International co-operation gone awry - what happened to Indymedia?
‘Indymedia’ (IMC) describes itself as ‘a network of individuals, independent and alternative media activists and organisations, offering grassroots, non-corporate, non-commercial coverage of important social and political issues.’ According to Indymedia, its content is widely read, with the transfer of over 3.2 terabytes of information a month, serving over 18 million page views a month.
On October 7, 2004, over 20 websites administered by the Independent Media Center were taken off-line. This was a result of the seizing of two servers, named ‘Ahimsa1’ and ‘Ahimsa2’, that served the content of a number of media ‘collectives’ around the world.
While there is no central hub to this organisation, a volunteer for IMC established a contractual relationship with Rackspace Managed Hosting, a San Antonio-based Internet hosting company. The servers were physically located in London, England. The contract was between Rackspace UK and the said individual.
On October 7, 2004, Rackspace informed the individual that Rackspace had received a U.S. commissioner’s subpoena from a ‘requesting agency’. Though Rackspace refused to provide a copy of the subpoena on the advice of counsel, on October 8 Rackspace released a statement.
In the present matter regarding Indymedia, Rackspace Managed Hosting, a U.S. based company with offices in London, is acting in compliance with a court order pursuant to a Mutual Legal Assistance Treaty (MLAT), which establishes procedures for countries to assist each other in investigations such as international terrorism, kidnapping and money laundering. Rackspace responded to a Commissioner’s subpoena, duly issued under Title 28, United States Code, Section 1782 in an investigation that did not arise in the United States. Rackspace is acting as a good corporate citizen and is cooperating with international law enforcement authorities. The court prohibits Rackspace from commenting further on this matter.
A ‘commissioner’s subpoena’ under Title 28 section 1782 U.S.C. enables a Court to authorise an individual, usually an assistant U.S. attorney, to issue subpoenas in order to assist foreign and international tribunals.
According to reports from AFP, an FBI spokesperson stated that the subpoena was ‘on behalf of a third country’, but the FBI spokesperson later said that the FBI was not involved. Indymedia and the associated news coverage spent the next few days trying to find out who that ‘third country’ was. The facts seemed to point to Switzerland, Italy, or the United Kingdom. The Swiss were suspected because Swiss authorities had previously placed pressure on Indymedia for information on posters and demanded the removal of content. On October 12 a Swiss federal prosecutor admitted that while he was investigating a case involving Indymedia, he had not asked for a seizure. There were some reports that the Italians were seeking the servers but there was no explanation as to why.
The greatest confusion arose when it became a political issue in the UK. On a number of occasions MPs asked the UK Government in Parliament as to what happened. When asked which UK law-enforcement agency was involved in the seizure that had after all taken place in London, the Home Office Minister responded on October 18: ‘I can confirm that no UK law-enforcement agencies were involved in the matter referred to in the question posed by the Hon. Member for Sheffield, Hallam.’
On October 27, the Government was asked which foreign governments had requested the seizure of the servers. The Government responded that no one had asked for anything, and on November 2 it was confirmed that not even the Americans had made representations in the case. Though in a letter response to a question from one MP, a Home Office Minister stated that
Unfortunately, I am not in a position to comment on this particular matter, but I can provide general information. It is standard Home Office policy neither to confirm nor deny the existence or receipt of a mutual legal assistance request. However, where the UK has received a valid request, we will seek to execute it within the framework of our domestic law. This will include being provided with sufficient evidence to justify the actions sought.
The Home Secretary himself admitted on the 28th of October that the Home Office had not even received a prior notification of the seizure. In a letter in response to a query from an MP, the Home Secretary stated that:
While I cannot comment in detail on the reasons behind the US action I hope that I can clarify the situation for him. Rackspace, which is based in the USA, sought to comply with a US court order simply by ordering their United Kingdom subsidiary to access the servers, which they duly did. There was no UK involvement in this process.
I am confident that any action taken by the US authorities in this case would be in accordance with US law.
The fact that the British authorities were not involved in a seizure on British territory was quite surprising to everyone involved.
There was a public response to this specific case, particularly over the lack of certainty as to who actually seized the server and for what purposes. As Mark Thomas said in the New Statesman, this case ‘was the equivalent of the FBI storming the Guardian’s offices and demanding that the paper hand over all its computers, including those that hold details of its writers and photographers.’ Jeremy Dear, General Secretary of the British NUJ, put it similarly: ‘To take away a server is like taking away a broadcaster’s transmitter. It is simply incredible that American security agents can just walk into a London office and remove equipment.’
