I'm willing to contribute but I'm interested in details before doing so. I'm aware that lavabit obviously can't go into details of what they're fighting against, but some breakdown on what the money will be used for would be nice - is it all for lawyer fees or does it cover other costs? How far is the sum expected to reach, will the 40k be enough to fight until the last round or will we get another fundraiser in a year? What happens to any money that's not being used up for the defense?
The lawyers setup a non profit and applied for status as a 501c3. All the donations are going towards legal expenses and any related travel...the team is spread out between San Francisco, NYC, DC and of course myself in Dallas.
So who are we actually (legally) donating to: You personally, lavabit as a company or the nonprofit? What does legal expenses include: are the lawyers paid full wages or are they working pro bono or at a discounted rate? Please note that I'm totally fine with all people involved being paid, they do have to earn a living. It might influence the amount of money I'm willing to give though.
Agreed, I donated without a second-thought. But for $30k, we should have a clear explanation (more than a one-liner on HN) on where the money is going exactly.
Online donations are notoriously lacking transparency. Nearly as bad as the FBI/NSA (:P).
As long as it's being done through attorneys, that's enough for me. What I cared about was knowing this was legitimate at all, vs. someone just impersonating him, but that seems pretty clear. No member admitted to the bar is going to fuck up something as simple as a legal defense fund, and certainly not over 40k. I'd feel comfortable up to 250k or so without more documentation.
The Rally.org page doesn't mention that this is a 501c3. Some of us would be able to get our donations matched if that was the case, not to mention tax-deductibility.
Is that an oversight, or is it just because the 501c3 has not been finalized yet?
It's looking like the district court appeal is going to cost between 70k and 100k. I'll need to raise allot more if the fight goes onto the supreme court. I'm told a typical supreme court case will cost 250k and up...
So is the 40k in the petition just the missing amount for the district court appeal - meaning that another party will cover the gap to 100k - or is that just what you thought was possible on rally.org? Is there any estimate what the chances are that the case will end at district court level?
Yeah, there is basically zero info on where the money is going, I don't know how people (especially people unfamiliar with Lavabit) are going to be encouraged to contribute.
I just donated $50 - to be honest, most of the stuff in your post is useless minutiae. I don't care how many dollars go to lawyer's fees versus court fees versus blah blah.
What I do care about though - how far in the appeals process will this take the case? Answer: $40,000 is not even 1/10th of what you'd need to make it to the supreme court, paying full freight. So assume there's going to be another fund raiser.
Should we just walk away from an opportunity to expose the demands of the FISA court in broad daylight at the behest of a superior court because they didn't present an itemized budget and an exact timetable dependent on a bunch of external circumstances beyond their control? Uhh, no - drop $5 and move on.
See, I care about where I donate my money to. If 40k is 1/10th of what's needed this fundraiser may be just wasted money - I could be better of donating the money to EFF directlyr. If the entity behind the fundraiser is lavabit, the US government could just shut down the company and freeze the funds, again wasted money. I'm not asking for an itemized list or a timetable, I'm just asking for a little information that goes beyond "we'll try and sue and we need money". I'm not assuming bad faith, but is that too much to ask for if somebody tries to collect north of 40k on the internet?
I understand your inner skeptic, but seriously, this investigative zeal might have been more appropriate elsewhere.
The guy could have easily folded, like hundreds of other companies, without a word. Instead, he shut down the service to protect its users. I would have given him $30k just for that as a bonus for being awesome.
He's a damn hero if you ask me. Along with Aaron and Snowden. They are a few and deserve every support we can give them. Even if they buy a pack of beer with fund money.
The question you should ask yourself is who you trust more. If it's the NSA then there's no basis for donating. Lavabit was trusted by many, I will trust them in this effort.
It's not about trust. It's about whether I believe that this is a good investment of money or whether I feel that donating to another entity is a better choice. There's many fights to be fought and so little money to go around. I trust them that they have only the best intentions, but what happens if they don't collect enough funds to go all the way? Did anybody win anything if they have to fold midways because money ran out? 40k wasted that could have been used somewhere else?
Super. I'll just neatly put my name next to a list of people (which the NSA has connected to) who oppose the surveillance state ... and hope I don't get black bagged to your fancy Cuban torture prisons if I ever cross into the USA.
You mean like (what I would call) illegal detainment and warrantless searches of David House, simply because he is a human rights activist and was raising money for Chelsea Bradley's defense? [1] The pigs stole his laptop and usb drive for more than two months, and took a copy of a supporters list. There was no reason to believe this man had anything to do with Chelsea or was doing anything but raising money for her defense.
