Sparkfun Explains Why It Provided Customer Info In Response To Subpoena
from the tough-situations dept
When you receive an official law enforcement document/request, like a subpoena, it can actually be pretty scary. An official-looking document from a court in association with law enforcement may leave many people with the impression that they absolutely have to comply. While there are circumstances in which you do need to comply, you can often fight back. Tragically, many companies don't. They just roll over and hand over the info, even if it violates their own policies (and sense of right and wrong). There are (unfortunately few and far between) cases like Twitter, who has shown a willingness to fight for user privacy, but it's still a tough issue for many companies.Shawn Sims points us to the interesting story of how the popular electronics company Sparkfun publicly explained how it dealt with a very broad subpoena demanding all sales information on sales made to addresses in Georgia over a six month period. The reasoning was that a Sparkfun device was found as a part of a credit card skimmer device.
Sparkfun CEO Nate Seidle explains that the subpoena came after an initial call requesting the same info, where the company politely refused to provide the info, noting its support of the privacy rights of its consumers. As Seidle noted, no one supports card skimming, but there are issues of principle here:
I want to be very clear: creating devices that steal credit card numbers are illegal and cause pain for a lot of people. We know our parts can be used for good or for evil. We have zero tolerance for those who use them for evil. I will offer our technical services to any law enforcement that may need help reverse engineering a device. It is obvious the law enforcement agency is requesting this information to put a stop to this activity. However, I also believe strongly in the right to privacy and the protection of personal data.After talking to their lawyers, and realizing that you don't have to fully comply with a subpoena -- but also that a subpoena can turn into a warrant which you do have to comply with -- the company worked with the law enforcement to try to limit the type of information requested, and eventually came to a compromise:
This is a tough position to be in -- and you can certainly argue that the company could have (or perhaps should have) continued to fight the subpoena. But in the end, it's likely that it would have to turn over the info eventually no matter what. At the very least, you have to respect the company for being totally transparent and open about what happened and why (and how Seidle personally felt). Plenty of other companies would hand over the data and then never discuss the issue publicly ever.Please read the subpoena carefully. The request for 'all orders' seemed like they were casting a very wide net without cause. Discussing this issue with our counsel and working with the law enforcement agency, we agreed to obtain the orders that had the product on it, not all orders as required by the subpoena. This ended up being about 20 orders. In my opinion, one order is too much information. While I believe this legal process protects us all from wrong doing, turning over any piece of data goes against every fiber in my being. But without any further legal options, I made the decision to turn over the sub set of data.
I want everyone to know that we take your data and privacy extremely seriously. We guard it with the highest levels of security and confidentiality. If we are legally forced to turn over data, we promise you we will work with the law enforcement agency to do everything in our power to limit the amount of information released.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: nate seidle, privacy, subpoena, transparency
Companies: sparkfun
Reader Comments
Subscribe: RSS
View by: Time | Thread
You are evil. Fuck off.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
credit card numbers
[ link to this | view in chronology ]
Re: credit card numbers
[ link to this | view in chronology ]
Re: Re: credit card numbers
[ link to this | view in chronology ]
Re: Re: Re: credit card numbers
[ link to this | view in chronology ]
Re: Re: Re: credit card numbers
Looking at the site it appears that Sparkfun doesn't manufacture the items it sells. So who says the item was bought there?
[ link to this | view in chronology ]
Re: Re: Re: Re: credit card numbers
More details can be found at: http://www.sparkfun.com/news/308
[ link to this | view in chronology ]
Re: Re: credit card numbers
[ link to this | view in chronology ]
Re: credit card numbers
Storing credit card info long-term without good cause is enough for me to completely avoid a company. If they're doing that, it's quite possible they're breaking other credit card security guidelines. The payment card industry has card-handling standard for a reason!
[ link to this | view in chronology ]
Cash
Another reason to use cash whenever you can (and of course get the things you need in person). That's best way to avoid ending up on a list of suspects just because you bought something that some criminal also bought.
[ link to this | view in chronology ]
It helps not annoy the company when you describe and item not bearing the companies actual name.
I think Sprakfun is in a deep pile of crap thou.
It is amazing a court saw no problem with handing over a ton of unrelated data.
They were tracking a single piece of the unit, and created a window when they thought it was purchased that could be completely incorrect.
Thankfully this owner found a way to protect a majority of their clientele from unneeded harassment with their purchase history ending up in some database somewhere because someone thinks they should keep it in case they have a use for it someday.
