Government

U.S. Justice Dept. asks for all IP traffic to your site: How would you respond?

If a government request for information about traffic to one of the site's you support appeared in your mailbox or in your email inbox, what would you do first?

CBS News reporter Declan McCullagh has written an interesting article about a the U.S. Department of Justice request sent to Indymedia.us, a news aggregation site, that ordered one of the site's admins to provide details of all visitors on a specific day. McCullagh wrote:

"Kristina Clair, a 34-year old Linux administrator living in Philadelphia who provides free server space for Indymedia.us, said she was shocked to receive the Justice Department's subpoena. ... The subpoena (PDF) from U.S. Attorney Tim Morrison in Indianapolis demanded "all IP traffic to and from www.indymedia.us" on June 25, 2008. It instructed Clair to "include IP addresses, times, and any other identifying information," including e-mail addresses, physical addresses, registered accounts, and Indymedia readers' Social Security Numbers, bank account numbers, credit card numbers, and so on."

Instead of immediately turning over the requested data (which according to the article, Indymedia.us didn't actually have), Clair turned to the Electronic Frontier Foundation (EFF), who agreed to take on her case. After a series of letters, telephone calls, and faxes between EFF and the U.S. Justice Department, the subpoena was withdrawn and the issue appears to have been dropped. For a more detailed description of the event, Kevin Bankston's, a senior staff attorney with EFF, description of the exchange.

While this article raises a host of legal and privacy issues, I'm most interested in how most IT professionals  respond when presented with a similar request. If a government request for traffic or visitor information for one of the site's you support appeared in your mailbox or in your email inbox, what would you do first?

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

40 comments
sdavis4fun
sdavis4fun

For those of us who can produce most of this type of request, HR and the corporate lawyers are usually available. IP logs would be easy. Providing the personably indentifiable information internally is enough to get a write up, or even fired in some security instances. It seems that the scope of this warrant could not have been issued without breaking some kind of privacy law. It should have been recinded!!!

driftair
driftair

Even Lawyers sometimes ask for data they think they have a right to view, but in actual fact is completely irrelevant to meet their requirements. As for Governmental agencies one might ask; Why? Am I being tested as to whether or not I know how to get the data you already probably have in your possession under homeland security 'tracking' records? ! LOL The average American knows very little about what the Government and Military are doing anymore. And Political posturing is not reliable information.

rhmercer
rhmercer

Exercise my rights to use the delete button in my email programme!

santeewelding
santeewelding

Handcuffs, the other command to appear, don't work virtually, either. They are delivered in person.

PlexusSage
PlexusSage

The subpoena came as a PDF, presumably via email? In that case it would have been dumped into the spam folder along withe other emails from Mr. Oom Foo Foo Bango of Kenya who wants to share his millions with me. A real supoena will be hard copy delivered by a process server. In that case, it would go to corporate counsel. Charlie www.plexus-it.com

The Admiral
The Admiral

What we are forgetting here is that the government does not send official documents through email. The subpoenas need to come in a nice envelope with an official stamp. When opened, then it gets immediately sent to the corporate lawyer. But a subpoena via email equals a shunt into the trashcan as SPAM.

warren
warren

I'm in Australia and they do not have jurisdiction. If they want information then go through the Australian Federal Police.

illusionbuster
illusionbuster

where is the contract? Since ALL LAW is contract, sorry folks there is no exception to this, contrary to what you may have been taught. Where is the contract I entered into, with full disclosure, to provide the requested information by the DOJ? No contract? then no need to provide the request. All law is contract. All contract is by consent. All consent is by intent. All intent is by will. Only man has a will. Government has no will as it is paper creation, a fiction, and you cannot ask it any questions nor get any response from it itself. So where is the contract you entered into with another entity that possesses a will? NONE can exist!!! Go bother some other unknowing entity.

