from the that-doesn't-seem-right dept
Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)Marco is quite reasonably pissed off at the hosting company, DigitalOne, who never contacted him about this (before or after the raid, including up until the blog post, days later). Frankly, that's unconscionable. For an ISP to simply not tell their customer that a server has been seized? Marco is also upset that DigitalOne didn't do anything to stop the seizure. Now, on both of those accounts, it's possible that DigitalOne's hands were tied. There's not much they can realistically do if the FBI shows up with a seizure warrant, even if it's super broad. And we have seen the FBI use gag orders barring ISPs from talking about what was seized.
Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.
The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.
Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server.
So the FBI now has illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase, and as far as I know, this is completely out of my control.
But, really, that just goes to show, yet again, the problems of such government seizures with no prior adversarial hearings. I recognize that they're looking for evidence that might disappear, but the chance for serious collateral damage, including potentially serious privacy violations, seems pretty high. I'm not sure there's anything he could do, but it certainly would make for an interesting lawsuit if either Marco or an Instapaper customer decided to sue the federal government over these seizures.