[ link to this | view in chronology ]
When you take protecting privacy too far
[ link to this | view in chronology ]
Re: When you take protecting privacy too far
[ link to this | view in chronology ]
Re: When you take protecting privacy too far
[ link to this | view in chronology ]
Re: When you take protecting privacy too far
[ link to this | view in chronology ]
Re: Re: When you take protecting privacy too far
[ link to this | view in chronology ]
Why was the subpoena censored?
[ link to this | view in chronology ]
Re: Why was the subpoena censored?
The originally posted document might have been done by the company who believes in privacy and might like the court to accept more reasonable terms by not being the source of a buncha pizzas and hookers showing up for the Judge.
[ link to this | view in chronology ]
Beholdeth ye olde language
[ link to this | view in chronology ]
There is a problem where the subpoena was granted to recover such broad information, information that clearly has nothing to do with the case. That it was requested speaks of the laziness of the officer writing the subpoenaing officer and of the rubber-stamp mentality of our judiciary that approves these broad requests.
[ link to this | view in chronology ]
Re:
Have you not been paying attention? One does not need the CC# in order to accomplish your stated task.
Not sure whether ignorant or troll.
[ link to this | view in chronology ]
I realize a lot of people here feels the same way (or would say say if asked), but, uh, really? Are one's orders to some elctronic company sacrosanct, kind of like confession to a priest, or asking your doctor about that weird rash you got? I appreciate that the owners of Sparkfun care about their customers' privacy. That's a good thing, and makes me want to patronize them instead of some other place that doesn't car eat all. But if you acknowledge that police somewhere, sometime, might have a legitimate interest in investigating crime, you also need to acknowledge that they're going to need evidence, and they need to be able to obtain it. Using a subpoena to require a person to produce evidence for a court or grand jury is a process older than the United States. If there's some special privilege or reason not to produce the evidence, a personc an challenge the demand in court.
Many of the commenters seem to misunderstand what was going on. It wasn't that people can used stolen CC #s to buy stuff from Sparkfun, it was that the skimmers police had discovered had used Sparkfun parts of a certain type. So police were looking to see who bought these particular parts from Sparkfun. Of course, there is every reason to believe that the vast majority of those customers were doing nothing wrong. And perhaps they would rather not be "investigated."
But for those who seem to be suggesting that either the police should never be able to obtain records from third parties, or that they should not be able to obtain records about people who aren't involved in crime: do you have any ideas on how police ought to investigate a case like this? And if your answer is, for example, "find the people who used stolen CC#s obtained formt he skimmers," I understand, but it's possible that those people are (a) outside th US, and (b) don't know who made and placed the skimmers themselves. What would be a good approach to investigating a case like this that would be sufficiently respectful of privacy rights, in your view?
[ link to this | view in chronology ]
Re:
what if the sparkfun device was stolen? then the question is moot as to who originally bought it.
See there ARE two side to almost every question, yes it does make law enforcement's job harder, but there ( as far as I know of )is no law that says it has to be "easy"
the Rights of the Individual are (in my mind) always Paramount to the Rights of the state, That's what "used" to make this country Great, it HAS eroded in that past few decades, and look what has happened.
[ link to this | view in chronology ]
Re: Re:
According to the article, the skimmers were installed on gas pumps. And you're right - many gas tations have video surveillance as well. Maybe that sort of evidence is available. Maybe not (most businesses don't keep those recordings, and video at gas stations tends to be targeted at drive-offs and robberies, so there may be no need for a gas station to save video for more than a day or a week, or to point video cameras the pumps, as opposed to cars). But even if it were, what does that get you? Perhaps one can see the face of the person who did it. But they won't be wearing a name tag. Maybe it'd be possible to grab a license plate. Maybe not.
And maybe the Sparkfun devices used in those skimmers were stolen. That's totally plausible. But again, why does that mean that government shouldn't be able to seek information about who bought them from Sparkfun, as long as that info-seeking is subject to some appropriate limits? Yes, it's possible that none of those 20 people who purchased those parts from Sparkfun from Georgia during that particular time had anything to do with the skimmers. In fact, it's almost certain that most of them had nothing to do with it. That's not a very good argument for saying government shouldn't be able to find out any information about those purchasers, no matter what. (Which is what many seem to be suggesting.)
