What most users don't understand, and I've run into this when speaking with Lavabit supporters, is that there are basically two types of encryption. There is encryption at rest, and encryption in transit. SSL provides encryption in transit, the data sent between two nodes is not viewable by a third party. Lavabit provided encryption at rest. If you weren't using it, it was encrypted. When you sent or received email, it was decrypted (if read from disk) and sent via SSL. SSL is essentially a 'tunnel' - anyone on either end can see what's going in and out, when the data is in plain text. A solution to that problem is PGP - encrypt your data before it's sent, and it will be encrypted at rest and in transit (whether it's via SSL or not).
What's curious is this apparently 'successful service' actually stopped accepting new users in May, 2013. That's very odd. Someone may think that's related to the FBI Probe, but that didn't start until June 10th. Now, I run own and operate VFEmail.net - the subpoena on pages 2 and 3 is nothing out of the ordinary. They always have a 'gag order' attached. The FBI is just as paranoid about the target finding out about the order, as many users are paranoid about the NSA reading their email.
On June 28th, Lavabit received a wiretap order. This is the 'pen/trap' device. Having received this sort of order in the past, using a 3rd party device IS NOT REQUIRED. In fact, Page 7 states use of a trap and trace device or process ("pen/trap device") The ('pen/trap device') is a legal notation to say that from here on, this entire sentence will be referred to as 'pen/trap device' - not that a physical device absolutely will be installed.
At that time, Lavabit could have implemented it's own data duplication system. An email archive feature, and grepping of the log files is all that's needed to comply.
On June 28th (Page 12), we see The representative of Lavabit indicated that Lavabit had [he technical capability to decrypt the information but that Lavabit did not want to 'defeat [its] system.' . Here Levison admits to being able to decrypt data, but is hiding behind Company Policy to state "We just don't do that". I dare you to find anyone in InfoSec who thinks Company Policy is a valid security method.
On July 9th, (Page 20) we see that Levison is compelled to appear before the court to explain why he simply can't decrypt email for a single account - or for those of us who know how email works - why mail received via SMTP for/by the target account simply wasn't archived prior to encryption.
On Page 31 we see the actual summons, Levison is to appear in the Virginia court on July 16th - this summons includes the request for the SSL key. This is because Levison is defying a lawful order to simply archive SMTP communication - which is in clear text on his system.
On July 16th, (Page 34), we see all the dirty details of what the FBI needs to do to accomplish a simple thing that Levison could have done.
We also see on Page 46 - Levison had caved to this simple request, but demands $2000 to provide the information requested, and then another $1500 after 60 days. We also see that the government has paid for his expenses to travel to VA.
(edit:) Why didn't the FBI pay $3500 for that, and instead opt for the SSL key? Here's an example of how to use Capsa Professional to save emails. Once that content is saved, it's trivial to grep each text file for the target's address. I'm sure the FBI has software that includes the filtering. This isn't magic or hocus pocus, it's simple network sniffing that anyone with a basic background in InfoSec can do. There's no reason, other than complete lack of familiarity about how it's done, that Levison couldn't provide the requested information at a reasonable reimbursement rate.
Beyond that it's all about the SSL key. The entire episode was CAUSED by Levison's failure, and flat-out incompetence, to implement a simple SMTP archive feature and then his attempted fleecing of the American taxpayer by charging $2000 to provide that information.
(Edit) Some people have said the 'archive' is very complex to implement or the email would have been encrypted. Actually, neither are true. First, Levison was already 'up to date' by manually decrypting the mailbox, just new mail needed to be sent in an automated fashion. Second, SMTP is very simple - it's basically 4 commands. You connect, say HELO, MAIL FROM, RCPT TO, DATA. What you see in an email all follows DATA. MAIL FROM is only for return mail, and RCPT TO is the destination. A simple archive feature would merely read the RCPT TO, do a text match, and programatically add 'fbi' as another RCPT TO. For outgoing mail, you just do the match on the AUTH (or MAIL FROM) line instead. Levison claims to have written the entire Lavabit code, so adding this option should have been a trivial exercise.(/Edit)
If you think that's bad - remember Levison's original version of 'security': "We just don't do that". Apparently that's a good enough answer for him, but when the FBI requested his SSLKeys, all of a sudden 'we apply filters per policy' is no longer an acceptable answer. So now, supposedly, everyone's data is at risk.
Levison wasn't able to make $3500 off the FBI, but the gullibility of the public has earned him over $200,000 on Kickstarter, and $100,000 on Rally. Who knows how much he's taken in on Bitcoin, Paypal or other direct methods. He may not be much of a tech, but he's good at marketing.
VFEmail has no interest in supporting this person or DarkMail - another marketing ploy to target the non-technical public. If someone does come out with an untainted open source, encrypted, SMTP replacement that still allows AV Scanning, Spam Scanning, and User Filtering on the server - we'd love to hear about it.
Who knows why the media won't cover this angle of the story. I understand USA Today or NYT not having proper staff to understand tech issues at this level, but Ars? It's a sad state of affairs. Frankly, I've thought about shutting down VFEmail because of Lavabit. Not because of 'NSA hacking', or 'Subpoenas for SSLKeys' but because Levison and Silent Circle are trying to manipulate the public into using a solution that won't ever be able to meet their demands.
(Edit 2/24/14) I was subscribed to the Dark Mail Alliance email list - JUST IN CASE they were to release something of substance. Apparently it's nothing more than a marketing list for Silent Circle's products.(/Edit)
If you would like to support me or VFEmail, you may donate to firstname.lastname@example.org or via Bitcoin to: