Forgot your password?
typodupeerror
Security Communications Encryption Government Privacy The Courts

Ed Felten: Why Email Services Should Be Court-Order Resistant 183

Posted by Soulskill
from the it's-not-a-bug-it's-a-feature dept.
Jah-Wren Ryel sends this excerpt from Ed Felten at Freedom to Tinker: "Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access? The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack. To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel. From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company."
This discussion has been archived. No new comments can be posted.

Ed Felten: Why Email Services Should Be Court-Order Resistant

Comments Filter:
  • by Anonymous Coward on Wednesday October 16, 2013 @02:11AM (#45140315)

    So a court case that was created as a knee-jerk response to Snowden is arguing that organizations shouldn't take steps to prevent leaks like Snowden .....

    • by tchdab1 (164848) on Wednesday October 16, 2013 @02:21AM (#45140331) Homepage

      Or, put another way, the court cannot perceive how it is the same as an extortion ring.

      • by MrKaos (858439) on Wednesday October 16, 2013 @02:27AM (#45140355) Journal

        Or, put another way, the court cannot perceive how it is the same as an extortion ring.

        No, the court hasn't perceived it from the perspective of a citizen issue where the motivations are to commit a criminal act, such as fraud against citizens. They are currently blind to unlawful uses of what they consider to be legitimate access rights. The court has to be educated as to why this is a bad thing (tm).

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          The courts need to be educated that if encryption is properly done it's like asking them to hand over the moon, You can order them to do it but that doesn't mean it's possible.
          Since encryption is legeal some things are beyond the court's grasp. That is the lesson that must be taught.

          • but they'll order to silently insert a backdoor/middleman access.

            this is why lava quit.

            so that system better be hosting and operating somewhere else than usa, china or number of other countries...

            • by Sun (104778) <shachar@shemesh.biz> on Wednesday October 16, 2013 @06:44AM (#45141217) Homepage

              Technically, the sequence was a little more complicated.

              They were ordered to insert a backdoor. They ignored the order. The government then asked to get the master key. At that point they consented to putting the backdoor in, but it was too late. When they were ordered to hand the master key, they quit.

              Shachar

              • by jkflying (2190798) on Wednesday October 16, 2013 @06:51AM (#45141249)

                Feds asked without a court-sanctioned warrant to insert a backdoor. When LavaBit didn't respond, Feds got a warrant, but this time to hand over the SSL private key. That''s when LavaBit decided that it was useless trying to fight, and quit instead.

                • by Anonymous Coward on Wednesday October 16, 2013 @10:36AM (#45142959)

                  Feds asked without a court-sanctioned warrant to insert a backdoor. When LavaBit didn't respond, Feds got a warrant, but this time to hand over the SSL private key. That''s when LavaBit decided that it was useless trying to fight, and quit instead.

                  and this is why the Lavabit Design was inferior. They held a Master Key to all of their users encryption, thus any government/employee could access what you considered private. The main point is that Lavabit held the Private Keys that could decrypt any/all messages sent through their system and this is what People need to scream about due to the security violations it created by design. A better use of the Defective by Design tag

                  One thing that folks haven't thought of though I doubt the Feds haven't missed is both the potential SarBox and Insider Trading issues. By Lavabit having a private key that could decrypt everything, they had the potential to scan any corporate mail for confidential information that could/would affect the share price - thus the insider trading issue. The SarBox issue comes from the same ability to decrypt information at will as it gave employees the oppurtunity to sell information that allowed a competitor an advantage, thus decreasing profits and they could be tied up in court for the rest of their lives while the sharks go through discovery.

                  Anyone that used Lavabit for any reason had better consider this as any and all information that was exchanged using their service will be decrypted and read by the Courts, Lawyers and everyone else. In other words, all Lavabit users are "Screwed, Blued and Tattooed".

                  Fast Turtle

                  • by jkflying (2190798)

                    Wrong. The SSL private key just allowed the Feds to snoop on any traffic that passed through. The only way the Feds could access the emails was if somebody logged in and unencrypted their emails while the snooping was happening.

                  • by yacc143 (975862)

                    Go, get yourself some education.

                    They wanted the master SSL private key.

                    That would have allowed the Feds (or anyone that gets his hands on it), to do a Man-in-the-middle attack. Plus depending on the browser used and server, it would have allowed them to decrypt passively intercepted connections. (the reasoning for that is that depending on the configuration of SSL client/server, the symmetric key used for the connection is passed on the wire or not)

                    In near field that means SSL can be intercepted and decrypt

                • by whoever57 (658626)
                  Actually, Lavabit did hand over their private key. On paper. In the smallest font they could use.
        • It's not the court so much as legislators that need to be made aware of just how this is a bad thing. They actually write laws, while courts make them up as they go.