And come on, there's no need to be pleasant the umpteenth-thousand time that someone mades a snide, ultra-paranoid remark about America that scrapes the bottom of Godwin's law.
It really doesn't though. The ease of consumption of the political topics is killing the depth of discussion on hackernews and forcing people elsewhere, especially when comments like "wow don't gitmo me bro" are now considered acceptable.
If it was only "being smug" that would probably be tolerable. The issue here is actively paying for them to challenge the legality of the NSA's actions - something that would really irritate the NSA, to say the least.
Because you're not dangerous or a threat. Not that I love the idea of someone awkwardly thumbing through content that my mind has created, but why would the NSA care to detain a foreign national over being smug?
Neither are most (all?) of the people who are detained at the airport, denied entry into America, or otherwise harassed by our government. What exactly is your point?
Stop trying to link the TSA and people denied at the border (there's no inalienable right to people coming into the country) with the NSA. What is your point?
The NSA might be greedy for info, but they're not stupid or act [as an agency] irrationally.
>What makes you believe that some individuals within the NSA are not of that type of person?
Because the NSA just records the information, they don't get to make the call on detention. Gitmo isn't full of people that called the government a bunch of jerks or complained about wiretapping/taxes/etc.
In my humble opinion, the greatest abuse that could come from this wiretapping is much more mundane and offensive - NSA employees cyberstalking and mining data of sexual interests/current partners.
gitmo is actually full of people whose crime was to piss someone in off, get handed in for a bounty, then get caught in the middle of Republicans rousing their inbred base by opposing trials.
From the wiki article: "The Center for Policy and Research's 2006 report based on DOD released data, found that most detainees were low-level people who were not affiliated with organizations on U.S. terrorist lists." [1] One example: "The U.S. offered $5,000 per prisoner and distributed leaflets widely in the region. A perfect example would be Adel, a Chinese Uighur and dissident who had been sold to the US by Pakistani bounty hunters"
We have already seen a much greater abuse of this data: cooperation between the NSA and law enforcement agencies, along with a conspiracy to lie to judges, defense attorneys, and even prosecutors about how evidence was collected. If this were limited to spying on former love interests, it would be creepy; "parallel construction" is dangerous.
>We have already seen a much greater abuse of this data: cooperation between the NSA and law enforcement agencies, along with a conspiracy to lie to judges, defense attorneys, and even prosecutors about how evidence was collected.
Link to where this was abused to punish an innocent person?
The right to challenge the evidence is not limited to innocent people. That includes the right to challenge the evidence on constitutional grounds, and includes the right to prevent evidence from being presented if it was improperly or unconstitutionally collected. That includes smoking gun evidence that unambiguously demonstrates that a person committed the crime they are accused of.
It makes no difference whatsoever if these tactics were ever used against an innocent person. These tactics are violations of civil rights across the board. Yes, guilty people have civil rights in this country. No, our justice system is not meant to ensure that every single guilty person is punished for their crimes.
So the NSA will not be the specific people to decide to detain me based on my pissing and moaning? that doesn't sound like much comfort.
I dont know how you know what kinds of people are detained in Gitmo and other more secret locations? I believe that information is specifically kept secret?
EDIT: I am thinking you meant that you hope that Gitmo and other similar but more secret places do not contain people who piss and moan about government surveillance?
I support the cause, as I believe all people should have the right to privacy. However, I'm not American, and we have our own battles. Increasing awareness and visibility however, is something we all can do.
One thing that really puts me off is the emphasis on protecting privacy for american people. Why should privacy be a luxury of people who just happened to be born in a particular piece of land? Why is it ok to spy on everyone else?
Easy enough: only american people (or people in america) enjoy the legal protection of the american constitution. So the only fight that can be fought here is for americans. You'll need to convince your own government to fight for your rights.
please note: IANAL, but that's what I gathered so far.
I'm not sure convincing my government would make any difference since I'm connecting to an american server right now just to type this (I'm also working in the US). It's like saying that if you're connecting to a german server and they're violating your privacy then you should fill a complaint with your own government.
Am I the only one who sees this and thinks, "Why are international borders so important on the Internet?" Maybe we need to be thinking in terms of protocols and designs that do not allow the government to violate privacy rights regardless of where particular computers happen to be located...
The US Constitution doesn't "protect" anyone except insofar as it mandates/prohibits actions of the Federal and State governments, and those mandates/prohibitions apply wherever agents of the state act under constitutional authority.
