Sparkfun Explains Why It Provided Customer Info In Response To Subpoena

from the tough-situations dept

When you receive an official law enforcement document/request, like a subpoena, it can actually be pretty scary. An official-looking document from a court in association with law enforcement may leave many people with the impression that they absolutely have to comply. While there are circumstances in which you do need to comply, you can often fight back. Tragically, many companies don't. They just roll over and hand over the info, even if it violates their own policies (and sense of right and wrong). There are (unfortunately few and far between) cases like Twitter, who has shown a willingness to fight for user privacy, but it's still a tough issue for many companies.

Shawn Sims points us to the interesting story of how the popular electronics company Sparkfun publicly explained how it dealt with a very broad subpoena demanding all sales information on sales made to addresses in Georgia over a six month period. The reasoning was that a Sparkfun device was found as a part of a credit card skimmer device.
Sparkfun CEO Nate Seidle explains that the subpoena came after an initial call requesting the same info, where the company politely refused to provide the info, noting its support of the privacy rights of its consumers. As Seidle noted, no one supports card skimming, but there are issues of principle here:

I want to be very clear: creating devices that steal credit card numbers are illegal and cause pain for a lot of people. We know our parts can be used for good or for evil. We have zero tolerance for those who use them for evil. I will offer our technical services to any law enforcement that may need help reverse engineering a device. It is obvious the law enforcement agency is requesting this information to put a stop to this activity. However, I also believe strongly in the right to privacy and the protection of personal data.

After talking to their lawyers, and realizing that you don't have to fully comply with a subpoena -- but also that a subpoena can turn into a warrant which you do have to comply with -- the company worked with the law enforcement to try to limit the type of information requested, and eventually came to a compromise:

Please read the subpoena carefully. The request for 'all orders' seemed like they were casting a very wide net without cause. Discussing this issue with our counsel and working with the law enforcement agency, we agreed to obtain the orders that had the product on it, not all orders as required by the subpoena. This ended up being about 20 orders. In my opinion, one order is too much information. While I believe this legal process protects us all from wrong doing, turning over any piece of data goes against every fiber in my being. But without any further legal options, I made the decision to turn over the sub set of data.

I want everyone to know that we take your data and privacy extremely seriously. We guard it with the highest levels of security and confidentiality. If we are legally forced to turn over data, we promise you we will work with the law enforcement agency to do everything in our power to limit the amount of information released.

This is a tough position to be in -- and you can certainly argue that the company could have (or perhaps should have) continued to fight the subpoena. But in the end, it's likely that it would have to turn over the info eventually no matter what. At the very least, you have to respect the company for being totally transparent and open about what happened and why (and how Seidle personally felt). Plenty of other companies would hand over the data and then never discuss the issue publicly ever.

Filed Under: nate seidle, privacy, subpoena, transparency
Companies: sparkfun