We Just Got Subpoenaed For User Info In A Criminal Harassment Investigation — Here’s How We Handled ItPosted by: siliconalleyinsider in 13
A few weeks back, the US government subpoenaed Twitter, demanding detailed information about users who follow WikiLeaks.
Twitter complied with the subpoena, but only after challenging the government on one point in court and winning.
Specifically, the government wanted Twitter not to tell the users whose information had been subpoenaed that the information had been subpoenaed. Twitter challenged that demand in court and won. Then it told the users that the info had been subpoenaed, and announced this news publicly.
Twitter’s handling of the subpoena, in which the company took its users’ interests into account but still complied with the judge’s order, differed from some prior cases, in which online companies have handed over user information to the government without making the subpoenas public. Twitter was praised for this, and for good reason.
The evolving standards in this arena–the way in which sites provide information to government investigators–are closely watched. So we figured we would relate a recent experience of our own.
THE COURT ORDER
Earlier this week, we received a court order from the Supreme Court of Connecticut asking us to provide information to the police in New Canaan, Connecticut, for use in a local harassment investigation.
The Court Order explained that the investigation concerns a financial journalist, Teri Buhl, who was arrested in November for allegedly harassing a local teenager. Buhl, a Forbes blogger and occasional contributor to Business Insider, contends that she was merely doing some research into underage drinking in New Canaan and is fighting the charges. We wrote about the arrest, the charges, and Buhl’s response here.
The Court Order asked for the “INTERNET RECORDS” and “BASIC SUBSCRIBER INFORMATION” for a reader who left a comment on one of our stories about the Teri Buhl case. According to the Court Order, the father of the 17-year old girl who Buhl allegedly harassed read the comment, believed it to have been left by Buhl herself under an assumed name, viewed it as ongoing harassment, and reported it to the police. The police then asked a judge to order us to divulge the information above, including the commenter’s IP address.
Ordinarily, when companies are ordered to provide user or customer information to the police, they are required to notify the users by mail within 48 hours from the time they provide the information.
In this case, however, in a parallel to the Twitter case, the police asked that we be ordered to DELAY NOTIFICATION of the user in question for 90 days because the police felt notification might “seriously jeopardize the investigation.”
When the Court Order arrived, we discussed it internally and with legal counsel. Because the order had been granted by a judge, we decided to comply with it. Another decision we need to make was whether to challenge the judge’s “DELAYED NOTIFICATION” order, the way Twitter had.
Before we made that decision, we did some research on the “user” in question. And we learned the following:
- The user who left the comment was not “signed in” when he or she left the comment, either via our login system or by Facebook or Twitter logins (which are integrated into the site)
- The user who left the comment provided no information other than a short user-name and email address (neither of which contained identifiable names, and both of which we assumed were created to leave comments anonymously on sites like this one).
- We checked the IP address via an IP-lookup service and found that the hostname was “anonymizer2.torservers.net,” which suggested that the user had taken steps to cloak his or her identity by using an IP-address “anonymizer.”
Our system stores no information for drive-by commenters other than the information above: user-name, email address, and IP-address. Thus, we had no way of determining the user’s physical identity–either for the purposes of providing that information to the police OR for notifying the user about the Court Order.
Now, our user had provided us with an email address, which we require from everyone who comments on the site, even anonymously. We sent an email to this address asking, “Is this a real email address?” We did not receive a reply. Given this, plus the lengths our reader went to to disguise his or her identity, we assumed that the email address had been created with the same IP-anonymizer used above and that the email box is not monitored by the person who created it.
In any event, we did not know the identity or address of the user–information that the user deliberately did not provide us with–so we decided not to challenge the judge’s “DELAYED NOTIFICATION” order. We also decided to publish the Court Order on the site, which we have now done.
Then we complied with the order and provided the user’s IP address and email address to the police.
* Police can and will try to use data stored by online sites in criminal investigations
* Sites like ours will comply with Court Orders requiring that we divulge such information. (To not do so, in our opinion, would be to protest the legitimacy of the United States’ legal system, and we do not regard the United States legal system as illegitimate. Importantly, the reader who left the comment was not a journalistic “source,” so no shield laws or source-confidentiality agreements applied).
* People who wish to disguise their identities when leaving comments on sites like this one appear to have tools at their disposal to do so, including IP-address “anonymizers”
HERE’S THE COURT ORDER: