Apr 23 2008
UPDATE: The TRACE/TRACK methods are disabled in Plesk 8.4 right out of the box!
It’s always been a bit of a challenge to disable TRACE and TRACK methods with Plesk. The only available options were to create a ton of vhost.conf files or adjust the httpd.include files and prevent modifications with chattr (which is a bad idea on many levels).
Luckily, Parallels has made things easier with a new knowledge base article.
Apr 23 2008
The Supreme Court of New Jersey joined a small, but growing, number of state courts that have ruled that individuals have an expectation of privacy in the IP addresses assigned to them by their ISPs. The unanimous decision in State v. Reid was based on the New Jersey state Constitution, rather than the U.S. Constitution.
At base, the court held that a demand for an IP address must be connected with some sort of judicial proceeding, and not a simple subpoena issued by a court without any kind of review. The court stated that the demand for the IP address must “bear some possible relationship” to an investigation. That relationship can be demonstrated by requiring that the subpoena be issued as part of the grand jury process, rather than through a process in which a subpoena may be issued without any demonstration of relevance. The court refused to go further, and require that a subpoena be issued by a grand jury only upon demonstration of probable cause (the standard necessary to issue a warrant).
This decision shows the difference in privacy rights that is developing between state constitutions and the U.S. Constitution. Federal courts have routinely held that there is no constitutionally based expectation of privacy in IP addresses, while state courts are increasingly interpreting their constitutions the opposite way. Like many similar state vs. federal issues, these different interpretations are ironic since most state constitutions are based on the federal Constitution. However, state courts have a long history of interpreting their constitutions differently than the U.S. Constitution.
For hosts, this decision reinforces the need to require some sort of service of process prior to disclosing information about your customers. It’s important to note that the ISP in this case, Comcast, was not a party to the suit, and was not held liable for its response to the defective subpoena. However, what this case does illustrate is the growing body of law supporting customers’ expectation of privacy in information generated by their use of technology.
From a micro perspective, hosts should always require that any request for customer information be part of a judicial proceeding, or otherwise authorized by law. From a macro perspective, it should cause those who are interested in commercializing this information to be careful in how customer information is used. The line between a host’s ownership of information generated by customers’ use of its technology, and a customer’s expectation of privacy, becomes thinner with every decision in this area.