The appellant’s brief on behalf of Ladar Levison and Lavabit was filed yesterday (10/10/13) in the Fourth Circuit, seeking to clean up the mess left behind by the government’s sledgehammering the “secure” email provider into cooperation. It tells a shocking story of how the government sought to strong-arm Levison into giving up the Lavabit encryption key, what the brief calls the “private key” because it was the “master key” held only by Lavabit that enabled access to every account, every customer, every email, everything.
The government, of course, only wanted (or so it said) access to one customer, one account, which is redacted in the brief but bears a remarkable likeness to Edward Snowden. On his own, Levison sought to negotiate a deal with the feds, to give up Snowden by doing the decryption on his end and handing everything “Snowden” over.
The government wasn’t satisfied, as this denied them “real time” access to Snowden’s emails. They wanted it all, and they wanted it now. As for unfettered access, the government argued that it needed access to everything to make sure it obtained access to the one customer it wanted, because you can never be too thorough and Levison might not have given up everything he had of the target’s.
Levison tried another way around the order, printing out the encryption key, which took eleven pages at 4-point type. Tricky, but not tricky enough. While the government probably could have used this to do its dirty work, it would have required a couple hours of intense effort. Talk about contemptuousness.
So instead, they sought and obtained a contempt order for Levison’s failure to comply with three separate processes to obtain the desired private key: subpoena, pen register (trap and trace) order and a warrant under the Stored Communications Act.
To make matters worse for Levison, whose company existed to provide communications “secure” from the government, the order forbade him from informing his other customers of the government’s demands, or that their communications would be revealed. As for the targets of the government’s ire, Levison had already given their privacy away as he was ordered. The Lavabit TOS covered compliance with court orders.
The brief, whose primary author I’m told is Marcia Hofmann (though my info could be wrong), does two basic things. It attacks the nuts and bolts of the various government efforts to obtain the private key, arguing that it does not fall within the scope of things the government is entitled to by fiat.
The second is that it argues (in a surprisingly low key fashion and at the back end of the brief) that obtaining access to the information of Lavabit’s 400,000 customers to get the content of just one is wrong.
At Volokh Conspiracy, Orin Kerr parses the technical arguments made in the brief, and finds them lacking. As he notes, Lavabit has to prevail in all its technical arguments in order to survive contempt; if the government wins one, it wins. So, Orin begins with the weakest of the points, the attack on the subpoena:
Lavabit’s weakest argument is its claim that the government couldn’t just subpoena the key from Lavabit. Surprisingly, the brief spends less than two pages on this issue at the end of the brief. I think it’s the argument that Lavabit should be the most worried about, however. Here’s the problem. The government can subpoena pretty much anything before the grand jury unless the request is overly burdensome, abusive, or oppressive.
He then offers the counter, “Lavabit argues that it would be ‘abusive’ and ‘oppressive’ to effectuate that because it would make it impossible to offer an email service that the government cannot monitor,” which he promptly knocks down:
This strikes me as a really weak argument. Lavabit is essentially claiming that its anti-government business model trumps the subpoena power. That is, it is arguing that the subpoena is “oppressive” precisely because it would work: It would allow the government to conduct the surveillance it is allowed to conduct under the Pen Register statute. That’s a curious argument in light of the traditional understanding of the grand jury subpoena power:
Citizens generally are not constitutionally immune from grand jury subpoenas[,] and . . . the longstanding principle that the public has a right to every man’s evidence is particularly applicable to grand jury proceedings.
This isn’t really a fair characterization of Lavabit’s point. Initially, the argument is that revelation of the private key would be the ruination of the business. By exposing every customer to government disclosure, and covert disclosure at that, the government would take a viable business, making money and delivering a service as businesses are allowed to do in America, and destroy it. Poof, company gone. Business gone. Revenue gone. Wham, bam, thank you, Ladar.
Abusive and burdensome isn’t limited to too many pages and too much work. The ruination of a lawful and viable business is pretty darned abusive as well. The destruction of a business that took ten years to build is awfully burdensome.
Regardless of whether Lavabit’s business model is “anti-government,” which is also a troubling characterization unless one equates pro-privacy with being a government-hater, there remains a right to engage in lawful business pursuits without the government destroying them with a sheet of paper and only an attenuated excuse for why it’s oh-so-important to the government to get its bit of info.
But Lavabit argues that it’s like subpoenaing Coca-Cola’s secret formula. The analogy isn’t perfect, but analogies never seem to work great when using real world things to argue technological issues, a point I’ve tried to make about a thousand times already and a good reason for everybody to stop trying to use analogies.
Orin concludes that the failing of the argument is that Lavabit’s business model doesn’t trump the government’s subpoena power:
In light of that standard, I don’t know of any authority for the view that a private company can announce an ideology or business strategy and then say that a subpoena that interferes with that strategy is “abusive” or “oppressive.” The reference point for what is “oppressive” can’t be the personal ideology or the business model of the subpoena recipient. Any other rule would nullify the subpoena power that the Supreme Court has gone out of its way to protect.
