I get user data protection and all that, but when you know that the charges are drug-related and they'd get a warrant anyway, why not cooperate and make it easier for everyone?
Would you risk having your servers seized for someone you know committed a crime? If you do, you make it very easy for competitors to shut you down.
edit: I'm assuming they don't blindly trust the police, but can verify the transactions to the drug site themselves. If that's not the case, making the police get a warrant would be the right thing to do.
In the US: make them get the warrant. It's not the service provider's job to determine if probable cause exists, and the service provider is probably very bad at it. Police always go for the consent search first precisely because the standard for a warrant is so high.
In Germany the police can threaten all they want, getting a warrant for user data is the prosecutor's job. That's also why don't give out the data directly the police. If the prosecutor is asking that's a totally different level than the police.
It might also be an indication that the police doesn't risk wasting the judge's time and get shitted on if they don't have rock solid reasons for suspecting someone.
Is a bit over 20k drug related warrants over 10 years really that much for the country the size of USA with such a drug problem and such an axe to grind with drugs users (war on drugs, private prisons, blacks with crack and teens with weed being juicy targets to boost statistics, etc.)?
Or 1300 warrants and 600 extensions in one fiscal year for a 'black bag job search' across all circuits?
Because if you make it too easy for the police they'll just ask for too much all the time, even for things where they wouldn't get a warrant. This is happening in Germany all the time when a provider wants to be nice to the police.
If they say "we'll get a warrant anyway", just response "okay, so get the warrant and come back and I'll give you the data". Then at least it's up to a judge to decide where giving out data is warranted, and not up to an oridinary policeman and sysadmin.
Not literally. But if you make the police work much easier by voluntarily giving out data that you don't need to give them of course they are happy to take your offer to make their job easier whenever they can.
See my edit. I'm assuming they can verify the allegations, due to the nature of BTC transactions.
A warrant possibly means that they go out of business, because the servers are physically seized. If you tell me you'd risk that for a stranger who you can tell probably committed a crime, I don't believe you.
If the investigators think that you are withholding data or harboring criminals, they can take the equipment. Bitcoins generally don't have the best reputation and they're a small company, so it's more likely they'll get treated roughly be the law if they don't cooperate.
Probably not because of one user, but when the cases pile up there's a good chance it'll raise questions about the legitimacy of their service.
When you earn your money by running said service, you are likely going to want to avoid that.
They may not be explicitly interested in destroying a business, but they may be very interested in seizing equipment and not particularly caring that you don't have a backup strategy.
>If you tell me you'd risk that for a stranger who you can tell probably committed a crime, I don't believe you.
That's a very very slippery slope. It is the job of the police to not look into data not related with the case, not yours.
Surrendering the info would be giving the police more power if anything since, they now can come and get data from anyone without a warrant (how do you even know that this account is dealing drugs other that "the police came looking for him"?).
>how do you even know that this account is dealing drugs other that
Take a look at the transaction history. If there are transactions with known drug site wallets, give them the data they are asking for. Otherwise, request they get a warrant.
If you are going to cooperate, I think that's the most reasonable way to go about it.
Bitcoin exchanges are seen as dodgy anyway and they don't have a lobby to fight for them, so showing some way of cooperation while keeping everyone's (legal) interests in mind might be a good idea.
You usually don't know if the address is known drug site wallet, dark markets usually generate unique address for each transaction.
Even if you do know it, you can't know if the user bought something illegal, there is also legal stuff sold on dark markets.
Keeping everyone legal interests in mind means that you don't give personal data to police or anyone else without proper warrant.
The article mentions the specific site and it seems to deal only drugs. They don't keep the money at the generated address, but transfer it to another wallet I suppose?
Not necessarily. A acquaintance of mine at an ISP always did that when police came knocking for "illegale pirating" allegations. His standard response was: Get a warrant or else I would commit a criminal offence (what he would have done).
Nearly never police came back with a warrant.
And in the spare cases they did come back he did provide the data (if it was still available) and never did any equipment get seized.
That was in Germany, USA or where? Just don't tell me Iceland or Sweden (with their famous Pirate Parties)..
Your friend is also a saint with cojones the size of cannon balls for doing that too.
In Poland the "take it all" strategy seems to be the default one, at least for private devices. There was once a case related to one Polish movie being shared on torrents that ended in 40 thousand confiscated PCs. The law firm hired by the movie studio gave the prosecution a list of 40 thousand IPs they said were pirating their client's movie. The prosecution gave a blanket warrant and the police got the people data from the ISPs, confiscated the computers and gave the law firm copy of the personal data so they could offer the 'pirates' a few hundred zloty settlements to not press charges.
Also, doesn't Germany have unusually strong privacy laws that prevent them from even cooperating with the police if they aren't obligated to? My immediate reaction was, "If you got a German service to hand over user data, you must have done something really bad."
