Sparkfun Explains Why It Provided Customer Info In Response To Subpoena
from the tough-situations dept
When you receive an official law enforcement document/request, like a subpoena, it can actually be pretty scary. An official-looking document from a court in association with law enforcement may leave many people with the impression that they absolutely have to comply. While there are circumstances in which you do need to comply, you can often fight back. Tragically, many companies don’t. They just roll over and hand over the info, even if it violates their own policies (and sense of right and wrong). There are (unfortunately few and far between) cases like Twitter, who has shown a willingness to fight for user privacy, but it’s still a tough issue for many companies.
Shawn Sims points us to the interesting story of how the popular electronics company Sparkfun publicly explained how it dealt with a very broad subpoena demanding all sales information on sales made to addresses in Georgia over a six month period. The reasoning was that a Sparkfun device was found as a part of a credit card skimmer device.
Sparkfun CEO Nate Seidle explains that the subpoena came after an initial call requesting the same info, where the company politely refused to provide the info, noting its support of the privacy rights of its consumers. As Seidle noted, no one supports card skimming, but there are issues of principle here:
I want to be very clear: creating devices that steal credit card numbers are illegal and cause pain for a lot of people. We know our parts can be used for good or for evil. We have zero tolerance for those who use them for evil. I will offer our technical services to any law enforcement that may need help reverse engineering a device. It is obvious the law enforcement agency is requesting this information to put a stop to this activity. However, I also believe strongly in the right to privacy and the protection of personal data.
After talking to their lawyers, and realizing that you don’t have to fully comply with a subpoena — but also that a subpoena can turn into a warrant which you do have to comply with — the company worked with the law enforcement to try to limit the type of information requested, and eventually came to a compromise:
Please read the subpoena carefully. The request for ‘all orders’ seemed like they were casting a very wide net without cause. Discussing this issue with our counsel and working with the law enforcement agency, we agreed to obtain the orders that had the product on it, not all orders as required by the subpoena. This ended up being about 20 orders. In my opinion, one order is too much information. While I believe this legal process protects us all from wrong doing, turning over any piece of data goes against every fiber in my being. But without any further legal options, I made the decision to turn over the sub set of data.
I want everyone to know that we take your data and privacy extremely seriously. We guard it with the highest levels of security and confidentiality. If we are legally forced to turn over data, we promise you we will work with the law enforcement agency to do everything in our power to limit the amount of information released.
This is a tough position to be in — and you can certainly argue that the company could have (or perhaps should have) continued to fight the subpoena. But in the end, it’s likely that it would have to turn over the info eventually no matter what. At the very least, you have to respect the company for being totally transparent and open about what happened and why (and how Seidle personally felt). Plenty of other companies would hand over the data and then never discuss the issue publicly ever.
Filed Under: nate seidle, privacy, subpoena, transparency
Companies: sparkfun
Comments on “Sparkfun Explains Why It Provided Customer Info In Response To Subpoena”
Message to the Corporate States of America:
You are evil. Fuck off.
Haha Agreed.
Haha Agreed.
credit card numbers
they requested full credit card numbers … obviously a scam. I’d wait for the warrant…
Re: credit card numbers
Unless Sparkfun has a valid business reason to keep the full card numbers around, I would hope like crazy that they’re only storing enough info to help identify the card for the customer. It’s fairly widely accepted that the first 6 digits + the last 4 + expiry date are enough to do this with.
Storing credit card info long-term without good cause is enough for me to completely avoid a company. If they’re doing that, it’s quite possible they’re breaking other credit card security guidelines. The payment card industry has card-handling standard for a reason!
credit card numbers
Yes, because you can magically track orders without a credit card number.
Cash
Here we have at least 19 innocent people who are now going to be investigated because they bought something.
Another reason to use cash whenever you can (and of course get the things you need in person). That’s best way to avoid ending up on a list of suspects just because you bought something that some criminal also bought.
Re:
Haha Agreed.
Spelling is not strong with them…
It helps not annoy the company when you describe and item not bearing the companies actual name.
I think Sprakfun is in a deep pile of crap thou.
It is amazing a court saw no problem with handing over a ton of unrelated data.
