
They did indeed have a warrant for the info. The problem was how they chose to pursue obtaining the info, that is, installing a MitM black box that could read all customer email going through it, not just the citizen for whom they had the warrant. I'm not sure whether they promised to only snoop on that one individual, but even if they did, you would have no way of knowing if they're telling the truth or not. From what I read, he wasn't necessarily trying to protect Snowden, but to protect the rest of his userbase.


What other options were there? There was only one SSL key. Once you can MitM one user in that scenario, you can MitM them all.

To my understanding Lavabit didn't have a system in place for separating out one user like that, and the feds would likely have been disinclined to wait for the development of one.

So perhaps we should take this as a lesson in designing systems to be as secure as possible even with legitimate warrants rather than as a sign of warrants being abused.


My understanding was that he offered them his programming services to create a method to do exactly what they wanted: pull the email info out for just one user. True, he was going to charge them for it, but it was only $2000. A laughably small sum for the people he was dealing with. Supposedly, they denied this offer because they couldn't control it. From my perspective, $2k and a couple days' wait is a paltry sum to pay to not trample over the constitution.

According to Wikipedia, just one month prior, Lavabit had complied with a search order for one user suspected of child pornography. I'm not exactly sure what the difference was between these two cases, but it does show he had at least some capability to do what they asked.

I do agree that "one SSL key to rule them all" is perhaps not the best practice. That said, the design of the system doesn't matter as much to me. Reality is that the system was designed in the way it was, and when offered two methods of getting their data, the feds decided to take the wrong one. (In my opinion.)


It wouldn't surprise me if the feds are sharply limited in what they can pay for warrant-wise. There's a good chance they simply didn't legally have the option of waiting and paying $2k. Understandably, the government does not want "I have a warrant" to become the sound of a cash cow begging to be milked.

If I were to guess, I would say control is actually a huge issue. If it's their equipment and software that's certified for this use, it probably satisfied chain of custody and certification requirements. If it's someone else's, who knows? It's almost certainly not certified and so it might not stand up in court at all. Certification is a big deal in the government and a court is likely to be skeptical about the use of an unproven and uncertified magic software black box in executing a warrant.

So what it comes down to is that the feds may not have actually had a choice of how they got that data.


Excellent points, which I didn't think of.

However, I'll ask you this: is it constitutionally agreeable to trample the rights of others for the sake of gathering evidence? I would say no. Just like how I would say searching all personal mail coming from a certain zip code because you know of someone sending secrets would be, in my viewpoint, wrong. I can chalk up the initial issue of a warrant to the judge not understanding technology, but as soon as it was explained in a courtroom how it was tied together, he should have told the feds to seek evidence elsewhere.


Thank you.

I think it's about collecting evidence in the least invasive way possible. To me, the priority is limiting damage while still allowing law enforcement to function. One of the key privacy advantages of how LE access to phone companies or gmail or similar is implemented is that it allows them to be granted access to just the data in question and little more.

What really becomes a problem is when the evidence in question is only available from one source and there's no way to do it that doesn't run the risk of what I'm going to term information bycatch. At that point there are really only two viable options - allow the collection with bycatch or disallow the collection due to bycatch.

The first is a significant privacy risk. That said, it's also not a new one. As long as people have kept records or written letters, a search has run the risk of exposing the private information of other unrelated people. Certainly, the same concern applies to tapping phone calls, and that's permitted by courts.

The second runs the risk of hobbling law enforcement entirely. Without perfect knowledge of what a given document, packet, phone call, etc. might contain, it's impossible to say that a search will or will not invade the privacy of another person in addition to the subject.

My understanding is that a warrant is for information or items because it's known and understood that information bycatch isn't always avoidable. This is considered unfortunate but unavoidable, as there cannot always be assumed to be other and better options.

I think this goes back to my earlier point about design. If a system isn't designed to contain any breach, then any breach - legal or otherwise - will be uncontained. I think this is less a constitutional problem than it is a technology one.
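
The design point made in this thread (one key that opens everything versus a system built to contain a breach, so that a disclosure for one user cannot expose the others) can be shown concretely. The following is an added example written for this page, not Lavabit's code or a description of its actual design: a toy mail store built two ways, where a warrant response for a single user hands over only what that design is able to hand over. It models mail at rest under a server key versus per-user keys rather than the TLS transport key the thread is about, and the cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in for a real AEAD so the script runs offline. The sample messages, passwords and salts are constructed.

```python
"""Breach containment, one shared key versus one key per user.

Added example, not Lavabit's code or design: a toy mail store built two ways,
showing what a disclosure made for ONE user exposes under each. The cipher is
HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so that the script
runs on the standard library alone; it is a stand-in for a real AEAD.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkey (one for the keystream, one for the tag)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here instead of yielding garbage."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SharedKeyStore:
    """Design 1: every mailbox is sealed under the one server key."""

    def __init__(self) -> None:
        self.server_key = os.urandom(32)
        self.mailboxes: dict[str, list[bytes]] = {}

    def deliver(self, user: str, message: bytes) -> None:
        self.mailboxes.setdefault(user, []).append(encrypt(self.server_key, message))

    def disclose(self, user: str) -> bytes:
        # The only key that opens this user's mail is the key that opens everyone's.
        return self.server_key


class PerUserKeyStore:
    """Design 2: each mailbox is sealed under a key derived from its owner's password.

    Simplification (assumption of this example): the server keeps the derived key in
    memory after login, so it holds something to hand over for one account and
    nothing that opens the others.
    """

    def __init__(self) -> None:
        self.user_keys: dict[str, bytes] = {}
        self.mailboxes: dict[str, list[bytes]] = {}

    def login(self, user: str, password: str) -> None:
        salt = hashlib.sha256(b"salt:" + user.encode()).digest()  # per-user salt, constructed
        self.user_keys[user] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def deliver(self, user: str, message: bytes) -> None:
        self.mailboxes.setdefault(user, []).append(encrypt(self.user_keys[user], message))

    def disclose(self, user: str) -> bytes:
        return self.user_keys[user]


def readable_with(key: bytes, store) -> set[str]:
    """Users whose mail the disclosed key opens: the target plus any bycatch."""
    readable = set()
    for user, blobs in store.mailboxes.items():
        try:
            for blob in blobs:
                decrypt(key, blob)
            readable.add(user)
        except ValueError:
            continue
    return readable


def demo(target: str = "bob") -> tuple[set[str], set[str]]:
    """Serve a one-user disclosure against both designs; return what each exposes."""
    sample = {  # constructed sample mail, not real data
        "alice": b"quarterly numbers attached",
        "bob": b"meet at the usual place",
        "carol": b"renewal paperwork for Friday",
    }
    shared, per_user = SharedKeyStore(), PerUserKeyStore()
    for user, message in sample.items():
        shared.deliver(user, message)
        per_user.login(user, "pw-" + user)
        per_user.deliver(user, message)
    return readable_with(shared.disclose(target), shared), readable_with(per_user.disclose(target), per_user)


if __name__ == "__main__":
    exposed_shared, exposed_per_user = demo()
    print("shared key discloses:  ", sorted(exposed_shared))
    print("per-user key discloses:", sorted(exposed_per_user))
```

Running `demo("bob")` gives `{"alice", "bob", "carol"}` for the shared-key store and `{"bob"}` for the per-user store: the first design can only answer a one-user request with a key that is also the bycatch for every other mailbox, while the second has a per-account secret it can hand over on its own. The same containment idea applies one layer down to the transport key discussed above, but there the per-user split has to be designed into the protocol rather than the storage.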