    • by Anonymous Coward on Wednesday October 16, 2013 @03:53AM (#45140603)

      That's self-consistent and consistent with the way lawyers and judges view the world. In their view, the rules of society aren't defined by the way the world is, but by the way the legislative wants them to be. In their view, upholding the rules is not the job of engineers. It's the job of the police, and justice is the job of lawyers and judges. Lawyers and judges have no problem with telling you that you're wrong to say that 3+2 equals 5 if the law says that it's wrong. By making a system which is resistant to court orders, you're making it impossible for them to uphold the law, and even if you do so to prevent a violation of the law (an illegal leaking of information), that's still wrong, because upholding the law is their job, not yours.

      • Unless it's a civil liability lawsuit, in which case exactly the same thing amounts to negligence.
      • by Golddess (1361003)

        By making a system which is resistant to court orders, you're making it impossible for them to uphold the law, and even if you do so to prevent a violation of the law (an illegal leaking of information), that's still wrong, because upholding the law is their job, not yours.

        1) The system is not resistant to court orders. It is resistant to the court going to the wrong party to get at the data.
        2) Restricting the ability of a 3rd party to access the data has nothing to do with upholding the law. At most, you could say it is about keeping the government honest, which is the job of everyone.

  • Good model (Score:5, Insightful)

    by gweihir (88907) on Wednesday October 16, 2013 @02:23AM (#45140341)

    This model describes the problem pretty well. Of course it can be extended: What if the judge or (given an over-broad wiretap order) the police is in league with the attacker, freely or by coercion? That is not unheard of either.

    • Re:Good model (Score:5, Insightful)

      by Jane Q. Public (1010737) on Wednesday October 16, 2013 @02:31AM (#45140367)
      Besides: the court has another, arguably "more American" avenue: it can order the defendant to turn over the information. (If, that is, it doesn't violate his 5th Amendment rights.)

      I never did buy this concept that just because you have a business deal with someone, the court could order THEM to turn over personal papers related to you. Seems to me, the same standard of getting a warrant should apply. Otherwise, the whole purpose of warrants is being subverted.

      Let the courts criticize. There's not a damned thing they can do. They have no legal authority to order people to make their websites police-friendly.
      • Re: (Score:3, Insightful)

        Um, a warrant is a court order. The investigators explain to the judges what they suspect, why they suspect it and what and where they need to look to get more evidence. The judge then issues the warrant. Legality of the source of the evidence used to obtain the warrant can be challenged in the future case and will affect the chain of admissibility.

        Warrants don't just apply to the defendant directly, and are issued on a one-sided basis to prevent destruction of evidence by the defendant.

        • by brainboyz (114458)

          You missed the court case news earlier this week.

        • Re:Good model (Score:5, Insightful)

          by Anonymous Coward on Wednesday October 16, 2013 @03:15AM (#45140499)

          But, as the story yesterday showed, only the company the warrant is issued against can challenge it, not the person they want to collect information about.

          So they may well violate your 5th amendmend rights, but the only ones who can do anything about it, is a company whose primary purpose is to minimize cost and maximize shareholder value. Not to protect your rights.

          So, adding 2 and 2 together, you don't have any rights.

          • by khallow (566160)

            So they may well violate your 5th amendmend rights

            I don't see it since the primary aspect of the Fifth Amendment is constraints on forcing self-incrimination. Evidence provided by other parties just doesn't qualify, even if it originally came from you, unless it requires you to register evidence of a crime (say a federal law requiring Facebook users to register with Facebook any illegal drug trades they conduct via Facebook). Maybe you're speaking of the Fourth Amendment which is about constraints on searches and seizures?

            • I don't see it since the primary aspect of the Fifth Amendment is constraints on forcing self-incrimination. Evidence provided by other parties just doesn't qualify, even if it originally came from you, unless it requires you to register evidence of a crime (say a federal law requiring Facebook users to register with Facebook any illegal drug trades they conduct via Facebook). Maybe you're speaking of the Fourth Amendment which is about constraints on searches and seizures?

              But I think you're both missing the point I was making. If I have a private business deal with someone else, and it requires a probable-cause warrant to get information about it from ME, why should it take any lower standard of evidence to get it from someone else? Where is the justification for that?

              Completely aside from the 5th Amendment, it appears to me to be a rather blatant attempt to get around the "probable cause" requirement.

              • But I think you're both missing the point I was making. If I have a private business deal with someone else, and it requires a probable-cause warrant to get information about it from ME, why should it take any lower standard of evidence to get it from someone else? Where is the justification for that?