They were tracking a single piece of the unit, and created a window when they thought it was purchased that could be completely incorrect.
Thankfully this owner found a way to protect a majority of their clientele from unneeded harassment with their purchase history ending up in some database somewhere because someone thinks they should keep it in case they have a use for it someday.
When you take protecting privacy too far
There was a robbery here in Las Vegas a little while ago. Its a private safety deposit company. They operate on complete anonymity, no private info required. They can’t tell what or from whom items were stolen. Seems like the best location to rob.
Re: When you take protecting privacy too far
Wasn’t that an episode of Numb3rs?
Re: Re: When you take protecting privacy too far
Yes it was
credit card numbers
Yes do they need all the credit card information from all the transactions ever done in that company for the last six months to track down a handful of criminals?
credit card numbers
Of course, then they put you on domillenisextuple-secret-probation.
When you take protecting privacy too far
There’s no reason the authorities or the company need to know what or from whom the items were stolen. It’s almost certain that the customers know what was stolen and if they feel the need to inform the police, they’re free to.
credit card numbers
Not only that but they wanted all data for 6 months to try to find one person who may have bought one item from this site.
Looking at the site it appears that Sparkfun doesn’t manufacture the items it sells. So who says the item was bought there?
Re: credit card numbers
SparkFun does manufacture some things, and not others. As a rule of thumb, as you browse the store, anything with a bright red circuit board is probably a SparkFun product. If it has the flame logo, then it definitely is a SparkFun product.
More details can be found at: http://www.sparkfun.com/news/308
Why was the subpoena censored?
This is the public’s document, issued by a public official acting in a public capacity. So why obscure the names/phone/fax numbers/etc.? These are all the property of the public, not private information.
Beholdeth ye olde language
Favorite part of the notice: “Herein fail not under penalty of law.” It’s amusing anachronisms like this that help us decide to keep you lawyers around.
Why was the subpoena censored?
Your new to the interwebs aren’t you?
The originally posted document might have been done by the company who believes in privacy and might like the court to accept more reasonable terms by not being the source of a buncha pizzas and hookers showing up for the Judge.
credit card numbers
Nobody ever makes use of things like purchase order numbers or tracking numbers …. so yeah, in order to track these evil doers they will probably need SS numbers too.
When you take protecting privacy too far
FrySquintFace: Not sure what point is.
They want the credit card numbers so they can contact the card provider and see what else was purchased and from where. I can see that this might be useful pursuant to the case although without further information specific to the case it’s hard to tell.
There is a problem where the subpoena was granted to recover such broad information, information that clearly has nothing to do with the case. That it was requested speaks of the laziness of the officer writing the subpoenaing officer and of the rubber-stamp mentality of our judiciary that approves these broad requests.
Re:
“They want the credit card numbers so they can contact the card provider and see what else was purchased and from where”
Have you not been paying attention? One does not need the CC# in order to accomplish your stated task.
Not sure whether ignorant or troll.
“This ended up being about 20 orders. In my opinion, one order is too much information. While I believe this legal process protects us all from wrong doing, turning over any piece of data goes against every fiber in my being. But without any further legal options, I made the decision to turn over the sub set of data.”
I realize a lot of people here feels the same way (or would say say if asked), but, uh, really? Are one’s orders to some elctronic company sacrosanct, kind of like confession to a priest, or asking your doctor about that weird rash you got? I appreciate that the owners of Sparkfun care about their customers’ privacy. That’s a good thing, and makes me want to patronize them instead of some other place that doesn’t car eat all. But if you acknowledge that police somewhere, sometime, might have a legitimate interest in investigating crime, you also need to acknowledge that they’re going to need evidence, and they need to be able to obtain it. Using a subpoena to require a person to produce evidence for a court or grand jury is a process older than the United States. If there’s some special privilege or reason not to produce the evidence, a personc an challenge the demand in court.
Many of the commenters seem to misunderstand what was going on. It wasn’t that people can used stolen CC #s to buy stuff from Sparkfun, it was that the skimmers police had discovered had used Sparkfun parts of a certain type. So police were looking to see who bought these particular parts from Sparkfun. Of course, there is every reason to believe that the vast majority of those customers were doing nothing wrong. And perhaps they would rather not be “investigated.”
