On July 28, the Department of Justice turned to the D.C. superior court to enforce a since-modified computer search warrant against DreamHost, a web hosting service. One of DreamHost’s customers, a website called DisruptJ20 (www.disruptj20.org), is the focus of an investigation into protests that turned violent on Inauguration Day, and the warrant sought information on an estimated 1.3 million visitors to the site. Critics suggested the Trump administration was using the DOJ to crack down on political opponents. “The Justice Department Goes Phishing in DreamHost Case,” the New York Times Editorial Board wrote. Others wrote, “Government warrant threatens privacy and free speech of all web users” and “Trump administration's new threat to free speech.” Still other commentators have argued that this reaction is an overblown, alarmist response to a fairly standard criminal computer investigation.
The Washington Post noted this week that DreamHost is considering whether to appeal the judge’s most recent order to turn over user data. For those who want a quick overview of the case thus far, below is a summary of the major documents in the case.
On July 12, a D.C. superior court judge signed a search warrant that required DreamHost to turn over its stored documents and files related to the website DisruptJ20. That website was a portal for coordinating protests related to President Donald Trump’s inauguration. According to the Justice Department’s July 28 motion to show cause, DisruptJ20 is directly connected to a riot at the Inauguration Day events in D.C. Over two hundred rioters were arrested and some are facing felony charges. While the trials will not take place until March 2018, one rioter was sentenced this summer to four months in jail.
The warrant compels DreamHost to turn over:
- Any information it has pertaining to DisruptJ20;
- Any DisruptJ20 subscriber information, including names, addresses, phone numbers, email addresses, length of service, means and source of payment, and domain name registration information;
- Any information about the service utilized by the user; and
- Any communication between DreamHost and any person about the DisruptJ20 account
The warrant also allows the government to seize the portion of the disclosed information “that constitutes fruits, evidence[,] and instrumentalities of violations of D.C. Code § 22-1322 involving the individuals who participated, planned, organized, or incited the January 20 riot, relation to the development, publishing, advertisement, access, use, administration or maintenance” of DisruptJ20.
At the Volokh Conspiracy, Orin Kerr notes that this type of warrant, with a broad request for disclosure followed by a search for particular data and a seizure of only that narrower set of information, is typical in computer cases. Kerr writes:
Computer warrants are ordinarily executed in two stages. First, the government gets access to all the electronic records. Next, the government searches through the records for the particularly described evidence. Courts have broadly allowed the government to follow this two-step procedure...Some federal magistrate judges in the “magistrate’s revolt” have [ruled against this type of warrant], but they generally have been overruled at the district court level.
In a series of emails submitted as exhibits attached to the government’s motion to show cause, DreamHost and John Borchert, Deputy Chief of the Felony Major Crimes Trial Section, discussed the production of records. The exchange began when the government emailed DreamHost the search warrant. After Karl Fry, a DreamHost compliance team member, requested personal service and additional time, Borchert threatened a Motion to Show Cause if the information was not produced by July 19, the day of the message. Chris Ghazarian, DreamHost’s general counsel, noted that some requested information was outside of what DreamHost had preserved so the company would need additional time to produce the records. Borchert then asked for DreamHost to provide records as they became available. DreamHost obtained outside counsel from Raymond Aghaian, who expressed four concerns about the warrant:
- Vagueness surrounding the DisruptJ20 hosting account’s subscriber information;
- Jurisdictional issues arising from the fact that the warrant was from D.C. and the information was stored in Portland, Oregon;
- Applicability of the Privacy Protection Act (PPA), which rendered some of the information not subject to a search warrant; and
- Overbreadth of the warrant, which would result in the IP addresses of 1,000,000 visitors to DisruptJ20.
The government rebuts each of Aghaian’s concerns in its motion.
First, it states that the vagueness about the hosting account’s subscriber information is not relevant because that pertains to what the government can seize, not what DreamHost has to disclose.
Second, the government argues that despite the data’s physical location in Oregon, the D.C. Superior Court has jurisdiction under the Stored Communications Act (SCA) because it is a “court of criminal jurisdiction of a State authorized by law of that State to issue search warrants.” The government also noted that D.C. was included in the definition of a state.
Third, the government argues that DreamHost has not proven that any of the information would fall within the PPA’s protected category. It also notes that even if DreamHost had made such a showing, protected information can still be searched. To support this, it states that a civil suit is the only remedy for a person whose information is searched or seized in violation of the PPA. It also quotes language from the PPA stating that otherwise admissible evidence should not be excluded simply because the collection of the evidence violated the PPA.
Finally, and most importantly, the government denies that the warrant is overbroad. Without going into detail, the government states that limits were placed both on what DreamHost is required to produce and on what the government is allowed to seize. Presumably, more of the government’s argument was revealed at the subsequent hearing, as this appears to be the crux of DreamHost’s refusal to comply.
In this motion, DreamHost argues that the warrant authorizes an unreasonable search under the Fourth Amendment because it lacks sufficient specificity as required by the involved First Amendment issues and because it does not provide for the destruction or return of the non-seized data provided. The motion also argues that the warrant violates the PPA and lacks jurisdictional basis.
Fourth Amendment Issues
DreamHost argues that the warrant calls up First Amendment issues, requiring “particular exactitude” to justify the search. It notes that the files requested would permit the government to identify the specific computers used to visit the website and the specific activity of each computer, as well as all emails, including those sent by third parties. Courts have held that demands for records of customer purchases relating to protected speech violate the Fourth Amendment, even when the government has a legitimate need to investigate. DreamHost argues that the government’s request would violate third-party individuals’ expectations of privacy.
DreamHost further argues that the warrant also fails “particular exactitude” scrutiny because it requires DreamHost to disclose all information pertaining to the website, including records of third-party users, while seizing only information that relates to violations of the D.C. Riot Act. DreamHost argues that such two-stage search is unconstitutional. It cites several cases in support; however, all were decided at the magistrate level.
In addition, DreamHost argues that the warrant lacked the specificity required of a constitutional search because it describes the information to be seized as evidence of a crime “involving” unnamed participants and “relating to” the website, and because the information to be disclosed lacks a date range. These features render the warrant unconstitutionally vague, and the search thus violates the Fourth Amendment’s requirement of reasonableness.
Privacy Protection Act
The PPA protects information that is intended to be published. DreamHost argues that as DisruptJ20 publishes information to the public, much of the requested information may be protected; therefore, the data requires further analysis to determine what is protected before being disclosed. DreamHost also argues that, contrary to the government’s argument, a civil suit is not the exclusive remedy for PPA violations; the language of the statute does not prevent DreamHost from using the PPA to challenge the search warrant. If successful, the challenge would prevent the government from searching the protected information.
Finally, DreamHost argues that the SCA does not allow for unrestricted extraterritorial jurisdiction. Courts have looked to state law to determine whether an extraterritorial warrant is permissible under the SCA, and D.C. law permits warrants for searches only “in the District of Columbia.”
On August 21st, the government filed a Motion to Modify the Search Warrant. The government includes a fairly emotional description of the riot (which sounds like an opening argument and may not be supported by facts):
The rioters — some of them armed with hammers, crow bars, wooden sticks[,] and other weapons — moved as a cohesive unit for approximately thirty (30) minutes, traveling more than a dozen city blocks, as individual participants engaged in violence and destruction that caused hundreds of thousands of dollars’ worth of property damage and left civilians and officers injured.
After emphasizing the gravity of the violence, the government ties the warrant into the current riot-related prosecutions and hints at the still-sealed warrant. According to the government, DisruptJ20 functioned as a private communications channel for the organizers of the premeditated riot. At private, in-person meetings, organizers were allegedly required to log into DisruptJ20 with their personal credentials to prove their identity.
Throughout the Motion to Modify, the government repeats that it is searching only for “specific evidence of the crime” and has no interest in information regarding peaceful protesters who were exercising their First Amendment rights. The government claims ignorance of the quantity of records DreamHost kept, all of which would have been swept into the original search warrant. According to the Motion to Modify, the government was unaware of the following until DreamHost’s motion:
- “During the time period from January 23, 2017 to January 28, 2017, DreamHost has maintained HTTP logs for over 1,300,000 IP addresses of visitors to the website” which is a time period after the riot at issue in the government’s case.
- “DreamHost maintains emails associated with the Website, including emails of third parties.”
- “The Website proposes several email addresses within the disruptj20.org domain name and invites correspondence.”
- “DreamHost maintains membership lists for several email discussion lists, from a number of different email accounts sponsored by the website.”
- "DreamHost maintains over 2,000 images related to the Website.”
- DreamHost maintains some “unpublished” materials such as “draft blog posts” and “hundreds of images.”
After learning this information, the government requested that the search warrant be modified in the following ways:
- The timeframe is limited to July 1, 2016 to January 20, 2017.
- Unpublished drafts and HTTP request and error logs are excluded from disclosure.
The types of information the government will seize are more narrowly described.
- The information that DreamHost discloses but the government does not seize will not be retained in any fashion but will be placed under seal with the court.