Civil society also entered the fray. Anriette Estherhuysen of the Association for Progressive Communication stated that: ‘We are disturbed by the apparently arbitrary and extreme measures taken to silence an independent internet-based source of information. This is a violation of freedom of expression across international frontiers.’[46] The editor of the International Press Institute, David Dadge, was quoted as saying: ‘The fact that the authorities’ actions are shrouded in mystery leaves Indymedia in the Kafkaesque position of not knowing the identity of its accusers or the nature of their claim.’
Rackspace reported that the servers were returned on October 12 and were operational by October 14. It was only at about that time that it was discovered why these actions may have taken place. An Italian prosecutor in Bologna was quoted in an article as saying that she had requested IP log information through an MLAT to the U.S., but did not seek the seizure.
Indymedia then decided that lawyers in the UK, Italy, and the U.S. must be able to communicate with each other to start unraveling what had happened. A UK law firm advised Indymedia that it could do little to pursue a case against Rackspace without access to the actual subpoena.
The Electronic Frontier Foundation (EFF), a U.S.-based non-governmental organization, came to Indymedia’s aid by filing a motion on October 25, 2004 to unseal the subpoena and other information relating to the case in the U.S. EFF sought to uncover which agencies and governments were responsible for the seizure. In its motion, the EFF argued that Indymedia and the general public were left with no knowledge of the reasons or nature of the seizure.
Citing a gag order, Rackspace has not revealed the contents of the seizure order, the requesting agency, or even confirmed the identity of the court that issued it. Apparently requested by an unidentified foreign government, the secret order was served to San Antonio-based Rackspace Managed Hosting, which hosts IndyMedia’s servers.
The motion was filed on the grounds that in U.S. law one has the right of access to know the reasons for direct injuries under First and Fourth amendment rights (freedom of speech and protection from unlawful search and seizure), and even under common law by stating that ‘the public and the press have a clear and compelling interest in discovering under what authority the government was able to unilaterally prevent Internet publishers from exercising their First Amendment rights.’
The Assistant U.S. Attorney Don J. Calvert argued the Government’s case for keeping the files sealed. First, the Government argued that neither EFF nor Indymedia have standing to make the request: ‘The parties to the instant action are the requesting foreign country, the United States government, and the party on whom the subpoena was served, Rackspace’.
The Government also argued that Article 8 of the treaty between the U.S. and the ‘requesting country’ entitled ‘protecting confidentiality and restricting use of evidence and information’ and states:
2. If deemed necessary, the Requesting State may request that the application for assistance, the contents of the request and its supporting documents, and the granting of such assistance be kept confidential. [emphasis added]
The Government stated that since such a request had been made to the U.S., the unsealing of the documents would violate the treaty, and under Article VI of the Constitution, treaties shall be the supreme law of the land to which judges of every state shall be bound. Finally, the Government argued that the documents ‘pertained to an ongoing criminal terrorism investigation’ and the unsealing would ‘seriously jeopardize the investigation’. ‘The non-disclosure is necessitated by a compelling government interest.’
The EFF had its opportunity to respond in turn. On the issue of jurisdiction and standing, the EFF responded that parties who are not part of the litigation still have standing to challenge the closure of judicial proceedings or confidentiality orders. On the issue of confidentiality and the said ‘treaty’, the EFF was able to find the treaty that was being quoted and discovered that it was in fact the treaty on mutual legal assistance between the U.S. and Italy from 1985. The EFF went to that treaty and saw that the Government was quoting from Article 8(2); but EFF pointed that Article 8(1) states that:
1. When necessary, the Requested State may require that evidence and information provided, and information derived therefrom, be kept confidential in accordance with stated conditions. [emphasis added]
The EFF argued that this language meant that the U.S. may requireconfidentiality but Italy may only request it. The EFF went on to say: ‘The provision cited by the Government is permissive rather than compulsory, and as this Court had the discretion to decline Italy’s confidentiality request, it has the power to unseal the documents after the fact.’ The EFF also reminded the court that no treaty obligation to a foreign government can trump the Bill of Rights.
On the issue as to whether there is a compelling need due to the ‘ongoing criminal terrorist’ investigation, the EFF argued that despite the reference to terrorism, the Government failed to assert a national security interest in non-disclosure. And anyway, the EFF noted, it is well established that ‘important First Amendment values’ cannot be overcome by ‘a mere assertion of ‘national security’.’ The EFF also pointed out that as it became clearer that the request was for assistance in an Italian criminal matter, and that the order was unrelated to any federal investigation, and that even Italy has spoken about the case to AP where the prosecutor was quoted as saying that she sought the logs investigating a specific case involving Romano Prodi, the then-President of the European Commission, the EFF concluded that the Government’s argument was falling apart. Confidentiality was therefore unnecessary.
