I don't know what's scarier, the idea that the FBI doesn't realize both the scope of the access what they were demanding would provide and the bodyblow that the order would deliver to trust in SSL encryption, or that they do realize it and either don't care or actively seek these things. Just about every bit of encrypted traffic on the Internet is secured via SSL certificates, and there are a lot of governments with a lot of power and not a lot of trustworthiness out there, mine included of late.Wired wrote:The U.S. government in July obtained a search warrant demanding that Edward Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that protected all web traffic to the site, according to to newly unsealed documents.
The July 16 order came after Texas-based Lavabit refused to circumvent its own security systems to comply with earlier orders intended to monitor a particular Lavabit user’s metadata, defined as “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication.”
The name of the target is redacted from the unsealed records, but the offenses under investigation are listed as violations of the Espionage Act and theft of government property — the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court.
The records in the case, which is now being argued at the 4th U.S. Circuit Court of Appeals, were unsealed today by a federal judge in Alexandria, Virginia. They confirm much of what had been suspected about the conflict between the pro-privacy e-mail company and the federal government, which led to Lavabit voluntarily closing in August rather than compromise the security it promised users.
The filings show that Lavabit was served on June 28 with a so-called “pen register” order requiring it to record, and provide the government with, the e-mail “from” and “to” lines on every e-mail, as well as the IP address used to access the mailbox. Because they provide only metadata, pen register orders can be obtained without “probable cause” that the target has committed a crime.
In the standard language for such an order, it required Lavabit to provide all “technical assistance necessary to accomplish the installation and use of the pen/trap device”
A conventional e-mail provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.
Lavabit founder Ladar Levison balked at the demand, and the government filed a motion to compel Lavabit to comply. Lavabit told the feds that the user had “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information,” the government wrote.
“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.
U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.
By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”
A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”
With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau still trying only to capture metadata on one user.
Levison went to court to fight the demand on August 1, in a closed-door hearing before Claude M. Hilton, Senior U. S. District Court Judge for the Eastern District of Virginia.
“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”
Courtroom sketch of Claude Hilton in federal court in Alexandria, Va. in 2004. Image: AP/Dana Verkouteren
By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested.
“Anything done by Mr. Levison in terms of writing code or whatever, we have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28th,” prosecutor James Trump told the judge. “He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.”
“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”
“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”
“All right,” said Hilton. “Well, I think that’s reasonable.”
Hilton ruled for the government. “[The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that
information just as they could from any telephone company or any other e-mail source that could provide it easily,” said Hilton.
The judge also rejected Lavabit’s motion to unseal the record. “This is an ongoing criminal investigation, and there’s no leeway to disclose any information about it.”
In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.
The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote at the time. “After significant soul searching, I have decided to suspend operations.”
Lavabit has raised approximately $30,000 in an online fundraising drive to finance its appeal to the 4th Circuit. Today the appeals court extended the deadline for opening briefs to October 10.
The complete document set follows. (At linked article, not plain text. Also one hundred and fifty two pages, which would make this a very long quote box.)
To put this in perspective, the FBI demanded the keys to the kingdom, the ability to read every bit of private, encrypted main sent through a service dedicated to ensuring that does not happen, because they wanted access to one person's email metadata and were told to get bent. Is telling the FBI that a bad idea? Sure. But 'someone thinks we are assholes, and is willing to risk criminal prosecution to show us that in no uncertain terms' is not a justification for attempting to tear down trust in one of the fundamental systems that allows non-public communication via the Internet. They originally went after Edward Snowden's metadata, which for some obscure reason they do not need to even show probable cause to acquire a warrant. They then attempted to parley that into access to all metadata and content for all users of the service, not just Snowden. Scout's honor, though, they'd only go after the metadata, and only for Snowden.
The irony of the FBI acting in an astoundingly untrustworthy fashion in support of an attempt to suppress someone who exposed the fact that the NSA was acting in an astoundingly untrustworthy fashion tastes bitter at best.