This strikes me as a by-product of the mischaracterization of the Lavabit argument, that it’s merely a business model argument, when my read is that this is more a substantive due process argument, incorporating a plethora of rights ranging from search and seizure to the takings clause, particularity to overbreadth, all of which would be ripped to shreds because the government demanded its “evidence,” even when it wasn’t actually evidence in the first place. Unfortunately, my characterization of this point isn’t quite what the brief offers either, as it doesn’t go nearly as far and barely taps, no less pounds, at the point.
And why does anybody other than Ladar Levison (and 400,000 of his best former customers) care? Because this could happen to any business that you think is protecting your confidences, and you wouldn’t even know about it as the government leisurely rummages through every private communication you make, not because of anything you’ve ever done but because one customer is in its crosshairs.
There are many lessons to this pathetic tale, not the least of which is that it demonstrates the need for new law, rather than a rehash of real world law applied by whoever can come up with the analogy that strikes a judge’s fancy, to deal with issues that never existed before the digital world.
But it also teaches that all those happy entrepreneurs starting up internet businesses need to have both the will and the funding to protect the privacy of their customers from governmental attack. If you lack the guts or funds to fight, then you’re a fraud to claim to offer privacy. Excuses don’t protect anyone or anything, and nobody said you get to have a successful business built on excuses.
Finally, it’s a reminder that not everyone on the internet wishes to give up every bit of personal information to enjoy the shiny glory of the iWorld. The sad truth is that what the government doesn’t do to us, we do to ourselves and each other, and do it happily.
I often wonder about government lawyers who do all they can to undermine the Constitution. Do they not realize that the consequence of their actions is a less-free society for their children and grandchildren? Or do they think their assaults on our rights and freedoms somehow won’t affect them and their offspring? Or, maybe we have allowed our government to be infiltrated by totalitarians intent on the destruction of our society as we know it? Somehow, I’m inclined to believe the latter…
The government lawyer’s usual justifications are: myopic short term gain for themselves and, in a broader sense, if you have done nothing wrong you have nothing to worry about (unless I should decide I don’t like you, in which case I will accuse you of having done something wrong).
It looks to me that there should be some self-destruct mechanism for a system with such purposes as Lavabit’s. This could be told to prospective users. Users would understand what had happened if the system disappeared. Of course, this would have to be done in such a way that destruction of evidence wasn’t committed. The system would have to be designed to destroy itself upon certain circumstances. I suppose there’s an algorithm that could be done. Let the government arrest the algorithm.
That would be one approach. Of course, the destruction of evidence would have subjected Levison to prosecution, so while it might have saved his customers from exposure, it really wouldn’t have been a great solution for him.
What I’m getting at is that the system destroys itself if certain circumstances arise. Lavabit has nothing to do with this beyond incorporating this into his business model at the beginning. It’s as if, let’s say, state security comes to your house to get some evidence in the refrigerator. They open the refrigerator, only to find what they were looking for has decomposed not because of any actions you took, but because of circumstances that have come about. The decomposition was out of your hands–it was in the hands of–caused by–actions taken (circumstances created) by state security.
Whether that will suffice to beat the prosecution is a question. That it would result in prosecution is pretty much a certainty.
I think what HB was suggesting was to have an automated program set up to automatically delete data if the system became compromised. Thus, any evidence destroyed would not have been destroyed intentionally or knowingly, but rather automatically. Such a program would have been set up before knowledge of any subpoena (or whatever process is used to compel the information) is ever obtained and be so integral to the system as to be impossible to disarm.
Probably similar in idea to the “doomsday device” from “Dr. Strangelove” (and I would love to link to that scene, but… rules).
I understood that. Building in a doomsday program, even in advance of a request, to destroy evidence if and when sought is like begging for prison. I realize its allure, but it’s just not as good an idea as it may seem.
As a general rule, Kubrick is not the best source for legal ideas.
I agree. Practically speaking I don’t know that such a thing could even be done such that it couldn’t be “disarmed.” I also wrote that before the other replies had posted.
It would also be pretty bad advice to give a client looking to make a secure system. But, it is an interesting thought experiment. Which means I’m sure a law professor somewhere has already written a law review article about it that no one has read.
Or the lawprof could combine it with a Harry Potter law rev article (always popular) and leave the technical details to the Ministry of Magic.
