SparkFun Gets A Subpoena (sparkfun.com)
120 points by phren0logy on May 9, 2012 | 54 comments



For a European perspective: a company I used to work for was in this situation many times over. We worked with law enforcement and the data protection commission to ensure zero "pollution" of unrelated information into legal requirements (like subpoenas).

If you end up being contacted by law enforcement for data, I'd recommend doing everything you can to help educate them about the information you carry. It might be tempting to volunteer as little as possible, but you also might be the first willing and knowledgeable technical person they've spoken to in some time, and starting a relationship like that on a good foot can be incredibly useful to your company; maybe even you personally.

It can mean future requirements get handled without hassle, and may never even come to you at all if they know it's information you don't or can't carry. You can also help shape policy around how such things are handled for others in future.

YMMV depending on jurisdiction, but it's worth considering contacts from law enforcement as an opportunity to build a healthy (two way) relationship.


As much as I foam at the mouth around here against many law enforcement actions, both parties did the right thing here.

It's not like they showed up in the middle of the night and yanked their entire servers out of the office without a warrant and covered it up under "homeland security" or other nonsense.

They did it the proper way through the courts with a judge and public documentation of their actions, and asked for only a subset of the data (limited to a year and GA).

Kudos to SparkFun for responding with caution.

That said, I think the lead will be useless to them because the person could have bought it anywhere, even outside the USA, and brought it into GA. Apparently there are also clones now of SparkFun boards complete with logo.


Not quite the right thing: the subpoena is too broad.

This is very typical for law enforcement everywhere these days. Luckily SparkFun was diligent enough to negotiate it down to relevant information, but the "gimme all your data" attitude is a fundamental problem. This also extends to seizures ("gimme all your servers", not just the ones involved). The courts should never allow this, so although this is the proper process, it is failing. There's no point in insisting law enforcement goes through the proper channels if those proper channels don't do their job properly.


It went this well because no copyright was violated.


Curious that in an effort to combat credit card skimming, the cops are requesting SparkFun to print out full credit card information for thousands of innocent parties.


As a result, about 20 customers that had purchased a specific device at SparkFun that had delivery in Georgia had their information given to the police to use in this investigation.

I really want the people running the skim operation caught, but I agree with Nate (the SparkFun guy) that it is a very fine line harassing the others that are (most likely) blameless.

Am I reading this correctly that then these 20 people have their info in the public record after this trial closes? Wow... not sure I'd want my name on that list.

At first I thought it was this[1] device, but on closer reading of the article it indicates a SparkFun silkscreen on a board, which I don't think the mag reader would have.

Has anyone figured out which board was in the offending device?

[1] http://www.sparkfun.com/products/8634


> Am I reading this correctly that then these 20 people have their info in the public record after this trial closes?

Nope. The subpoena is in the public record. The data SparkFun sent in response to the subpoena is not in the public record. It will just go to the investigators who are trying to track down the credit card thieves.

If the investigation leads to someone being charged with a crime, and that leads to a trial, the proceedings of that trial will be in the public record, but there would be no reason for the information for the customers NOT charged with the crime to be entered into the record at that trial.

I doubt that anyone will be harassed over this, unless we use a very loose definition of harassment. Most likely the investigators will take the list of customers, look up these people to see if any of them have a record of prior criminal activity, and concentrate on those.

If they do question the rest, most likely the investigators will simply ask them what they purchased the board for. The customer will then enthusiastically launch into a description of the neat gadget they built and insist on showing it to the investigator and explaining in excruciating detail exactly how it works. The investigator will see the SparkFun board, see that the device is obviously not a credit card scanner, and try to figure out how to escape the enthusiastic hobbyist without being rude to him.


> Most likely the investigators will take the list of customers, look up these people to see if any of them have a record of prior criminal activity, and concentrate on those.

Or other things. Was someone whose name was on the list seen hanging around the places where the skimmers were installed lots? Was the money being sent (however roundabouty) to anyone on the list? etc.


I'm all for helping the police, I'd be pretty willing to give them information in a case like this.

But I'm amazed their initial subpoena was for ALL orders from Georgia for a multi-month period. That's an amazingly wide net.


The police might have thought that SparkFun only sold credit card skimming machines. Hence asking for "all orders" doesn't sound as bad if you consider that they might be thinking that's only those parts.

This matches up with reality since they seem happy when SparkFun talks to them and they agree to only get the details for those parts.


I suspect that the police in this case have no idea how big SparkFun is or how much business they do.


More likely, they just ask for everything in the hopes that they don't miss anything, and then rely on the targeted business to try to argue down the scope of the subpoena. The police have no incentive to try and limit the scope because they don't care about protecting the privacy of the people they're investigating.


> they don't care about protecting the privacy of the people they're investigating.

That seems like an overbroad generalization. All else being equal, I'm sure the police don't want to compromise people's privacy. To be sure it's not their top priority, and if they had to choose between missing important data and dragging too many innocent people into an investigation they will probably err on the side of too much data.