But for those who seem to be suggesting that either the police should never be able to obtain records from third parties, or that they should not be able to obtain records about people who aren’t involved in crime: do you have any ideas on how police ought to investigate a case like this? And if your answer is, for example, “find the people who used stolen CC#s obtained formt he skimmers,” I understand, but it’s possible that those people are (a) outside th US, and (b) don’t know who made and placed the skimmers themselves. What would be a good approach to investigating a case like this that would be sufficiently respectful of privacy rights, in your view?
Re: Re:
if you have the device in question, depending on where it was found, would it not have some type of video camera around? (ATM Machine)
what if the sparkfun device was stolen? then the question is moot as to who originally bought it.
See there ARE two side to almost every question, yes it does make law enforcement’s job harder, but there ( as far as I know of )is no law that says it has to be “easy”
the Rights of the Individual are (in my mind) always Paramount to the Rights of the state, That’s what “used” to make this country Great, it HAS eroded in that past few decades, and look what has happened.
Re: Re: Re:
This isn’t a question of simply making it “hard” or “easy”. The comments from Sparkfun and from many commenters here suggest that they don’t think law enforcement should be able to get access to these records at all – not just that a subpoena makes it “too easy.”
According to the article, the skimmers were installed on gas pumps. And you’re right – many gas tations have video surveillance as well. Maybe that sort of evidence is available. Maybe not (most businesses don’t keep those recordings, and video at gas stations tends to be targeted at drive-offs and robberies, so there may be no need for a gas station to save video for more than a day or a week, or to point video cameras the pumps, as opposed to cars). But even if it were, what does that get you? Perhaps one can see the face of the person who did it. But they won’t be wearing a name tag. Maybe it’d be possible to grab a license plate. Maybe not.
And maybe the Sparkfun devices used in those skimmers were stolen. That’s totally plausible. But again, why does that mean that government shouldn’t be able to seek information about who bought them from Sparkfun, as long as that info-seeking is subject to some appropriate limits? Yes, it’s possible that none of those 20 people who purchased those parts from Sparkfun from Georgia during that particular time had anything to do with the skimmers. In fact, it’s almost certain that most of them had nothing to do with it. That’s not a very good argument for saying government shouldn’t be able to find out any information about those purchasers, no matter what. (Which is what many seem to be suggesting.)
I understand being concerned about customer privacy. I don’t like it that some stores obtain and retain a ton of information about my purchasers (and some times I put up with it to get some sort of benefit, and other times I don’t think the benefit is worth the privacy loss). But if I were to, say, use my credit card to buy a completely innocuous product from a store, and aroudn the same time, the store was robbed and the clerk killed, I wouldn’t find it absurd or over the top for police to check credit card records, and then go interview people were int he store at aroudn the same time — including me, even though I definitely wasn’t the guy who robebd the place.
My overall point is that, while I understand privacy concerns, and I appreciate on some level Sparkfun’s zealousness in protecting its customer records, in this case most of us would agree taht the people makign and installing these skimmers ought to stop. And it’s pretty easy to see how Sparkfun records could be useful in finding out who made these skimmers. And that means there ought to be a way to obtain these records. Perhaps rather than overreating, and saying it’s never OK to reveal even one customer record, perhaps the better response is to focus ont he standards for getting those records, and the use to which they’re put later on. In other words, argue about whether a subpoena is enough, or whether there ought to be additional legal hoops (explicit court approval, a higher standard of proof, or a narrowed or more specifically-justified request). Or focus on making sure that the police don’t use that information to hassle people who aren’t doing anything wrong.
But suggesting that police don’t have any business seeking regular old sales records from a business seems like a drastic overreaction, that wouldn’t work very well in practice anyway.
Re: Re: Re: Re:
So many words for such an obvious rationalization.
I’m just guessing here, but possibly … it is the carpet bomb approach to information gathering that aggravates many.
Re: Re: Re:2 Re:
Yeah, how silly for someone to use “so many words” to make a point, when terse outrage is so much quicker.
