Last week, NPQ reported on the Department of Justice’s efforts to collect information from the online hosting site DreamHost about a webpage allegedly used to coordinate disruptive activity on the day of Donald Trump’s inauguration. The initial warrant was sweeping in scope, calling for “all records or other information pertaining to [DisruptJ20’s] account or identifier, including all files, databases, and database records stored.” By the strictest reading, this would have required DreamHost to turn over the IP addresses for everyone who had visited the site—potentially identifying 1.3 million people. DreamHost filed an opposition motion and let the world know about the DOJ’s actions through a blog post.
The matter has come to a measure of compromise over the past two days. First, the Department of Justice amended its demand; apparently, no one at DOJ was aware just how many people would be potentially exposed. Prosecutors wrote, while defending the original warrant,
What the government did not know when it obtained the Warrant—what it could not have reasonably known—was the extent of visitor data maintained by DreamHost that extends beyond the government’s singular focus in this case of investigating the planning, organization, and participation in the January 20, 2017 riot. The government has no interest in records relating to the 1.3 million IP addresses that are mentioned in DreamHost’s numerous press releases and Opposition brief.
The government said it would exclude and seal any of the data that didn’t fall inside the parameters it had hoped to set up. Chief Judge Robert Morin, in his decision from the bench, went a step further and “directed the government to submit information to the court about its method for searching through the data and minimizing data on innocent third-party visitors to the site.” However, in the face of this amended request, the judge instructed DreamHost to start turning over information immediately rather than waiting for their decision as to whether to appeal. (The judge did instruct the government to wait for the potential appeal before reviewing the information, and forbid them from disclosing the information to any other government agency once they were done.) The hosting service said they would comply.
DreamHost, as seen in a second blog post, views this as a victory for user privacy. Although they contend the warrant still threatens the First and Fourth Amendment rights of the users and owners of DisruptJ20.org, and may be fought on those grounds in court, the changes in the warrant that their motion and the response of the public brought forth are still a benefit to the public:
If we had simply remained silent and handed over the data at the first sign of a warrant, investigators would today be sitting on a pile of information that could be used to track down and identify tens of thousands of individual web users who are themselves accused of no crime but would have found their personal browsing habits included and associated with this investigation.
As a result of our challenge, the DOJ ended up severely restricting the scope of data which was included in their original records request, effectively preventing them from fishing for evidence in a sea of unfiltered data extracted from our servers.
This is an enormous privacy win for all internet users and for any service providers that host user-generated content online.
We look forward to working with the Department of Justice and the Court as we hand over data that is an extremely limited subset of the original request.
While we’ve been compelled by the court to share this (still) large cache of data (and will do so in the next few days), the DOJ will not gain access to it immediately. We are considering an appeal which would deny the government the ability to access that data temporarily and potentially forever if our appeal is found to have merit.
DreamHost expressed its gratitude for the outpouring of support through email and social media. Of course, it wasn’t long before they were facing a distributed denial of service (DDoS) attack, which overwhelms an online site with a barrage of requests in an attempt to crash it. The source and motivation of the hacking attempt remain unconfirmed at the time of this writing.—Jason Schneiderman