GSG
GSG

I used to be the custodian of medical records at my last hospital. What this means is that I was the poor slob who had to take records to court, etc... A subpoena is not necessarily issued by a court. The local podunk lawyer down the street could issue the same subpoena that the DOJ did, and it's signed by some clerk in an office. Just because you get a subpoena for something, doesn't mean that you have to produce it. We would get subpoenas for records all the time. In many cases, I would call the issuing lawyer, and in nice terms, tell them where to stick it and how far. Then they had the option of producing a court order, a search warrant, or a signed release from the patient. So, to move this out of the medical realm to the technology realm, I believe that you can reply to the subpeona with an official letter that says you won't produce it without a court order.

om
om

I live in Canada but considering the seemingly imminent collapse of all privacy (read: freedom) throughout the world, I would not be surprised if this happened here. This is terrorism to the extreme - but then I tend to get emotional about protecting my privacy and others'.

jlund
jlund

I live and work in Canada, even so I would pass this on to corporate counsel because we are SOX compliant.

sboverie
sboverie

This is a good example of unintended consequences in legislation. The EFF link ends with the suggestion that people concerned with abuse of civil rights should contact their congress critters to clarify the SCA. A good law is awfully hard to pass and keep but a bad law is easy to pass and stays on the books longer. The legislature was supposed to be a deliborative body but the current version is anything but deliborative. Congress considers bills with hundreds of pages of stilted legaleze and is prone to unrelated add-ons like earmarks and even exeptions to the law. It would be best if congress was limited to 100 bills to consider instead of the thousands, like the Japanese Legislature does. This is a more sure way to pass good laws that are not written in reaction to the headlines. It would be great if that a law could be written in one page in plain terms that are more widely understood. The lesson in the story is to get legal advice before responding to any governement demands. In this case the government over reached and may have been abusing the secrecy it insisted it tried to assert.

Slvrknght
Slvrknght

That's a load of the stinky leavings of a large male bovine. I was scared to death when I read about the attempts to give the President of the US the power to shut down internet access if deemed to be in the interests of National Security. It just goes to show that people in the US Government have no clue when it comes to the politics of the online world.

seanferd
seanferd

I'd probably run straight to the EFF as well, unless I had corporate guidelines to follow and attorneys to contact. Unreasonable search seems to just get more popular with time.

santeewelding
santeewelding

For providing a link to the EFF description. Says it all.

star_topology
star_topology

I didn't realize subpoenas were sent via e-mail in PDF format.

Bill Detwiler
Bill Detwiler

CBS News reporter Declan McCullagh has written an interesting article about a the U.S. Department of Justice request sent to Indymedia.us, a news aggregation site, that ordered one of the site?s admins to provide details of all visitors on a specific day. Blog post: http://blogs.techrepublic.com.com/itdojo/?p=1225 While this article raises a host of legal and privacy issues, I?m most interested in how most IT professionals respond when presented with a similar request. If a government request for traffic or visitor information for one of the site?s you support appeared in your mailbox or in your email inbox, what would you do first? Take the polls in in the above post or join this discussion thread.

