best…
Chaos/Causal Entropy ’16 scores my vote… Sweet!
For Lavabit, there is one reason that I can think of. There is the claim that there was an email from [email protected]. That could have triggered the attempt to force Lavabit to create a backdoor for surveillance of any information to/from Snowden and journalists and just for convenience any other folks using Lavabit.
Agree with Saul Tannenbaum that Yahoo, Google FISA Court precedents made it almost automatic from the FISA Court.
@Clark Hilldale: One of the purposes of the PATRIOT Act was to join NSA and FBI at the hip. FBI requests orders of the FISA Court that are delivered directly to NSA. FBI then can look at NSA’s data for its own searches.
Yes, Marcy and many of us have been suggesting this.
I’d also like to suggest that people understand the camera that is installed in your computer and cell phones is all theirs too.
Earlier today, Marcy had a great catch on an ACLU document. It proves that what they have been doing is not only ILLEGAL, but that they continue to lie about it.
@TarheelDem: Let me be clear: I have no idea whether there’s a precedent for Google/Microsoft/Yahoo turning over their keys. But I’m increasingly concerned that there is.
No camera on my computer, and my cell phone is in a sock, generally off, and usually low on battery.
@Saul Tannenbaum: But, of course, it would be too sensitive for the citizenry to be apprised of it. Why, they might object. They might vote with their feet, seeking service providers less willing to cooperate so fully with the surveillance state. That might affect the share prices of cooperative providers, which would affect senior executive bonuses, and then we would hear corporations scream about an overreaching government.
@P J Evans: LOL! Good for you!
@Saul Tannenbaum: Ahh yes, that does take me back. Funny isn’t it how the FBI’s proposal to allow widespread use of encryption still treated it like a weapon with the goal of full registration. Perhaps if it was a munition the NRA would act to defend it too.
Considering whether an SCA violation caused the IC to go to computer generated court order to hold communications as they were generated since per a recent slate.com article, SCA warrantless court orders only can be used on existing communications, not prospective ones.