I've donated. It's a very honorable thing to do, stand up for other peoples freedom in the face of personal losses and pain. Such an act should be supported and praised.
Although there is a very long way to go, America currently seems to be on path towards East Germany or China style surveillance.
”Every man should know that his conversations, his correspondence, and his personal life are private.“ - Lyndon B. Johnson
”Every man should know that his conversations, his correspondence, and his personal life are private.“ - Lyndon B. Johnson
But even professions that have confidentiality baked into their core (clergy, shrinks, doctors)* can be compelled to provide info to law enforcement. In some cases, they are legally required to report illegal conduct.
Actually, it varies from state to state (Just like doctor-patient) and, in fact, you could be compelled as an attorney to testify against a client in plenty of cases in plenty of states.
In a lot of states, for example, you can compel an attorney to testify about future or ongoing crimes, but not completed crimes someone is seeking legal advice for.
As an example, this is covered in california evidence code as section 956:
"956. There is no privilege under this article if the services of the lawyer were sought or obtained to enable or aid anyone to commit or plan to commit a crime or a fraud."
I thought the same thing as I typed that. But that would be an expensive email service. lol
EDIT: It kind of sounds like this is a grey area for attorney-client privilege[1]. I'm sure someone could successfully argue that privilege does not apply here because a) "LawyerBit" is not acting primarily as an attorney b) Email being email, the communications are disclosed to third parties
It wouldn't have to be. You can legally retain a lawyer for as little as $1. Even at a dollar a month, it would be nice for a third party email service to enjoy attorney-client privilege.
What if the messages were only ever internal to the system?
Or even constructed such that the lawyer was central to all communication.
So client A contacts the lawyer to advise client B of X. The lawyer dutifully complies (perhaps in an automated fashion).
Whenever Client A wishes to contact another party who is not a client of the lawyer, the lawyer is given a client lead from Client A. The lawyer emails (the only time when mail goes to 3rd parties) the party, inviting him to go on his retainer so he can advise him on Client A.
While such a system would have to be automated, the system could delete any evidence of this automation, or at least plausibly deny specific instances of the automation.
Thus, all involved could argue the lawyer was manually involved every step of the way in the process, which only ever occurred on the lawyer's system, and the client systems of his clients.
You are not the first person to come up with the idea of "let's have a lawyer sit in the room while we plan our conspiracy". I doubt it works as well in real life as on TV.
Is operating an encrypted email service a conspiracy?
You are doubtlessly right, though still fun to think about.
The law is (thankfully) not like code, and you can't always make a clever hack around the letter of it. When lawyers can, well, that' why they get paid well.
Insurance companies used to do this.
The attorney client privilege generally only protects the seeking of legal advice, not the use of an attorney as a go-between for other purposes :)
I guess the government could argue RICO at that point against the lawyer, but I think that still wouldn't abridge lawyer-client confidentiality. Maybe it would.
Then the lawyer couldn't delete the systems like Lavabit did because the government would have confiscated them as evidence of the conspiracy.
At that point, however, the 5th Amendment should apply, because the server provides evidence of a conspiracy the lawyer took part in, providing the encryption keys would also be providing evidence of the conspiracy; requiring the lawyer to testify against himself.
Some judges have tortured the 5th Amendment worse than this, so it's not entirely foolproof. Still, it's unlikely other lawyers would take this sort of abuse standing down, nor would the general public.
So even the most extreme legal logic I can think of would be unable to penetrate this arrangement, providing the computer security and encryption was all top-notch. Disclaimer: IANAL, though I'd be willing to be the IT employee for any legal firm that wanted to construct such a system.
John Gruber at Daring Fireball has been doing a lot of work to encourage people to donate. I think the latest uptick has been the fireball effect at work.
> Let's rally for Lavabit to fight for the privacy rights of the American people.
I find that limitation to "American" (surely meaning US american) people an incredibly embarrassing and nationalist call to action and it alone made me instantly close the tab.
I completely understand your frustration. Like you, I believe that every human being deserves the right to privacy regardless of their nationality or where they live or where they were born.
Unfortunately, the Constitution of the United States of America, the sacred document that Mr. Levison was attempting to preserve, does not guarantee that right to every human being -- only Americans.
I look at it at a first step. Once we've "restored" the Constitution and managed to guarantee the right to privacy for those covered by it, only then can we start to "expand" that to include every human being.
I have many friends from all around the world and I believe 100% that all of us should be afforded that same right to privacy that the Constitution gives me, but we've got to start somewhere...
(Disclosure: I'm an American and I have and do donate to the EFF, EPIC, the Tor Project, and I happily gave to Mr. Levison's defense fund immediately after it was announced a few weeks ago.)
I want to help, and am not afraid of the consequences. The government is not going to go after an individual for funding another's defense fund, and if they do, I guess I used my life for the right reasons.
A lot of people did not donate either to Wikileaks for the very same reasons. Not necessarily on HN, but there was a lot of name calling and WL were evil etc etc. How times change.
1) Select an amount (I picked $25 as a test)
2) Advance to 'Step 2'
3) Go back to Step 1
4) Pick an amount again
5) Go to 'Step 2'
6) Fill out the form in detail
7) You'll be unable to hit the 'Continue' button
Like I said in the thread [0] linking to this crowdfunding campaign, I'm normally I'm hesitant to post one word comments like that, but in this case showing your donation breaks conformity behavior in large anonymous groups like the innocent bystander effect.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_...
"particularly describing the place to be searched, and the persons or things to be seized"
Clearly this is a violation of the 4th Amendment as such a key would give them the ability to conduct unfettered and "unparticular" searches. A more targeted, and constitutionally legal, approach would have been to order lavabit to use, but not disclose, the private key to decrypt specific emails from specific people. Given that the police know the public key, they could verify that lavabit had supplied correct decryptions.
Hmm.. the FBI had probable cause to believe Snowden's email contained incriminating data. Furthermore, targeted pen registers/trace orders aren't exactly unconstitutional, but combine the way Lavabit is architected with the scope of the search, and you've essentially given them the keys to the kingdom.
Are there any older physical parallels to this? What happens if the police, in the process of securing a lawful warrant, require access to a physical master key or combination or etc. which would open a great deal more than access to the suspect's belongings?
It appears that the FBI's original request was narrowly targeted to Snowden and completely above board, warrant and all. It didn't give them the keys to the Kingdom.