“Doomsday machine” or mechanism is a relevant metaphor, though limited I think. Going further with my thoughts, what comes to mind is something like a Fifth Amendment response. One is not obliged to tender to the government evidence possibly incriminating oneself. One has the right to remain silent. I see no reason why such silence would not extend to conversation and communications one had online. In using a subpoena re: Lavabit, the government acknowledges it seeks evidence, otherwise there is no justification for the action. I understand at this preliminary stage, the government is apparently seeking evidence of evidence. In any event, an individual under investigation at any stage or in any form has a Fifth Amendment right, is my understanding. Thus, in my argument, one would be able to deny the government knowledge of one’s online conversation and communication in more or less the same way one has the right to remain silent. With all of this state security snooping, I’m also seeing some disregard of the right of assembly and association. For example, to my mind, in its prosecution/persecution of Lavabit, state security is unwarrantedly suspicious of a set of individuals and their collective online activity, thus flagrantly disregarding their right of assembly and association.
Your understanding of the 5th is way off. Levison had no privilege here whatsoever. He was not the target and turning over the key would not have incriminated him under any circumstances. Nor is there any association issue. They had a target. His name was Snowden redacted. There is no issue.
Do you really think one redacted person was their *only* target? Call me paranoid, but can’t you imagine there were many other accounts that they’d have loved to keep secretly sniffing, at least until they found something, anything, to hang ’em?
Think of this as the electronic equivalent of stop & frisk. “Hands on the wall, Punk, if you have an account here, you must be guilty of something……. we’ll decide what later….”
You’re paranoid. Sorry, had to do that.
You may be right, and I have no doubt that rummaging through the other customers’ emails wasn’t exactly an unpleasant side effect, but to speculate the way you do based on no evidence is nothing more than speculation. That doesn’t make it wrong, but doesn’t make it right either.
I think the big thing here is lessons for competitors and those who’d enter the field to replace Lavabit. First have a good privacy attorney on speed dial, particularly one who is either an experienced trial lawyer, or knows his/her failings at trial and knows a good one to call and when to call them. Second, don’t use a master key for all accounts, but one for each account separately. From what I understand, the Lavabit issue does have some workarounds, but they tend to be complicated or expensive.
I hope Lavabit wins, but it sounds doubtful.
Two words: Offshore servers. Seriously, it’s a big problem and needs law to preserve privacy. Whether that will be forthcoming, either from the courts or congress, is another matter. Like you, it seems doubtful to me, but then let’s not sell secure email if it’s not secure, or only as secure as the owner’s will or pocketbook will allow.
Yes, off-shore servers came to my mind. But I wonder what off-shore will mean in this age of globalization and the wavering and possible implosion of the nation-state. We saw how easily the US intimidated Panama into hastily releasing the convicted war criminal Lacey when he was apprehended there. And we saw how readily France, Portugal, and other European countries hopped to do US bidding in bringing down the Bolivian president’s plane on the (mistaken) hunch that Snowden was aboard. I expect the privacy, security, and autonomy implied by “off-shore” now has or will soon have meaning only to accounts by the US and international financial elite.
Well for my own needs, I do PGP. But that requires the other party to also do PGP. Works fine if you’re doing work with European firms, less fine with potential clients.
If there’s one lesson to be learned about the digital world, it’s trust nothing and no one. There is always a weak link somewhere.
Truth. Even PGP is only as good as the end user security. Fortunately my type of work is not one that has the NSA or law enforcement interested unless something really odd happens.
According to the NSA’s internal documents, if something’s encrypted, they’re interested. They grab it, they keep it, and they try to decrypt it.
I’m thinking of running a bunch of lolcat pics through PGP and uploading them to Dropbox, with file names like jihadnuke or dieforallah. It should give them something fun to do. And who doesn’t like kitteh pics?
That would be a real knee slapper, especially after about the third or fourth day of interrogation.
You don’t think it would be pleasant to have a conversation with someone who clearly reveres the Constitution?
Or reveres lolcats?
They don’t need more laws. They need people with more backbone.
The correct response to the first govt agent to show up should have been:
“Sorry but absent a warrant signed by a real court. Get off my property.”
Then call up the media and inform them of what the govt just tried to pull. Then destroy the servers.
SHG, as for your criminal stupidity that he was not the target therefore he does not deserve 5th Amendment protection. Sorry, you’re full of shit. He was the one handed the papers. His business was the one they destroyed. Sorry, that gives him all the damn standing in the universe.
As any normal (non-lawyer) American would agree.
Since your comment doesn’t include your usual insanity involving shooting cops, but actually says something that warrants a response, I’ve allowed it to post.
The 5th Amendment prohibits the government from compelling a person to give testimony against himself. Not against others, but himself. Legal words and concepts do not mean whatever “any normal (non-lawyer) American” thinks they mean, but what the law says they mean. People don’t get to make this stuff up, no matter how entitled they think they are to do so. This gets a lot of “normal (non-lawyer) Americans” into a lot of trouble. You have no right to make stuff up. You have no right to believe whatever you want to believe.
There is no virtue in ignorance. It doesn’t make you a bad person to be stupid, but it may well land you in prison. If you don’t want to be there, try not to be stupid rather than insist on your right to be stupid. Just because you decide, somewhere in the dark and ugly regions of your mind, that something should be so does not make it so.