Admitting to the behavior you've described would no doubt destroy his career, so it's no surprise he's twisting the story around.
He does have the victim card to play, though, and he's going to keep milking it for all it's worth, quite rightfully. The government effectively killed his business the second they first coerced him into undermining his clients. The only choice for him in that position was to give up on his business or give up on his principles. If he indeed wound up failing on both counts, well, at the point someone is put under this sort of duress, is there any point in being so judgemental of him?
I think a lot of people who read my comments on these stories think I'm bringing these points up because I'm on DOJ's side on this issue. It's true that I'm more on their side than the average HN reader, but I share most of HN's perspective on the actual disclosures in the Snowden documents.
But that's neither here nor there, because my issue in this case isn't that Levison was on the wrong side of a controversy with DOJ.
My issue is that Levison never should have been running this particular service. Like many other short-sighted developers, Levison built a site that made expansive claims about its security capabilities which anyone familiar with the actual technology could see were preposterous.
The framing of the "debate", such as it is, about Lavabit seems to take as a given that DOJ or NSA can compromise secure messaging services, and that our only reasonable response is outrage directed at the USG (or "Five Eyes" or whoever) in the hopes of effecting policy changes. No. It is more than possible to build services that thwart the kinds of orders Levison received. It's not even difficult to do that. Levison could have built a service that would not have provided him the capability of furnishing the FBI with Snowden metadata.
Levison didn't not build that system because that was hard to execute technically. I think he did it because it was hard to execute as a business. Users want communications tools that work like the ones they already have, and, in particular, they want tools that interoperate with Internet email. Like virtually everyone on HN, Levison probably understands that such a tool is virtually impossible to implement as a web application. But Levison also knows that building native applications is expensive, and getting users to install things is more expensive still.
So instead of building something that protected his users, he appears to have built something that didn't, and then pretended that it did. He may have "gotten away with it" so long as the court orders he apparently quietly complied with didn't pertain to the highest-profile target on the Internet. But once that happened, the game was up.
If all of that's true, I'm not sure from where I'm supposed to find sympathy for people who play those kinds of games with people's secrets.
> It is more than possible to build services that thwart the kinds of orders Levison received.
Perhaps, but unless there is appropriate and firm pushback against further legislative creep, mass surveillance, and abuses of process, etc then those other services are at risk of getting stamped out as well.
Levison is not a saint, but he doesn't have to be.
If Levison was the only person doing this, my complaint might be less relevant. But he's not; he's at the vanguard of a trend, and is our best cautionary tale about what happens when people chase that trend.
Maybe that's where you hit the wrong note then. Most of your writing here seems to be directed at Levison particularly, not in the general sense as a cautionary tale aimed at the potential users of such a service.
I don't understand. Levison did something objectionable. Who am I supposed to direct my complaint at?
Are you suggesting that I should instead reserve my complaints for the users of these services? That empirically does not work; there are millions of users, and none of them research the tools they use to communicate privately.
Levison did something stupid (possibly maliciously stupid, I'm not qualified to judge), the users did not do due diligence on the claims made by the service, and from the looks of it Levison is paying a price.
But that ship has sailed. He fucked up, he tried hard to limit the damage, and as far as I can see he's been punished just about enough. So if you're upfront about using this as a cautionary tale, then that would start with either educating users of such services or with pointing out similarities between Levison's flawed approach and other offers of services like that. Further dumping on Levison is pointless; it's like kicking a guy that is already down.
Compare this with Karin Spaink taking on scientology knowing full well that that would bring down a lot of trouble, but doing society a great service in warning people of the dangers of that particular organization.
For users of Lavabit any kind of warning is a bit late and I think they have learned their lesson (or at least, I would hope they did).
Snake oil peddlers have been making money for years. The pharmaceutical ones and the broken-crypto ones look all the same from where I'm standing: they are playing with people's lives. But the ones that get caught are, as far as I'm concerned, neutralized; it's the ones that remain that deserve our attention, and their users as well.
If you buy a climbing harness because you're going to go mountain climbing and you can't tell a good one from a piece of junk then maybe you shouldn't be climbing on mountains, no matter what the maker of the product claims.
In the end, the responsibility for your life is yours and you can't outsource that. So looking over the product you buy is a minimum requirement for things that your life depends on; just going on claims absent independent verification of those claims is, for want of a better word, terribly stupid.
By analogy, if you're, say, some technically adept guy that decides to screw over the NSA, just using a service because it claims to be secure is probably not a good idea. In cases like that you either do it yourself or you assume that you are taking a risk.