When lavabit refused to comply,the FBI got more aggressive. Which seems like exactly what would happen. Think about it. What if the FBI subpoenaed financial records from a Bank who refuses to open the safe they were in. Well, the US Marshals are going to show up at the bank with a court order,break open the vault, and get access to all the records and take the one they want. It's not an unreasonable search provided there are checks that they only get the one record they are looking. In fact, arguably the Bank breached it's duty to it's customers by forcing the US Marshals to go through all their records rather than the Bank doing it self.
Obviously, it's not so clear in this case since Lavabit apparently finally did offer to hand over some data, but it is along those lines.
At first I was more on the Lavabit side on this. But it is looking more like they started the whole thing when they defied the initial court order to provide connection info for that one specific user that was the target of an FBI investigation. When served with a warrant, you can't just tell them to fuck off and expect the matter to be over. They will simply go harder... and not go home. I'm concerned that our outrage over "mass surveillance being used for fishing expeditions" has clouded our judgment when it comes to "law enforcement legitimately gathering evidence for an active case against one specific person." Once they have a person of interest, their job is to continue to find evidence to bolster their case. That evidence will take different forms and come from different sources. I have no problems with companies complying with search warrants and court orders by providing evidence regarding illegal activity of a particular suspect. This is different than providing back doors for law enforcement to go looking for suspects.
A commenter on that story makes a good point: Forget for a moment that the user they were looking for was Snowden. If the FBI had been looking for info for a case against a serial killer or a child porn ring, would we still hold Lavabit as heroes for not following the court order?
> A commenter on that story makes a good point: Forget for a moment that the user they were looking for was Snowden. If the FBI had been looking for info for a case against a serial killer or a child porn ring, would we still hold Lavabit as heroes for not following the court order?
I would, because it's impossible to forget for a moment about Snowden. The context cannot be ignored; this is about Snowden. It's better to let 1,000 guilty men go free than 1 innocent man behind bars. As far as I'm concerned Snowden did the right thing and if protecting other criminals is the only way to ensure Snowden's protection... so be it. To quote Armin from Attack on Titans: "If you aren't willing to sacrifice anything, you can't change anything". In this case, sacrificing the chance to punish the guilty is worthy of protecting the innocent.
"If you aren't willing to sacrifice anything, you can't change anything"
Oddly enough, this is why I have issues with the way in which people now protest against unjust laws.
The effectiveness of civil disobedience comes from putting authorities in a position where they must enforce an unjust law to the letter, thus demonstrating to the general public the injustice of the law itself and rallying support to change the law.
This means that civil disobedience effectively requires the person engaging in it to suffer the consequences of disobedience. If a law is unjust, but violators who attempt to demonstrate this can simply walk away relatively unscathed, then it's a lot more difficult to make the case to the public at large that the law is unjust. After all, that guy jumped up and down on the law, and got away with it! How bad could it really be?
But it seems that what we have now is a generation of people who are willing to take the step of declaring the law unjust, and willing to take the step of breaking it to make a point, but unwilling to suffer the consequences which would demonstrate the injustice to the public. Which accomplishes little.
I think Lavabit's owner and Snowden are suffering consequences for the choices they've made; more than they should be. I'm happy to ease that pain in whatever little way I can.
They shouldn't be allowed to go harder. It should have ended with contempt of court. Coming at him asking him for the SSL keys protecting 400,000 people should be illegal. Under what grounds can they arbitrarily increase the scope several order of magnitude with the intent to intimidate? It should have ended with fines, which eventually lead him to shut down the business because it was no longer possible. Fines are a cost of doing business that previously had not factored in. Trying to force his hand by compromising the entire service when none of the other 399,000 other people had anything to do with the crime of 1 is wrong and shouldn't even be an option on the table.
Furthermore, contempt of court should come with the ability to renounce your citizenship and be deported as a political refugee. In fact, that should be the punishment if fines don't work, not jail. Contempt of court is simply a statement that "Previously I lived in this country and supported its laws, but I've committed no crime and am now asked to support some aspect of this nation's laws that I don't agree with. I am now choosing to reject those laws as my own, even if that means that I will be deprived of the right to live in this nation." I really don't understand how jail time eventually become the punishment for rejecting laws but having committed no crime.
That being said, anyone who is in jeopardy of having to give up their citizenship should have due process in a court of law before being forced to do so.
But they knew they were protecting someone under investigation for violations of the Espionage Act and theft of government property. It seems kind of shitty to not help find that person.
Yeah, because in the time frame this was going down, it would have been a totally unreasonable assumption that someone matching those particular crimes described Edward Snowden.
Of course they knew who they were looking for - it was necessary for that to be disclosed in order for the government to even demand the information in the first place. That's what a warrant is.
For as much was wrong with the government's request, it's first request was at least reasonable: specific knowledge on Edward Snowden. The inherent architecture of Lavabit rendered this request unreasonable, and things escalated from there.
Sure enough, the court documents and transcripts clearly have "target" followed by blacked out spaces just wide enough for Snowden, spoken by both lawyers and Mr. Levison. This happens dozens of times throughout the recently unsealed documents.
I didn't say they did or did not know who it was. I don't know if they knew or not. I responded to someone who claimed they didn't know as if that was an excuse. Whether they knew or not isn't even relevant for me. At a minimum, they at least knew what the person was under investigation for... which should have been enough.
That's like saying the bankers in the Cayman Islands don't know who they're a tax haven for. The only difference here is that Lavabit is under US jurisdiction.
It appears that in this case the difference was that rather than ask Lavabit to turn over information they already had, Lavabit would have had to actively modify their system to record the information that the FBI wanted.
That's why the FBI changed tack and asked them to turn over the SSL private keys - because that was information that Lavabit already had, and the FBI could use those keys to record the information they wanted for themselves.
Lavabit defied the initial court order that would give FBI access to all user's data and content as they demanded to install their own equipment: https://news.ycombinator.com/item?id=6487778
It's interesting to apply that same logic to Lavabit itself. Perhaps, knowing the Snowden was the target of the subpoena, the Lavabit founder thought of himself as a member of a modern day underground railroad, intentionally disobeying the FBI to give Snowden time to find safe passage.
When Lavabit first shut down, they claimed that they have no problem complying with individual court orders, but refused to be complicit in crimes against humanity. Perhaps they protected Snowden to enable him to publicize those crimes, and that if the target was a serial killer, Lavabit would have complied.
