
SparkFun Gets A Subpoena - phren0logy
http://www.sparkfun.com/news/836
======
duggan
For a european perspective; a company I used to work for was in this situation
many times over. We worked _with_ law enforcement and the data protection
commission to ensure zero "pollution" of unrelated information into legal
requirements (like subpoenas).

If you end up being contacted by law enforcement for data, I'd recommend doing
everything you can to help educate them _about_ the information you carry. It
might be tempting to volunteer as little as possible, but you also might be
the first willing and knowledgeable technical person they've spoken to in some
time, and starting a relationship like that on a good foot can be incredibly
useful to your company; maybe even you personally.

It can mean future requirements get handled without hassle, and may never even
come to you at all if they know it's information you don't or can't carry. You
can also help shape policy around how such things are handled for others in
future.

YMMV depending on jurisdiction, but it's worth considering contacts from law
enforcement as an opportunity to build a healthy (two way) relationship.

------
ck2
As much as I foam at the mouth around here against many law enforcement
actions, both parties did the right thing here.

It's not like they showed up in the middle of the night and yanked their
entire servers out of the office without a warrant and covered it up under
"homeland security" or other nonsense.

They did it the proper way through the courts with a judge and public
documentation of their actions, and asked for only a subset of the data
(limited to a year and GA).

Kudos to SparkFun for responding with caution.

That said, I think the lead will be useless to them because the person could
have bought it anywhere, even outside the USA and brought it into GA.
Apparently there are also clones now of sparkfun boards complete with logo.

~~~
rickmb
Not quite the right thing: the subpoena is too broad.

This is very typical for law enforcement everywhere these days. Luckily
SparkFun was diligent enough to negotiate it down to relevant information, but
it the "gimme all your data" attitude is a fundamental problem. This also
extend to seizures ("gimme all your servers", not just the ones involved). The
courts should never allow this, so although this is the proper process, it is
_failing_. There's no point in insisting law enforcement goes through the
proper channels if those proper channels don't do their job properly.

------
jonknee
Curious that in an effort to combat credit card skimming, the cops are
requesting SparkFun to print out full credit card information for thousands of
innocent parties.

------
K2h
As a result, about 20 customers that had purchased a specific device at
sparkfun that had delivery in Georgia had their information given to the
police to use in this investigation.

I really want the people running the skim operation caught, but I agree with
Nate (the sparkfun guy) that it is a very fine line harassing the others that
are (most likely) blameless.

Am I reading this correctly that then these 20 people have their info in the
public record after this trial closes? wow... not sure I'd want my name on
that list.

At first I thought it was this[1] device, but on closer reading of the article
it indicates a sparkfun silkscreen on a board, which I don't think the mag
reader would have.

Has anyone figured out which board was in the offending device?

[1] <http://www.sparkfun.com/products/8634>

~~~
MBCook
I'm all for helping the police, I'd be pretty willing to give them information
in a case like this.

But I'm amazed their initial subpoena was for ALL orders from Georgia for a
multi-month period. That's an amazingly wide net.

~~~
InclinedPlane
I suspect that the police in this case have no idea how big sparkfun is or how
much business they do.

~~~
eridius
More likely, they just ask for everything in the hopes that they don't miss
anything, and then rely on the targeted business to try to argue down the
scope of the subpoena. The police have no incentive to try and limit the scope
because they don't care about protecting the privacy of the people they're
investigating.

~~~
sirclueless
> they don't care about protecting the privacy of the people they're
> investigating.

That seems like an overbroad generalization. All else being equal, I'm sure
the police don't want to compromise people's privacy. To be sure it's not
their top priority, and if they had to choose between missing important data
and dragging too many innocent people into an investigation they will probably
err on the side of too much data.

Even if the police don't much care about privacy, there are a lot of people
who do. For example, there's no way a court would let any of this subpoenaed
evidence into the record unless it was specifically relevant to a charge being
brought.

------
jwwest
> 7\. Complete credit card numbers used on Order(s)

Can you fail PCI compliance if you're able and do this? What if you use a
third party system such as Stripe where you have no access to the full credit
card number?

~~~
jws
_Neither credit card numbers nor IP addresses were included because we don’t
retain that information for our own protection as an organization._

In general, you can not be compelled to produce something which you do not
have. This is why you see legislation proposed with mandatory retention
policies for various businesses.

------
ChuckMcM
Interesting take. The credit card skimming scams are coming fast and furious,
they are easy money according to some folks. I have heard estimates at $2B/yr
in the US in lost cash.

That being said, a subpoena can be 'quashed' if you can prove that the agency
is over reaching or 'fishing' but if you refuse it you put yourself in a
position to be held in contempt by the court.

------
kefs
I think the only concern here is that the plain-text csv file containing these
20 rows was sent via email to his attorney, which was probably forwarded on to
the requesting detective. That file is in no way encrypted and is essentially
sitting in two email servers, two desktop machines, and possible mobile
devices.. all of which are vulnerable to attack from multiple vectors. The
file should have, at the least, been encrypted.

~~~
rmc
You think all the police and courts and attorneys and judges and clerks and
secretaries have a completely set up, and working private key infrastructure?

You know that the police routinely handle & store information that people
would kill to get at (hint: mobsters)? Do you not think they know how to
protect information like this?

If you were to email it encrypted, you'd have to send a follow email with the
decryption key. Encryption would only be a inconvience and would not protect
this information at all.

