#Servergate
May 26th, 2011

As a Pirate in Canada, this story grabbed my attention when it broke on Twitter last week. Here’s a recent follow-up article, authored by a lawyer in Germany that I’d like to meet.
#Servergate
Under this hashtag, a remarkable and probably thus far unprecedented incident made the rounds on Twitter last Friday.
The premises of the aixIT GmbH company in Offenbach am Main had been raided. The basis for the raid was a corresponding court order from the district court of Darmstadt dated 5/19/2011, which, in addition to a search, ordered the seizure of an unspecified number of hard drives with unknown capacities from the “piratenpad.de” domain, as well as the stored data related to a specific IP number. The operator of the aforementioned domain is the Pirate Party of Germany. Police officers had made their way to the aixIT GmbH company on Friday and, during the execution of the search warrant, had disconnected from the internet all of the servers belonging to the Pirate Party, not just the ones running Piratenpad.
According to the search warrant, the raid resulted from an incident that had occurred between April 20 and 23, so exactly a month earlier, in which unknown persons allegedly staged a 14-hour DDoS attack against the website of the French power utility company EDF, which caused various subdomains of the site to be unavailable for the duration of the attack.
“Open source research” supposedly led the French investigators to the page “http://piratenpad.de” of the Pirate Party of Germany, where the Federal Crime Police in Wiesbaden allegedly found numerous links to other pages with details about the group of attackers, representations calling for further attacks on other websites, and information on EDF. It was suspected that further information could be found on the “piratenpad.de” server that might lead, among other things, to the identification of the perpetrators.
Due to an assumed data volatility on the internet and the resulting risk of loss of potentially valuable data for the French investigators, the court furthermore deemed it necessary to seize the storage devices in order to preserve potential evidence, based solely on an announced, but not yet filed, request for assistance by the French agency. The whole thing was topped off with the statement that in Germany, there is no legal requirement for a provider to preserve evidence without a court order.
On May 20, 2011, I filed a complaint against the search warrant on behalf of the Pirate Party of Germany, with the goal of having it declared improper and getting a court order to have the data that had been obtained destroyed and to get an official determination that it was unlawful.
From my point of view, the warrant is also an outrage because a major part of the communications and production infrastructure of a political party was knowingly put out of service, without the issuing court addressing, with a single sentence, the special protection afforded to political parties under Article 21 of the constitution. As far as I can tell, the district court of Darmstadt didn’t even consider that aspect before issuing the warrant. My colleague Vetter already demonstrated on his Lawblog that the legal issue was obvious.
Which leads to the question: What exactly did the district court deliberate about before issuing the requested warrant? Did it consider anything at all or did it just sign off on the warrant surmising that everything was in order?
A scary thought, but the warrant leads to this concern.
Yet, even the scope of the ordered seizure should be cause for concern to the court in the course of an examination. According to case law, a seizure must be defined so precisely that it does not leave any doubt with respect to what is to be seized. A general order such as “any available evidence” is insufficient. The warrant from the district court of Darmstadt is vague, because it states that an unknown number of hard drives with unknown capacities was to be seized. Theoretically, one could therefore conclude that the entire IT infrastructure of the Pirate Party could be seized.
As a result, there is a concern that the seizure was overly broad. Sadly, this may not be a unique case, as I have reported about a similar problem in the past.
Also noteworthy is the ease with which the court ignores the fact that, at that point in time, it had not yet received an official request for assistance from the French authorities. Prematurely and obediently, it fabricates some sort of imminent danger and then makes the claim that data on the net are volatile. Please remember that the warrant is dated almost exactly a month after the alleged DDoS attack! The court offers no explanation as to the reason why it feared that the data would now suddenly disappear. Ostensibly, because there is no such reason. This, too, causes us to doubt that the court satisfied its legal duty to examine the issue before it.
Additionally, I ask myself why they didn’t make a request for the data they were seeking to the leadership of the Pirate Party in the first place. Clearly, there is no allegation of complicity against the Pirate Party or its leadership in the attacks. As a democratic party with the key goals of “preservation of civil rights and the rule of law”, the party cannot be suspected of being so opposed to a police investigation that it would intentionally undermine it. Instead of an explanation of the issue, we find only a self-serving reference to the absence of a legal obligation of a provider to turn over data without a court order.
At this point, at the latest, any legal professional familiar with copyright disputes would be flabbergasted: in the avalanche of copyright infringement cases, providers are compelled daily, through preliminary injunctions, to preserve IP data and forced, weeks later, to provide them along with user data to the authorities through subsequent court orders. Is the district attorney precluded in any way from making use of a legal procedure that is the copyright holders’ daily bread? Is a simple court order, which would have precluded the Pirate Party from wiping the data in question and then compelled it to turn them over, calmly and without having to shut down its servers, only available to law firms representing copyright owners but not to district attorneys, in the German legal system?
Evidently, the scope of the court order was boundless, in the true sense of the word, and conflicts with the prohibition of disproportionality. An investigative measure must be proportionate to its intended objective. The investigating officers are not permitted to seize millions of data and data files just to obtain a specific pad and the data related to it.
Or were they, once again, on a fishing expedition?
Additional translations (some incomplete) in German, Dutch, French, Russian, Spanish, Serbian/Croatian, Romanian, Portuguese, and Italian are available on this piratepad from Pirate Parties International.