                Completely aside from the 5th Amendment, it appears to me to be a rather blatant attempt to get around the "probable cause" requirement.

                There really isn't a lower standard that says you don't need a warrant to force disclosure. The prosecution can ask you to turn over information, if you refuse, they get a warrant. Voluntarily giving information doesn't require a warrant, no matter who does the giving. Now, we can question what is a minimal standard for "probable cause" and does the fact you used a particular email service constitute probable cause that you may have sent incriminating emails and thus warrant a judge issuing a warrant; but t

                • "There really isn't a lower standard that says you don't need a warrant to force disclosure... Voluntarily giving information doesn't require a warrant, no matter who does the giving. "

                  You make a good point. But it still seems to me to be an end-run around the warrant requirement, voluntary or not. What right does someone else have to disclose a private deal you made?

                  The argument tends to go: once you have made a deal with someone else, you have waived any "reasonable expectation of privacy". BUT, I disagree with that basic concept. If you have agreed to keep it private, you have waived nothing. In my opinion, therefore, "voluntarily" giving it to the authorities violates my privacy ri

                  • "There really isn't a lower standard that says you don't need a warrant to force disclosure... Voluntarily giving information doesn't require a warrant, no matter who does the giving. "

                    You make a good point. But it still seems to me to be an end-run around the warrant requirement, voluntary or not. What right does someone else have to disclose a private deal you made? The argument tends to go: once you have made a deal with someone else, you have waived any "reasonable expectation of privacy". BUT, I disagree with that basic concept. If you have agreed to keep it private, you have waived nothing. In my opinion, therefore, "voluntarily" giving it to the authorities violates my privacy rights in exactly the same way a warrantless search would. This DOES presume, however, that it was something you had agreed to keep private.

                    You make a good argument for maintain privacy when there is an explicit agreement to do so.

                    To me, the question is at what point does an individual's right to a fair trial or the public's interest trump such an agreement; and how should courts treat private information while still allowing it's use in court proceedings. It's a tough line to draw since you are weighing each set of rights against the other.

                    • "To me, the question is at what point does an individual's right to a fair trial or the public's interest trump such an agreement; and how should courts treat private information while still allowing it's use in court proceedings. It's a tough line to draw since you are weighing each set of rights against the other."

                      Agreed, but I would argue that this has already been weighed and decided, in favor of privacy, in the case of your personal effects. I'm simply saying that I feel the same argument should apply to your personal effects which happen to be in the possession of others. IF, that is, those others had agreed to keep them private.

                    • "To me, the question is at what point does an individual's right to a fair trial or the public's interest trump such an agreement; and how should courts treat private information while still allowing it's use in court proceedings. It's a tough line to draw since you are weighing each set of rights against the other."

                      Agreed, but I would argue that this has already been weighed and decided, in favor of privacy, in the case of your personal effects. I'm simply saying that I feel the same argument should apply to your personal effects which happen to be in the possession of others. IF, that is, those others had agreed to keep them private.

                      Sounds like we're pretty much in agreement here. The issue I see is do we treat tangible personal effects such as a letter, a journal, etc. differently from those which exist primarily electronically and as a result can be in many different locations at once; some of which may be third party locations that are not parties to the original privacy agreement. I would argue they should be treated the same with the same protections, but clearly there are those who argue otherwise.

                      In addition, since the argument

              • by Eskarel (565631)

                They can always ask, Lavabit refused, so they came back with a warrant.

                The problem in reality is that society has an interest in ensuring that criminals are caught and prosecuted. It also has an interest in ensuring that impacts to privacy are minimized. It's a fairly difficult balance to strike at the best of times, but encryption, as it stands anyway, is kind of an all or nothing deal.

                It's patently absurd to give the federal government the keys to the kingdom, but it's also patently absurd to say that cri

                • by zzsmirkzz (974536)

                  It's patently absurd to give the federal government the keys to the kingdom, but it's also patently absurd to say that criminals should get away with it because they used encryption.

                  Only one is patently absurd. In the US, the decision was made at the beginning when the legal/justice system was designed. It was designed on the basis that: "it is far better that 1000 criminals go free than one innocent be wrongfully imprisoned". That concept is the corner stone of our system and spirit of it. If every "difficult balance" were viewed through this lens it would be crystal clear than the intent was that "is is far better that 1000 criminals go free than violate the rights of one innocent".

                  • "Only one is patently absurd."

                    Agreed. Please see my own response above, in which I argue the same thing from a slightly different angle. The central principle is the same.

                  • by Eskarel (565631)

                    Except that it was never actually designed that way. It was designed to protect you from self incrimination, but that's not precisely what this is, nor is it looking like an issue of letting 1000 criminals go free rather than imprison one wrongly.