al
al

OK. Let's straighten some things out. 1. According to the EFF, the request was a written copy - not an email. A pdf of the document was posted by the EFF for our review. The fact that mail is misdirected every day lays a lot of "doubt" to the letter ever having been presented to the intended recipient. A hand delivered subpoena sounds better, and less likely to get tossed as "junk mail". 2. The subpoena was from a grand jury of the Southern District of Indiana Federal Court, not a single lawyer, or some single entity. Like it or not they have this ability, given to them by our elected representatives. Have you ever served on a Grand Jury? It is amazing what the attorneys get passed thru. Remember, they only need to show just cause to investigate, not the guilt of the subject. 3. The subpoena was written from a law that has been on the books for a while now. I don't like it personally, and quite often take issue with it, but it is there. I'd love to know who actually wrote the law, and better yet - how many of our representatives understood what they were voting on. Speaking of voting... (Does anyone know of anyone who is running on the "I'll review and try to squash unfair laws" slogan? Anyone?" So if we can all agree that the government side almost followed proper procedure, then the real horror of this is that the AG would even ask for this. With 19 years of practice in the public lawyer's seat, he should have known he was overstepping by a big stretch. I am not a lawyer, but even I can see this. You asked what I would do if presented with this. Just what the volunteer did. Get legal advise, FIRST. Get the facts, and keep good notes. In that process I would ask to read the law (and not the subpoena) that was forcing me to do this and find 1)the true length to which the government can go to; 2)the method that I would be reimbursed to perform this action; and finally 3)find any and all means to expose the requestor to the world. Any request to gag the fishing expedition is a sure sign that they are doing just that - fishing. With the help of my attorney, I would resist turning over the information without a court order, signed by a judge, and verified to being from a responsible court. I believe Jefferson just might have known a thing or two about keeping government in its place, after all he did put a lot of those words to paper in his time. Again - I am not an attorney, and not even a "spokesperson". I AM an interested citizen that must always keep his eye on both the "good guys" and the "bad". (You decide who is who.) So, of course all the above is just my opinion and should not be seen as advice, direction, or any of the other thousand words that disclaimers have to keep you or me from finding ourselves defending our rights to people in robes.

viralnexxus
viralnexxus

These questions have left me conflicted and two things come to mind. 1) If the US Dep. Justice explains why they need the information; ie: Terrorist suspects, Child Molesters, etc.. then I would gladly comply. 2) On the other hand..even if they were looking for said suspects, the privacy and rights of American citizens are being violated. Tough nut to crack!

thegreenwizard1
thegreenwizard1

I just ignore it. If in proper form, I'll ask my lawyer and send an invoice for the work before even doing it. Costs must be cover.

qwertyomen
qwertyomen

Did the Justice actually expect a response? Most spam filters would have caught this and it wouldn't have even gotten to the expected "victim."

da philster
da philster

Always willing to cooperate with duly certified officials who personally present the request IN PERSON. Otherwise the email request is filed away with Nigerian funds transfer emails, Microsoft security emails, and other such nonsense. Personal privacy is easy to give away; awfully hard to get back.

NotSoChiGuy
NotSoChiGuy

Go to the link Bill included, and you can read the subpoena, in all of its grisly horror, for yourself. Also, if you search, a few news agencies (CBS, for example) have picked up on the story. Total overreach by prosecutors. The real question is whether or not it was deliberate (trying to sneak one past people) or unintentional (unfamiliar with the proper handling and precedence for these sorts of requests)? Personally, I don't feel comfortable with either.

terry flores
terry flores

Be aware: the powers of Federal agents to punish disobedience are awesome. A simple misstatement to a federal agent can be a crime that gets you 2 years in prison. So if you say "I don't have this information" and it turns out you did have some of it buried in some log somewhere, your butt is toast. So the first step to any involvement with the Feds is to get a lawyer, one who is knowledgeable in this area. The site admin in the story did the best possible thing: contacting the EFF who has some of the best legal minds experienced in this field.

pcteky2
pcteky2

If received via electronic communication would be to immediately ignore it and then delete it. I've got enough to do without something like that AND any subpoena should be delivered IN PERSON. God knows the government should be the first to know and realize that electronic communications are not secure. Don't they? Maybe not!

