The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
A closer look at DOJ's warrant to collect website records
The Hill is getting a lot of attention in privacy circles with a story headlined "Justice demands 1.3M IP addresses related to Trump resistance site." Here's the opening:
The Department of Justice has requested information on visitors to a website used to organize protests against President Trump, the Los Angeles-based Dreamhost said in a blog post published on Monday.
Dreamhost, a web hosting provider, said that it has been working with the Department of Justice for several months on the request, which believes goes too far under the Constitution.
DreamHost claimed that the complying with the request from the Justice Department would amount to handing over roughly 1.3 million visitor IP addresses to the government, in addition to contact information, email content and photos of thousands of visitors to the website, which was involved in organizing protests against Trump on Inauguration Day.
I was curious about what was really happening, so I took a look. Here's what I found.
First, the U.S. Attorney's Office in the District of Columbia obtained a search warrant from a Superior Court judge requiring Dreamhost to hand over records to the government relating to a website, disruptj20.org. The provider, Dreamhost, refused. The government filed this motion for Dreamhost to show cause as to why it wasn't complying with the warrant, and Dreamhost filed this reply.
Here's my very tentative take, based on just a quick skim of the documents. First, it's not obvious to me whether the warrant is problematic. Attachment B tells Dreamhost to turn over records to the government relating to "each account and identifier listed in Attachment A." Notably, Attachment A doesn't list any specific user accounts: It just lists the specific website. So the warrant seems to be telling Dreamhost to turn over pretty much everything it has on that website. I understand this to be Dreamhost's objection. Dreamhost thinks the warrant should only require it to hand over specific records about specific users.
What makes this tricky, I think, is that Dreamhost is only involved in the initial search stage of a two-stage warrant. Computer warrants are ordinarily executed in two stages. First, the government gets access to all the electronic records. Next, the government searches through the records for the particularly described evidence. Courts have broadly allowed the government to follow this two-step procedure, in which they get all the stuff in the initial stage of electronic evidence warrants so that they can search it for the relevant evidence. Given that, Dreamhost's objection is slightly off. As I read it, Dreamhost is essentially challenging the widely accepted two-stage warrant practice. Some federal magistrate judges in the "magistrate's revolt" have made that argument, but they generally have been overruled at the district court level.
With that said, there's an interesting and unresolved issue presented here: What's the correct level of particularity for a website? Courts have allowed the government to get a suspect's entire email account, which the government can then search through for evidence. But is the collective set of records concerning a website itself so extensive that it goes beyond what the Fourth Amendment allows? In the physical world, the government can search only one apartment in an apartment building with a single warrant; it can't search the entire apartment building. Are the collective records of a website more like an apartment building or a single apartment? I don't know of any caselaw on this. And it's not obvious to me how much functionality the website offers, which would determine what records it keeps. Those details would likely be in the affidavit. But I believe the affidavit is not public.
Beyond the constitutionality of the warrant, there's also an important procedural question that I don't see raised. Some may recall that I blogged at length a few years ago about whether a provider has a legal right to bring a pre-enforcement challenge to an allegedly defective warrant. As I argued here, I think neither the statute nor the Fourth Amendment gives such a right. At the same time, as I argued here, I think providers have a good due process argument that they can argue at least some parts of the legality of a warrant to the extent it seeks to command the provider to assist in its execution. This question does not appear to have been raised, but I think it's an important issue.