CBS News reporter Declan McCullagh has written an interesting article about a the U.S. Department of Justice request sent to Indymedia.us, a news aggregation site, that ordered one of the site’s admins to provide details of all visitors on a specific day. McCullagh wrote:
“Kristina Clair, a 34-year old Linux administrator living in Philadelphia who provides free server space for Indymedia.us, said she was shocked to receive the Justice Department’s subpoena. … The subpoena (PDF) from U.S. Attorney Tim Morrison in Indianapolis demanded “all IP traffic to and from www.indymedia.us” on June 25, 2008. It instructed Clair to “include IP addresses, times, and any other identifying information,” including e-mail addresses, physical addresses, registered accounts, and Indymedia readers’ Social Security Numbers, bank account numbers, credit card numbers, and so on.”
Instead of immediately turning over the requested data (which according to the article, Indymedia.us didn’t actually have), Clair turned to the Electronic Frontier Foundation (EFF), who agreed to take on her case. After a series of letters, telephone calls, and faxes between EFF and the U.S. Justice Department, the subpoena was withdrawn and the issue appears to have been dropped. For a more detailed description of the event, Kevin Bankston’s, a senior staff attorney with EFF, description of the exchange.
While this article raises a host of legal and privacy issues, I’m most interested in how most IT professionals respond when presented with a similar request. If a government request for traffic or visitor information for one of the site’s you support appeared in your mailbox or in your email inbox, what would you do first?