On May 29, 2013, Pete Ashdown received a two-page document from the United States Department of Justice Criminal Division at the United States Embassy in Rome, Italy. Ashdown is the founder and CEO of XMission, an independent ISP and Web host based in Salt Lake City, Utah.
You are hereby requested to preserve, under the provisions of Title 18, United States Code, Section 2703(f), the following records in your custody or control, including records stored on backup media:
A. All stored electronic communications and other files associated with the following IP address: 166.70.270.2
There are two minor problems with this request. First, it’s not a valid IP address. Second, the IP address it’s supposed to be is actually that of XMission’s Tor node (166.70.207.2).
“So not only did they not bother to investigate the fact that it was Tor node, but they didn’t know what a proper IP address was either,” Ashdown told Ars.
Not all legal requests are as malformed as this one. The local entrepreneur's company, XMission, is one of the few ISPs and hosts in the United States that seems to make a point of standing up for the user privacy of its 30,000 customers (California's Sonic.net is often noted as one of the others). When Ashdown gets requests to preserve or hand over data, he checks to see that the requests are accurately written. If so, he tells law enforcement to come back with a probable cause-driven warrant—at which point they never do. In the age of new disclosures about what government agencies are finding out about all of us, such a defiant stance is worth noting.
“My guess is that it's just laziness,” he said. “It's so much easier to fire off a boilerplate subpoena than have to go to a court and defend probable cause and get a court to sign off on it.”
A viewpoint born out of experience
Ashdown said that since 1997 (XMission began in 1993), he’s gotten requests like these, but they’ve been “ramping up” in recent years. These days it's “one to two every quarter”—a cumulative total of “upwards of 100.”
“My view of patriotism is that you question your government,” he added. “You question law enforcement. You question everyone who may be trying to peer into your life. I believe that the 4th Amendment makes that very clear. It should be questioned and it should be balanced against a court asking the same questions. I have a history in my family. My mother was in Denmark when the Nazis overran it in a couple of days. She always had distaste for authority and people telling her what she needed to do. That's not my vision of freedom in the US, that somebody can peer into our communications or save all of our communications for later.”
Ashdown says that 75 percent of the requests are from Utah-based law enforcement, 15 percent come from federal authorities, and 10 percent are out of jurisdiction.
“The actual warrants I’ve received are probably less than half a dozen,” he said. “I've never received a follow-up warrant to subpoenas that were not signed off by a court. I've never received an FBI follow-up (to my knowledge) to an out-of-jurisdiction request as well.”
“It’s not worth it to me to sell out to the government”
Ashdown has a history in local politics. Twice he’s run for the United States Senate, and twice he’s been defeated. But he clearly has strong views about data protection, privacy, and how the United States Constitution should be applied in the digital age.
“It seems pretty obvious to me that the data that is retained within my business is, in effect, my papers and effects and is covered under the 4th Amendment of the US Constitution and Article 1, Section 14 of the Utah Constitution,” he added.
As far as local media can tell, that makes Ashdown likely the only ISP in the Beehive State that puts the brakes on such investigations. Nearly 99.9 percent of others comply according to Craig Barlow, chief of children’s justice in the Utah attorney general’s office (speaking to the Salt Lake Tribune).
Legal experts say that there's little market pressure to compel Ashdown (and his larger competitors) to take such a position. After all, they don't want to be seen as being soft on crime. Furthermore, even if the administrative subpoenas are challenged, companies can lose.
"I know Twitter challenged one in regard to Occupy and eventually lost," Amie Stepanovich, director of the domestic surveillance project at the Electronic Privacy Information Center, told Ars. "The further problem is that there is a really high standard to challenge these orders—institutional bad faith. The Supreme Court has indicated that the countervailing interests at issue are the public's interest in order and the target's interest in absolute privacy. It should be noted that the public's interest in 'order' is referenced but not the public's interest in lively public debate or the ability to communicate anonymously, both First Amendment considerations."
Despite his newly publicized privacy stance, Ashdown hasn’t seen a huge uptick in new customers—since being written up on Russia Today, for example, he said he has only gotten 10 new customers. Nonetheless, XMission does pretty well for itself. Ashdown says that he takes in $7 million per year in revenue, and 80 percent of that is from hosting and colocation.
“It's not worth it to me to sell out to the government—[other ISPs] are all making money off of these taps,” he said. “It's not worth it to me to sell out to the government because that's not the country I live in. That's not what I want to see the Internet used for. I’m not saying that criminals should be free to do whatever they want, but just that those investigations should be specific. If the investigative bodies say that we need to monitor this specific IP address, I will help them with that process. What I will not do is to give them metadata or broad monitoring of all the traffic that is passing over my network because I don't believe that's necessary to protect the safety of Americans. I don't believe it's constitutional either.”
In the end, Ashdown thinks too many American tech companies have complied with such legal requests. His best guess for a reason why? These moves come from the advice of conservative-minded counsel and corporate boards.
“There are lots of small ISPs in this country that are struggling to get by in the face of the behemoths, and the small ISPs are much more likely to protect their privacy because they make the decision,” he said. “It's one person making the decision and a small ISP is not answering to a board of directors or stockholders. It's probably still rare that there's this small ISP run by one person, but I know they're out there. I've heard from them.”
reader comments
88