Even if the police don't much care about privacy, there are a lot of people who do. For example, there's no way a court would let any of this subpoenaed evidence into the record unless it was specifically relevant to a charge being brought.


In a different case, it was their BlueSmirf module http://www.sparkfun.com/tutorial/news/SparkFun-PINScam.pdf


Which is interesting, because you'd think that credit card scammers would buy Bluetooth modules in bulk from Chinese sellers that are both cheaper and harder to subpoena.


Thanks for the link. That is exactly what I was looking for.


Having one's private information placed into (assuredly sealed) evidence in a criminal trial is hardly "harassment". This is what subpoenas are for: evidence exists that might constitute proof of a crime, and courts have (and have always had) the authority to demand its production. There's nothing unique here. If these were 20 paper records from a vacuum tube supplier in 1939, surely the court would have requested (and gotten) the same thing.


> "Am I reading this correctly that then these 20 people have their info in the public record after this trial closes?"

Allow me to venture a guess. At some time in the future the county will auction off its surplus assets (old computers). The computer with hard drive, data & all else will be sold to the highest/only bidder for about three bucks.

It is also possible that the county has a data retention/destruction policy, in which case the county commissioner's brother-in-law will be paid on a contract basis to have his children / some migrant workers remove the drives and feed them into a tree shredder, and then sell the bits for scrap.

Here's hoping for option two.


> 7. Complete credit card numbers used on Order(s)

Can you fail PCI compliance if you're able and do this? What if you use a third party system such as Stripe where you have no access to the full credit card number?


Neither credit card numbers nor IP addresses were included because we don’t retain that information for our own protection as an organization.

In general, you cannot be compelled to produce something which you do not have. This is why you see legislation proposed with mandatory retention policies for various businesses.


> Can you fail PCI compliance if you're able and do this?

There are many ways to achieve PCI compliance. Not having the data is simply the easiest.


Interesting take. The credit card skimming scams are coming fast and furious, they are easy money according to some folks. I have heard estimates at $2B/yr in the US in lost cash.

That being said, a subpoena can be 'quashed' if you can prove that the agency is overreaching or 'fishing', but if you refuse it you put yourself in a position to be held in contempt by the court.


I think the only concern here is that the plain-text csv file containing these 20 rows was sent via email to his attorney, which was probably forwarded on to the requesting detective. That file is in no way encrypted and is essentially sitting in two email servers, two desktop machines, and possibly mobile devices, all of which are vulnerable to attack from multiple vectors. The file should have, at the least, been encrypted.


You think all the police and courts and attorneys and judges and clerks and secretaries have a completely set up, and working private key infrastructure?

You know that the police routinely handle & store information that people would kill to get at (hint: mobsters)? Do you not think they know how to protect information like this?

If you were to email it encrypted, you'd have to send a follow-up email with the decryption key. Encryption would only be an inconvenience and would not protect this information at all.


The fact that they don't have anything more secure than unencrypted email gives reason to doubt that they know how to protect information like that.

An encrypted mail attachment would be a start -- if you use a second channel to deliver the secret key, e.g. call them up to tell them the password.


OK so you doubt their means. Look at the ends. Have there been many security breaches from the police/courts? Is this a large threat to personal security? I don't think so. Hence I think they must be doing something right here.


The following is just one group's public releases, spanning about 5 months, at approx 20gb.

https://thepiratebay.se/user/AntiSecurity/

Just because you don't hear about vulnerabilities and attacks, doesn't mean they don't happen.


What basis do you have to conclude that? The subpoena doesn't even include an email address. It is far more likely that the data were sent on a CD-R by registered mail, or printed out and transmitted by fax. Many court systems allow information to be submitted electronically now, but only by the attorney for the presenting side.


"It was very surreal. Just a small csv file emailed to the investigator."

from Nate down in the comments section


Oh, I didn't bother to read the comments. That surprises me, to be frank.


I have a question. Are companies required to hold certain information about their customers? Or can a company simply answer a subpoena with "We don't store that information."?


It may be theoretically possible, but it's probably more hassle than it's worth. It's easier for inventory tracking if you have a paper trail (or equivalent on disk). It's also good to have the receipts if you're ever audited.

It's also inconvenient for the 99.999% of customers who aren't trying to cover their tracks, because without the info they wouldn't be able to check their order history.

And it's not simply a matter of telling the law enforcement agency "We don't store that information." You most likely have to jump through the hoops to prove that you don't store the information.