It's the US and UK governments mainly that are sh*tting on everyone else's rights within their own country that is the problem. Taking a singular view on this will not solve the problem, your government will just shift the processing to one of their "partner" countries.
Is it only "the American people" who this person wants emails to be private? That's what they're title says, and they talk about the US Constitution whose privacy restrictions only apply to US citizens (AFAIR). Go beyond the fourth amendment.
Personally I think bulk collection is wrong regardless of where a person is, or what passport they carry. But the constitution only protects our right to privacy on American soil...
Since Lavabit operates in the US and we can't tell which of our users is an American, and which are foreign, I'm of the opinion they all have the same rights.
The contents of e-mail hosted by third parties will always be subject to legal demand.
Even if Mr Levinson wins his action against NSLs, that will remain true. Non-NSL warrants conform to the Constitutional protections and will continue to be served and fulfilled.
Oh, come now. It's not as simple as that and you know it (or you should know it). The Lavabit design - its entire premise -was that the service stored all the emails in an encrypted form that even Lavabit couldn't access. It was especially constructed that way to be different from other services, at the cost of considerable time and expense. The Lavabit threat is universally considered to be a government order to (in essence) stop running the service that way. This is different from previous government demands in which Lavabit did turn over information which they had.
So the question is: should encrypted-hosting service designs be illegal unless they have a backdoor for the government and the service provider to get in?
I wish I could mod up because fennecfoxen has succinctly stated the crucial point.
We really don't even need the NSA shut down, or for it to stop the mass surveillance, in order to have secure and confidential communications. Mass wiretapping is evil but it is not such a threat as long as we are legally and practically free to work around it.
The latter freedom is what the government is now attacking. Th US currently has no statute prohibiting "encrypted-hosting service designs [without] a backdoor for the government and the service provider", nor is there any statute commanding individual 'A' to enable the government to cryptographically impersonate 'A' online to deceive 'B'. But now, the USG has practically effected these policies by secret orders approved only by secret courts, with threats of prison for even revealing the existence of such orders, and preventing the subjects from challenging the legal basis in public courts according to Constitutional principles.
This really has profound implications. Do you have a right to run software of your own choice on your own server, to provide a service that enables the fundamental human right to confidential communications? This is an important measure of the descent into fascism, totalitarianism, police state, or whatever you want to call it, and further trashing of the rule of law.
That ship sailed with CALEA. It's going to be relatively straightforward for the government in secret court to argue for an expansive reading of CALEA with respect to other authorized missions, and thus require individual VPN, email, etc. providers to comply with the same "lawful intercept" requirements as CALEA, I fear. It won't be a blanket thing like CALEA is for voice PSTN, but individual orders with respect to providers of interest (due to size, or like paltalk or lavabit, clientele), not very difficult.
It is as simple as that. If you are not encrypting your email locally you are relying on the service provider to be honest. Claiming that Lavabit could not access your email is silly; Lavabit could easily access it, at the very least when you next log in (presumably this is why the service was shut down). There is no meaningful difference between Lavabit's design and Hushmail's design, and both services had responded to previous government requests.
If you want private email, you need to encrypt locally before the message is sent and decrypt locally after the message is received -- end of story.
You state a natural consequence of information theory. The original poster states that "non-NSL warrants conform to the Constitutional protections and will continue to be served and fulfilled." Both these statements are true.
But does that mean that because you can compromise a system then the government is allowed to force you to compromise your systems to utterly betray the purposes for which they are designed and then lie about it?
This is vague and I apologize... but it has to be that way... for now.
I couldn't compromise the system... but as it turns out the feds have a few secret capabilities the public doesn't about... they still need certain things in order to break the security though and that's what I'm fighting. Both for the ability to tell people what those secret methods are and the right to not be forced into helping the feds compromise my system/service...
It is not about what the government is allowed to do, it is about what is technically possible. If eavesdropping is technically possible, it is bound to happen, and constitutional protections will not be much help. The NSA revelations should tell you as much: the constitution is only tangentially relevant to the day-to-day decisions at the NSA about who to spy on or how to conduct surveillance.
The reality is that laws can change, and that when we create systems that are technically easy to abuse, there will be people who push for the law to change so that the system is legally easy to abuse. The police are always look for more power, and if you have something like Lavabit, the police will want to have on-demand access to it -- and they will want to reduce the barriers to getting a warrant, or even remove the requirement to get a warrant in the first place (like, say, if the emails are older than 180 days). By having a back door inherent in its design, and by positioning itself as the gatekeeper for that backdoor, Lavabit invites abuse and its users were lucky that the founder is a man of principles.