I can't really see Snowden, working for the NSA, as a layperson in this context, just as I can't see a mountaineer as a layperson when it comes to evaluating mountaineering gear.
Case in point: I worked on some pretty high structures in the gray past and I've rejected multiple 'definitely good' safety harnesses and clamps simply because they did not pass my personal standard for quality of such important gear. If I had chosen to continue and used them, and something had happened to me because of the device failing, then I would have partly blamed myself.
If crypto is of life saving importance to you then you have to know at least enough to evaluate the service and if you can't do that then either you knowingly take a risk or you should probably not be doing what you plan on doing.
My personal take on anything internet related is that since I can't predict the near future (let alone the far one) I assume that anything stored on my computers will become public one day. I suppose that even the most secure implementation available to us today is only one bug away from being wide open after all. Call me pessimistic.
One last thing about Lavabit: I can see at least one very obvious way in which Lavabit could have been broken that would not require Levison's cooperation at all (but would have required a lot more foresight on the part of the NSA). In a way it is reassuring that Levison was able to do what he did; that lowers my estimate of the NSA being able to record and store at will considerably. After all, if they can't even afford to tap the ingoing and outgoing traffic of a service that offers secure email, then either they are not very good at their target selection or their resources are spent on more interesting targets, and so 'little fish' like Snowden can get away with their deeds. I'm pretty sure that that hole is now plugged, and I would hope that the users of similar services now know that as soon as you hit 'send' your secret is no longer.
You are trying to shift the blame to the users vs. the guy who purposefully weakened his encryption service to make it easier for end users, and also antagonized the government thus harming more users than if he wouldn't have done so. You are blaming the wrong group of people.
If you want 'ease of use' and 'bullet proof encryption' you will have to leave empty handed. Even a noob like me knows that, it's always a trade off.
So, Levison is wrong for doing what he did, and his users are wrong for believing his claims. I note that Moxie Marlinspike's critique of Lavabit was written post-takedown; it is not proven in my opinion that Levison acted maliciously, though it is very well possible that this is the case. Even if he was only negligent there is plenty of blame for him, and by the looks of it that's hitting home hard enough for what he has done and then some.
That still does not relieve his users from their own responsibility for their part in all this. Giving data that you wish to keep from the government to a service that you are not qualified to audit, and that you did not pay some service that is qualified to audit it, is simply dumb. No matter what the guarantees such a service is making.
Consider for instance that such a service could be set up as a front or a honeypot.
I'm sure that in your book every claim made in advertising ever was always true but I'm a bit more cynical than that.
A better argument to make is to blame the guy who acted extremely stupidly and turned over the emails of every account on his service, when he could have only exposed one.
Yes; my argument is also that Levison started with a bad hand, and then went all in with his users' accounts as collateral in what was, essentially, a ludicrous bluff.
> After all, if they can't even afford to tap the ingoing and outgoing traffic of a service that offers secure email then either they are not very good in their target selection or their resources are spent on more interesting targets and so 'little fish' like Snowden can get away with their deeds.
I suspect they got tripped up in that pesky policy requirement to not wiretap American citizens on American servers hosted on American soil. I'm sure they could have figured out the technical aspects quite easily.
I'm sure the NSA is capable of wording their employee contracts in such a way that they would have a legal right to snoop on the communications of those in their employ.
Regular employers do this with impunity; for sure the NSA can do likewise. You have to be aware of the use of the service first, and one reason why people a lot smarter than me suspect that that key was so important was to be able to decrypt past communications using the same service on captured traffic.
> I'm sure the NSA is capable of wording their employee contracts in such a way that they would have a legal right to snoop on the communications of those in their employ.
If it were that simple then the NSA would simply have provided that documentation to Levison, no?
Or, as I already said, simply scooped up his data going to/from Lavabit's servers anyways, if they felt they had the legal authority.
> Regular employers do this with impunity, for sure the NSA can do likewise.
Regular employers do this on their own systems, sure, just like every U.S. government IT system warns about the various (but not total) authorities they have to monitor your usage of government computers in many settings. But do regular employers subpoena a third-party email provider under the same IT use agreement expecting that email information to be turned over?
> You have to be aware of the use of the service first
The USG was obviously aware, otherwise they wouldn't have issued a specific subpoena to the operator of the Lavabit email service.
> people a lot smarter than me suspect that that key was so important was in order to be able to decrypt past communications using the same service on captured traffic.
