For months, the US government has played legal tug-of-war with DreamHost, the hosting company used by disruptj20.org: a site that helped co-ordinate the protest against the inauguration of Donald Trump as the 45th President of the United States.
Now, the fight is over, and DreamHost is claiming victory: it got what it was after. Namely, limits on a search warrant that it said had a serious problem with overreach.
On Tuesday, Washington, DC Chief Judge Robert E. Morin issued a revised order (PDF) that said government prosecutors have no right to “rummage through the information contained on DreamHost’s website”:
…while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost’s website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities.
They do, of course, have the right to demand details about lawbreakers. Specifically, about disruptj20 members who plotted premeditated rioting, which in this case means those who violated D.C. Code § 22-1322: DC’s rioting statute. On Inauguration day, some rioters were armed with hammers, crow bars, wooden sticks and other weapons. The government says that both civilians and police officers were hurt in the riot.
As we reported in August, DreamHost had initially refused to comply with the warrant, which it received in July, given that compliance would involve handing over the IP addresses of 1.3m visitors to the site, their contact information, their email content, and photos of thousands of people, all “in an effort to determine who simply visited the website”.
In an opposition motion (PDF), DreamHost said at the time that the warrant’s breadth violated Fourth Amendment protection against unreasonable search because it failed to describe with “particularity” the items to be seized. Instead, it demanded “all records or other information” pertaining to the site, including “all files, databases and database records.”
Complying with the warrant would also have First Amendment implications, DreamHost had argued, given that it would give the government information on protesters and thus might lead to a chilling of free speech and association.
In August, Chief Judge Morin had agreed with DreamHost’s arguments – at least, to the point that he scaled back the government’s data demands.
Morin, who will oversee review of the data, said at the time that the government has to specify what protocols will be put in place to keep prosecutors from seizing the data of “innocent users”.
Because that’s what the original warrant was in fact after: details about any user who visited the protest site, regardless of whether the government had reason to suspect that they were involved in illegal protest.
DreamHost has been awaiting Chief Judge Morin’s final order, which would spell out the exact nature of the data that DreamHost will be required to hand over while mulling over a decision to appeal the court’s general order. On Tuesday, that’s what Morin provided.
The results have DreamHost “elated,” it said in a blog post:
We’re elated to see significant changes that will protect the constitutional rights of innocent internet users worldwide.
The revised order gives DreamHost the ability to redact all identifying information and to protect the identities of users who interacted with disruptj20.org before the company hands over any data to the court.
DreamHost says that every scrap of this “drastically reduced amount of data” will be scrubbed to remove identifying information that relates to non-subscribers of the Disruptj20 site.
The order requires that before the Department of Justice (DOJ) gets its hands on the redacted data, it has to submit its proposed search protocols and procedures. Then, the court will review and approve them before giving the go-ahead.
Next, the DOJ will need to file an itemized list of information that it believes constitutes evidence of premeditated rioting. Prosecutors will also need to provide the court with specific reasons why the data is relevant to their investigation.
Think you can get the data then, DOJ? Sorry, there’s one more hurdle: the court then has to find probable cause that the requested data is “evidence of criminal activity” without identifying innocent users of disruptj20.org.
Only then will the DOJ be able to get non-redacted data from DreamHost.
With all of those stipulations, the requested data now more closely aligns with the other government requests for data that DreamHost has received and complied with.
…all of which leads to the end of the battle, DreamHost said:
We do not intend to appeal the court’s ruling.
It’s a win for the innocent people who DreamHost has been fighting to protect from the start, the company said, while still ensuring that the law can do its job by bringing violent protesters to justice:
We applaud this course of action as it goes a long way toward negating any fears of a “digital dragnet” and targets individual, specific users to whom probable cause has been found by the court. The contact information of simple website visitors, journalists, historians, and any other users who may have interacted with the DisruptJ20 website with innocent intentions is now explicitly protected.
DreamHost stressed that no government employee will lay eyes on user information until the company has “personally gone over it with a fine-toothed comb.”
It’s an “absolute victory,” say DreamHost – not just for the company itself, but for all of the country’s online service providers and for “internet users around the world.”
As a result of this ruling, internet users retain the ability to simply browse the internet without fear of being swept up in a criminal probe.