By Nathan A. White
Can the government force the hosting service of an activist website company to turn over vast amounts of user data in order to track down political protesters? According to a federal court ruling, the answer -- Yes, but let’s slow this train down a little bit. On Thursday, August 24, 2017, District of Columbia Superior Court Chief Judge Robert E. Morin ordered DreamHost to comply with a search warrant issued by the Department of Justice on July 12, 2017 seeking IP addresses and other data of visitors to “disruptj20.org” website hosted by DreamHost. Disruptj20 is an organization whose stated mission is to protest the inauguration of Donald Trump. The ruling narrows the scope of the government’s initial search warrant and sets up protections to ensure judicial supervision of the government’s search process. Before proceeding further, the government must be able to show why data, once reviewed, is critical to the government’s case in prosecuting Inauguration Day criminal activity. Any irrelevant data must be safeguarded from further use by the government.
As part of its ongoing efforts to identify and prosecute individuals involved in riots that occurred on Inauguration Day, prosecutors sought to gather data on individuals who visited disruptj20.org. Prosecutors contend that disruptj20.org provided a forum for coordination and communication of illegal activity. That illegal activity resulted in several police injuries and considerable property damage around Washington, D.C.
In the weeks following the events of January 20, 2017, the government issued a grand jury subpoena and preservation notice to DreamHost as part of its initial investigation. Prosecutors then sought a warrant on July 12, 2017 and filed a motion to show cause on July 28, 2017. The government’s Motion and DreamHost’s August 18, 2017 opposition brief paint conflicting narratives of the ongoing dialogue between counsel for the government and DreamHost leading up to the motion to show cause. Interestingly, following DreamHost’s opposition filing, the government replied on August 21, 2017 and included a motion to modify the scope of the original July 12, 2017 search warrant. The government modified the scope upon learning through DreamHost’s opposition filing and press releases how much data preserved by DreamHost would fall within the scope of the initial search warrant, particularly the IP addresses of 1.3 million website visitors. The government went to great lengths to emphasize it “has no interest” in this data. Instead, prosecutors said the government is singularly focused on criminal activity occurring on January 20, 2017 and how disruptj20.org may have been a means to facilitate coordination of criminal activity on Inauguration Day. DreamHost continued to oppose the modified search warrant in its August 23, 2017 sur-reply the day before the hearing.
At the hearing, Chief Judge Morin ruled from the bench granting the government’s amended motion, along with “added protections” focused on reducing government access of third-party visitors to the website who were not involved in rioting on Inauguration Day. First, the ruling included a time limitation: only data from October 2016 to Inauguration Day would be responsive. Second, Chief Judge Morin directed DreamHost to submit the responsive data to the Court, directed the government to provide its intended search protocols for reviewing the data, and identify the persons who will conduct the review. Chief Judge Morin ruled that he would hold the data until DreamHost made its decision to appeal. If there is no appeal, or an appeal is filed and denied, Chief Judge Morin will turn the data over to the government. Prosecutors, however, will need to explain to him how the information produced is “critical” to the government’s case. Any third-party data unrelated to Inauguration Day rioting will be sealed and cannot be shared with other government agencies.
The most interesting aspect of the case is the differing government and DreamHost perspectives on the “dialogue” that occurred in the months following issuing the search warrant. DreamHost viewed its efforts as part of a proactive attempt to comply with the terms of the search warrant while limiting the scope of data responsive to the request. It is telling that the government modified the scope of its subpoena based on DreamHost’s filings and press releases. The government viewed its efforts as being more proactive in striking the right balance, but sought the motion to show cause based on indications from DreamHost that the search warrant was invalid on grounds such as extraterritoriality and lack of particularity. The government even went so far as to include e-mail correspondence with DreamHost’s counsel following its filing of the motion to show cause demonstrating DreamHost conditioned its cooperation on withdrawal of the search warrant and motion.
While most government prosecutors would like to “decide for themselves” what is or is not responsive upon receipt of the data, this case highlights how counsel representing a company facing a government request can limit the scope of the subpoena informally by helping prosecutors understand the full effect of their requests for certain data. As happened here, albeit upon initiation of litigation, this could lead to a modification of the terms of any government request to reduce the amount of irrelevant data that would be captured by the request and reduce the burden on the company (and associated costs) in complying with the government request.
From a Fourth Amendment perspective, this case highlights how judges continue to be mindful of the need for companies to protect the privacy interests of individuals who access websites and the Fourth Amendment’s safeguards to protect individuals from unreasonable search and seizures by the government. As will be the case with future search warrants focused on seizing server-hosted data, the government will need to carefully tailor search warrants and articulate its search review protocols to the court on how it will identify relevant data and provide safeguards for any irrelevant server data falling within the scope of the search warrant.
[*] This hook is nothing more than a gratuitous quote of Lee Corso of ESPN’s College GameDay now that college football season is once again upon us.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
Data Points: Privacy & Data Security Blog Updates
- The Consumer Financial Protection Bureau Stakes Out Its Enforcement Authority Over Unfair Information Security Practices
- Maryland Amendments to Data Security and Breach Notification Law
- The Devil Really is in the Details: The SEC Proposed Rule on Cybersecurity Risk Management for Investment Advisors, Registered Investment Companies and BDCs
- Will the U.S. Finally Pass Comprehensive Data Privacy Legislation?