In considering this, remember that the record might sometimes be deficient in ways that the court of appeals cannot identify on its own. And it seems likely that inadequate development will cause courts of appeals to things wrong as often as it permits them to get things right despite the procedural "technicality."
(And vice versa, of course.)
Pages 8-12 of this decision convey a narrative about Levison's handling of the FBI requests. In particular, they detail an escalation that Levison himself provoked:
* The DOJ reached out demanding metadata regarding (presumably, and let's just stipulate) Snowden's use of Lavabit.
* Levison rejected the request, on the auspices that Snowden had enabled the "storage encryption" feature of Lavabit.
Here it's worth knowing that Levison had previously complied with similarly narrow requests.
* Levison confirmed to the DOJ that he had the ability to circumvent the storage encryption.
* The DOJ responded to that concession by doing exactly what anyone would have expected them to do: they escalated their demand to include the decrypted Snowden data.
* The DOJ spent eleven days trying to meet with Levison, who stonewalled them; Levison "ignored the FBI’s repeated requests to confer".
* Only upon being threatened with a contempt citation did Levison actually enter a productive discussion with the DOJ.
* Four days after being threatened with contempt, Levison presented the DOJ with a proposal to charge the DOJ $2000 to design and implement his own pen/trap system which would provide data to the DOJ only at the conclusion of the order's time window, with timely updates being provided only at Levison's discretion and only with an additional charge attached.
* Only after this sequence of events does DOJ demand the TLS keys that would have compromised all Lavabit users activities.
Levison's attorneys and the DOJ litigated the question of whether the pen/trap order required him to cough up his TLS keys. But that only happened after Levison did his best to deter the DOJ from collecting information about Snowden. As evidence for this: the DOJ eventually did install a pen/trap device of some sort, without the TLS keys, and attempted to use it to collect evidence. Had Levison complied with the DOJ productively from the beginning, he probably could have worked with them to produce the information they required without compromising the rest of his users.
I already had a problem with Lavabit as an inept and dangerous privacy solution (you can obviously see that it was; Levison was trivially able to subvert the privacy of all of his users, and was eventually forced to do so).
But almost as bad as that is his handling of the legal situation here. Read the language of the decision carefully and you'll see that had Levison simply began this process with his proposal, minus the time lag problem, but perhaps even including the price tag, he might have had that solution accepted! Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.
Later: Also, bad facts make bad law. Great to see that we now have more case law establishing that pen/trap orders demand TLS keys.
1) Compromise the presumed privacy of any parties in addition to the target, much less every one of a businesse's clientele. (If you have a search warrant for a apartment, do you get to search all the apartments in the building? No, unreasonable search and seizure on the face of it.)
2) Cause material damages as to completely destroy the core business of an unrelated and presumed innocent business owner. Albeit asshole.
The government argued successfully that the warrant was “very narrow, specific”, but while that may be true in intent it is not true in effect. If in order to tap one suspected criminal it is necessary to undermine the right to privacy of one or more innocent bystanders (much less many) law enforcement and the court's hands must necessarily be tied.
That a citizen would be resistant to this seems reasonable. So what is left should only be a question as to how much being an asshole to the FBI constitutes contempt of court.
You emphasized eleven days as if it is some astronomical figure. In normal court proceedings, the simplest act like scheduling a deposition for questioning a witness takes months.
In the real world, people just aren't sitting around doing nothing waiting for a subpoena from the FBI to come in. Sometimes they're in the middle of a big push for a project, sometimes they're shoring up security for the latest 0-day exploit, sometimes they're in Tahiti sipping drinks on a beach for two weeks without access to email or a phone.
Sure, time sensitive criminal cases would be great if it went faster but eleven days is not out of line by any stretch.
However, I worry about what losing this case means in the grand scheme of things. DoJ's argument was that they should be able to get the key to decrypt all e-mails for all of Lavabit's users, and the Court says that's fine because the government "wouldn't" use the key for anything other than the "target" - which seems like a ridiculous and incredibly reckless argument post-Snowden.
Would Google just hand over the key to all of their Gmail users? Let's imagine they weren't using PFS - or let's imagine they were asking Microsoft for the Outlook key, instead.