~~~
morsch
The fact that they _don't_ have anything more secure than unencrypted email
gives reason to doubt that they know how to protect information like that.

An encrypted mail attachment would be a start -- if you use a second channel
to deliver the secret key, e.g. call them up to tell them the password.

~~~
rmc
OK so you doubt their means. Look at the ends. Have there been many security
breeches from the police/courts? Is this a large threat to personal security?
I don't think so. Hence I think they must be doing something right here.

~~~
kefs
The following is just one group's public releases, spanning about 5 months, at
approx 20gb.

<https://thepiratebay.se/user/AntiSecurity/>

Just because you don't hear about vulnerabilities and attacks, doesn't mean
they don't happen.

------
rudiger
I have a question. Are companies required to hold certain information about
their customers? Or can a company simply answer a subpoena with "We don't
store that information."?

~~~
jlarocco
It may be theoretically possible, but it's probably more hassle than it's
worth. It's easier for inventory tracking if you have a paper trail (or
equivalent on disk). It's also good to have the receipts if you're ever
audited.

It's also inconvenient for the 99.999% of customers who aren't trying to cover
their tracks, because without the info they wouldn't be able to check their
order history.

And it's not simply a matter of telling the law enforcement agency "We don't
store that information." You most likely have to jump through the hoops to
prove that you don't store the information.

------
micheljansen
What gives me a bit of hope is the fact that after the scary letter with a lot
of legalese, SparkFun and the Police Department were able to just talk about
it as people and do what was best for everyone. The police was not interested
in having to sift through a big pile of irrelevant data; SparkFun was not
comfortable handing over sensitive information of innocent customers. I wish
it were more common that people just talk and cut the crap.

------
eck
SparkFun is lucky that the subpoena was for one of their products being used
in a credit card skimmer and not an improvised cruise missile.

Also, protip for criminals: make your own circuit boards without identifying
marks.

~~~
stilldavid
This is not the first time[1] we've had issues with our products showing up in
the news for less than stellar reasons - luckily nothing as awful as an
explosive device. As Nate said in the article, we know our parts can be used
for good or for evil. If only there was less of the latter...

[1] <http://www.sparkfun.com/news/308>

~~~
DanBC
Christopher Tappin claims he didn't know the batteries were going to be used
for evil.

([http://www.guardian.co.uk/world/2012/apr/27/chris-tappin-
den...](http://www.guardian.co.uk/world/2012/apr/27/chris-tappin-denies-
terror-links))

~~~
stilldavid
I'm not entirely sure what you're getting at here. Should we stop selling
Arduinos because they can be programmed for nefarious purposes, in addition to
lowering the barrier to entry for embedded electronics in the classroom? How
about spools of wire because wire can be made a part of something far more
sinister than we can imagine? Should Apple stop selling the iPhone because
it's also bluetooth-enabled?

I understand where you're coming from, but think it's entirely ungrounded in
this case. We actively work with the DHS on export control. There is a very
real risk involved in selling the products we do, but I don't think that
should stop us from our goal of education and - right there at the bottom of
every page on our site - sharing ingenuity.

------
igorsyl
Did Sparkfun send a representative to the court house? I'd be surprised if the
court forced Sparkfun to show up and incur transportation and other related
costs.

~~~
jauer
Having received subpoenas for other things, no. You provide the information to
the requesting agency and they take it to court. I assume if you were going to
refuse you'd have to have a lawyer show up.

------
neurotech1
I'm wondering if they track unique MAC or IMEI numbers for devices involved. A
Bluetooth module would have a unique MAC ID, but I've never heard of that ID
being used for network admin or security. MAC for WiFi or Ethernet is used for
DHCP and MAC address filters.

If the investigator were smart enough, they could ID the other coupled nodes
connecting to the BlueSMiRF device. This technique is done to locate a WiFi
node.

------
jayferd
I had to stare at the word "SUBPOENAED" for a long time before concluding that
it was indeed spelled correctly.

------
CHsurfer
From the comments in the post:

"Alright, it’s settled. We gotta build a robot to fight crime."

~~~
bitwize
ED-209!

~~~
pavel_lishin
Not a problem, I'll just commit my crimes in stairwells.

------
mkramlich
The interesting thing in this case is that the cops may have in effect caused
more credit card numbers to be skimmed (innocent people's data taken against
their will, and possibly sent or stored in plaintext somewhere along the way,
putting them in further jeopardy) than the original thieves did with their
skimmer. But rememeber, when a government agent does it (whether cops here or
soldiers or drones abroad) it's good and just. Only when a "bad guy" does
something is it evil and wrong. If the government spies on you, it's legal.
When you spy on them, it's illegal. If you were to plot to overthrow the US
government, for example, it's treason: illegal and "evil". Whereas if the US
government plots to overthrow a foreign government, it's perfectly legal and
ok. Fun stuff to think about.

------
tomjen3
Great so now anybody who reads those court records can steal those 20 peoples
identities?

~~~
dtparr
No. While the subpoena itself is public record, the information turned over
would not be.