The system was only designed to protect data at rest. I followed the NIST secure coding guidelines when processing sensitive data. That should have made it difficult to compromise the system without changing the code.
...but it is easy to change the code, and easy to change it without alerting your users, and that is the point. I do not want to be rude to you, but the reality is that no matter how you designed the system there is a gaping and exploitable back door. The fact that secret keys are ever processed by your servers means that you have absolute power to decide if your users have any privacy at all.
To be clear, I think it is fantastic that you took a stand on this issue, and I wish more people had that kind of spine. The problem is that your system depends on you being a man who sticks to his principles.
Imagine the existence of a guy called Madar Mevinson, who runs a company Mavabit... that publicly shuts down over privacy concerns, but then reopens in triumph after a court battle... but little did we know, Madar was a government operative the whole time! (Or a non-state-actor criminal. Or just a creepy stalker. Whatever.)
And, because this is the internet, I'll mention that I am absolutely not suggesting that these things are true of Mr Levinson and Lavabit. But it's a bad security model to trust the ethics of a stranger, and from what I understand of Lavabit, that's required here. Maybe I misunderstood Lavabit?
PS: even so, 'mad props' to Mr Levinson, for taking a brave and productive stand
and the only problem with this is that unless you can unequivocally prove that the public key you are encrypting with is for the intended recipient, you're stuck. Until we have an infrastructure that can allow truly secure proof of identity, you can be assured, email (end every other form of internet communication) is insecure. The only secure email is the one you never sent... or if you're using webmail, it's the one you never wrote. If you want truly secure email, only use a public key to encrypt it if you can prove beyond a shadow of a doubt that the public key you are encrypting with is for the person you intend to write to. Internet delivery of the public key by the standard methods aren't foolproof.
Active MITM attacks are not easy by any stretch, certainly not against email. On top of that, if you do not begin the attack before the first messages are sent, you will not get another chance, at least not easily. It would also not be enough to control just the mail server; you need to control every communications channel available to the target, which is a substantial effort and far beyond the scope of what we are trying to achieve with email privacy. Frankly, anyone who can pull that off could more easily break into your home and install a keystroke logger somewhere.
PGP's model works pretty well. You get the key from a key server, you communicate through a (presumably different) mail server, and if you need more protection you use the web of trust. Imperfect, sure, but no security system is perfect, and at least with this the barrier to spying is high enough to stop mass surveillance (not true of Lavabit, whose users just have to be thankful that the service was shut down over such a request).
The WoT concept is flawed but it is the lesser evil. Also it is not the critic's place to dictate what standard of assurance anyone else should accept.
All schemes to verify identification of an entity with a key are probabilistic and in some degree unreliable. Even if the correspondent is your best friend and you exchange keys in person, there is the possibility that one of you will fail to maintain exclusive control over his/her secret key. The question is which methods are best in a relative sense - and what qualifies as "good enough" is for each operator to decide.
Of the two major alternatives, the CA system (and other schemes of similar design, relying on trusting third parties) and the web of trust based on individuals' estimations - of these, the latter is clearly more reliable. It was hard to convince anyone of this years ago, but the tech world has (mostly) now recognized the folly of third-party systems after painful experience.
EDIT: Corrected "former" to "latter", per post below - thanks!
> Of the two major alternatives, the CA system ... and the web of trust ..., of these, the former is clearly more reliable.
That is, you wrote "the CA system is more reliable than the WoT".
I'm pretty sure you didn't mean what you wrote. It seems to contradict the rest of your post.
Elaborating for the benefit of other readers: we have lots of evidence that the Certificate Authority system has been repeatedly compromised, certainly by state actors and probably also by (other) criminals. There are semi-solutions, like certificate pinning. One alternative (the only alternative I know of) is not trusting any Authority to get good certs, but rather getting them yourself, or from people you trust, or from people trusted by people you trust, etc... thus the Web of Trust. This alternative is pretty poor, but it might be less broken than CAs.
Probably, but it would still be a huge win, if we could make it so they could only get e-mails with a normal warrant, from a normal Court (none of that secret courts/"millions of records-are-relevant nonsense).
Also, I don't know if it's currently "legal" or not to demand companies to keep encryption keys of what they're encrypting, but I'm pretty sure it's unconstitutional. So encrypting communications end to end should be constitutional/legal. The companies can still do that (if they have the will/customer pressure).
