You need a warrant, but honestly we don't know if that isn't the case here. It's come up before that the NSA, FBI et al, serve warrants for encrypted data and can demand it be decrypted. Otherwise, services like lavabit are equivalent to Swiss bank accounts that are unreachable by any means, legitimate or otherwise. Realistically, this service was almost certainly hosting a ton a illegal activities.
In this case the government is probably trying to pull a hushmail: getting the service provider to install spying equipment targeted at their users, and then sharing the spy data with the government.
1. The government should not be able to force this kind of spy equipment to be installed.
2. If we had good privacy laws it would be illegal for the company to even willingly share this data without a warrant.
I think the trick here is that lavabit can't share data even with a warrant. Their inability to do so is pretty much their entire business model. That protects people from unwarranted intrusions, but it also insulates people from legitimate investigation. If they build a backdoor for only duly authorized warrants, they are no more or less obligated to comply with an NSL.
I would hope that if they've received an NSL ordering them to wiretap their own email, that the NSL is at least limited to specific targets of an investigation.
But some people do strongly believe in throwing out the whole bathtub if that's what it takes to keep the data safe, and to those people I will certainly tip my hat, even if I disagree myself.
I can accept a company complying with a warrant and divulging data for some customers.
I will not accept a company that promises complete security and then sends a trojan to customer computers. Anyone that betrays the security promises made to the entire user base (eg. hushmail) should be ostracized.
I'm thinking now that if he had just been ordered to turn over some data, shutting down his service wouldn't let him off the hook. They must have asked for a back door or some other ongoing intrusion.
Here, yes I agree that's what it sounds like (and that it's an overreach in general, unless there's something I don't know).
I wonder though, whether this presumed requirement to install spying software is being done by only an executive-level NSL or by a court order/warrant.
Google, Yahoo, MS, etc don't encrypt their data and they had the same choice to make when served with a NSL or whatever. They fought through legal channels to some degree before caving. Shutting down operations was technically possible, though infeasible. They could have spoken out publicly and accepted the consequences. I doubt they think twice about handing over data requested in a warrant nor should they.
I personally wouldn't have expected Google/Yahoo/MS/etc. to cave, but that's because I would have naturally assumed that as U.S.-based providers that they may eventually be served with a U.S. subpoena and simply wrote it off as a valid possibility.
I think most people expect that the Fourth Amendment would have applied to email hosted at these places, but that's because they don't understand how the case law has been applied to things like this.
If people really just want cloud-based email they can check from multiple devices, that does have "normal court protections", and without having to host on their own PC this kind of thing is a possible solution. There are existing turnkey software frameworks to make it work too (e.g., Kolab, which is developed by some of my fellow devs in Europe).
