All the versions of this article: [English] [français]
Le 12/3/2014, 20:14 Ladar Levison (Lavabit) at the European Parliament
A few month ago, Ladar Levison, founder of Lavabit, an American highly secure email company, was interviewed by the European Parliament to talk about his story against the FBI about his company’s private keys and his user’s confidentiality.
Listen to this video, its really short, and really insightful on the problem of surveillance of private communications, the right to privacy, how he fought against a request from the FBI to massively spy on his users without any control etc.
Ladar Levison at the European Parliament
Privacy defined by Levison
Levison has a quite clear definition of privacy and why it is important. He describes the chilling effect that surveillance have on people, and that when we don’t have privacy, we can’t talk about the other freedom we lost, and how we can organize ourselves to get them back.
He describes the concept of SSL keys, why it is a crucial asset of Internet companies.
He also describes how he refused to give a uncontrolled access to the data of his users, asking the FBI what they need exactly. He proposed to audit the surveillance device they wanted to put into his systems, and keep half the password of it, so that he is sure the machine is only doing what the FBI was allowed to do by the law.
Obviously, the FBI refused, and eventually, Levison was forced to shutdown his company.
He also explains that he was believing that the USA was the best country to host his service, and now he thinks its the worse, if not before China...
(I created the english subtitles for this video, if you want to translate it to english, go to La Quadrature du Net’s mediakit to get the original subtitle to be translated)
The Entire speech below
There we go
For those of you who don’t know who I am I will start up by giving a little bit of background.
My name is Ladar Levison and I was the owner and still am the owner operator of Lavabit. An email service that hopefully one day will be able to stand on its own without any references to Snowden.
I thought that was great there was a time right after the shutdown when my lawyer was talking to the press and he didn’t say the word Lavabit when asked to who he was working for he said Snowden’s email provider and I had to explain to him that "you were not working for Snowden or Snowden’s email provider you are working for Lavabit." So hopefully one day I’ll step back from that shadow and let the issue that I’m fighting for stand on its own and that is
the right to privacy.
For those of you who don’t know It’s actually only been in the news about a week now because I’ve only been able to disclose it for about that long. Precisely what I’m fighting for in court is the right to protect a company’s SSL keys. For those of you who don’t know SSL It’s the little lock icon in your browser that protect your ecommerce transactions. It’s a core cryptographic technology or protocol that really protects communications on the Internet
and establishes trust in a persons’ identity.
Quite simply you encrypt something with somebody’s public key and you know that only that company or at least in theory only that company can decrypt it. It guarantees that when you send your username and password for example
to your bank, that only your bank can decrypt that information.
And effectively what was going on is the FBI wanting to usurp my online identity, usurp my private key and use it to masquerade as my business on the Internet intercepting all communication coming in and out of my network. And of course I wasn’t comfortable with that to say the least. More disturbing was the fact that I couldn’t even tell anybody that it was going on.
How do you have a debate how do you discuss something publicly when nobody even knows that a particular law exists? Or that it is being applied in a certain way? So that’s quite simply my fight.
We filed our brief in the appeal last week. So now we sit back and we wait for a ruling and hope that it will be favorable.
When I first started Lavabit 10 years ago I thought the United States would be the perfect country for it. After all we are, you know... "the home of the brave
and the land of the free" Our constitution is supposed to protect freedom at his most basic level and as it turned out, I probably picked the worse if not the second worse country on the planet for hosting the service. China being the other one. But rather than pack up my bags and head to Europe I decided that as an American it’d be important for me to stay and fight to try to change the laws that I disagreed with.
Like I said, I’m sitting and waiting If I win my battle in court, I reopen Lavabit
and business will continue, and if I loose I’ll probably have to turn over my business to somebody in Europe who can run it for me. While in my place I’ll go off and be a farmer, something like that.
What we have here today is a debate on to what length a government and its law enforcement officers should be allowed to go when it comes to conducting
investigations. It’s the simple question of "surveillance versus privacy" and a lot of people have accused me of being anti-government because I was anti-surveillance and that’s simply not true I’m not anti government I’m simply pro freedom. Think about that. I believe in the rule of law I believe in the need
to conduct investigations. But those investigations are supposed to be difficult for a reason. It’s supposed to be difficult to invade somebody’s privacy because of how intrusive it is. Because of how disruptive is is.
If we don’t have a right to privacy how do we have a free and open discussion?
What good is the right to free speech if it’s not protected in the sense that you can have a private discussion with somebody else about something you disagree with. Think about the chilling effect that that has Think about the chilling effect it does have on countries that don’t have a right to privacy? It’s one thing for us to give up our rights for what we guaranteed is the ability to talk about the rights that we’ve lost in the hope of regaining them and if we can’t have that discussion we will never be able to regain any of the freedom that we may have given up. So that’s why I take such an hardened view of how important it is to protect the right to privacy. And that’s why I developped the service that I did.
