If you’ve been following along with major news outlets over the past few months, DreamHost has been in something of a deadlock with the Department of Justice.
At risk is the personally identifiable information of many, many thousands of internet users who chose to visit or otherwise interact with DisruptJ20.org, a website created and maintained by one of our customers.
While we regularly work with law enforcement and hand over certain types of data as part of various ongoing investigations, this particular request for customer data was overly broad, and we objected to it on those terms.
The court chose, in this case, to act as an intermediary between DreamHost and the Department of Justice to ensure that user rights remained protected and that First and Fourth Amendment protections were respected.
We had been awaiting Chief Judge Morin’s final order, which would spell out the exact nature of the data that DreamHost would be required to hand over while mulling over a decision to appeal the court’s general order.
Today Chief Judge Morin of the Washington D.C. Superior Court issued the court’s final order, and we’re elated to see significant changes that will protect the constitutional rights of innocent internet users worldwide.
Under this order, we now have the ability to redact all identifying information and protect the identities of users who interacted with disruptj20.org before handing over any data to the court. Chief Judge Morin acknowledged that the government “does not have the right to rummage through the information contained on DreamHost’s website” to “discover the identity of . . . individuals not participating in alleged criminal activity.”
The new order is a far cry from the original warrant we received in July and validates our decision to raise questions about the original order.
We Saw Something, so We Said Something
We are now required to hand over a drastically reduced amount of data to the government and will redact any identifying information from every scrap of it that relates to non-subscribers.
The Department of Justice will have to submit proposed search protocols and procedures (and the court will have to review and approve these) before the DOJ can begin a detailed review of the redacted data.
The DOJ will then have to file an itemized list of information which it believes constitutes evidence of D.C. Code §22-1322 (DC’s rioting statute) and call out the specific reasons why the data is relevant to the DOJ’s investigation with the court.
Finally, the court must find probable cause that the requested data is “evidence of criminal activity” without identifying innocent users of disruptj20.org. Only then will the DOJ be able to obtain non-redacted data from DreamHost.
We applaud this course of action as it goes a long way toward negating any fears of a “digital dragnet” and targets individual, specific users to whom probable cause has been found by the court. The contact information of simple website visitors, journalists, historians, and any other users who may have interacted with the DisruptJ20 website with innocent intentions is now explicitly protected.
Absent a finding by the court that probable cause of criminal activity exists, the government will not be able to uncover the identities of many thousands of website users. There are also quite a few modifications within the court’s order that further reduce the government’s ability to review unrelated data.
As it stands today, the sum total of requested data in this case very closely aligns with hundreds of other government requests that DreamHost has received, and complied with lawfully, in the past.
We do not intend to appeal the court’s ruling.
There’s really no need. Any sweeping requests for data that could personally identify website visitors not directly related to an ongoing criminal investigation are now off the table. It’s sort of a moot point!
The law makes it clear that the Department of Justice does have a right to request some customer information throughout the course of ongoing criminal investigations. We respect that right and appreciate the court’s oversight in this case as a step to help protect users and reign in what we considered to be a problematic, overly-broad records request.
We’re preparing to compile the mass of data requested by the court.
As part of that effort, we plan to pore over every single email and scrap of data that we’ve collected to redact any information that could be used to identify anyone who may have visited or otherwise used DisruptJ20.org. This excludes, of course, our own customer who is a confirmed subject of an ongoing investigation.
To be clear, DreamHost has been deputized to redact sensitive information. No government employee will see this data until we’ve personally gone over it with a fine-toothed comb, and our commitment to user privacy is strong and unwavering.
We see this as an absolute victory not just for DreamHost, but for online service providers throughout America and for internet users around the world. As a result of this ruling, internet users retain the ability to simply browse the internet without fear of being swept up in a criminal probe.
Thank you for your very vocal support over the last few weeks.
Members of the media seeking comment, please email firstname.lastname@example.org with questions or requests.