No, Google would comply with the narrow, specific warrant the first time. Again, it bears repeating that the only reason DoJ asked for the master key in the first place is because Levison refused to comply with the narrow requests. If Levison wouldn't do it, then the government would figure it out on their own, but the only reason this situation even came up is because Levison wouldn't do it.
Not complying with a narrow and specified warrant is highly hypocritical, especially in this case since Snowden's initial claims were entirely about wanting the NSA to have to have specific warrants for their searches instead of using broad search authorities. But when push came to shove and the government presented a narrow and specific warrant, of a type Levison had previously honored, all of a sudden that was no longer good enough for this particular privacy advocate.
Google wouldn't hand over the key to all of their Gmail users — they would offer a better option, which Levison did not.
She was never a coder though, and so her expertise on tech was limited to what was explained to her. I don't think Levison was making his claims about all emails everywhere being read by the goons at Minitrue in order to scare PJ in particular, but that was the net effect.
Can you explain?
I may be wrong, but my misunderstanding is that Groklaw shut down because there is no way of knowing whether or not the privacy has been compromised.
In other words, this incident revealed information that was already true; Groklaw shut down in the light of the new knowledge, but not because the previously-private communication was suddenly vulnerable.
If they can argue something like a copyright banner in a ROM is "a mere instrumentality", there's no reason the defense side shouldn't be able to argue giving calling information to a cell provider, or mail headers to a mail server, aren't essentially the same instrumentalities.
(I've talked to lawyers who agree, but they all also agree this ship has sailed for many decades.)
That said, yes, he's both technically and legally incompetent. It's sad, and has made bad law for everyone else.
On the other hand, mail headers and other such meta are frequently necessary to provide the service. The very act of using email requires giving one or more headers to one or more third-party email providers; the very act of making a phone call requires giving phone number information to one or more phone service providers.
The problem of a company providing a privacy service being a SPOF necessitates a more distributed approach that can "route around" attempts to shut it down. Any current or future entrant in privacy app space needs to also consider that one of several lessons to avoid the same fate as Lavabit.
For now, even with GPG are there any good/cheap email services that just don't log anything, don't append IPs or correct time headers and are outside US jurisdiction? (Friend's server in Thailand doesn't count... More than one box plz)
Why does every landmark case involving online privacy have to involve incompetent, unsavory, or sometimes even downright despicable people (e.g. child pornographers) on the defense side?
In order to force the legal system to take a serious look at the core issues (whether the Feds can compel a company to produce its SSL private keys, whether they can compel a man to produce the password to his TrueCrypt drive, etc.) instead of getting distracted by all sorts of procedural bullshit, the case needs to have a competent defendant and even more competent counsel who make no serious mistakes throughout the course of the trial. That's the only way we're going to get a clear, decisive precedent, because otherwise the procedural blunders will dominate the legal result.
Levison's failure to contact the EFF or ACLU the moment he received the first pen/trap order has led us all to waste a lot of time and resources litigating mostly peripheral issues, and probably caused a lot more hardship for Levison himself than he ever needed to get into. Meanwhile, we still don't have a clear idea of what the U.S. legal system thinks about forcing the disclosure of SSL private keys.
Of course, hindsight is 20/20, so maybe there are adequate explanations for why he thought it was a good idea to wave a middle finger in the face of the DOJ.
But in the grand scheme of things in the battle for internet freedom, I think we just missed a golden opportunity to get the courts to tackle some serious constitutional issues. Just like in all those other contempt cases where TrueCrypt drive in question obvious contained CP, or all those other surveillance cases where the defendant was a heavy uploader. Assholes, pirates, and child pornographers have rights, of course, but they usually don't make effective crusaders.
This made my day.
But this is the story of a guy without good legal representation pissing off the judge and setting bad precedent that could affect all of us.
"[I object] to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic."
... into "anything remotely close to a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute"
As a lay person, it sounds like the court wasn't trying very hard.
"A party does not go far enough by raising a non-specific objection or claim"
That he didn't cite the chapter and verse which this contradicts seems like an situation where he needed a real defense lawyer.