                    The issue we're facing at the moment is one where if we follow this to it's conclusion we are saying it's better to let every criminal go free than let one man's privacy be invaded because a legally enforceable warrant found nothing. The investigation of Snowden's

                • "I don't have an answer, but "nuh uh I used encryption" sure as hell ain't it."

                  Actually, yes it is.

                  You have a RIGHT to privacy, and to private and anonymous speech. (The Supreme Court ruled years ago that we do have this Constitutional right, because without it none of the other rights can exist. The logic is sound.)

                  Yes, society does have an interest in seeing that criminals are caught and prosecuted. BUT... the real, important question is: given that these two things are in conflict, which one shall trump the other?

                  Given that without privacy rights (as ruled by the Supreme C

          • by ATMAvatar (648864)
            There is a market solution to the above scenario. Stop doing business with companies who do not go to bat for their customers.
            • by yacc143 (975862)

              Well, you do not know that.

              Court orders seem to come nowadays quite often with a gag order.

              So basically, you only learn when the companies go bat and that somehow leaks (the gag order gets lifted).

              The other extreme is, you might get to know if they go and prosecute you.

              Now you've got a situation where the huge majority of events (guess in 99% range) is not observable, hence it's not an option to use these events to guide your
              behavior.

              For practical purposes, all companies (and especially big companies with s

        • Re:Good model (Score:5, Informative)

          by Jane Q. Public (1010737) on Wednesday October 16, 2013 @05:11AM (#45140867)

          "Um, a warrant is a court order. The investigators explain to the judges what they suspect, why they suspect it and what and where they need to look to get more evidence. The judge then issues the warrant. "

          You are nitpicking, and not even doing it well.

          While a warrant is technically a kind of court order, there are other kinds as well. What is commonly referred to as a "court order", a "search warrant", and a "subpoena". They are ALL court orders, but they differ in the standards of evidence that is required for each.

          What is commonly called a "court order" has a very low evidence threshold, or even none at all. You are "ordered" by the court to appear on a certain date. You are "ordered" by the court to pay reparations to someone you defrauded. Etc.

          A subpoena also has fairly low standard of evidence. You can be subpoenaed by courts for a number of reasons, and there are a great many situations in which a subpoena has no force or can be quashed.

          In order to issue a warrant, on the other hand, the court must be shown probable cause. This is a higher standard than either of the other examples above.

          However, a defendant's 5th Amendment rights override both warrants and subpoenas. No court in the nation has the authority to violate the 5th Amendment, for any reason.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        The Feds have justified warrentless wiretapping on the basis that an -mail is like a post card, that everyone can read. The courts have ruled that an e-mail stored on a server unencrypted in like a postcard, and thus is not entitled to consitutional privicay protections. A system set up to avoid leaving an unencrypted copy on the mail server requires no further justification than preserverving constitutional rights to privacy that exist in oridnary snail mail.

        • Exactly. The outside of the server itself can conceptually serve as the "envelope" beyond which the government may not go without a warrant.

          We need to remember that the concept of "intrusion" has nothing to do with the difficulty of gathering certain information. After all, opening an envelope is not difficult. It has to do with reasonable expectation of privacy, and an agreement with a carrier of email can reasonably be said to be such an expectation. It is the conceptual envelope the government must no
      • Re:Good model (Score:4, Informative)

        by pla (258480) on Wednesday October 16, 2013 @09:45AM (#45142471) Journal
        They have no legal authority to order people to make their websites police-friendly.

        You sure about that? [wikipedia.org]

        In fairness, CALEA requires backdoors from telecom firms, not independent website operators - Yet. But it already crossed that exact line, of requiring non-governmental entities to actively undermine their own best interests solely for the possible future convenience of the government.


        / Hand me my fiddle.
        • "You sure about that? ... CALEA ..."

          Remember that laws can be and have been overturned. The fact that a law exists does not automatically prove that the lawmakers had the legal authority to make it. Look at the Real ID Act, for example. 26 States have passed resolutions saying they will not comply, because it oversteps constitutional federal authority.

          This is called "state nullification", which is another way laws eventually get overturned. And despite lots of rhetoric to the contrary, usually from liberal-leaning media, it has a long and

    • by Yaur (1069446)
      One missing piece: Auditing. At the organisation that I'm writing software for (which handles fairly sensitive data) no one, not the NSA, not a drug cartel has the ability to access data without leaving a trace.
    • Extending the model (Score:4, Interesting)

      by davecb (6526) <davec-b@rogers.com> on Wednesday October 16, 2013 @09:23AM (#45142201) Homepage Journal

      Imagine that one wishes to prevent subversion by drug cartels but honour (or appeal) court orders. This is the problem that public libraries have dealt with since their creation. Someone always wants to know what person X has been reading, in hopes of using it against them....