> [The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that
information just as they could from any telephone company or any other e-mail source that could provide it easily
I find the sense of entitlement the FBI had quite disturbing. Perhaps it is technically true, but they clearly had an attitude not just that they were legally authorized to access such information, but that nobody should be allowed to stop them having it, and any personal cost involved or moral objection is not part of the equation. For me the two do not connect that way - I am entitled to buy a house but nobody is required to help me do it, and if I don't have the money, I'm screwed. It doesn't allow me to murder the guy down the street so that I can take his money to buy the house I want.
The question is, is the FBI allowed to recruit any civilian to do anything they think is necessary to get at some information they are authorised to acquire? Can they go to your grandmother and tell her to prostitute herself if that will help them? At what point does technical ability to accomplish something render you at the mercy of the state to do whatever they tell you? It is one thing to demand someone actively stop obstructing something. But to demand they actively assist goes a step further. The notion of conscientious objection has been accepted and even honoured and respected, even in times of war.
I don't know where this line is. But I know I'm very uncomfortable with the attitude that law enforcement showed in this case.
No it isn't. The government isn't entitled to jack shit. They can demand whatever they want, and they may be able to take it through force, or threat of force, in 99.99999999% of cases, but if the request is bogus, it's bogus, and an individual certainly has the right to take a moral stand and say "no, fuck off".
Now, that individual will probably have their name drug through the mud, be bankrupted, and wind up spending the rest of their life at Gitmo, but they can say "no" if it's important enough to them.
Some people are willing to die for causes they believe in, so it's not such a stretch to think that somebody, somewhere, would tell the govt. to fuck off in a case like this.
No it isn't. The government isn't entitled to jack shit. They can demand whatever they want, and they may be able to take it through force, or threat of force
Your claim here appears to be that the government has only power, not authority (i.e. power + some sort of legitimacy or moral right to use that power). Is that your position? If so, under what, if any conditions do you believe the use of power against other people is legitimate?
If so, under what, if any conditions do you believe the use of power against other people is legitimate?
Self defense. I hold basically the same position as Bastiat, in thinking that government can only legitimately be considered the "collective extension to our individual right to self defense".
The FBI is not allowed to break the law, and the Constitution is the law.
If Snowden showed that some people in government were violating the Constitution, and other people in government were trying to suppress his evidence, would that not mean that the people trying to suppress the evidence are complicit with the violators?
Even if these people didn't swear an oath to protect and defend the Constitution, it is still the law, and they are still bound to obey it.
So, what's the penalty for helping someone violate the US Constitution? And who enforces that?
Participating in a drug deal to convict someone of the crime is certainly one example of them breaking the law. IMHO, they should only be allowed to arrest someone in a drug deal between two bona-fide drug dealers. Participating as one of the two parties in a transaction should be illegal.
I wouldn't be sure, I'm pretty sure legal entities are allowed to employ entrapment in a lot of cases. Watch episodes of Cops, for example, they will attempt to buy drugs and arrest the dealer, or attempt to get people to solicit prostitution from an undercover (female) officer.
Basically, people should stick to the law; dealing drugs or soliciting paid sex are both crimes, no matter who you do it to/with.
Suppressing evidence sounds like something that would have happened considerably later, after they had reviewed Snowden's email records. Reviewing Snowden's email records seems like a reasonable means for the FBI to determine if they are dealing with a whistleblower or a saboteur. We are all convinced Snowden is a whistleblower, but the FBI isn't likely to believe that just because he says so.
Uh, it didn't exactly look like they were trying to figure out whether he was a whistleblower. It rather looked like they wanted to capture him and put him in solitary confinement, with little intention of going after those who apparently violated the law, to silence him, to stop him from embarrassing the United States government.
Yeah, but even if it was proven beyond a reasonable doubt what's the likelihood they would get anything more than a slap on the wrist when they state it was to "defend your freedom"?
I doubt they'd get a slap on the wrist. Maybe a sticky note saying "don't do that again, mmmkay?" Take a look at 20 years of FBI shootings without a single unjustified shooting: http://rt.com/usa/fbi-justified-every-shooting-report-035/
Awesome decision. It's easy to say it was the right call from the sidelines but it's also easy to underestimate the personal cost that must have been involved with walking away from his company, especially with the gag orders making it impossible to discuss his reasons.
There was more than a personal cost. The staff of Lavabit had no idea what was happening as the servers were being shut-down, until they were told to go home.
I apologize; it was not my intent to mislead (though it appears that I did so inadvertently). I was told that the outage was related to maintenance regarding the storage system
> In a work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government called the printout “illegible” and the court ordered Levison to provide a more useful electronic copy.
How illegible? I'm really curious about this part.
Yes. It's interesting that the feds didn't just apply their surely sufficient technical skill to decode it and type it in. Even manually with a magnifying glass one could do it in a day or two of work. Hardly significant in the context of the wider investigation they were engaged in. It makes it seem to me like they'd basically decided at that point to make it a point of principle - they demand not just compliance but proper complete submission to their authority.
They go on to say that it was 2,560 characters. That many chars at 4pt type should not have taken 11 pages. That is roughly 233 chars per page. Even at normal point size, 1 page will hold more than 233 chars. at 4pt I would expect it to all fit on one page. Am I missing something here?
That is what I don't get. If 4pt gives you 130 lines per page, you would only need to fit 20 chars per line to fit the entire thing on one page. With 2560 chars on 11 pages means 233 chars per page at 130 lines per page, we end up with roughly 2 chars per line.
We already know he was basically giving them the middle finger by printing it AND printing it very small. He would clearly need to do something extra odd to make it do this.
Without taking a stance on this statement, I think it's important to realize how alarming it is that simply trying not to betray the trust of your users has become such a difficult, dangerous, and unusual task as to be called heroism.
The intelligence community has put us in such a bad spot that anyone who actually tries not to do something unethical, which should really be the default, is now exceptional and lauded.
Lavabit stood up, and that's admirable. That it's this admirable is a really bad sign.
Well the founder pretty much had to throw away his livelihood as well as part his dream to do something that could land him in jail, for someone he had never met.
He could have easily quietly given them the key (if he had it?), and then live the rest of his life with success and guilt.
Very, very few people would throw themselves in front of a bus the size of the US government to save an honest stranger. Those people are worthy of calling heroes.
Very, very few people would through themselves in front of a bus the size of the US government to save an honest stranger.
