Battle Between DreamHost and the Justice Department Exposes Gaps in Privacy Protections
August 30, 2017
A federal judge ruled last Thursday that a Los Angeles-based hosting company must provide prosecutors with digital data from a website used to organize protests against Donald Trump’s inauguration in January.
D.C. Superior Court Chief Judge Robert E. Morin ordered DreamHost to comply with a federal warrant requiring it to hand over records, including email accounts, from the disruptj20.org website, which it hosts. The government requested the records in connection with an ongoing investigation into vandalism and violence that occurred during the January 20 demonstrations.
More than 200 people were arrested as a result of clashes that erupted during the mostly peaceful protests. Participants have been charged with a variety of crimes, including felony rioting, inciting to riot, conspiracy to riot and destruction of property.
The ruling is a victory for the government, albeit with some limits. The Justice Department must outline a set of protocols it will use to protect the privacy of innocent users. Additionally, the government must identify each individual who will be reviewing the data and submit a plan for how it will approach its search.
The warrant will be executed in two phases. First, officials will sift through the entire collection of data to identify relevant records. Information not related to alleged criminal activity will be turned over to the court and sealed.
Judge Morin said the court would oversee the search to ensure the government only seizes data pertinent to its investigation.
DreamHost is still weighing whether it will appeal, but has hailed the ruling as an “enormous privacy win” for internet users and hosting providers.
Raymond Aghaian, an attorney for DreamHost, believes the limits imposed by the court are a victory for privacy advocates, but is still troubled by the ruling. Aghaian claims that handing over user data to the government could have a “chilling effect” on internet speech or activity.
"Providing the information outright to the government for the government to review and identify who the individuals are and what they said in relation to political expression, speech and exercising their right of association is entirely problematic," Aghaian said.
Judge Morin denied DreamHost’s request to stay his ruling until the company could decide whether to appeal the decision. DreamHost must begin turning data over to the court, although it will not immediately be shared with prosecutors.
The case has sparked renewed debate over the competing interests of privacy and security regarding government access to sensitive digital information, and the role the First Amendment can play in protecting online speech and association.
The Department of Justice initially filed for a search warrant on July 12 to compel DreamHost to turn over a wide swath of data from the disruptj20.org website.
The original warrant asked for “each account and identifier” associated with the entire website, which, if executed, would have required DreamHost turn over almost everything connected to the site, including the IP addresses of 1.3 million visitors, email content, contact information and photos.
This data could potentially be used to identify millions of people, the vast majority of whom have done nothing illegal, and who were, according to DreamHost, simply exercising their right to free speech and association.
DreamHost refused to comply with the warrant, claiming that the government's request was overly broad and unconstitutional. “This is, in our opinion, a strong example of investigatory overreach and a clear abuse of government authority,” the company wrote of the request.
DreamHost went public with its fight, creating an outcry over the government’s perceived attempt to invade the privacy of so many Americans. Critics claimed that the Justice Department simply wanted to collect information on political dissenters, regardless of their connection to a crime. Innocent people, critics claimed, would be caught up in a witch hunt.
“The initial request was a true dragnet, and fell far short of the constitutional requirement that warrants identify clearly what the police are after,” said Rottman. “It also raised serious First Amendment questions. At base, the argument was that because some bad guys may have visited this site, every visitor to the site is suspect. That turns the Fourth Amendment on its head, and implicates basic First Amendment rights to gather information.”
The case caught the attention of the Electronic Frontier Foundation (EFF), which provided DreamHost with professional support, although it did not represent the company directly.
Stephanie Lacambra, a criminal defense attorney with the EEF, said that the original warrant may have been overly broad because the government did not know exactly what data it needed.
“The Fourth Amendment requires them to be able to identify specifically what it is they are looking for and why they are looking for it — that’s what probable cause means. And the fact that they are identifying an entire class of people, anyone who clicked on the website, that to me highlights the fact that they don’t actually know who to charge with what.”
Narrowing the scope
On August 22, the Justice Department wrote a letter to the court that amended the scope of its warrant to more narrowly target user data. The government dropped its request for the IP addresses of website visitors and for any copy and photographs from unpublished blog entries.
The government claimed it did not initially realize “the extent of visitor data” managed by DreamHost. In its filing, the government wrote, “Contrary to DreamHost's claims, the Warrant was not intended to be used, and will not be used, to ‘identify the political dissidents of the current administration.’”