The government also addresses DreamHost’s legal arguments. With regard to extraterritoriality, the government argues that neither D.C. Code § 23-521(a) nor D.C. Superior Court Rule of Criminal Procedure 41(f)(2) limits D.C.’s authority under the SCA, and none of the cases cited by DreamHost resulted in a denial of a state’s authority to issue an extraterritorial warrant. Moreover, the government considers “execution” under the SCA to occur remotely, with law enforcement officers emailing or faxing a warrant rather than entering a property. The government also uses a recent District of D.C. case to support its interpretation of “search”: “the constitutional ‘search’ and ‘seizure’ that is the subject of a search warrant — occurs in the location where law enforcement reviews that subscriber’s information.” The relevant conduct in this case—the issuance and execution of the warrant and the search and seizure of the data by law enforcement personnel— thus occurred within the District of Columbia.
As for the two-stage warrant practice, the government argues that it is widely accepted and has been affirmed by every federal circuit that has addressed it, citing cases from the First, Third, Sixth, Ninth, and Tenth Circuits. It quotes a District of D.C. case to explain the myriad problems that would arise if third-party providers were allowed to filter data:
[I]t would be unworkable and impractical to order Apple to cull the e-mails and related records in order to find evidence that is relevant to the government’s investigation. To begin with, non-governmental employees untrained in the details of the criminal investigation likely lack the requisite skills and expertise to determine whether a document is relevant to criminal investigation. Moreover, requiring the government to train the electronic service provider’s employees on the process for identifying information that is responsive to the search warrant may prove time-consuming, increase the costs of the investigation, and expose the government to potential security breaches.
Additionally, the government distinguishes the situation at hand from most of the cases Dreamhost relies on, arguing that those cases were either subsequently superseded or involved unique factual situations not at play here.
Finally, the government notes that DreamHost simply critiqued the two-stage process rather than explaining why it is a particular problem in this case or providing a workable alternative.
Although DreamHost acknowledges that the government’s motion to modify removed both the problematic request for visitor data and the request for data subject to the PPA, it still finds significant problems with the warrant.
First, the government saw a problem and did not fix it. The government noted that it was unaware of both third-party emails and email discussion lists. However, DreamHost argues that the government did not sufficiently narrow the warrant to exclude these items.
Second, the government is still using one warrant to get access multiple email accounts that were not listed by name in the warrant. Comparing this warrant to the one in the D.C. Circuit’s recent decision in United States v. Griffith, in which the court held a warrant overbroad because it permitted seizure of all electronic devices (otherwise lawful objects) within an apartment regardless of the owner, DreamHost argues that the email accounts in question are both otherwise lawful objects and plagued with the same lack of particularity as the electronic devices in Griffith.
Third, DreamHost fears that the email accounts of those suspected in the crime will disclose the identities of third parties with whom the suspects communicated. This, it worries, will cause “an individual to second guess  her political expression while visiting legal Internet websites for fear of being exposed directly interferes with [her] associational rights.”
Fourth, DreamHost believes that the government actually expanded the scope of the search warrant in the motion to modify. In describing the items to be seized, the government listed two crimes not mentioned in the previous warrant: conspiracy to commit crime and malicious burning, destruction, or injury of another’s property. According to DreamHost, this modification would create a warrant that was too far removed from the initial finding of probable cause to maintain validity.
Finally, DreamHost still believes that D.C. law does not allow extraterritorial search warrants under the SCA. And based on DreamHost’s definition of “executed” and “searched,” both the execution of the warrant and the search of the data occurred extraterritorially. According to DreamHost’s reading of the District of D.C. case that the government cites for their definition of a search, a warrant is executed when it is delivered to a provider by law enforcement, which in this case was in California. DreamHost quotes the same case to say that a “search occurs when an expectation of privacy that society is prepared to consider reasonable is infringed,” and it interprets infringement as occurring when and where a provider produces the information.
DreamHost included a redline strikeout, comparing the original warrant with the modifications.
Judge’s Ruling on Order to Show Cause and the Modified Warrant
On August 24, according to Zoe Tillman from BuzzFeed News, DC Superior Court Judge Robert Morin decided from the bench that DreamHost must disclose the data described in the modified warrant. However, the judge will be supervising the process. He required the government to “provide him with a report explaining who would review the data, how they would do the search, and the procedures they would use to minimize access to information” not related to the riot and, therefore, not seizable. Additionally, he ordered the government to “give him a list of all the information it wanted to seize, with an explanation for why it fell under the search warrant.” All other information disclosed by DreamHost will be placed under seal with the court.
DreamHost signaled in court that since the modified warrant was still not satisfactory, it will consider appealing.
A Comment in Conclusion
As Bobby Chesney and Steve Vladeck noted on the National Security Law Podcast on August 16, the Motion to Modify suggests this was not a case of political retribution: it was more likely that an assistant U.S. attorney issued a standard two-stage computer warrant that was unintentionally overbroad in its first stage and then attempted to rectify his mistake.