Lavabit has revealed something incredibly important.

The US Government has no problem with seizing your private keys. It claims the right to impersonate you without your permission.

It no longer matters which system you use, Sovereign Keys, PGP web-of-trust, traditional PKI, they're all the same. Services based in the US can be MITM'd without leaving any traces.

If this is allowed to continue uncontested there will no be no way to stay secure online. The only solution is a partial solution, to create decentralized services. This, at least, will require the government to seize the private keys of each individual they want to track.

Amazon already offered the login feature (this was launched earlier this year), and they already offered an API-based payments platform (Amazon Flexible Payments, launched in 2008). Rather than just allow you to pass login tokens to Flexible Payments, however, they have decided to provide a completely incompatible API with a new set of endpoints, a completely incompatible accounting system, and even completely new terminology to describe the same set of steps. As someone who has invested heavily in Amazon Payments solution over the last four and a half years (for a long time I had been their largest customer doing mobile payments, and when jailbreaks come around I still leap upward in their charts), I frankly look at this as a massive "fuck you", and not any kind of reasonable step forward :(.

Seriously: integrating payment processing is never the hard part; instead, it is integrating all of the accounting backends from different providers so you have all of the charges, fees, fines, refunds, disputes, etc. all being calculated and scraped in a way such that despite processing millions of transactions you are in a position to, for example, file things like VAT and income tax. It can take months of experience to figure out "oh, this API is failing to correlate chargebacks in these specific circumstances, but I can work around the issue like this" or to learn what all the different kinds of error messages that a user can end up seeing so you can provide support. It might even be worth it occasionally to rewrite everything if the new services always provided a superset of the functionality from the old ones and there was some kind of migration path, but Amazon just keeps making entirely unrelated solutions.

After the way Amazon has treated their FPS platform (they seem incapable of making even trivial changes: even just fixing wording in e-mails that they agree is flawed and confusing to users), I cannot imagine ever investing in another Amazon Payments product again (and I have tons of more reasons why I've come to this position, which I'm probably going to be putting together into a blog post soon, largely having to do with the lack of any reasonable payment fraud prevention model for third-party products). I honestly get the impression that they outsource all of their development for Amazon Payments and no longer have any expertise in-house required to actually maintain the software once deployed. (If nothing else, from having the opportunity to speak with a couple Payments developers working out of Amazon's India offices, I know that they are not running development for these products out of Seattle; the time zone differences might just be horribly brutal attempting to coordinate?)

To be clear: I tried very hard to work with them, having tons of meetings with greater and greater numbers of people on their side, putting together more and more detailed descriptions of what is going wrong on their end (even teaching them some things about payment fraud, which simply should not happen: I should not ever have anything insightful to say about payment fraud that they haven't already spent years thinking about... I'm just a tiny merchant, whereas they are either one of the world's largest merchants or a payment processing firm depending on which angle you are looking at them from ;P), before finally giving up a few months ago (I've just resolved to remove them entirely from my stack and replace them with more reasonable solutions).

Somehow PayPal manages, every few months, to provide interesting new functionality--even provide entirely new API layers--and it all maps back to the same accounting backends, old code continues to work with minimal changes, and the UI keeps improving (slowly, but surely). Amazon FPS in 2008 far surpassed similar offerings, but in the last five years PayPal simply built up the same functionality (better) while Amazon let theirs rot. It isn't even clear how this new Login and Pay with Amazon service is connected with Amazon Payments: they mention a random subset of the now-numerous Amazon payments-related products in the documentation as being incompatible with this (including Checkout by Amazon), but they don't even bother to mention a whole host of others (including Flexible Payments and Simple Pay). I've found an older version of the documentation (using Google Cache) that references Amazon Payments Advanced (another Amazon Payments offering that seemed targeted, ironically, at less advanced use cases), but the new integration guide limits the scope to just payments made via this service. They seriously have so many incompatible solutions now that it doesn't even seem worthwhile attempting to document how they relate :(.