A test case fought by the Electronic Frontier Foundation (EFF) has shown the extent to which the US government is willing to bend the law in its quest for data it wants.
Indymedia is a news aggregator for left-wing and libertarian writers and on January 30 one of its volunteer administrators Kristina Clair received a grand jury subpoena from the Southern District of Indiana federal court.
The subpoena demanded all IP traffic to and from the site for a particular date, including "IP addresses, times, and any other identifying information". It also included a gagging order to prevent Indymedia from discussing the request.
The subpoena was made under the Stored Communications Act (SCA), but after Indymedia went to the EFF for help it discovered that the SCA does not allow such broad searches, or the gagging order that accompanied the request.
“In sum, without any legal authority to back up their purported gag demand, the government ordered Ms Clair not to reveal the existence of the subpoena, a subpoena that as already described was patently overbroad and invalid under the SCA,” said the EFF in its report on the matter.
“This is exactly the kind of unjustified demand of silence that creates a fog around the government's often-overreaching surveillance activities. How many other subpoena recipients have remained silent over the years in response to such bogus demands, and how many of them violated their users' privacy by handing over data that the government wasn't entitled to?”
When contacted, the government first threatened to go to court to enforce the gagging order, before backing down and dropping the subpoena. It's not clear who was responsible for the request, as the subpoena was issued before the Obama administration was fully sworn in.
The case highlights not only the government's tactics but also its ability to trawl databases in the country for information that it wants. Under US law, the government can access any information on servers within national borders.
This raises serious questions about the future of cloud services in the US. For example, with all Google's main server facilities in the US, users of Google Apps may not have the security they expect.