      Library software is normally written to preserve privacy, and discard the record that "X has book Y" when the book is returned. It can be written this way because several of the countries where it is sold require privacy as part of their legal system. Purchasers in other countries get privacy as a side-effect.

      Countries prohibiting privacy would require a special version for a quite limited market, and the library software companies aren't motivated to deal with them: just doing an internationalization/localization to get into a small market is hard enough!

      When an individual library is served with a court order, they can honour it by doing a lookup once a day and writing X's new books down on a piece of paper. As this doesn't scale, and is also a credible cost, the willingness of courts to order it is reduced, and the damage to privacy is limited.

      Applying this to email, one wishes to keep routing data only until a message is delivered to the next host and we get a "250 OK" from SMTP. If a court wishes to collect that metadata, they can station an officer with a laptop at the ISP and gobble up the packets routed to/from him. This is onerous, and in Canada at least requires a "wiretap warrant", which the courts restrict more than ordinary search warrants.

      The person wishing to provide this kind of information to a drug cartel has the same hard task, and is also more likely to be detected by the ISP.

      To oversimplify, we're keeping far too much information about email: an author or vendor should take notice of the privacy laws of their preferred markets and discard debugging/diagnostic information at the end of a successful delivery. If they wish to cover themselves against customer complaints, they might send delivery notices that the customer can read or filter out at their convenience.

      --dave

    • Not really. The accepted way to track live data is installing a device that copies relevant data, which was requested of lavabit. A rogue employee would have a hard time sneaking that in, making it much easier for legitimate eavesdropping. That negates the whole argument for live capture.
      For static capture, encryption per person has always been more attractive than using sitewide keys, but leaving the user in charge of the keys is the only option for security minded users.
      Lavabit objected to the live captur

  • by OhANameWhatName (2688401) on Wednesday October 16, 2013 @02:30AM (#45140365)

    Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company

    The government won't generally kill you, just lock you up. The cartels won't generally lock you up, they just kill you. Not much difference really.

    • Yeah, I'd like to appeal my murder...

      • by Anonymous Coward on Wednesday October 16, 2013 @03:16AM (#45140501)

        Yeah, I'd like to appeal my murder...

        Yeah, lots of others would like to appeal theirs' too.

        http://en.wikipedia.org/wiki/Wrongful_execution#United_States [wikipedia.org]

        Cameron Todd Willingham was executed February, 2004, for murdering his three young children by arson at the family home in Corsicana, Texas. Nationally known fire investigator Gerald Hurst reviewed the case documents, including the trial transcriptions and an hour-long videotape of the aftermath of the fire scene and said in December 2004 that "There's nothing to suggest to any reasonable arson investigator that this was an arson fire. It was just a fire."[12] In 2010, the Innocence Project filed a lawsuit against the State of Texas, seeking a judgment of "official oppression".[13]

        Statistics likely understate the actual problem of wrongful convictions because once an execution has occurred there is often insufficient motivation and finance to keep a case open, and it becomes unlikely at that point that the miscarriage of justice will ever be exposed. In the case of Joseph Roger O'Dell III, executed in Virginia in 1997 for a rape and murder, a prosecuting attorney argued in court in 1998 that if posthumous DNA results exonerated O'Dell, "it would be shouted from the rooftops that ... Virginia executed an innocent man." The state prevailed, and the evidence was destroyed.[14]

        Johnny Garrett of Texas was executed February, 1992, for allegedly raping and murdering a nun. In March, 2004, cold-case DNA testing identified Leoncio Rueda as the rapist and murderer of another elderly victim killed four months prior.[15] Immediately following the nun's murder, prosecutors and police were certain the two cases were committed by the same assailant.[16] In both cases, black curly head hairs were found on the victims, linked to Rueda. Previously unidentified fingerprints in the nun's room were matched to Rueda. The flawed case is explored in a 2008 documentary The Last Word.

        Jesse Tafero was convicted of murder and executed via electric chair May, 1990, in the state of Florida for the murders of two Florida Highway Patrol officers. The conviction of a codefendant was overturned in 1992 after a recreation of the crime scene indicated a third person had committed the murders.[17]

        Carlos DeLuna was executed in Texas in December 1989. Subsequent investigations cast strong doubt upon DeLuna's guilt for the murder of which he had been convicted.[18][19]

        Thomas and Meeks Griffin were executed in 1915 for the murder of a man involved in an interracial affair two years previously but were pardoned 94 years after execution. It is thought that they were arrested and charged because they were not wealthy enough to hire competent legal counsel and get an acquittal.[20]

        Chipita Rodriguez was hanged in San Patricio County, Texas in 1863 for murdering a horse trader, and 122 years later, the Texas Legislature passed a resolution exonerating her.