As for coerced backdoors, like they tried with Lavabit, that's just disgustingly immoral, and definitely unconstitutional.
I agree it would be a monumental victory against secret demands, but if a non-sysadmin layman read that rally.org page he might believe that the result that all e-mails would be 'safe' forever.
You make an interesting point about encryption keys; it is unconstitutional to demand that an individual hand-over his keys in a speculative manner, but is not considered self-incrimination if the prosecutor knows that the relevant document is encrypted. for example, if the individual boasts that 'The Man can't read my encrypted tax evasion plan'.
But I have no idea how that reads-across to a corporation.
The question is whether our government can access the private data of people not involved in an investigation and whether companies can be forced to surrender their own sensitive info... or be forced to help subvert the security of their own products and services.
What strikes me odd is the notion, that I as a foreigner do not have any rights and nearly nobody in your country seems to care (at least so it seems to me).
Even the Lavabit-Founder just wants to fight for the "rights of the American people".
Don't the American people get it, that what this form of Chauvinism really brings is bringing the world up against your country? Until America recognizes, that it is not the pride of creation, this sentiment will only grow and Americans worldwide will be regarded critically.
With every politician, that promotes this chauvinism, being elected, everyone in the US is seen once more as a supporter of these views. Not the best idea in the long term I fear.
Domain Name:LAVABIT.ORG
Created On:21-Jul-2005 21:45:20 UTC
Registrant Name:Ladar Levison
Registrant Organization:Lavabit LLC
Registrant Street1:3930 McKinney Ave #576
Registrant City:Dallas
Registrant State/Province:Texas
Registrant Postal Code:75204
Registrant Country:US
Mail him a check if you want to help and don't want to use electronic means. Sure, it could in theory be a scam or waste of money. But we KNOW the NSA is a scam, a waste of money, and a danger to our values.
Personally, I trust him. I received a hand-written note thanking me for a donation. Good luck Ladar!
Because constitutional protection and human rights are greater causes than the few bucks you lost. Lavabit didn't have to shut down, they could have handed over your private emails, but they didn't. I'd say they've more than earned what you paid.
There's no part of "constitutional protection and human rights" that forbade them from refunding customers' money for a service the customers paid for that they then stopped offering.
(NB: I have no idea if they did/did not refund any money; I'm taking it as a given for this comment but I'm completely relying on the comment chain for the unverified story.)
In lieu of what's going on, I think anyone expecting their money back should re-examine priorities. Clearly Lavabit needs the money for a cause that, frankly, trumps anyone's concerns about getting their money back. I completely support them taking any cash that's available, risking the anger of the people who would dare to be upset about it.
In short, I think making the OP upset is a negligible problem compared to the USgov to getting their way.
Saying that handing over money to them somehow = human rights isn't much better than the people who say that PRISM = protection. Just because LavaBit's shtick and rallying cry is around freedom doesn't mean that they aren't a crap company or that they are telling the whole truth about what has gone down. For all we know the founder is just some wacky libertarian taking an opportunity to give the gov some bad press.
> Saying that handing over money to them somehow = human rights isn't much better than the people who say that PRISM = protection.
I think it's MUCH MUCH BETTER.
> For all we know the founder is just some wacky libertarian taking an opportunity to give the gov some bad press.
Needless FUD. For all I know you're an alien from outer space, for all I know we're all in The Matrix, for all I know everyone here is an automation-script and HackerNews is an experiment in how long they can keep me, smtddr, believing that I'm talking with real humans. You can't live life in FUD. I think it's more likely that you're a NSA/USgov shill who just created this account to post this comment... than the Lavabit founders set up all this encryption to a point that even Snowden trusted them, just to turn around aand give the government some bad press. And seriously, "wacky libertarian"? Define that for me. And "just to give gov some bad press?" Why? What do libs have to gain by giving USgov a bad name just for the sake of it? The USgov has given itself a bad enough name just by the NSA leaks, they don't need any help from any "wacky libs".
Can you link me to any examples of customers who didn't get any refunds? I'm only finding overwhelming support for his shutdown from previous customers...
I did not receive a refund for my lavabit service that was interrupted, but after seeing the situation I really did not mind (I may not have received a prorated $3 of my $8 yearly subscription fee - I think there are much bigger issues at stake here). The lavabit shutdown is even more of a reason to give a privacy-respecting company support. Godspeed lavabit!