I understand being concerned about customer privacy. I don't like it that some stores obtain and retain a ton of information about my purchasers (and some times I put up with it to get some sort of benefit, and other times I don't think the benefit is worth the privacy loss). But if I were to, say, use my credit card to buy a completely innocuous product from a store, and aroudn the same time, the store was robbed and the clerk killed, I wouldn't find it absurd or over the top for police to check credit card records, and then go interview people were int he store at aroudn the same time -- including me, even though I definitely wasn't the guy who robebd the place.
My overall point is that, while I understand privacy concerns, and I appreciate on some level Sparkfun's zealousness in protecting its customer records, in this case most of us would agree taht the people makign and installing these skimmers ought to stop. And it's pretty easy to see how Sparkfun records could be useful in finding out who made these skimmers. And that means there ought to be a way to obtain these records. Perhaps rather than overreating, and saying it's never OK to reveal even one customer record, perhaps the better response is to focus ont he standards for getting those records, and the use to which they're put later on. In other words, argue about whether a subpoena is enough, or whether there ought to be additional legal hoops (explicit court approval, a higher standard of proof, or a narrowed or more specifically-justified request). Or focus on making sure that the police don't use that information to hassle people who aren't doing anything wrong.
But suggesting that police don't have any business seeking regular old sales records from a business seems like a drastic overreaction, that wouldn't work very well in practice anyway.
[ link to this | view in chronology ]
Re: Re: Re:
I'm just guessing here, but possibly ... it is the carpet bomb approach to information gathering that aggravates many.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Yeah, I suspect many people on TD read this and think this subpoena represents "carpet bombing." But I would reserve that phrase for demands for information that are ridiculously overbroad, not ones that merely need a little more focus. Here, there's an obvious attempt to limit the scope of the request (just orders to Georgia and just within a relatively short time frame). I agree that it's probably broader than necessary to obtain the information that (I think) is relevant to the investigation here. But what the post above took issue with is Shandalow's statement that "In my opinion, one order is too much information. While I believe this legal process protects us all from wrong doing, turning over any piece of data goes against every fiber in my being."
SparkFun is awesome. But they're not my priest, or my doctor, or my rape crisis hotline, or the reporters I call to blow the whistle on some major wrongdoing down at City Hall. They are folks who sell me really cool chips for money. I don't want to him sharing my order info willy nilly, but if some of the chips I buy end up being used to hurt people, I don't expect Keith Shandlow to take my order info to the grave with him, and I don't think he should expect to, either. I admire his willingness to go the extra mile to protect customer privacy, but the idea that it's never OK to share any customer information at all, no matter what, is way less realistic and less practical and less wise than most of the commenters seem to realize.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I'm not one of the 20 affected, but if I was, I would understand that they did their best to keep the scope of the discovery limited.
I'll buy from them again without reservations.
[ link to this | view in chronology ]
Credit Cards
If they are able to hand those CC#'s over then I for one will not do business there. A person's CC# should never, ever, EVER be stored in such a way that it is so easily recovered. But then neither should any other such personal informatioon.
[ link to this | view in chronology ]
Re: Credit Cards
[ link to this | view in chronology ]
Why aren't the cops names and the judge's name on display?
Those morons work for us. When a dummy cop in my home town file an over-reaching subpoena or warrant against my neighbors, I should be able to know so I can set up a meeting with his/her supervisor.
Remember that the ACLU's only tactic that ever worked was to destroy those who opposed them. Until we go after the careers of those who violate our rights, we will continue to loose rights.
I would love to see the face of a cop who filed an overly broad subpoena, when he sees his face on a "WANTED" bumper sticker, 10 years later.
For those who will claim the cops are our friends, I say this: We are Jews. This is Germany. The year is 1938.
[ link to this | view in chronology ]
Re: Why aren't the cops names and the judge's name on display?
As for the other redacted names (like the judge and the clerk), they didn't have anything to do with issuing this particular subpoena.
[ link to this | view in chronology ]
It wasn't like people were buying pre-written cards designed and written specifically for their Satellite decoder, or just outright cracked decoder boxes. They were buying stuff that was essentially no different than an EPROM programmer.
I hope they don't suddenly realize that these are just tape heads like those used by the cell phone dongles... GoPayment and SquareUp could be in a pretty big pickle! Uh oh, Apple is going to need jail breakers to help them get out of... OK, that's going a bit far. Sorry but I couldn't resist the pun, heh.
[ link to this | view in chronology ]
credit cards
[ link to this | view in chronology ]