Yeah, I suspect many people on TD read this and think this subpoena represents “carpet bombing.” But I would reserve that phrase for demands for information that are ridiculously overbroad, not ones that merely need a little more focus. Here, there’s an obvious attempt to limit the scope of the request (just orders to Georgia and just within a relatively short time frame). I agree that it’s probably broader than necessary to obtain the information that (I think) is relevant to the investigation here. But what the post above took issue with is Shandalow’s statement that “In my opinion, one order is too much information. While I believe this legal process protects us all from wrong doing, turning over any piece of data goes against every fiber in my being.”
SparkFun is awesome. But they’re not my priest, or my doctor, or my rape crisis hotline, or the reporters I call to blow the whistle on some major wrongdoing down at City Hall. They are folks who sell me really cool chips for money. I don’t want to him sharing my order info willy nilly, but if some of the chips I buy end up being used to hurt people, I don’t expect Keith Shandlow to take my order info to the grave with him, and I don’t think he should expect to, either. I admire his willingness to go the extra mile to protect customer privacy, but the idea that it’s never OK to share any customer information at all, no matter what, is way less realistic and less practical and less wise than most of the commenters seem to realize.
Re: Re: Re:3 Re:
Agree – love sparkfun as a customer, and very much appreciate the up front attitude about the entire affair.
I’m not one of the 20 affected, but if I was, I would understand that they did their best to keep the scope of the discovery limited.
I’ll buy from them again without reservations.
Credit Cards
My question is simple. How is Sparkfun going to hand over the CC#’s used to make the purchases?
If they are able to hand those CC#’s over then I for one will not do business there. A person’s CC# should never, ever, EVER be stored in such a way that it is so easily recovered. But then neither should any other such personal informatioon.
Re: Credit Cards
Perhaps it isn’t stored so that it can be easily recovered by anyone but Sparkfun.
Why aren't the cops names and the judge's name on display?
So a couple of public servants abuse their authority in a way that would have put thousands of innocent people’s names, addressed, credit card numbers, unlisted phone numbers, etc on the public record…And nobody wants to expose their names?!?!
Those morons work for us. When a dummy cop in my home town file an over-reaching subpoena or warrant against my neighbors, I should be able to know so I can set up a meeting with his/her supervisor.
Remember that the ACLU’s only tactic that ever worked was to destroy those who opposed them. Until we go after the careers of those who violate our rights, we will continue to loose rights.
I would love to see the face of a cop who filed an overly broad subpoena, when he sees his face on a “WANTED” bumper sticker, 10 years later.
For those who will claim the cops are our friends, I say this: We are Jews. This is Germany. The year is 1938.
Re: Why aren't the cops names and the judge's name on display?
If you want to know who the police officers or investigators are in this case, why not just call the sheriff’s department in Coweta County and ask them? If you’re interested in speakign to their supervisor, then you don’t even need their names – you could just ask to speak to their supervisor. (What, you’re not actually going to do that? I’m shocked.)
As for the other redacted names (like the judge and the clerk), they didn’t have anything to do with issuing this particular subpoena.
Crud – I think I ordered from them in the last 6 months. And no I didn’t buy a credit card ‘skimmer’ although I have some legitimate uses for one. I remember reading about people getting harassed by DirecTV just for buying microcontroller programming tools (that were some of the cheapest prices on the web at the time). http://www.theregister.co.uk/2003/07/17/directv_dragnet_snares_innocent_techies/ It gets better. Look at what Sosa and company did. http://news.cnet.com/8301-13578_3-9776790-38.html
It wasn’t like people were buying pre-written cards designed and written specifically for their Satellite decoder, or just outright cracked decoder boxes. They were buying stuff that was essentially no different than an EPROM programmer.
I hope they don’t suddenly realize that these are just tape heads like those used by the cell phone dongles… GoPayment and SquareUp could be in a pretty big pickle! Uh oh, Apple is going to need jail breakers to help them get out of… OK, that’s going a bit far. Sorry but I couldn’t resist the pun, heh.
It’s really a complete article. I like its informative writing very much. I’m looking forward more adjustment of you. Thanks.
credit cards