A judge has ruled that federal agencies seeking information from DreamHost on subscribers to an anti-Trump website do not have the right to that data, stripping away much of the warrant's power.
In August this year, the Trump administration demanded logs containing 1.3 million visitor IP addresses to an anti-Trump website from the hosting provider, as well as data on the owners.
As DreamHost is the host of the website, DisruptJ20.org -- the domain used to plan a mass-protest for the inauguration of the now-President -- law enforcement demanded "all information available" on anyone who dared visit the domain and therefore may have been involved in the protest.
Several people believed to be linked to DisruptJ20 were arrested at the protest for alleged violence.
When DreamHost received the order, the company made the demand public and said it was attempting to talk to the US Department of Justice (DoJ) to ascertain just how far the warrant was able to go and clarify exactly what police could legally have -- and simply wanted to have.
DreamHost revealed that the warrant asked not only for IP addresses, but "contact information, email content, and photos of thousands of people."
This far-reaching data pool caused serious concern, as it would gift the administration a list of people who likely oppose Trump's election -- despite free speech protection -- and so DreamHost fought back.
"While we regularly work with law enforcement and hand over certain types of data as part of various ongoing investigations, this particular request for customer data was overly broad, and we objected to it on those terms," DreamHost said.
Such a case has serious significance not only for the Trump administration but the protection of US citizen rights as a whole, let alone DreamHost's reputation. As a result, Chief Judge Morin of the Washington D.C. Superior Court decided to act as an intermediary between DreamHost and the DoJ.
On Tuesday, Morin issued his final ruling (.PDF) on the matter which contains radical changes to the warrant's scope.
Under the terms of the new order, DreamHost is now able to redact all identifying information and protect the identities of users linked to DisruptJ20 before handing over any records.
The judge has ordered that DreamHost remove identifying markers including names, addresses, email addresses, member and email lists, IP addresses, and any "information contained within the content of any blogs or emails that would identify the individual communicating with the website."
"As the court has previously stated, while the government has the right to execute its warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities," the judge ruled.
DreamHost said in a blog post on Tuesday that the company is "elated to see significant changes that will protect the constitutional rights of Innocent internet users worldwide."
"We are now required to hand over a drastically reduced amount of data to the government and will redact any identifying information from every scrap of it that relates to non-subscribers," the company added.
Morin said that "safeguards" were needed to protect the rights of both subscribers and visitors, and so the government is required to give the court a shaved-down, specific and itemized list of the information law enforcement requires, and justify why.
The court will then need to approve the particulars of the search, and should the judge find "probable cause" that the requested data is "evidence of criminal activity," then, and only then, the DoJ will be permitted to obtain non-redacted records from DreamHost.
If no cause is found, then law enforcement will be scuppered in its quest to create a full log of the website's users and their sensitive information.
DreamHost likely could not have wished for much more. The US government may have the right to request some customer information, but this does not automatically grant it the right to monitor the entire Internet for political purposes -- and should Internet users be privacy-conscious anyway, VPN usage would snarl this further.
It is still possible that DreamHost will need to hand over information belonging to those that allegedly conducted violent actions at the protest, but the new ruling will protect the rights of innocent visitors at the least.
As a result, the hosting provider does not intend to appeal the ruling.
"There's really no need," DreamHost says. "Any sweeping requests for data that could personally identify website visitors not directly related to an ongoing criminal investigation are now off the table. It's sort of a moot point!"
It is now up to DreamHost to remove every indicator, pointer, address, and clue to user identities hidden in the DisruptJ20 information cache. The firm says it plans to go over this data with a "fine-toothed comb" before any government employee has access to it, to prove that "our commitment to user privacy is strong and unwavering."
"We see this as an absolute victory not just for DreamHost, but for online service providers throughout America and for internet users around the world," the company added. "As a result of this ruling, Internet users retain the ability to simply browse the Internet without fear of being swept up in a criminal probe."