That's exactly my point. This is not a situation he should have been in. In our current political environment, absolutely, his actions were heroic. But all he did was what he should have done. That the potential consequences for that are so horrifying is what makes this entire situation incredibly wrong.
Jump to conclusions often? The MUCH simpler, obviously far more likely sequence of events, is:
1) June 28th: FBI/DoJ obtains lawful court order for a pen register trace on Snowden's email account.
2) June 28th-July 9th: Lavabit fails to comply.
3) July 9th: Lavabit held in contempt, which is clearly appropriate as they did not respond to a lawful court order.
4) July 9 - August 1: FBI obtains search warrant for Snowden's email. Lavabit challenges warrant on the irrelevant technical grounds that they encrypt all users' email with same key.
5) August 8: Lavabit shuts down, because it turns out that hosting email for the criminal class carries real risks and isn't terribly lucrative.
You can't wave off court orders just because you think the Internet is some kind of libertarian cyber-paradise where mortal laws do not apply. Court orders and search warrants are lawful means of investigation. Lavabit's business was not compatible with US laws or probably the laws of any country more developed than Zimbabwe.
You sound awfully authoritarian. Just because its lawful doesn't mean it's morally right and that it should be blindly followed no questions asked.
In Nazi Germany it was lawful and mandatory to report on Jews, communists and minorities and the inability to do so or aiding them in any way would often end in the death of the person involved.
You can't throw out common sense and basic decency just because something is "the law".
So you're saying that complying with a pen register order in a federal case is the same as reporting jews to the ss? I ask because there's another guy in this thread who equated pen registers with anti-interracial marriage laws. You guys should get together.
I see no suggestion of equivalency in either post, unless you think such examples represent the lower-bound of how out of line the law must be before you can reject it. Surely you don't think that...
These examples establish that there is a limit to blindly pinning morality and the law. These examples to not make statements about where that limit is, nor do these examples serve to equate any of the governments' actions.
Well, there were zero mentions of Nazis before we started. Then you brought Nazis into the picture. I can imagine, based on how you've brought up a completely unrelated topic, you must be drawing some sort of comparison. Otherwise why mention them?
Even if you're not saying they're identical, they aren't even on the same order of magnitude. Compare this to Soviet surveillance, or some other oppressive regime if you must. Don't bring the murder of millions of innocent people into the discussion just to prove a point. It trivializes a horrible event.
I would argue that actively avoiding to mention a horrible event will cause it to be forgotten and wouldn't help prevent a similar event from happening again.
Both of the posts indirectly imply that complying with this specific pen register order would have been evil on the hitler/mlkjr scale, because they are both made in the context of this article. It would be pointless to say "One must not comply with evil laws, but this law isn't evil, so cool, nevermind what I was saying about evil."
A comment that implies this specific court order was evil, or even moderately wrong, needs to be accompanied by supporting rhetoric about _why_ it was wrong, some indictment of our system of due process. Without such supporting arguments the comments are just disposable invocations of Godwin.
> "Both of the posts indirectly imply that complying with this specific pen register order would have been evil on the hitler/mlkjr scale"
That is an implication you invented. The person who quoted MLK has in fact already very explicitly and painfully clearly stated that he thinks no such thing[1]. If you continue to think that he was implying that, then you are the one that's got an issue.
This "mock offense at historical allusions" shit has no place on HN. It is transparent as hell and does nothing but gum up the discussion.
Yeah, but he didn't clarify what he actually meant by invoking the MLK quote. As I said, it was a disposable invocation of a historical quote.
I've read every comment in this thread and I don't see anybody making even a semi-cogent argument about how due process was violated in this case. Remember, the US Constitution does not guarantee your privacy. It guarantees that you won't be deprived of it without due process of law. That process appears to have been followed here, by the government at least. People like the Lavabit founder who refuse to comply with the results of due process are as guilty of undermining our system of laws as any corrupt law enforcement agency.
He could not have possibly given you a more exact and clear response to your request for clarification.
I was previously giving you the benefit of the doubt and leaving myself open to the possibility that you simply had not seen it (since it is technically in response to himself) but if you really did read his response, then continued to misrepresent his comment that way, then you are doing nothing but shitposting.
All he did was provide an example to debunk your notion that something should be obeyed simply because it's the law. I have no idea how you arrived at such an extreme conclusion that he's implying that both laws are equally evil.
I feel sick when I see people taking analogies as equations, because I like doing analogies myself. Analogies are intentionally exaggerated (but still being logically valid) to make the point stand out. I thought Hacker News readers were better than that.
You can't wave off court orders just because you think the Internet is some kind of libertarian cyber-paradise where mortal laws do not apply.
The story we've heard so far is that Lavabit had routinely complied with warrants and cooperated with targeted investigations against specific individuals. There are court records documenting at least some of these cases.
The details given here are beyond sketchy. Your characterization is hyperbolic and as far as I can see, unwarranted.
> The filings show that Lavabit was served on June 28 with a so-called “pen register” order requiring it to record, and provide the government with, the connection information on one of its users every time that user logged in to check his e-mail.
How is that different than previous warrants? How is that sketchy?
That warrant was different because it was for Edward Snowden.
Lavabit clearly feels he is a legitimate whistleblower. There is a reasonable argument that protecting a whistleblower from surveillance is morally valid (especially when his opposition to surveillance is the core of ).
Whether or not one thinks Lavabit should have done this probably depends on one's views on what Snowden did.
No it was not different because it was for Edward Snowden, but because even if Snowden was named in the order, the FBI wanted the access to everything by installing their own device on the point where nothing is encrypted: https://news.ycombinator.com/item?id=6487778
Here's the thing. Whistleblowers do get protection... but mostly protection from retaliation for their whistleblowing. But if a proper investigation is obstructed, how are we to be certain they are a legitimate whistleblower (there are rules that need to be followed) and not just some guy spilling classified info? I would maintain that it was not Lavabit's place to render a verdict of not guilty and defy the court order. If the cops show up at my house with a search warrant for my wife's closet, I don't get to just tell them I don't think she did it and close the door on them.
I guess the question is "at what point is it morally correct to resist government powers, even if those powers are legally granted?".
All would agree it comes at some point (insert references to morally repugnant dictatorships etc).
Even democratically elected governments cross the line (insert historical references to 1930's Europe).
