The social and economic benefits of the Internet cannot be realized without users’ ability to communicate and organize privately, and, where appropriate, anonymously. Data collection warrants must strike a balance to protect these benefits without impeding law enforcement’s ability to enforce the law. In recent weeks, the United States Department of Justice’s (DoJ) conflict with DreamHost, a website hosting service, has underscored the importance of this balance.
A week after the 2017 U.S. presidential inauguration, the DoJ issued a warrant to DreamHost to gather evidence for almost 200 cases related to violence that occurred during Inauguration Day protests. DreamHost had provided services to a website used to coordinate protests during the presidential inauguration.
The initial warrant was broad in scope; DreamHost stated that compliance would mean handing over records relating to 1.3 million IP addresses. This July, the DoJ went even further, issuing a new warrant asking for “Files, databases, and database records” regarding the website in question. DreamHost’s filing with the court specifies that the DoJ sought: the IP addresses of visitors to the website; which website pages were viewed by visitors; and a description of the software running on visitors’ computers.
The DoJ itself appears to have conceded that the warrant was disproportionate, stating it did not know when it sought the warrant “the extent of visitor data maintained by DreamHost that extends beyond the government’s singular focus in this case of investigating the planning, organization, and participation in the January 20, 2017 riot.”
This week, the DoJ filed a brief narrowing its demand for information concerning visitors to the website. The DoJ refined its demand, stating that “The government has no interest in records relating to the 1.3 million IP addresses.” The Department also pledged to set aside any information DreamHost provides that is outside the scope of its warrant and incidentally included. The revised warrant would also limit the records collected to those within the window of July 1, 2016 to January 20, 2017. However, the DoJ still demanded information about private messages, membership discussion lists, and unpublished material such as draft blog posts.
Everyone has the right to privacy online. This right ensures users’ trust in the Internet, and ultimately enables the success of the Internet.
When law enforcement makes data collection requests, consideration must be given to factors such as necessity, legitimacy, proportionality. The DoJ’s initial warrant was neither proportional nor necessary. There is also little to suggest a connection between the scope of their request and the alleged criminal conduct by specific individuals.
On August 24th, in response to a legal appeal by DreamHost, a judge ordered the company to comply with the revised warrant. However, Chief Judge Robert Morin ruled that the DoJ is required to specify which individuals will have access to the data and the process they will use to search the data for evidence. The DoJ must also develop a “minimization plan” to minimize the search of material unrelated to the criminal investigation. In addition, the judge will oversee the use of the data.
While these measures are a step in the right direction to protect American’s constitutional rights and adhere to the principle of proportionality, actions like the DoJ’s original demands threaten privacy, freedom of expression and association, and the free flow of information.
The Internet’s ability to support mass self-expression requires user trust. Surveillance undermines the trust that users have in the Internet as a global, interoperable and resilient platform of communication. Users will hesitate to communicate and organize privately if their privacy could be compromised due to the inappropriate actions of others with which they loosely associated online. In order to protect a free and open Internet, exceptions must not be made to allow unfettered surveillance. Governments worldwide must resist the temptation to fall back on security rationalizations that endanger their citizens’ political freedom online.