337
337

This reminds me of the nice little postcard everyone got who was registered with CJ (valueclick) and such like. It basicly stated that all involved with companies mentioned were getting dragged into a class action if memory serves. This came as a rude shock to anyone thinking they would innocently setup banner ads and recieve hopefully some payment for displaying them on websites in question. Everyone including first time webmasters were mortified at the fact that something so innocent could land so many in hot water. Moral of story anything publicly available and not legally disclaimed to the hilt with a fleet of lawyers on standby to counteract such nonsene well be very carefull what you put online for all to see. In the above mentioned case it would no doubt have been argued that most of the people on CJ's lists had no idea what was allegedly going on and it was certainly no fault of theres if anything untoward was going on as that was not what they signed up for it only became known to most of us when we got this nasty postcard. And i'm guessing that most of us had nothing to do with it in any case because we never even got to putting banners on our sites or suchlike. Most just wanted to see what it was all about and try recoup any costs incurred from setting up and maintaining they're websites. But it was frightening to think that something i had put my name to possibly years before and have had no involvement was able to seek me out in the hope of claiming me in a class action for people with more money than sense. Due to someone elses stupidity or fallouts with companies we all had to suffer. This dinged up the credibility of click ad banner companies substantially. Conclusion: Don't signup to anything you don't fully understand the implications or ramifacations if need be seek legal advice first. Unfortunately this makes most things unviable :) Stay safe everyone. * edit was basic typos Regards.

jck
jck

Make the federal agent walk in the door with the court order, present proper identification, and let me verify their identity independently of their personal identification. I would surrender no information via an open, transmission medium. They can bring a flash drive or external drive into my NOC if they want that sort of data. But, I'm not tying up paid-for bandwidth from my users, and I wouldn't fulfill the request remotely. If I have to give them something, they can get off their keister and come get it.

jmcgachey
jmcgachey

something to do with an extended finger.

john.lamb
john.lamb

I've just finished reading Al Gore's "The Assault On Reason" Same stuff.

davidt
davidt

...or cougar, or whatever the name of their super-spy system was called. We are a privately-held company and unless they included an open-ended credit card in the email with the request, then they'll have to do all the work themselves.

SAStarling
SAStarling

I'm glad you posted this here. I really enjoy your work.

Tony Hopkinson
Tony Hopkinson

F**k off you nosy yank. ROFLMAO, last bastion of freedom my arse. Course if the British government demands I would have less appealing options.

Ed Woychowsky
Ed Woychowsky

I agree, it needs to be in person. Faking an e-mail origin address is easy enough, so unless presented by a warm body carrying an appropiate badge all requests will be considered bogus. Oh, don't try the flip the badge out for two nanoseconds, I'd like to see it, not glimpse it. Also, I'd like onion rings on the side with my subpoena.

SAStarling
SAStarling

...was when they told them not to TELL anyone about the subpoena, and threatened them that bad things would happen if they did! And they did that even AFTER they withdrew the subpoena due to its illegality. I would have made a bee-line for the nearest news outlet, are you kidding me? "When the people fear their government, there is tyranny; when the government fears the people, there is liberty." - Thomas Jefferson

Joy Phillip
Joy Phillip

First verify the legality of the subpoena and the identification of the person submitting it, neither of which can be done via electronic media, which means that they would be coming physically to where I am. Then take the data they want and back it up in about six places, zip it and encrypt it with something, and add a digital signature to it so that it can't be tampered with. Second, once that was verified, time to talk to the legal eagles and find out how much of it I have to submit. Third find out just what I can give them, because I'm not psychic and I probably don't have credit card numbers and social security numbers for people who browse my site. Fourth, once all that is done, get them to get over to my office so I can copy the archived data to their device to take it home, make a tape back up and lock that back up away someplace to keep it safe, and then purge all but one of the copies of the encrypted archive off my systems. That means there will be only three copies of this (four if you figure the unencrypted source data), the one I have, the one my lawyers have and the one they have. That's the best I could do. But they would work for it if they wanted the data.

jmarkovic32
jmarkovic32

My first thought would be: "How do I even begin to capture all that data?" What idiot thinks that I can just press a few magic buttons and provide them with all that info. To be a smart-ass I would just send them a bill for all of the software and hardware needed to accomplish that task.

felinehart
felinehart

I think I would've taken it seriously until reading they wanted SSN's. At that point, I would've thought it spam, reported it as such, & deleted it. With all the phishing scams being passed around, an official office really shouldn't expect anyone to take this kind of thing seriously via e-mail.

NotSoChiGuy
NotSoChiGuy

...those "men in black" stories ufologists recount. Not good!

Editor's Picks