DreamHost disrupts U.S. DOJ plan for mass spying. Others should do the same.

The U.S. Department of Justice (DOJ) is after the personal information of over a million people who browsed a website used to coordinate protests during President Trump’s inauguration. The expansive order stands in contravention of our fundamental rights to privacy and freedom of expression. We know about this attempted mass intrusion of our privacy thanks to the web hosting company DreamHost. Access Now is proud to be a DreamHost customer for the Fly Don’t Spy campaign. We at Access Now are more than happy to support DreamHost and any other company in their efforts to enhance transparency.

Earlier this year, the DOJ ordered DreamHost to turn over all records, including computer IP addresses and other visitor details, for the website disruptJ20.org. DreamHost is now challenging the order in court. In standing up for the rights of its users, DreamHost is demonstrating how companies should respond to orders that fail the fundamental requirements under international human rights law and standards. These requirements include that governments demonstrate a legitimate interest in the requested data and craft surveillance orders proportionately.

In July, a D.C. Superior Court judge approved the government’s order requiring that DreamHost turn over 1.3 million IP addresses along with names, email addresses, communications content, and photos for thousands of people. The DOJ evidently expected to be able to comb through those records for details about the people it was most interested in. In practical terms, this would be the equivalent of seeking personal details about the population of an entire town, on the pretext of investigating a few people who may or may not have committed a crime there. That breadth and lack of specific aim are not permitted under the First and Fourth Amendments of the U.S. Constitution, nor does it pass muster under human rights law. DreamHost filed legal arguments opposing the DOJ’s motion to compel the company to produce information and a hearing is scheduled for this Friday, August 18 in the Superior Court.

The DOJ order does not accord with the International Principles on the Application of Human Rights to Communications Surveillance, also known as the “Necessary and Proportionate Principles,” which show how existing human rights law applies to modern digital surveillance. The order fails the “legitimate aim” requirement that any demand for personal information be based on a legitimate aim necessary under a democratic society. Surveillance based on political opinion, for instance, is not a legitimate aim. Moreover, due to the sheer scope of the request, the order also fails the test of “proportionality,” since it implicates the records of millions of people.

In addressing their challenge to the order, DreamHost described the search as “a clear abuse of government authority.” That is an especially apt description, and we’re relieved and encouraged to see the company stand up for its users. Companies in similar situations can be proactive about government demands by regularly publishing transparency reports. DreamHost released one in 2014. Posted on the company’s blog, the report is prefaced with a powerful statement, “We’ve said it before, and we’ll say it again: We take your privacy seriously.” The report covers requests for access to users’ data as well as requests for content removal. The data are international and comprehensive, and the report reflects a strong commitment to user privacy. However, this was the first and only report DreamHost has released. DreamHost’s court challenge of the DOJ order is an excellent opportunity to refresh and renew its commitment to user rights. We recommend publishing a transparency report for the first two quarters of 2017. Disclosing any other recent government or third-party requests, and informing customers of current privacy standards, would cement DreamHost’s growing reputation as a leading company for respecting human rights online.  

We anticipate that the D.C. Superior Court will deny the government’s request upon review. In the current political climate, other companies may face similar pressure, and we hope they will follow DreamHost’s example and show they are willing to fight back to protect users. We are reaching out to other web hosting companies to offer guidance on push-back and transparency to any company that needs it. We also take seriously our own commitments to users who browse FlyDontSpy.com and our other websites. Many people have begun to fear that the government will not uphold their rights, so it is critically important that the companies that hold their data take a stand for them.