And if you are allowed to do that and want to do it, why not? The purpose of a warrant is to verify that a judge has done due diligence and found the search to be justified, but if you check for yourself and come to the same conclusion, the warrant isn't really necessary.
But if you check yourself what. By looking at their data? How would that be okay? I'm not putting words in your mouth, just looking for a logical conclusion.
If you look at their transaction history with your service, it's not just their data, it's also yours and you have every right to look at it.
Now what's morally ambiguous is then deciding to reveal that data to others, and if you did it indiscriminately for all customers I'd be against it. But on a small scale, I don't think it's so wrong.
"why not cooperate and make it easier for everyone?"
Because the law in Germany EXPLICTLY forbids this - Bundesdatenschutzgesetz is the name of the law.
Which means bitcoin.de doesn't care about following the law in the first place.
Not a surprise for a company trying to make money off of a pyramid scheme currency.
I want to understand this a bit better from an operational perspective..
Say my DigitalOcean VPS hosted in Germany provides a service X which can be subverted for illegal purposes. Will the police have to me to ask for data or can they go to DO and demand access to the data without my knowledge?
> Encrypt the shit out of it. My servers are in Amsterdam/Paris.
Is this meant to imply that the legal situation is very different in the Netherlands/France, or that you encrypt everything because it's the same as in Germany?
Regardless of the risk of seizure from law enforcement, I feel you should fully encrypt any remotely hosted servers. There are plenty of examples of datacenter techs being socially engineered to install backdoors, affecting both colo and dedicated. Had it happen to myself with an old server - they called up with some excuse and were able to completely bypass the 2FA in the control panel I thought I was secure with and have the techs disable pubkey authentication and reset the root password.
Yes, the situation is very different. Germany has the strongest privacy laws, Netherlands is practically a police state like the UK, and the French are at war like the US, with special police powers.
Im not a lawyer, but I assume the laws behind this look pretty much the same in every western country.
I assume that if you want to search/seize somebodies property then you have get a warrant made out the the legal owner of the property. (Obviously you don't have to get a warrant if the owner voluntarily hands out the data...) In your example DO is the legal owner of the server your VPS runs on. I can't see why DO would be required to tell you about it.
I don't know how the owners of data centers play into this. I guess if you have somebody else's property in your possession and the cops have a warrant then you have to hand it to them.
Keep in mind that the actual data on the VPS may be protected by all sorts of privacy laws if, e.g., you run a mail server on it.
Edit: I forgot to mention that the location of the server and the jurisdiction the legal owner is under also play a large role. Also don't forget which jurisdiction you're under. Nobody cares that you've rented a server from a russian company located on the dark side of the moon. In this case they'll probably make the warrant out to you rather than the legal owner. And you'll have to comply.
By this logic, a renter has no right against unlawful searches on their own place of residence. The police just needs to ask the landlord for permission to search a rented property.
I'm just asking, not challenging what you're saying.
Yeah I know. I guess the other extreme would be a rental car or something. I can't imagine the guy currently renting the car being involved in the legal process.
I don't know what happens when a landlord hides weapons or something under the floorboards and then rents the place to somebody. Say the people renting the place are on vacation and the police has a warrant (made out to the landlord in this example). Maybe they can go in with the landlord (and, at least in Germany, they also need an independent witness) but are only allowed to search the actual property and not the stuff in it (because the landlord doesn't own the stuff). I don't know. But this kind of renting is well covered by laws (including lots of laws protecting the renters).
"Renting" a VPS (webspace would be a better example) probably isn't defined by any laws. It feels more like user data connected to a (paid) software service. Renting a dedicated server is a different story.
Actually in most countries there is a lot of laws for landlords and tenants that regulates who is in the possession. A landlord can not just hand out keys to anyone.
Ironically, bitcoinblog.de, (which is the blog of bitcoin.de) published an article in November 2016, citing the lack of anonymity in bitcoin transactions, that would drive around 1/5 of bitcoin users to not using bitcoin anymore.
the article I am referring to:
https://bitcoinblog.de/2016/11/09/ein-fuenftel-der-bitcoin-n...
> The protection of our unscrupulous customers and their bitcoins is more important to us than the protection of the data of offenders.
Another interesseting thing:
> We only issue data from customers to investigating authorities if they can inquire in writing in specific cases and can demonstrate a legitimate interest in specific criminal offenses. This has always been the case from our point of view.
Big question here: So they've done it several times?
I'd think most of them would cooperate with the police.
We've already seen local cops in Sweden and Denmark track drug dealers through bitcoin. They must have had the cooperation of exchanges and banks to make that happen.
So I expect exchanges to cooperate on the same level that banks cooperate with police.
Would you risk having your servers seized for someone you know committed a crime? If you do, you make it very easy for competitors to shut you down.
edit: I'm assuming they don't blindly trust the police, but can verify the transactions to the drug site themselves. If that's not the case, making the police get a warrant would be the right thing to do.
reply