Even "good" governments cross the line (insert reference to numerous examples of legal persecutions of minority groups in most democracies).
Sometimes civil disobedience is a the morally correct thing to do. Was it in this case? Personally, I'm not sure either way.
While I agree 100% that Lavabit's actions were unlawful, just saying "there are rules" isn't enough to convince me that those same actions were "wrong".
I think a better question is "at what point does anyone get to tell anyone else that their morals must match?"
I'm glad we can agree that Lavabit's action were unlawful... but please don't quote me out of context. "There are rules" was with regard to there being certain rules that need to be followed in order to qualify as a legitimate whistleblower. If you would like to argue that those rules need not be followed then I'll respectfully decline.
Yes. Lets. Oh... we already do. Why not this time? Should we let 4chan or Reddit define it? Who then? Not every single person in every single department in every single 3-letter org is a corrupt asshole just waiting for their chance to stick it to some innocent.
Of course they are not. That is not how tyranny works. It works by everyone doing there part, asshole or not. The tyranny is ingrained in the system itself so its seems just normal.
And we can all see what is normal in the US today.
Well, if everyone decided that "happens later" he'd most likely be dead or in Guantanamo Bay right now, so... Someone has to make a decision based on their own values at some point.
Not everyone completely lacks conviction and ideals, you know.
When was the last time somebody was shipped off to Guantanamo Bay? And seriously, dead? The first warrant the FBI requested was dated June 28th. Snowden was already in Moscow. How would Lavabit cooperating with the warrant have resulted in dead?
I don't know. Maybe if we knew all the details of this case and the previous cases, we could say. Maybe it has something to do with the architecture of the service. Maybe Levison felt that turning Lavabit into a real-time tracking device crossed a line he hadn't crossed before.
I just don't think it's right to call Levison rude names and all but convict him on these vague reports.
On the other hand, it seems like a poor idea to say he is a hero. It certainly seems like he decided that in this case of a legitimate court order(Snowden, right wrong or otherwise, did break a bunch of US laws) he wasn't going to comply --- though by his own admission he could comply for just one account --- and is using the fact that there is a gag order to in fact make his actions seem nobler than they were.
> It certainly seems like he decided that in this case of a legitimate court order(Snowden, right wrong or otherwise, did break a bunch of US laws) he wasn't going to comply --- though by his own admission he could comply for just one account
Why do you think that makes it a bad idea to call him a hero? Far from being a reason not to appreciate him, it seems to me that what you describe is the very action that people are describing as heroic.
Im reasonably sure they are saying he is heroic for standing up to warrantless surveillance, not refusing to hand over data pursuant to a legitimate and specific warrant that he objected to. He's certainly made it sound like that. So first, I'd say he is being very dishonest (if the article is accurate)
Second, a critical point in arguing against warrantless surveillance is that there are legitimate legal channels through which to get the necessary information when it's really needed and that those same channels make the NSA's conduct completely and totally illegal. Failing to abide by those mechanisms makes it hard to make that argument.
It's like having the EFF sticker that says "come back with a warrant" and then a "Fuck the police" sticker next to it.
> "Im reasonable sure they are saying he is heroic for standing up to warrantless surveillance, not refusing to hand over data pursuant to a legitimate and specific warrant that he objected to."
I cannot speak for anybody else, but feel free to consider me among those who consider the later to be heroic. He stuck his neck out for people that he doesn't know, but for whom he feels an obligation to protect. He gave up his business to do it.
Legalities never play a role in my considerations of heroism (except in cases where something being illegal actually serves to make it more heroic, due to the personal sacrifice that typically implies).
Do you really think that the SSL private keys turned over for this legitimate and specific warrant wouldn't have found their way into the warrantless wiretapping program?
No I don't at all, not at least without serious oversight by a federal judge and even then I'd prefer not to have to rely on that. But according to the article, they didn't originally ask for SSL private keys. They asked for Lavabit to give them Snowden's password the next time he logged in. They only resorted to that after they decided Lavabit couldn't be trusted for delaying and refusing to comply with the original court order.
Suppose Lavabit was a bank who got a court order to hand over the contents of a safety deposit box belonging to Snowden and refuses. The FBI demands Lavabit now open the safe that contains all the safety deposit boxs so they can go throw and find Snowden's box and open it. <Edit> and you just have to "trust" them they won't open everything</edit>. This is roughly what happened.
Lavabit is basically claiming that the FBI started out with the break open everything tactic. They are, if the article is true, lying.
No I don't at all, not at least without serious oversight by a federal judge and even then I'd prefer not to have to rely on that
If the data is being acquired under EO 12333, they don't have to report anything to the FISC nor Congress. Where do you see "serious" oversight occurring?
Lavabit had already defied court orders BEFORE they were asked for SSL keys. So it is kind of a moot point. Had they complied with the initial order, SSL keys likely would not have been requested.
Uh... in the document you linked to. Exhibit 2 (bottom of page 1, top of page 2) says this, exactly:
> IT IS ORDERED, pursuant to 18 U.S.C. § 3123, that a pet/trap device may be installed
and used by Lavabit and the Federal Bureau of Investigation to capture all non-content dialing,
routing, addressing, and signaling information (as described and limited in the Application), sent
from or sent to the SUBJECT ELECTRONIC MAIL ACCOUNT, to record the date and time of
the initiation and receipt of such transmissions, to record the duration of the transmissions, and to
record user log-in data (date, time, duration, and Internet Protocol address of all log-ins) on the SUBJECT, ELECTRONIC MAIL ACCOUNT, all for a period of sixty (60) days from the date of
such Order or the date the monitoring equipment becomes operational, whichever occurs later;
The difference is that FBI this time wanted to install their own equipment inside of his facilities (at the point where everything of every user is decrypted):
"shall furnish agents from the Federal Bureau of Investigation, forthwith , all information, facilities, and technical assistance necessary to accomplish the installation and use of the pen/trap device."
Before, they would really demand only the information of the user named in the court order. This time it was "just let us install this thing inside and don't ask."
Is that true? As I understood it, the original request was for pen/trap on Snowden alone; when that was refused and Levison threatened with contempt, he relented, only to be rebuked by DOJ with a new demand for blanket surveillance.
But as I understand it, Levison could have complied with the earlier demand for surveillance narrowly targeting Snowden.
Your understanding is not accurate from my read of the court docs. They wanted their black box (you know the ones), called a pen/trap device in the documents, to be installed on the network. It won't work without the SSL keys, so they wanted those. He offered to modify his software to intercept a single user's email, but they said no.
