US Govt demands details of 1.3 million internet users who visited Trump resistance website

Web host challenges Department of Justice’s over-reaching demands.

The US Department of Justice is demanding that a web-hosting provider hand over details of the IP addresses of 1.3 million people who visited a website involved in organising protests against Donald Trump on the day of his presidential inauguration.

The website in question is disruptj20.org.

DreamHost writes that it is challenging the DOJ's warrant in order to protect the identities of internet users exercising their right to political free speech and protest:

The request from the DOJ demands that DreamHost hand over 1.3 million visitor IP addresses — in addition to contact information, email content, and photos of thousands of people — in an effort to determine who simply visited the website.

That information could be used to identify any individuals who used this site to exercise and express political speech protected under the Constitution’s First Amendment. That should be enough to set alarm bells off in anyone’s mind.

This is, in our opinion, a strong example of investigatory overreach and a clear abuse of government authority.

Law enforcement approaches technology companies on a regular basis, hoping to gather information that may help them with criminal investigations.

But demands for information about every person who visits a website like disruptj20.org? That feels like definite over-reach to me, and is the kind of request that should be fought strongly in the courts.

Folks, if you're not already doing so, protect your privacy online by using technology such as a VPN and Tor.

11 Responses

  1. Mick

    August 15, 2017 at 10:20 am #

    Interesting. So if I visited it from my UK home address will my current ESTA be cancelled when I next go to the US if I appear on the list? Will I then be targeted by the US security snoopers?

    • Matt in reply to Mick.

      August 15, 2017 at 12:35 pm #

      If you visited a US-based website which had the sole purpose of illegally preventing a legally elected President of the USA from taking office, then I would expect that the status of your ESTA waiver could be brought into question and subjected to further investigation.

      Nobody, except a US citizen, has an automatic right of entry into the USA.

      • RICO in reply to Matt.

        August 15, 2017 at 5:18 pm #

        In what way did the website act to prevent the president from taking office?

  2. Mike

    August 15, 2017 at 10:23 am #

    Fair play.

    SJWs are one of the most threatening cults of the modern day. Domestic terrorists in fact.

    Determined to undermine anything civil that we have developed. Creating straw-man arguments out of nothing. Making it acceptable to allow our 6 year-olds to be trans-gender. Their agenda is that of mental patients.

    Trump is doing his job well.

    Fair play.

  3. Lew Swires

    August 15, 2017 at 11:31 am #

    Nothing new here. Obama did it all the time with little outcry.

  4. darth

    August 15, 2017 at 12:41 pm #

    The early beginnings of a police state.

  5. Dave Farquhar

    August 15, 2017 at 2:41 pm #

    Graham, do you have a list of VPN providers you recommend? Buying a VPS and installing OpenVPN on it doesn't do much good for this purpose, as you're just moving your data from a DHCP IP address that can be traced to you to a static IP address that can even more easily be traced to you.

    • Graham Cluley in reply to Dave Farquhar.

      August 15, 2017 at 2:50 pm #

      At the time of writing I'm using Freedome from F-Secure.

      F-Secure is based in Finland (which has some obvious advantages privacy-wise) and I've known guys who work there for 25-or-so years. So I trust them!

  6. Eli

    August 15, 2017 at 2:56 pm #

    Are you suggesting to use both a VPN and TOR together?

    I remember reading something about the US Govt. having access to some TOR nodes and being able to identify who is who. Is that accurate, or is TOR still secure?

  7. Guy

    August 15, 2017 at 7:14 pm #

    We outsiders are at a disadvantage because we don't know the contents of the sworn affidavits. In any case, the wording of the search warrant is aimed at proprietors of and paid subscribers to the website. That is the only information Dreamhost should hand over, now or ever. If DOJ wants to come back and get identity information for every visitor, subscriber or not, they should have to make their case for that kind of broad dragnet as something distinct from the identities of proprietors and paid subscribers.

    An FBI agent once showed me a photo of myself which was taken at an SDS rally on the grounds of a school I attended in my youth. It was meaningless, as I forcefully pointed out to the agent, because I had simply seen a gathering at my school and had walked over to listen out of sheer curiosity, knowing nothing about the SDS at the time. That one photo snapped during the 30 seconds or so that I listened from the fringe of the crowd before walking on, was all they had. They had nothing else to indicate any association between the SDS and myself. But they tried to play it for whatever leverage they could get, which turned out to be zero.

    A handed-over list of all visitors to a website is a grossly overbroad way to investigate the website, and if the DOJ demands such a list regardless, then it's probably because they're seeking leverage over persons not necessarily related to the investigation at hand. If that isn't abuse of process, what is?

  8. Peter Freeman

    August 16, 2017 at 2:54 am #

    There are a number of issues here.

    First, the DOJ search warrant states that the website and/or its visitors organised and/or incited a riot in Washington DC on the day of Trump's inauguration. That assertion is at the very least open to argument, but the "riot" aspect appears to provide a fig-leaf of legality for the issuance of the search warrant.

    The breadth of scope of the warrant makes it appear either that the DOJ and whoever is behind this action believe that every visitor to the website is guilty of incitement to riot by association, or that one or more of the US law-enforcement agencies is cynically conducting a massive trawl to get hold of those IP addresses for their own purposes.

    Once the DOJ has a list of these IP addresses, the US addresses will of course be passed on to the FBI and other agencies; the overseas ones will go to the CIA and NSA. They all then become potentially "persons of interest".

    However, there is a problem with the assertion that every IP address actually represents a visitor to the website. Many browsers allow prefetching or preloading – Chrome has had it for a long time. If a webpage contains a link to disruptj20[dot]org then there is the possibility that the browser contacts the remote server and asks for elements of the website to be downloaded in case the link is clicked. So, has the user "visited" the website or not? And would this prefetching show on the server logs as a connection from a specific IP address?

    I hope DreamHost can afford some good lawyers, and also that they don't get bullied into submission.