Kafka, meet Orwell: Lavabit's founder explains why he shut down his company

Writing in the Guardian, Lavabit founder Ladar Levison recounts the events that led to his decision to shutter his company in August 2013. Lavabit provided secure, private email for over 400,000 people, including Edward Snowden, and the legal process by which the FBI sought to spy on its users is a terrifying mix of Orwell -- wanting to snoop on all 400,000 -- and Kafka -- not allowing Levison legal representation and prohibiting him from discussing the issue with anyone who might help him navigate the appropriate law.

Levison discloses more than I've yet seen about the nature of the feds' demands, but more important are the disclosures about the legal shenanigans he was subjected to. In fact, his description of the legal process is a kind of bas relief of the kind of legal services that those of us fighting the excesses of the global war on terror might need: a list of attorneys who are qualified to represent future Lavabits; warrant canaries for the services we rely upon; and, of course, substantive reform to the judicial processes laid out in the Patriot Act.


How NSA-proof is your VPN?

In an excellent Torrentfreak feature, representatives from several prominent privacy-oriented VPN providers explain whether, and to what extent, their services are safe from NSA spying. They cover the state of crypto, the structure of their companies, and the jurisdictional and legal questions they've resolved since the news broke that Lavabit shut down because it was ordered to redesign its service to make snooping possible.


VPN company shuts down after Lavabit case demonstrates threat of state-ordered, secret self-sabotage

Cryptoseal has shut down Cryptoseal Privacy, a VPN product advertised as a privacy tool, citing the action against Lavabit, the privacy-oriented email provider used by Edward Snowden. Court documents released in the wake of Lavabit's shut-down showed that the US government believes that it has the power to order service providers to redesign their systems to make it possible to spy on users. Cryptoseal had been operating under the assumption that since it had no way of spying on its users, it was immune to wiretap orders, and the revelation that they may be forced to break their system's security was enough to put them off altogether. Like Lavabit, Cryptoseal was unwilling to advertise a service that was immune from snooping if they might someday be forced to secretly redesign their systems to make snooping possible.


Why email services should be court-order resistant

With admirable clarity and brevity, Princeton's Ed Felten explains why Lavabit's owner was right to design his email service to be resistant to court orders. The whole piece is good and important, but here's the takeaway: "At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel. From a purely technological standpoint, these two scenarios are exactly the same."

As Felten goes on to point out, insider attacks are brutal -- just look at what happened to the NSA when insider Edward Snowden decided to go after it.


Lavabit files opening brief in important online privacy case

Kevin Poulsen, Wired News: "Secure email provider Lavabit just filed the opening brief in its appeal of a court order demanding it turn over the private SSL keys that protected all web traffic to the site."

'How Lavabit Melted Down'

There's an excellent tick-tock of the Lavabit saga in the New Yorker, by Michael Phillips and Matt Buchanan. Lavabit founder Ladar Levison says he believes even if he hadn’t hosted an email account for Edward Snowden, "Lavabit would eventually have found itself in the position that it’s in now because it 'constitutes a gap' in the government’s intelligence." And that should worry all of us. Read: How Lavabit Melted Down : The New Yorker.

Silk Road prosecution: how does the US criminal justice system actually work?


Popehat's Ken White (a former federal prosecutor) uses the arrest of alleged Silk Road founder Ross "Dread Pirate Roberts" Ulbricht to explain how the criminal justice system works, including the difference between a grand jury indictment and a criminal charge, and how to understand sentencing guidelines and "maximum possible sentences." It's a great way to use current events to deepen your understanding of important, complicated systems.

If you enjoy that, you should also check out Ed Felten's post that contrasts the Silk Road story with the shutdown of Lavabit to explore how crypto does -- and doesn't -- change the criminal justice system.


Unsealed Lavabit docs show that Feds demanded SSL keys


Lavabit founder Ladar Levison speaking at the 2013 Liberty Political Action Conference (LPAC) in Chantilly, Virginia. Photo: Gage Skidmore.


Edward Snowden. Photo: The Guardian/Reuters.

Ever since Lavabit, the privacy-oriented email provider used by whistleblower Edward Snowden, shut down abruptly in August, we've been wondering what, exactly, the Feds had demanded of founder Ladar Levison. As he wrote in his cryptic note, he felt that he was facing an order that would make him "complicit in crimes against the American people" but he was legally unable to say more.

But now, thanks to unsealed records, we're able to get some insight into what the NSA and the Feds demanded of Lavabit (and, presumably, of other companies that have not shut down): first they asked him to decrypt the communications of one of their customers (almost certainly Edward Snowden). When they were told that this wasn't technically possible, they demanded that the system be modified to make it possible, and when Lavabit balked, they got a court order requiring that Lavabit turn over its SSL keys, compromising all of the company's users' communications. Funnily enough, Levison "complied" with this court order by turning over the keys as 11 pages of 4-point type, but the court didn't go for that.


Schneier on NSA intimidation, and the expanding surveillance state

Internet security expert Bruce Schneier writes about Lavabit founder Ladar Levison's "extreme moral act in the face of government pressure," in closing the security-focused email service rather than complying with a US government order to share user data. "It's what happened next that is the most chilling. The government threatened him with arrest, arguing that shutting down this e-mail service was a violation of the order."

How, technically, might the US have snooped on Lavabit?

Ars Technica interviews Ladar Levison, founder of the recently-shuttered secure-er email service. They focus on the logistics and architecture of fed snooping. Levison: "I don't know if I'm off my rocker, but 10 years ago, I think it would have been unheard of for the government to demand source code or to make a change to your source code or to demand your SSL key. What I've learned recently makes me think that's not as crazy an assumption as I thought."

Lavabit's owner threatened with arrest for shutting down rather than spying on customers


NBC reports that senior US Attorney James Trump sent Lavabit founder Ladar Levison and his lawyer a veiled arrest threat when Levison shut down his private email service (used by NSA leaker Edward Snowden) rather than comply with a secret order to spy on his customers. Nothing more can be said definitively, because the order to Levison came with a gag order prohibiting Levison from discussing it. Everyone is pretty sure that Levison was served with a National Security Letter.

This gives additional context to the decision of Lavabit competitor Silent Circle to pre-emptively shut down its own private email service as well, in advance of any sort of court order. If a secret court can issue a secret order requiring you to spy on your customers, and if shutting down the service will land you in jail, then simply not operating the kind of service that spooks find snoopworthy is the only option.