Yes. It's a multiplier of bad laws like Jim Crow. If these capabilities had existed at the time of Jim Crow, the damage that this would have done compared to what was done would have been far worse.
TBH, the fact that black people at the time were poor and had less access to ubiquitous communication probably protected them greatly.
I hate to invoke Godwin's law, but also imagine if communications for everyday conversations and the surveillance thereof had existed in 1939.
That quote would have read “One has a moral responsibility to disobey unjust laws so long as those laws are of equal or greater unjustness than Jim Crow.”
In essence yes at least in the context of this case, as it is essentially segregating those who wish to expose the illegal activity of the government, and those that wish to turn a blind eye.
Remember, the NSA lied to congress, which is not only illegal but immoral in itself. Think about it, you get to sleep in your bed tonight, Snowden who knows where ?
Well, yeah, he can do whatever he wants. He coulda put out a hit on the agents investigating him and significantly delayed the proceedings. In terms of free will, possible. In terms of practicality, a really bad idea.
And sure, millions of people could have his back, but unfortunately those aren't the people with the guns or militaries, they're the people who tend to stay home posting comments on the internet.
>That's terrible, I can't believe you would suggest that.
Yeah, FSM forbid we actually think arguments through to their logical conclusions. How dare I!
I am pointing out the absurdity and irrelevance of your argument with respect to the discussion at hand. You offered the laser-sharp insight that hey, people can ignore the rule of law, so don't say they can't! It's a semantic distinction and I am taking it to the extreme where while it is still valid, it is ridiculous. Anyone can put out a hit on Federal agents, there are no physical laws to prevent one from doing so. However anyone who values continued survival within civilized society functionally cannot.
I'm not sure if you're being dense as a rhetorical device or what, but I can't believe I'm having to spell this out. On HN of all places. I'd expect this level of discourse from /r/eli5 or similar, not here.
> You offered the laser-sharp insight that hey, people can ignore the rule of law, so don't say they can't! It's a semantic distinction and I am taking it to the extreme where while it is still valid, it is ridiculous.
I don't know. Do remind me, how many US government officials got punished after being caught doing illegal warrantless wiretaps?
You can ignore the rule of law, as long as you are the government, that's not an issue as long as you can bleat "national security" enough times.
Technically that does not imply that all customers are criminals.
Consider this transformation of your quote: "It turns that a bar serving beer to minors carries real risks and isn't terribly lucrative"
Now, this doesn't imply that a bar in only serves minors, though it does imply that the bar knowingly served minors (possibly among others).
(This said, the quote is obviously a rather inflammatory way to describe their business, and Snowden was plainly not a member of some sort of "criminal class" (whatever that is).)
The resistance to the initial request was likely because it targeted a whistleblower attempting to expose the NSA's unconstitutional surveillance, not a member of the "criminal class" (nice framing attempt). It was a courageous act of civil disobedience.
At the time when Lavabit defied the initial court order, had Snowden been classified as a legitimate whistleblower (by the people who actually have the authority to make such a decision)?
"it turns out that hosting email for the criminal class carries real risks and isn't terribly lucrative."
The criminal class? Do you really think that only criminals want private email? I have shocking news for you: some of us use email encryption to protect ourselves from the criminal class.
"Lavabit's business was not compatible with US laws"
Actually it was entirely compatible with US laws. There is nothing illegal about encryption of any kind in this country. The hacker and cypherpunks communities fought throughout the 80s and 90s for the public's right to use strong encryption without back doors, and we, the people, came out winners.
Would have been great with a bit more transparency on the chain of events. Most countries more developed than Zimbabwe would have provided that as a service to its citizens.
Why would court records be sealed at all, and why would there be any speculation about the chain of events if you were given the very basic information about a case?
Throwaway accounts usually mean throwaway opinions. Do something more important with your life.
Warrants in cases under investigation are often sealed because if they weren't the targets would be immediately alerted by services like Lexis/Nexis that their names have popped up in a court record.
(I will remember for the future that "throwaway" users have invalid opinions but "numberwang" is a source of erudition and, apparently, productivity.)
That said, I agree that throwaway users can have very valid opinions, and furthermore agree that warrants are frequently sealed.
I do have a concern of perpetually sealed warrants, and worry that in this case the government would have preferred to seal the case forever.
Also, the seal should never have prevented Lavabit from talking to Congressmen about general concerns regarding forced SSL key delivery. The documents make it clear the judge considered even mentioning the possibility of this occurrence would be a violation of the seal.
This is absurd, because being forced to give up an SSL key for a popular service is unprecedented, and he absolutely should have been able to discretely contact his representatives.
Everybody note that the SSL key demand came only after Lavabit declined to turn over information on one user. I can understand the logic of this from the feds' perspective; they tried to do it the "right" way but Lavabit refused to cooperate so then the feds starting trying progressively more aggressive approaches to get the data.
From the feds' perspective, sure, but the feds' perspective is equivalent to "If he'd only paid the protection money like I told him to, I wouldn't have had to burn down his restaurant. I tried to be peaceful, but he just wouldn't cooperate!"
In other words, they did not expect him to act with integrity. They expected him to turn over the SSL key, then continue offering something that he knew he was no longer in a position to provide.
Their expectations of others reflect poorly on themselves.
I'm sure, but that's not really better. That just means the mobster in my analogy is befuddled that the restaurant owner chose close up shop and leave town after being threatened with arson.
That's true. But then, engage with the question of whether those promises were reasonable. "Even if we have the capability of complying with a request for information on a specific user, we will resist the courts". There's a reason providers tend not to make that promise: keeping it can involve going out of business.
That's not the promise they made, rather it was that they had not developed and would not develop any means to circumvent the protection/encryption for paying users' accounts.
The 'not complying' is only a side effect, and is more so tantamount to a refusal to do work for the government in opposition to lavabit's own business promises. I'm not sure the government in any instance has a right to compel work to meet their specified ends.
Here my biases as a secure software engineer may be coloring my comments, because to my mind, building an architecture which solicits sensitive data from clients but fails to preclude the disclosure of those secrets without enormous engineering effort is the same thing as conceding that such disclosure is possible.
Imagine a mail service that operated solely as a Tor hidden service and required all users to use PGP --- for instance, by checking the contents of mail messages to ensure they were encoding them, and rejecting them if they weren't. That's a service that might reasonably make a promise not to cooperate with a court order.