On July 20, 2005, the court granted the EFF’s motion and ordered most of the documents to be unsealed but with redaction. The documentation was released on August 1, 2005. What it disclosed was just as alarming as the circumstances of the case known to date. The case details became more colored. On July 30, 2004, the request was received from Italy and filed in the U.S. District Court and was sealed. It requested the production of logs from the necessary servers. U.S. assistant attorney Calvert requested the job of commissioner on the case to collect evidence on behalf of the court. This authorizes the commissioner to submit the evidence collected to the requesting foreign court or authority. In arguing for this, the Government stated that
[i]n executing Italian requests, the Treaty obligates United States courts to compel a person to produce a document, record or article or to appear and testify ‘to the same extent as would be required for criminal investigations or proceedings’ in the United States.’
The request came from Minister of Grace and Justice of the Italian Government in connection with an investigation by the Bologna Public Prosecutor’s office (BPP) asking for assistance in obtaining records of log files in relation to the creation and updating of the webspaces of specific URLs during the period of the events of the case. The case involved a number of attacks on European officials using explosives in delivery packages. The delivery packages included letters explaining the attacks. The BPP launched an investigation under Section 280 of the Italian Penal Code, i.e., ‘Attacks for terrorist or subversive purposes’, punishable by a term of not less than six years’ imprisonment.
Copies of the letters in the explosive packages were found on the Indymedia site, though the URLs were redacted from the unsealed documents. The Italian request named Indymedia as being at a Seattle address, and named Rackspace in San Antonio as the hosting company. Judge Orlando Garcia of the San Antonio Division Court approved the appointment of Calvert as a Commissioner of the court to: collect evidence through Commissioner’s subpoenas, provide notice to those who are identified in the request as parties to whom notice should be given (‘and no notice to any other party shall be required’), and adopt procedures to collect the evidence requested, consistent with its use in the investigation or proceeding for which Italy has requested assistance.
One outstanding issue is that on December 21, 2004, U.S. Assistant Attorney Calvert certified that he authorized a subpoena to Rackspace compelling the production of a copy of the server in order to get the logs. However, the original Commissioner’s subpoena to Rackspace from Calvert demanded only ‘log files in relation to the creation and updating of the web spaces corresponding to’ particular URLs.[55] Rackspace reported that it had received a federal order to provide hardware, but the court documents are conflicting on this matter.
Another outstanding issue from the Indymedia case is how could the U.S. seize hardware from the UK without the support of the UK authorities? The UK government was surprisingly open concerning its lack of participation in the seizure. There may be a case to make that Rackspace UK overreacted to the request from the U.S. authorities. UK legal advisors to Indymedia did not feel as though they could take Rackspace UK to task for handing over the server, they were not in a position to do so until the subpoena had been unsealed. Whether Rackspace UK is at fault is a matter that can now be decided by the courts.
It can be argued, however, that Rackspace was fully complying with U.S. law. Goldstone and Shave above pointed to the likely conflict of laws that would arise particularly due to the case of United States v. Bank of Nova Scotia. In that case, the Bank of Nova Scotia refused to respond to a request from the U.S. authorities for banking information because the information was kept in the Bahamas; granting access to this information would break Bahamian banking secrecy laws. In this case the courts decided against the Bank of Nova Scotia. According to the court,
In a world where commercial transactions are international in scope, conflicts are inevitable. Courts and legislatures should take every reasonable precaution to avoid placing individuals in the situation [the Bank] finds itself. Yet, this court simply cannot acquiesce in the proposition that United States criminal investigations must be thwarted whenever there is conflict with the interest of other states. (…) The foreign origin of the subpoenaed documents should not be a decisive factor. The nationality of the Bank is Canadian, but its presence is pervasive in the United States. The Bank has voluntarily elected to do business in numerous foreign host countries and has accepted the incidental risk of occasional inconsistent governmental actions. It cannot expect to avail itself of the benefits of doing business here without accepting the concomitant obligations.
Rackspace is left in the situation where it is complying with U.S. law and yet possibly breaking UK law, and this is entirely legal because Rackspace elected to do business in the UK.
This is a very surprising rationale that goes against everything we were once promised when we heard of such things as globalization and the Internet. What is most surprising is that this has always been the law of the land, it is not the creation of the Cybercrime Convention that enabled this multi-jurisdictional quagmire. Rather, the convention may result in making the matter worse. It is indeed old wine – one that has only matured.
This is an excerpt from a chapter in CYBERCRIME AND JURISDICTION: A Global Survey, edited by Bert-Jaap Koops and Susan W. Brenner, published in 2006 by T.M.C. ASSER PRESS.