        The list of wrongly jailed for life is too long to list.

        • by shentino (1139071)

          Wow.

          The fact that the state would be embarrassed was actually used as evidence to keep things hush hush?

          Not too far from getting hanged for insulting the king.

          I have a much better idea:

          Anyone knowingly provoking a false execution is guilty of murder. Gives an incentive to people not to botch a capital case, and as a face saving measure the state can shift the blame off of itself and retain its dignity.

          • by Sun (104778)

            The law already has this (IANAL). If you fudge evidence to support your case, and then ask and recveive the death penalty, you are already committing murder.

            The probelm isn't so much that a prosecutor would be breaking the law, as the fact that prosecutors are completely and utterly immune to any misconduct perfromed while performing their duty. It is all but impossible to even sue the DA office for damages, even if you prove your case.

            Shachar

    • by gweihir (88907)

      You must be unaware of what the US administration is currently doing with drones...

      • by Sarten-X (1102295)

        ...the same thing they've always done with raiding parties, spies, bombers, and strike fighters, but now they're doing it more accurately and with no risk to the pilots?

  • by 10101001 10101001 (732688) on Wednesday October 16, 2013 @02:50AM (#45140429) Journal

    Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data.

    What next? Complaining about hidden compartment in desks?

    They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?

    Oh, I don't know...because of "life, liberty, and the pursuit of happiness"? I don't know about you, Mr. Judge, but I personally don't want a court, court-ordered or not, snooping on my life--such inherently is a big way to disrupt my happiness. But, even if we forgo the DoI and move to the CotUS, it's "life, liberty, and property". Well, whether you view it as the user's property or Lavabit's property, they sure as fuck can do what they want with it. What part of any of that should be to make the court's job easier? Why would they seek to bend over backwards for any court?

    Of course, the big one is liberty. The biggest liberty of all is exploring the possibilities of math and the universe. And that heavily flows into attempts to make functionally unbreakable encryption resistant to even the US government. And is also flows from the point of just being a general asshole, which God Bless the United States of America, is very much recognized as a Creator given right. Clearly the judge is exercising it when he shows contempt for other people daring to live their lives in ways he doesn't like.

    Honestly, though, I do not try to be too much of an asshole. And I do recognize that there does need to be a means for courts and court-orders to function. The problem the judge seems to realize--and honestly why the NSA keeps getting the go ahead--is that criminals are most inclined to use those sorts of tools to hide their activities. The good response should be the obvious: most criminals don't go through the bother because they don't think they'll be caught and the rest are almost always found before the court-order (after all, you have to have evidence to get that far) or the court-order is a very inappropriate fishing expedition. All a court-order is there for is to solidify a case, not to make one. And so the very notion that there's something wrong with efforts to make their case inherently harder to prove is, well, fine by me. It almost always just means the prosecutor and the police have to work a bit harder to prove their case, if they care enough to go through the effort. The real limit of justice then is not the strength of encryption or the willingness of first or third parties to comply with handing over incrimination evidence. It has almost everything to do with running a decent investigation in the first place.

    PS - *sigh* The NSA part was probably unnecessary, but it reeks of the same stupidity and with the same sorts of results. Trying to find a needle in a haystack is easier because at least then you know you're looking for a needle. And if, by analogy, you know you're looking for a specific terrorist plot in a general time frame with certain people, you're already 90% of your way towards having a prosecutable case and a pathway to find accomplices.

    • by Hatta (162192)

      What next? Complaining about hidden compartment in desks?

      Complaining? There's at least one man in jail for building hidden compartments [wired.com].

      "I built these compartments just like any other business that I had, doing stereo business, customizing needs to peopleâ(TM)s needs in their vehicles, and I admit there was probably some irresponsibility of building these things, but I was onlyâ"I just figured it would be, like, as long as I didnâ(TM)t know what was going onâ"and donâ(TM)t want to

  • by mosb1000 (710161) <mosb1000@mac.com> on Wednesday October 16, 2013 @03:03AM (#45140467)

    Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company.

    Actually, the employee's motivation is likely the same as well. And the destination seems to getting more similar every day.

  • by YesIAmAScript (886271) on Wednesday October 16, 2013 @03:07AM (#45140481)

    As to his comment about turning over the master key, it would have made no difference if they had protections on their master key. They didn't turn over their master key anyway. They did shut down, and they would have had to shut down either way. Because if they didn't shut down and had their key secure (say in an RSA box), the government would have just compelled to give them access to their key to sign stuff or to present as a credential. In other words to impersonate them.