Lavabit didn't have that system and instead had to make a difference promise: that they would shutter the enterprise before cooperating with a court. And so they did.
That's retarded though. The absence of getpeername calls in their frontend does not constitute an inability to comply with a pen register order.
There are costs of doing business and one of the costs is the ability to comply with lawful court orders. You are completely wrong about the government lacking the means to compel compliance.
Do you think it's more common for businesses to studiously avoid making promises that they might one day be unable to keep, or to make promises for temporary competitive advantage without worrying if 'unforeseen exigent circumstances' might require these 'promises' to be broken? I think your conclusion is correct, but my assessment would be: personal integrity or business success, choose one.
Edit: To tone that down a bit, "Moral Mazes" by Robert Jackall is an excellent although academic work on the ways in which corporate and government ethics differ from commonly espoused personal ethics. I find it a valuable key to trying to understand attitudes toward conscientious leakers such as Snowden. I am implying a value judgment, but realize the details are complex.
"Moral Mazes" seems to have become a cultural signifier, meant to evoke a whole series of positions and beliefs about the trustworthiness of large organizations. When someone drops "moral mazes" in a conversation, I read that as a shorthand; a more intellectually credible way of saying "the whole system is out of order!"
Generally: I think that when the core promise of your business is that you'll do everything you can to resist incursions on user privacy, then yes, it should be pretty common for those promises to be scrutinized.
> "Moral Mazes" seems to have become a cultural signifier
I'm sure it's that too, but I've currently got it checked out as an interlibrary loan serving as my bedtime reading, and I'm finding it really insightful. But perhaps this is because I'm starting from a point of bewilderment as to what motivates most people to act as they do.
> a more intellectually credible way of saying "the whole system is out of order!"
But the miracle is that rather than being out of order, the system mostly works, and tends to keep working. What I like about the book is that it strives to explain the situation from the inside as a mostly coherent belief system, rather than critiquing it from outside as untenable.
Except that per the article they already had that code written so they couldn't credibly claim that they weren't able to do it: "The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to 'defeat [its] own system,'" the government complained.
"Technical ability" means that yes, it's doable if someone does work. It's doesn't mean that they 'already had the ability' other than in a theoretical sense.
And even so, it still doesn't change the fact that it would have turned all their business claims into giant lies, possibly even exposing them to suits for false advertising, etc.
I think you're reading the sentence incorrectly. The way I read it, it's not saying that they "technically had the ability", which is what you're suggesting as having the ability in a theoretical sense. It's stating that they "had the technical ability", i.e., they had the technical prowess, knowledge, etc.
""Technical ability" means that yes, it's doable if someone does work. It's doesn't mean that they 'already had the ability' other than in a theoretical sense."
That is a meaningless distinction. It is the difference between having to type a large number of characters (not even that large -- how hard is it to capture a password?), or a small number of characters. Lavabit, as designed, could access any user's email the moment that user logged in. That is obvious to anyone who understands what encryption is. It is an inherent vulnerability in every system that does what Lavabit/Hushmail/etc. do.
"And even so, it still doesn't change the fact that it would have turned all their business claims into giant lies, possibly even exposing them to suits for false advertising, etc."
If Lavabit advertised itself as an email service that cannot read your email, then that suit could have happened regardless, because the claim is untrue. If, on the other hand, it was advertised as a service that will not read your email and that protects your email while it is stored, that is different and would not have been affected by their cooperation with the FBI's demands.
Strictly speaking, Lavabit always had a back door. Writing the code to exploit it does not in any way change the truth or lack of truth in any of Lavabit's business statements. At some point the secret keys of each Lavabit user were sitting in some part of the server's memory, in the clear, there for the taking.
At best Lavabit only ever provided security between logins i.e. when the data is "at rest." Any claims of security beyond that are, to be polite, overstated.
If you start from the premise of not accepting an answer like "no, not under any circumstances", then the request certainly seems like the logical escalation.
Hence the need to develop systems for which the first "no" is the only "no": "no, we don't have the client-side encryption keys, and there's no way for us to give them to you, nor is there any way for you to surreptitiously insert them into the Open Source client software without being noticed, nor are we obligated to accept your patches introducing security holes which will effectively destroy our entire business/project credibility".
It needs to be more difficult to use your project as a tool for surveillance than it is to personally compromise a specific end-user system.
(That's not to say we shouldn't pursue legislative solutions eliminating the requests in the first place: we need to fight surveillance capabilities on both fronts, legal and technical.)
I spent two years working on a secure, web-based email provider. In order to actually make it secure, you have to abandon all aspects of usability. In order to use it, you have to have native client-side code (javascript is not secure). The user has to be responsible for her key, and if she loses it (or forgets the password, if using generating keys from passwords), her email is gone. Before the user can send a message to somebody else, the other person has to install and configure everything so keys can be swapped. All of this, and you get paid squat because email is seen as a "free" service.
And, to really make it secure, you need to go outside of the smtp world, because all smtp has some amount of meta-data that gets transmitted in the envelope. And that meta-data can be just as damning as the contents of the messages.
I don't expect there to really ever be a truly secure email service, unfortunately.
True, but if widening the scope of a warrant ends up invading the privacy of others completely uninvolved with the investigation, it just isn't right. And that is where the government messed up.
I don't follow. The inference we're meant to draw here is that DOJ wanted pen/trap information for Edward Snowden --- one specific person very much the target of the investigation. And what this article communicates is that Lavabit had that capability, but deliberately chose not to make it available to DOJ.
The goverment is very, very good at bad PR. I don't think any institution in the world is as good at making people (who didn't previously care) hate them as the US govt is. Self-fulfilling prophecies, in a way. They think everbody hates them, so they react in a paranoid manner and violate the entire world's privacy and civil rights, and they're surprised (or feel vindicated, I suppose) when it is precisely that that makes people hate them.
No, under the pretext of a "single user" FBI wanted to install their own equipment inside of his facilities (at the point where everything of every user is decrypted):
"shall furnish agents from the Federal Bureau of Investigation, forthwith , all information, facilities, and technical assistance necessary to accomplish the installation and use of the pen/trap device."
Like half a dozen people have tried to argue that, because the order was lawful and Levison had complied with previous lawful orders, he has no moral justification for refusing this one.