It depends. Some countries have laws creating data retention requirements — in some contexts, for some time periods (with mandatory expiration in the EU), with sharing conditional on some purposes (hopefully for reasons relating to serious crime, but with some laws suspecting or detecting copyright infringement is good enough), with varying degrees of judicial review and oversight of bad-faith requests.

https://en.wikipedia.org/wiki/Telecommunications_data_retent... (concerns telcos, e-mail hosts, and web-hosts)

The USA doesn't have a law like that, but it doesn't have a right to privacy either (there is a law about the privacy of correspondence that the NSA and telcos have ignored), so this sort of data retention law is sidestepped by a few large actors “voluntarily” collecting and sharing information. National security letters, gag orders, and whatever power incited AT&T to first do large scale warrantless interception mean that there can be a lot of abuse with little consequences for the participants. This might also apply to smaller actors, although less publicised (I don't know if there's any bad publicity the US government would care about). If you collect it, you might end up sharing it.


For this specific case, they'd probably need to keep that accounting information for filing taxes. I'm not sure about the U.S., but in Canada we need to keep tax-related records for 7 years (I think).


If a company gives that response, law enforcement will just come back with a warrant. You might say that's the case. But from their perspective it sounds fishy, and their only way to be sure is to take your servers and find out for themselves.


Usually you're not required to record this in general, but you'd have to convince the police or the judge that you don't have it. If you just sold €1,000,000 worth of goods yesterday, the police might not believe that you (now) know nothing about this person. However if the cops ask for exact details about a €10 sale 15 years ago, you should be able to easily convince them that you no longer store that information.

Lying to the police/courts and blatantly obstructing a criminal investigation is, obviously, a crime. You shouldn't do it. Also, if they get a warrant you are breaking the law by hiding that information.


It seems like it would be difficult to run a business without keeping basic information on your current and past customers. Or are you suggesting lying to the police? That doesn't sound like a good idea at all.


What gives me a bit of hope is the fact that after the scary letter with a lot of legalese, SparkFun and the Police Department were able to just talk about it as people and do what was best for everyone. The police were not interested in having to sift through a big pile of irrelevant data; SparkFun was not comfortable handing over sensitive information of innocent customers. I wish it were more common that people just talk and cut the crap.


SparkFun is lucky that the subpoena was for one of their products being used in a credit card skimmer and not an improvised cruise missile.

Also, protip for criminals: make your own circuit boards without identifying marks.


This is not the first time[1] we've had issues with our products showing up in the news for less than stellar reasons - luckily nothing as awful as an explosive device. As Nate said in the article, we know our parts can be used for good or for evil. If only there was less of the latter...

[1] http://www.sparkfun.com/news/308


Christopher Tappin claims he didn't know the batteries were going to be used for evil.

(http://www.guardian.co.uk/world/2012/apr/27/chris-tappin-den...)


I'm not entirely sure what you're getting at here. Should we stop selling Arduinos because they can be programmed for nefarious purposes, in addition to lowering the barrier to entry for embedded electronics in the classroom? How about spools of wire because wire can be made a part of something far more sinister than we can imagine? Should Apple stop selling the iPhone because it's also bluetooth-enabled?

I understand where you're coming from, but think it's entirely ungrounded in this case. We actively work with the DHS on export control. There is a very real risk involved in selling the products we do, but I don't think that should stop us from our goal of education and - right there at the bottom of every page on our site - sharing ingenuity.


> Also, protip for criminals: make your own circuit boards without identifying marks.

Why? This seems like the perfect sort of thing to buy with someone's stolen credit card - it provides a red herring for the police to chase after, and at least in this case, gives the thieves a warning that an investigation is in process.


Did SparkFun send a representative to the court house? I'd be surprised if the court forced SparkFun to show up and incur transportation and other related costs.


Having received subpoenas for other things, no. You provide the information to the requesting agency and they take it to court. I assume if you were going to refuse you'd have to have a lawyer show up.


I'm wondering if they track unique MAC or IMEI numbers for devices involved. A Bluetooth module would have a unique MAC ID, but I've never heard of that ID being used for network admin or security. MAC for WiFi or Ethernet is used for DHCP and MAC address filters.

If the investigator were smart enough, they could ID the other coupled nodes connecting to the BlueSMiRF device. This technique is done to locate a WiFi node.


I had to stare at the word "SUBPOENAED" for a long time before concluding that it was indeed spelled correctly.


From the comments in the post:

"Alright, it’s settled. We gotta build a robot to fight crime."


ED-209!


Not a problem, I'll just commit my crimes in stairwells.


R. Daneel Olivaw to the rescue.


The interesting thing in this case is that the cops may have in effect caused more credit card numbers to be skimmed (innocent people's data taken against their will, and possibly sent or stored in plaintext somewhere along the way, putting them in further jeopardy) than the original thieves did with their skimmer. But remember, when a government agent does it (whether cops here or soldiers or drones abroad) it's good and just. Only when a "bad guy" does something is it evil and wrong. If the government spies on you, it's legal. When you spy on them, it's illegal. If you were to plot to overthrow the US government, for example, it's treason: illegal and "evil". Whereas if the US government plots to overthrow a foreign government, it's perfectly legal and ok. Fun stuff to think about.


Great, so now anybody who reads those court records can steal those 20 people's identities?


No. While the subpoena itself is public record, the information turned over would not be.