    The only way to avoid all this was to just shut down so there could be no mistake. If that key is used again, you know it's the NSA doing it, not Lavabit.

    I would love to hear how Ed Felten thinks a private key can be both kept inaccessible and used tens of thousands of times a day to secure SSL connections.

    Even if you keep it in a box, if the box will gleefully operate on the key thousands or millions of times a day, then you can just virtualize the key to a remote location (like say NSA HQ) by forwarding any requests to use the key to the box across the net. No need to even have the key at all in that case.

    • As to his comment about turning over the master key, it would have made no difference if they had protections on their master key

      If they had designed the system to not have a master key, such that each user had their own keypair and each user had sole possession of their specific decryption key then they would have been immune to the insiders - cartels or DoJ.

  • Bottomline... (Score:2, Insightful)

    If you don't want someone else to see it, stop putting it on the internet.

    Internet was NEVER EVER a means of private communication.. we've tried to make it that way for what, 20 years now? It's not going to happen. Keep your personal tidbits off the net if you don't want others finding them.

    Try using the tried and true encryption method. A piece of paper inside an envelope, with a stamp and an address. It's slower, but it's a lot more private than you'll EVER GET on the internet, now or in the future.

    • by ttucker (2884057)

      Try using the tried and true encryption method. A piece of paper inside an envelope, with a stamp and an address. It's slower, but it's a lot more private than you'll EVER GET on the internet, now or in the future.

      Said no cryptographer ever. Sending your communique in plain text is never encryption. You might argue it is stenography... but the mail, pretty fucking obvious. Each piece of mail is scanned, metadata is kept, pieces of interest are opened. That is not the least of your problem either. Do you think wifi is insecure? What about the mailbox? Mail theft is a real problem. If someone wants specific information about you, the cheezy lock on your mailbox is not going to do shit.

    • Re:Bottomline... (Score:4, Insightful)

      by oodaloop (1229816) on Wednesday October 16, 2013 @07:04AM (#45141303)

      Try using the tried and true encryption method. A piece of paper inside an envelope, with a stamp and an address.

      That has got to be one of the dumbest comments I've ever heard on the internet. Wow. Just, wow.

    • by Hatta (162192)

      GPG on a clean machine with an airgap is pretty much unassailable.

  • by ttucker (2884057) on Wednesday October 16, 2013 @03:31AM (#45140539)

    They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?

    The real answer question is, in what fucking world is it appropriate for courts to say what a private company programs?!? If the encryption is not illegal (it shouldn't be either way, but encryption is still legal in the US) the judiciary has no business saying whether it should be used or not.

    • The real answer question is, in what fucking world is it appropriate for courts to say what a private company programs?!? If the encryption is not illegal (it shouldn't be either way, but encryption is still legal in the US) the judiciary has no business saying whether it should be used or not.

      The court _can_ tell a private company to give information about a customer, or hand over information or things that belong to the customer and are in possession of the company. A company that rents out physical storage can be ordered to hand over the items that a suspected criminal has stored, and if they don't have a key they may have to unlock the storage with physical force which may damage the company's property. So you should ask what happens if they rent out safes, and have no expertise at all how to

      • by shentino (1139071) on Wednesday October 16, 2013 @06:28AM (#45141173)

        Even if you make something impossible, you still have to convince the court that it's impossible in order to avoid being locked up for 13 years on a contempt charge.

        Which means the court can use the mere threat of a perpetual contempt sentence to coerce you to make things easier for them ahead of time...just in case.

      • by ttucker (2884057)
        Software companies in the US are not currently legally required to provide encryption with backdoor access. It is concerning to think that a company would consider it to be in their best interest to provide such a back door to avoid abuse by the judicial system at some unforeseeable date in the future.

        The court _can_ tell a private company to give information about a customer, or hand over information or things that belong to the customer and are in possession of the company. A company that rents out physical storage can be ordered to hand over the items that a suspected criminal has stored, and if they don't have a key they may have to unlock the storage with physical force which may damage the company's property.

        What if a storage locker or safe contains pages of uuencoded data which appears random, but might be encrypted. Is it incumbent on the storage space to help law enforcement decrypt that data? Is this not s

  • the fuck? (Score:2, Informative)

    From a technological standpoint, shooting someone who is about to rape your daughter is the same as shooting someone because you want to drive the car they're in: the bullet punctures the skin and causes internal damage, temporarily (or permanently) disabling the person being shot. Therefore ban all guns.

    • I think the way they put it was pretty silly, but the point is that if it is possible for the government to demand the raw data and get it, it's possible for an 'evil' attacker to get that data as well. You can't even assume the government isn't evil.

    • by BlueStrat (756137)

      From a technological standpoint, shooting someone who is about to rape your daughter is the same as shooting someone because you want to drive the car they're in: the bullet punctures the skin and causes internal damage, temporarily (or permanently) disabling the person being shot. Therefore ban all guns.

      Seriously, did you even think this through at all before posting?

      It's more like forcing people to use only easily-defeat-able locks and/or send the government a copy of the keys to all locks because criminals sometimes use locks and the government may need easy and quick access to prevent/halt a crime or execute a search or arrest warrant in a timely manner.

      Secret government-mandated backdoors and unreported zero-days don't care who exploits them, either.

      Maybe the daughter in your example would not have bee

      • So, you agree that it is absurd to proscribe a particular action simply because "from a purely technological standpoint" that action can come with good or evil intentions and/or results. IOW, you have as much problem with my absurd consequence as I do.

        Yet you say, "Seriously, did you even think this through at all before posting?" Maybe your sarcasm detector is broken.

    • This obligatory XKCD [xkcd.com] now seems surprisingly relevant.
  • by Charliemopps (1157495) on Wednesday October 16, 2013 @05:03AM (#45140833)

    "If court orders are legitimate..." -- see there Mr Judge, you've answered your own question.

    • by BlueStrat (756137)

      "If court orders are legitimate..." -- see there Mr Judge, you've answered your own question.

      [sarc]
      But...but...if a (secret) judge in a (secret) court (secretly) orders it under (secret) rulings/precedents, it *must* be legitimate by definition!

      The government consulted with itself and assured itself that it was.

      Secretly, of course.
      [/sarc]

      Strat

  • Governments are supposed to have the ability to compel disclosure of confidential information, subject to legal protections. If you don't like the Snowden example, consider a less controversial criminal example, like a kidnapping in process. The point is that the 4th amendment allows for reasonable searches and seizures. Claiming that all searches and seizures are attacks is to deny the legitimacy of even uncontroversial law enforcement. Incidentally, even Lavabit complied with other government requests for [docketalarm.com]
  • by AJH16 (940784) <[moc.efaccg] [ta] [ja]> on Wednesday October 16, 2013 @09:47AM (#45142499) Homepage

    As much as I may not like invasions of privacy, the fact is that this summary provides a bullshit excuse for the need of making court order resistant services. This kind of issue has been addressed numerous times in the past and is actually quite easy. You just have to have a system that breaks the files up through multiple keys required to unlock it. It's called separation of duties and has been done in any good security system for decades (centuries?) This way, a legitimate order can be processed because everyone is on board with a legal order, but an illegal action, such as a bribe can not happen without having to get numerous people on-board with the action.

  • by sribe (304414) on Wednesday October 16, 2013 @10:22AM (#45142811)

    Or alarm systems? Safes? Etc? The exact same logic would apply. Why is this not blindingly obvious to everyone???

  • Lavabit/Guavabit (Score:4, Insightful)

    by PPH (736903) on Wednesday October 16, 2013 @10:31AM (#45142915)

    How many government employees combing through Lavabit's customer data are delivering it to the drug cartels?

    Court orders help because it forces crooked government employees to go before a third party to explain themselves.

    The primary problem most people have with the NSA data dragnet is that there is no system of checks to prevent such access. Once the data has been scooped up, nothing can stop an insider from misusing it. Look at Snowden. Only his motives differed from those of crooked employees.

  • Elsewhere, at Favabit, an employee receiving a court order for user data takes the encrypted user data to the three trusted employees who each know part of the decryption key. Together they verify the court order, decrypt the data, and pass it on to the court. A week later, one of the three trusted employees is forced to refuse a cartel bribe to get user data, because she does not have the power to unilaterally hand it over.

    If you can't think of a way to allow legitimate access while protecting against i
    • by Urza9814 (883915)

      Well sure there's plenty of middle ground between the two. All of which are worse security policy, from the end-user's perspective, than just keeping the keys with the user. How do I know the keys are with three separate people? How do I know Frank didn't email his key unsecured to John that one time they got a request while he was on vacation? How do I know there isn't a building security camera pointing at the keyboard as they type the passwords in so the entire security staff now has all three components

  • The analogy is far off the mark.

    From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party.

    Looking at something from only one standpoint does not give a complete picture of the situation. There might be issues from other standpoints that make the view very different. Taken from a technical standpoint the following are equal;

    Speeding tickets vs extortion. (They both require payment of money on demand)
    Incarceration vs kidnapping (both are restrictions on liberty)
    search warrant vs burglary (both entail unwanted entry and removal of property)
    public service vs slavery (

I use technology in order to hate it more properly. -- Nam June Paik

Working...