DreamHost hailed the government’s action as a win, but said it would continue to fight the warrant, which it still saw as overly broad. The Department of Justice was still seeking all email accounts affiliated with disruptj20.org. The company’s lawyers claimed that the warrant should cite the accounts of specific users who were under investigation, rather than asking to look through all email data.
“Even with the narrowing, the warrant is still overly broad and could suck in information pertaining to entirely lawful, and constitutionally protected, protest activities,” said Rottman. “It's a good thing that this debate is playing out in public.”
In the August 24 hearing, Judge Morin indicated he was sensitive to DreamHost’s concerns. “I’m trying to balance the First Amendment protections and the government’s need for this information,” Morin said. “My view here is that this best protects both legitimate interests.”
Electronic data searches present unique challenges
The DreamHost case highlights an ongoing legal debate over how warrants should be composed and executed in a 21st century digital era.
In a traditional search warrant, officers may enter a specified area to look for and seize specific physical property. In theory, the same limits can apply to digital searches if law enforcement is given permission to look through specific data, or search specific devices, for clearly limited pieces of information.
But investigators increasingly need to search data that is not located on a physical device owned by a suspect, but rather is stored by a third party, as is the case with DreamHost.
Searching electronic records is not as easy as conducting a search of physical property due to the volume of data available in many cases. Searches can take days or even weeks. And officials may not know what is hidden in the data until they see it.
A search of digital data also has a greater potential to reveal sensitive information than does a physical search. Evidence of a crime often exists in the same digital space as personal items unrelated to criminal activity.
To address these issues, courts have generally allowed a two-step approach to digital searches in which authorities are initially allowed to see a large amount of data in order to sift through it for relevant items.
Michael Vatis, a partner at Steptoe & Johnson LLP, says this approach can be controversial when applied to digital records.
"What's really different about digital searches is that the amount of information that can be found on a computer or an email account is much greater, which greatly increases the risk that the government is rummaging through a lot of irrelevant material, far more than is the case with the searches of a house or some other physical location," said Vatis.
According to the plain view doctrine, police may not search outside the scope of a warrant unless the evidence is in plain view. If evidence is in plain view, the government may seize it and use it to prosecute a separate crime.
This doctrine can be troublesome when applied to digital searches because of the sheer amount of data available to the government. What constitutes plain view in these cases, and what limits can be placed on warrants to prevent all digital searches from becoming phishing expeditions? In theory, law enforcement officials should discard all material unrelated to a criminal investigation of specific person or persons, but what safeguards exist to ensure that will happen?
“Government data demands to web hosting companies such as DreamHost are much more frequent and more extensive than people think,” David Horrigan, e-Discovery Counsel and Legal Content Director at Relativity, told BLF. “One of the reasons many don’t know about these government data demands is that U.S. law often prohibits companies from informing customers their data has been seized.”
“Although the facts and legal arguments differ slightly, the EFF also assisted Cloudflare in its efforts to limit government data requests,” said Horrigan. “Earlier this month, the U.S. Court of Appeals for the Ninth Circuit rejected Cloudflare’s argument that government prohibition on informing users their data were being seized violated the First Amendment.”
“With the government often arguing national security or crime prevention, protecting data from these government demands is difficult,” Horrigan added.
By nature, everything seen during the execution of a digital search could be considered to be in plain view. Judge Morin tried to deal with this in his ruling through “minimization” requirements.
Ashwin Krishnan, Senior Vice President of Products and Strategy at HyTrust, does not see “minimization” as an adequate protection for users’ privacy. The order “to handover the ‘minimal’ data is deemed as a win by DreamHost,” said Krishnan. “But as end users, we have no control over this nor can we influence the outcome. We are the mercy of the provider.”
Richart Ruddie of online reputation management company Profile Defenders, told BLF that while the original request in the DreamHost case “was far too wide,” the government may still have a legitimate interest in the data.
“If this is a public safety issue then we need to look at it from both sides of the table not just one side,” said Ruddie. “I don’t think this will have an effect of chilling free speech because people will still find ways to go online and promote their feelings and opinions no matter what.”
“When it’s a security risk or in the best interest of the general public, ISP's and Hosting companies should take into consideration these factors,” he continued.
The answers to the questions surrounding digital searches are at this point ambiguous, and courts are still attempting to provide clarity. Aghaian believes the issue of how to balance Fourth and First Amendment rights with legitimate security and investigative concerns will ultimately be decided by the Supreme Court at some point in the future.