Let's not beat around the bush. You're willfully missing the point. The lawfulness of the order is not at issue; the target of the order is. I would happily obey a lawful order to turn in a fugitive rapist hiding in my basement; I would not willingly obey a lawful order from the same authority to turn over an escaped slave, even if I lived in a slave-holding nation.
If you don't think that Snowden should have broken the law to inform the public of massive, unsupervised, hidden government surveillance and lies about same, that's fine. But say so, don't go making disingenuous sidewise arguments and thinking you're sly. Yes, Levison disobeyed a lawful order. Laws should be obeyed because they are just, not because they are laws.
No, the difference this time is that FBI demanded to install their own equipment inside of Lavabit facilities, having access to all users' data: https://news.ycombinator.com/item?id=6487852
I'm not taking sides against Lavabit here, but it's worth considering the situation here without the Snowden context.
A search warrant was signed by a court for federal agents to retrieve/collect evidence for a specific target. How is what the FBI (and prosecutors) demanded different than a normal wiretap?
edit: If the FBI's order could not be completed in a way that would NOT compromise ALL users, then of course Lavabit should have resisted. My question is based on the assumed validity of this statement in the OP:
> The July 16 order came after Texas-based Lavabit refused to circumvent its own security systems to comply with earlier orders intended to trace the Internet IP address of a particular Lavabit user.
Because of what handing over the data would necessarily entail. (If I understand corectly.. someone please correct me if I have this wrong).
The data the FBI wanted wouldn't have just unearthed Snowden's emails, but everything by every Lavabit user. And if you believe that information wouldn't have made its way to certain other 3 letter agencies...
Why not hand in the characters in 4pt on a single page each? Make it double sided to make it a little more feasible. 233 characters per page is just about nothing at that size, I don't get why they decided to stop at 11 pages.
I think it was to avoid being too obviously non-compliant.
Delivering the information this way could be construed as merely avoiding paper-costs while using formats the hide-bound government officers would be most familiar with (paper). It's somewhat facetious, but you can almost say it with a straight face, and a tech-illiterate judge might even accept it (especially if you did something just slightly more legible at 5 or 6 points).
It would be impossible for anyone to claim with a straight face they complied if they did as you described. Lavabit can claim they provided the keys in a fairly digestible format, and it bought them a few days worth of time.
Also, a single character at 4 pt surrounded by whitespace is much, much easier to decode.
Finally, most courts would charge you for delivering that much paper. For similar reasons, paying court fees in pennies is not accepted by all jurisdictions.
The NSA is older than most voters. When talking about the Stasi there is no meaningful difference between the Republicans and Democrats, Labour and Conservatives, etc. They're all politicians and they're all the same.
I guess Lavabit figured that giving access to the data of one user in the requested way could compromise other users' privacy/security so that would be equal to warrantless wiretapping. Otherwise, what was the problem with following that?
The problem was that following it would be a violation of the privacy of Edward Snowden (well, of the user whom we presume to be Snowden) and of the trust which he had placed in Lavabit.
Violation of his privacy under warrant is what the law would expect in that case. Violating privacy without a warrant (and probable cause and etc.), that what is unconstitutional. Or you are saying that there can be no investigation at all?
Lavabit even admitted, they already assisted investigators in the past for investigation on a specific user. Apparently that request was legal in the view of the Lavabit owner, so there should be something different here.
From the article:
> With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site.
It sounds like he was incurring some significant fines as well, so he was left with the choice of undermining his entire business model, or closing down.
It looks from the article, that they didn't request keys right away, but wanted some other kind of access to target Snowden. There are no details however what that was. SSL keys request already came when Lavabit refused the first one.
I was talking about that unclear first request above.
Circumventing their whole system's security is a step beyond "wiretapping." It opens all customer communications of a supposedly secure service to inspection by an agency that doesn't recognize legal bounds. LI interfaces are usually rate-limited (IIRC the legal requirement in most places is 1% of traffic).
There is no way this is not a "general warrant". If it's not overturned in appeal, the US is no longer an acceptable place to host anything or conduct any business operations for anyone (except the USG or regulated entities).
I'm hopeful it will be overturned at the 4th Circuit, rather than waiting for SCOTUS. There are so many ways to challenge it. The only way we'd be fucked would be if Ladar didn't have the money to appeal, but it's a super tempting case for anyone at EFF/ACLU/etc. Funding the appeal to the max would also be in the self interest of any cloud business in the USA.
Is there a bug in HN right now? Why is this story which was posted 4h ago ranked #7 with 436 upvotes, when U.S. Opposes Tech Companies... is ranked #6 with 169 upvotes while it was posted 8h ago and the Google acquisition of Flutter ranked #3, also posted 4h ago, whereas it only has 96 upvotes.
Did the HN ranking algorithm change or did I miss something?
It just means that at least in some possible cases, the way that SSL is broken is by demanding the private keys and installing a transparent proxy or tap outside of the network.
So while it might not be broken in the way we usually expect crypto to be broken, it continues to be broken from a trustability point of view.
I commend him him for shutting down Lavabit instead of giving in. It was one of those epic moments where one chooses to take a principled stance on something no matter what the cost.
(Reminds me of a Howard Roark moment to be honest)
A service that used a separate subdomain and SSL certificate per user could have avoided such a situation. Though this is an unreasonable burden for a service provider to bear for operating in the US.
Huh? You'd still have a private key per certificate. You might have one key for all of them or one key per cert, but you'd still have a private key for each of those certs.
And giving up the SSL key for Snowden wouldn't give them anything useful, since he's probably not checking his US-based email anymore. (And SSL should be in perfect forward secrecy mode, so the private key can't be used to decrypt past sessions.)
The good news here is that Lavabit only started to suffer when the feds came calling for Snowden. Another email provider "Mavabit" could provide a quality encrypted email service for a while as well, as long as we have a supply of trustworthy operators.
Am I the only one busting a gut that he printed out the SSL key over 11 pages in 4pt font for them to re-key? Hahahaha that's fucking hilarious... though the kind of OCR software the FBI has access to would no doubt have made short work of this.
Given the reported "accuracy" of HP scanners and others on the market - i.e. see recent posts on HN - I think that would be worse than typing it out by hand with a magnifying glass.
https://rally.org/lavabit
EDIT: Since I posted the link 30 minutes ago, there is roughly $1200 more in fund and I'm guessing that it's mostly from HN. So keep it up.