Hands Off Encryption! Say New Amici Briefs in Lavabit Case
By Jennifer Granick
Saturday, October 26, 2013 at 12:26 PM
Source: http://justsecurity.org/2013/10/26/hands-encryption-amici-briefs-lavabit-case/

The Fourth Circuit Court of Appeals is in the process of deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with websites and email servers. The case could decide the future reliability of encryption protocols to protect all Internet communications. While the government wants these keys to decrypt user information, there is really no acceptable way for the Court to order a secure communications service to break its encryption protocol. The danger to innocent users is too great, and there are network effects that would shatter critical trust in SSL implementation as a whole.

This dispute involves Lavabit, a now-shuttered encrypted email service provider, which the federal court for the Eastern District of Virginia ordered to give to FBI investigators its SSL key to assist in its investigation of one of Lavabit’s users. We do not know, but some have made an educated guess that the targeted user is whistleblower Edward Snowden. SSL is a standard security protocol for establishing an encrypted link with web or email servers to ensure that your communications over the network remain private and unadulterated. Turning over the key would not only have given the FBI the ability to obtain information about the suspect, but also about all 400,000 of Lavabit’s customers. Lavabit refused to turn over the key, and closed its doors instead. Now the District Court order is on appeal, and three groups, the ACLU, the Electronic Frontier Foundation and the start-up Empeopled, filed diverse amicus briefs yesterday.

Aside from the danger to secured communications overall, nothing in our law requires providers of legitimate email services to turn over keys or otherwise dismantle the security on their systems to help out in a government investigation.

Luckily, there’s an easy answer here. Lavabit offered to decrypt itself the data the FBI wants on the suspect and disclose it to the government, and the government presumably can get a search warrant for that particular user. This is what the Fourth Circuit should order, rather than undermine cybersecurity for us all in the hunt for one person.

1. Background

The U.S. government had obtained a federal district court order requiring Lavabit to turn over its SSL key to enable investigators to collect Internet transactional data on one of Lavabit’s customers. Lavabit refused on the grounds that disclosing the key would give the government access to communications of all other Lavabit customers, as well as the targeted user. Rather than comply with the order, in mid-August Lavabit shut its doors. Other secure communications providers, including Silent Circle (encrypted email) and CryptoSeal (VPN), soon followed suit, on the ground that these services could no longer promise customers security if law enforcement could force disclosure of the master keys. Lavabit subsequently challenged its disclosure order in the Fourth Circuit Court of Appeals. Friday, the ACLU and ACLU of Virginia (“ACLU”), the Electronic Frontier Foundation (“EFF”), and a start-up discussion platform called “Empeopled” filed amicus briefs in support of Lavabit.

SSL stands for Secure Sockets Layer. It is the standard security mechanism for establishing an encrypted link between software on your computer and web or email servers on the Internet. SSL ensures that all data passed between the server and the software remain private and unaltered.

A protocol describes how a cryptographic algorithm like SSL should be used. Trust is an essential part of the SSL protocol. “Certificate authorities” are organizations that validate web or email servers as being genuine and issue SSL certificates. Each SSL Certificate consists of a key pair as well as verified identification information. When client software attempts to communicate with an SSL secured site, the server shares the public key with the client to establish an encryption method and a unique session key. The client software confirms that it recognizes and trusts the issuer of the SSL Certificate. This is the “SSL handshake” and begins a secure communications session that protects message privacy, message integrity, and server security. If an SSL key is compromised, the business is generally obligated to inform the certificate authority that signed the keys.

Our online security depends on the reliability of the SSL infrastructure — everything from social networking to online banking depends on trust in SSL certificates.
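The handshake described above ends with a per-session key that only the holder of the server's private key can recover from what the client sends. The toy model below is an added example, not part of Granick's article and not Lavabit's code; it shows why the article treats a single seized key as exposing every customer rather than one. It uses textbook RSA with tiny hypothetical primes and a throwaway hash-based stream cipher (neither is real SSL/TLS and neither is secure), records several users' handshakes exactly as a passive observer on the wire would see them, and then decrypts all of them with the one long-term key. Function names such as `client_handshake_and_send` and `decrypt_all_recorded_sessions` and the sample traffic are my own constructions.

```python
"""Toy model of an SSL-style RSA key exchange and what a seized server key means.

Added illustration, NOT a real SSL/TLS implementation: the RSA modulus is tiny
and the "stream cipher" is a hash-derived keystream, both for readability only.
"""
import hashlib
import secrets

# Constructed, toy-sized server long-term key pair (hypothetical primes; insecure).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
SERVER_PUBLIC_KEY = (N, E)          # what the certificate carries
SERVER_PRIVATE_KEY = (N, D)         # what the court order asked Lavabit to hand over

# Constructed sample traffic from several unrelated users of the same server.
CONSTRUCTED_TRAFFIC = [
    ("alice", b"quarterly report attached"),
    ("bob", b"call me about the contract"),
    ("carol", b"see you at 7"),
]


def _keystream(session_key: bytes, length: int) -> bytes:
    """Expand the session key into a keystream (toy stream cipher, illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def _session_key(pre_master: int, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Both ends derive the same session key from the shared pre-master secret and nonces."""
    return hashlib.sha256(pre_master.to_bytes(8, "big") + client_nonce + server_nonce).digest()


def client_handshake_and_send(user: str, message: bytes, server_public_key=SERVER_PUBLIC_KEY) -> dict:
    """Model the RSA key-exchange handshake from the client side.

    The client encrypts a fresh random pre-master secret to the server's public
    key, derives the session key and sends its data under it. The returned dict
    is everything a passive observer on the network can record.
    """
    n, e = server_public_key
    client_nonce = secrets.token_bytes(16)
    server_nonce = secrets.token_bytes(16)      # chosen by the server in a real handshake
    pre_master = secrets.randbelow(n - 2) + 2   # 2 <= pre_master < n
    encrypted_pre_master = pow(pre_master, e, n)
    key = _session_key(pre_master, client_nonce, server_nonce)
    ciphertext = _xor(message, _keystream(key, len(message)))
    return {
        "user": user,
        "client_nonce": client_nonce,
        "server_nonce": server_nonce,
        "encrypted_pre_master": encrypted_pre_master,
        "ciphertext": ciphertext,
    }


def server_receive(record: dict, server_private_key=SERVER_PRIVATE_KEY) -> bytes:
    """The legitimate server recovers the pre-master secret with its private key."""
    n, d = server_private_key
    pre_master = pow(record["encrypted_pre_master"], d, n)
    key = _session_key(pre_master, record["client_nonce"], record["server_nonce"])
    return _xor(record["ciphertext"], _keystream(key, len(record["ciphertext"])))


def decrypt_all_recorded_sessions(records: list, seized_private_key) -> dict:
    """Whoever holds the single long-term key can do exactly what the server does,
    for every recorded session of every user, not only the targeted one."""
    return {r["user"]: server_receive(r, seized_private_key) for r in records}


if __name__ == "__main__":
    recorded = [client_handshake_and_send(u, m) for u, m in CONSTRUCTED_TRAFFIC]
    for user, plaintext in decrypt_all_recorded_sessions(recorded, SERVER_PRIVATE_KEY).items():
        print(f"{user}: {plaintext.decode()}")
```

Running the file prints every user's message, which is the point of the article's 400,000-customer argument: the key is not specific to one mailbox. This property belongs to the RSA key-exchange mode the article's description of the handshake corresponds to; TLS cipher suites with an ephemeral Diffie-Hellman exchange derive the session key from per-connection values that the long-term key only signs, which is why they are preferred today, although the article does not discuss them.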
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.