Then maybe Levison should have complied with the first batch of specific warrants, where the topic of the SSL key didn't come up at all?
I mean, I can also give a self-deprecating comment but I don't think anyone has to be very smart to figure out that the SSL key wasn't even asked for until Levison made it impossible for the USG to perform their "good old fashioned police work" in any other way.
The NSA is very much not interested in directly disclosing their capabilities. It could be they already had the information but wanted parallel evidence construction.
> The government effectively killed his business the second they first coerced him into undermining his clients.
The problem is, in the U.S. and I'd imagine most other countries, your business cannot be built on refusing to follow court orders to protect your clients. Specifically, refusing to furnish relevant information despite being able to do so without excessive burden.
We're not talking about some new erosion of civil rights. The power of courts to compel witnesses to provide relevant evidence and testimony dates back to the origins of jury trials in the middle ages: http://en.wikipedia.org/wiki/Subpoena_ad_testificandum.
>The problem is, in the U.S. and I'd imagine most other countries, your business cannot be built on refusing to follow court orders to protect your clients.
What about churches offering confessional services? I know, that's a case where the law specifically protects the (priest/penitent) relationship. (Nor are they "businesses" in the conventional sense of the term.) Nevertheless, they are open about how they're willing to violate a court order asking them to (in their judgment) break the confessional seal.
Third caveat: if all you meant was that the "confession protector" can still expect to go to jail for this, that's still not a counterexample to what you said. But the point is that, unlike with Lavabit, the court would not shut down the entire church when priests violate such court orders, no matter how systematically they do it.
A church isn't a business, nor is it built on refusing to follow court orders. A clergyman doesn't have to violate a court order to protect someone's confidences: he can invoke a legal privilege that creates an exception to the general subpoena power. The same is true of a lawyer or a spouse. They don't have to violate the court order--they are protected by special exceptions to the rule. They simply need to invoke the exception in a motion to quash.
In general, however, a business will not be protected by any evidentiary privilege. In order to avoid complying with a court order, they will have to violate it.
Did you see the "in their judgment" bit? (Or the "not technically a business" bit, for that matter?) A court can still order testimony if the judge feels it doesn't qualify for the immunity, even as the priest feels that his duty is to protect it.
You can't dismiss the scenario by acting like a priest will never protect a confessional in violation of a court order.
There are a number of explicitly allowed privileges, like with lawyers. Society sees value in letting people be able to discuss very personal matters with people, and the conversations would not be happening without the explicitly granted privilege. Can't be compelled to testify against your spouse, for that matter (that's by Constitution, not by statute).
(Even then, priests and lawyers have rules about when to break confidentiality. If someone said they committed a murder, nope. If someone said they are going to commit a murder tonight, then yes.)
If you want a new kind of privilege, you should lobby your legislators, not try to start a for-profit business.
The fundamental rule is that the government is entitled to evidence.
If a church, for some insane reason, kept written records about what was said in the confessional, and a court order was somehow granted to order the church to turn over their records (ignoring privilege), they would need to turn those over.
If someone destroyed them, the DOJ would not need to shut down the church. They would charge the person who destroyed them with the appropriate crime, and then everyone would move on.
If they refused to turn them over, but the DOJ believed they were still on premises, eventually the DOJ would get the local sheriff to physically enter the building and take the records. There would be no need to shut down the church.
In that situation, ideally the records are all in individual files, and the constable only needs to take one. If the head priest said "nyah nyah, we mixed them all up, ha ha!", then all would be seized, and someone would need to go through and find the relevant information.
By keeping all the secrets of their "clients" written down, the church has put them all at risk. If one priest knew the secret only in his head, the government could compel him to testify, and that still wouldn't require shutting down the church.
The nature of computers is that they are simultaneously typewriter, gold bars, and file cabinet -- they are needed for work, they are valuable, they contain lots of information. When the government needs to seize evidence, they cannot slice out the "file cabinet" component from the other components. The fundamental rule is that the government is entitled to evidence.
EDIT, and maybe this is what I should have said instead of all the stuff above: Lavabit's only defense against seizure of its keys if a court order demanded them was to refuse to provide them. I.e., break the law. I don't know how else that can be read except as a promise to break the law on behalf of their clients.
Second edit: And fundamentally an unkeepable promise. I could, in theory, promise to not repeat the secret you told me and that I hold only in my brain, no matter how long I sit in jail. I cannot promise that the DOJ cannot seize my written record of that conversation, because they can bust down the door to get it.