Quite simply Lavabit was designed to remove the service provider from the equation by not having logs on my server and not having access to a person’s emails on disk I wasn’t elimitating the possibility of surveillance I was simply removing myself from that equation. In that surveillance would have to be conducted on the target either the sender or the receiver of the messages.
We have a very important case in our history over in the United States it’s "Smith vs Maryland". I learned about it myself quite recently. But basically what it says is that any information you trust to a service provider is no longer protected. All of the meta information associated with a phone call or an email information is no longer protected. And effectively what it means is that if you want to have a communication if you want to communicate with anybody electronically that that discussion is not protected, because you are untrusting
a service provider out there in the cloud, in the ether with those communications. And it shouldn’t be that way. Simply using a service shouldn’t mean giving up your rights to privacy. And that’s what my service was designed to do. It was to remove me from the possibility of being forced to violate a person’s privacy.
Now I lived happily for about ten years until recently. At which point I was approached and told that because I couldn’t turn over the information I would be forced to give up those SSL keys or let the FBI collect it themselves. And again I tried to cooperate. I tried to modify my systems to provide the information myself for that one particular user. And the governement’s response was "but we want it in real time!" you mean you want to be able
to log into a device onto my network and change the collection programs
in real-time without anybody knowing? They didn’t have any answer to that.
When I offered to let them put the device on my network, but stipulated that
I’d be able to audit it that I’d be able to configure it with them and that I will hold 10 characters of the password and they will hold 10 characters of the password so that we’d know that this device was only collecting the information that they were legally authorized to collect, they declined as well.
Effectively what they wanted
was unfettered access to every
communication on my network
without any kind of transparency.
And that was simply a situation
I couldn’t live with
something I was not comfortable with.
In fact it was such
a disturbing prospect
that I was having trouble sleeping.
So finally I decided
If I didn’t win the fight to unseal my case,
if I didn’t win the battle
to be able to tell people what was going on
Then my only ethical choice left
was to shut down.
Now I didn’t expect anybody
to even notice my shutdown
sends the 400 000 or so people
who were using my servers.
maybe a little bit of cover
in the tech blogs.
But if there is one thing
the summer of Snowden
has done for all of us
it’s focus the debate on privacy.
And as a result
I got a lot more covers than I expected.
That’s part of the reason I’m here today
because the people on this audience
heard about what was going on
they may wanted to hear more.
But the discussion doesn’t mean anything
if it doesn’t lead to action.
So while my lawyers can win the battle
for SSL keys
There is a larger debate
about whether or not service providers
can be forced to give up
password, encryption keys,
their intellectual property
their crown jewels
just in the aid in an investigation.
Or that the burden
should fall back on the investigators?
Like I said
surveillance is not supposed
to be easy.
It is supposed to be difficult.
And what’s happening is
the methods that are being employed
are creating effectively an arms race
forcing people who want
to have private conversations
to develop better and better ways
or more secure ways
and unfortunately what that means is
that both the citizens and the criminal
are using the same methods of communication.
And that secure method of communication
is become harder and harder
to decipher for law enforcment.
And it’s a prospect that effectively
is been brought on by themselves
and it’s unfortunate
but it’s a reality
and I think I’ll leave it to that.
Welcome on Benjamin Sonntag's blog, web entrepreneur, Linux expert and free-software-savvy half-geek.
Here you will find geek tuff, tricks and tips and friendly ads, personal histories and a bunch of politics ...
On the same topic ...
In the Octopuce boat ...
- 15 February 2016 – Accélérer votre réponse SSL/TLS avec l’OCSP Stapling
- 9 February 2016 – Débugger PHP en CLI avec Xdebug & Vim
- 14 September 2015 – Analyser une attaque avec les logs d’Apache2
- 30 April 2015 – Conditions générales de vente
- 7 April 2015 – Testing Augeas lenses with augparse on Debian GNU/Linux
La Quadrature du Net
- 13 February – Lettre ouverte aux eurodéputés : pas de marchandage sur la vie privée
- 10 February – Censure du délit de consultation de sites terroristes : victoire pour la liberté d'information !
- 10 February – Finissons-en définitivement avec CETA !
- 24 January – Chiffrement, sécurité et libertés, positionnement de l’Observatoire des libertés et du Numérique
- 20 January – Journée internationale de la protection des données - Reprenons le contrôle de nos données !
Old stuff ...
- 22 février 2014 – Compilation d’un paquet debian à partir des sources
- 31 janvier 2015 – DDOS sur La Quadrature du Net, analyse
- 11 juin 2015 – Signature antivirus & Clamav
- 3 octobre 2015 – Projet de loi pour une République numérique
- 12 March 2014 – Ladar Levison (Lavabit) at the European Parliament