267

The recent arrest of someone behind Silk Road is in the news today; he was arrested in a San Francisco public library. A couple of background articles here and here.

To what extent, if any, did staff and/or admins assist law enforcement agencies in arresting this programmer? Did they voluntarily cooperate, or was it a legal requirement to cooperate under US law?

An answer from some authority saying Stack Exchange is not able to discuss the issue with users is also acceptable to me.

17
  • 261
    I, personally, hand-cuffed him. For using PHP, no less.
    – Oded
    Commented Oct 3, 2013 at 12:12
  • 3
    I assumed they gave the authorities proof he was using his real name before changing to "frosty" plus maybe the IP address he was using to cross with his personal computer. Commented Oct 3, 2013 at 12:17
  • 23
    I down and close-voted all his questions at SO (for lack of minimal understanding, of course) to help FBI identify him
    – gnat
    Commented Oct 3, 2013 at 12:17
  • 46
    @Oded: PHP alone can be fine...but using mysql_* should be a federal offense. Commented Oct 3, 2013 at 12:52
  • Apparently the answer to this is that "we need a canary in a coal mine", hope that helps Commented Oct 3, 2013 at 12:58
  • 4
    @MNight using them together is an act of terrorism.
    – Cole Tobin
    Commented Oct 3, 2013 at 13:16
  • 1
    @ColeJohnson - Act of madness, I think you will find.
    – Oded
    Commented Oct 3, 2013 at 16:35
  • 2
    The guys who answered his posts can enjoy a fair rep boost, silver lining and all that....
    – Arran
    Commented Oct 3, 2013 at 17:27
  • 32
    Obviously, this is the 7th tip for getting Stack Overflow reputation fast.
    – Shog9
    Commented Oct 3, 2013 at 17:38
  • 4
    @Shog9 What, frame the person who asks questions you answer as the head of a major criminal empire?
    – Servy
    Commented Oct 3, 2013 at 17:41
  • 3
    I'd love to know the thinking behind those (currently 5) downvotes.
    – JDB
    Commented Oct 3, 2013 at 18:16
  • 16
    Really don't understand why people are still trying to close this. It's a perfectly valid and unique question. It will just be reopened again anyway. Commented Oct 3, 2013 at 18:25
  • 18
    Should be tagged "always frosty in iceland"
    – Pollyanna
    Commented Oct 3, 2013 at 18:33
  • 6
    On May 29, 2015 Ross Ulbricht was sentenced to life in prison. Notably: "The challenge for the prosecution was to prove that Ulbricht was Dread Pirates Roberts, the person running the black-market e-commerce site Silk Road when the FBI shut it down in 2013." While Stack Exchange may have played only a minor part in this case, it is very notable that it did play a part. As such this question should remain open and available for further consideration, both for users and for Stack Exchange itself. businessinsider.com/…
    – Pollyanna
    Commented May 29, 2015 at 21:50

2 Answers

238

Caveat: I'm not a lawyer; I'm just a humble VP who wants to ensure we're as transparent with our community as possible.

Summary:

  • Sadly, I can't legally share any of the specific details of what law enforcement requested in this specific case.
  • I can, however, tell you that the inquiry was extremely specific, legally enforceable, and had nothing to do with the NSA.
  • Some press on this case implies that the FBI found this person from his activity on our site. I can't disprove that, but it is much more likely that they found him through other means, and then tracked his activity on various sites to build enough evidence for an arrest, indictment, etc.

Things we want you to know:

  1. We take your privacy seriously, and are extremely reluctant to share private information if it can possibly be avoided.

  2. We comply with any legally enforceable requests for information from law enforcement agencies.

  3. This happens very, very rarely. I have more than enough fingers to count the times this has occurred since I started working here a year and a half ago. I wouldn't need a single toe, and I'm pretty sure I wouldn't need both hands.

  4. There are many circumstances in which we may be legally prohibited from sharing such requests. The NSA cases have been most widely publicized. But the more common cases are much narrower, such as those where a judge has determined that the details of the investigation would undermine law enforcement's ability to proceed without risk to innocents, etc. But the most common examples are probably grand jury subpoenas. These are also the most benign, as grand jury proceedings are sealed predominantly to protect the accused from having personal details dragged into public view before the government has demonstrated reasonable cause to do so.

22
  • 95
    Thank you for sharing this. It really speaks highly of Stack Exchange that you guys are open to responding (where possible and legal) like this. Commented Oct 3, 2013 at 17:33
  • 2
    You give us a waffle but keep the pancake... oh well, we can't have it all. Thanks! :) Commented Oct 3, 2013 at 17:54
  • 31
    How do you assess whether requests are "legally enforceable"? Does SE retain a lawyer to look at this stuff? Have you gotten any requests from law-enforcement agencies that aren't legally enforceable?
    – blahdiblah
    Commented Oct 3, 2013 at 18:29
  • 3
    @blahdiblah, see my latest to get a sense of volume. We don't have counsel on staff for these because they'd get bored. If we got a questionable one (asking for lots of users' info, or info that couldn't logically seem to connect to the charge), we'd probably consult with counsel to see if it's worth challenging.
    – Jaydles
    Commented Oct 3, 2013 at 18:44
  • 7
    Can you tell us when you received this inquiry?
    – Nemo
    Commented Oct 3, 2013 at 20:00
  • 49
    You probably wouldn't need both hands? But if you're using your fingers as binary digits that's up to 31 cases! With both hands it's over 1000! Commented Oct 6, 2013 at 6:42
  • 23
    "We take your privacy seriously." Not seriously enough. (1) It's possible for anyone to look up users by email address, but this feature is never explained to users and cannot be disabled. (2) Visitor tracking data is given to all of Gravatar, Imgur, Facebook, Google, Quantserve, Adzerk, (others?) via embedded images and scripts. (3) SO used to have HTTPS. I liked that. Now it redirects to the HTTP version. But the fact that it redirects smoothly means there must be a legit SSL cert, so why block it?
    – Boann
    Commented Oct 6, 2013 at 11:27
  • 23
    @Boann: 0) privacy != anonymity. 1) this has been publicly documented for years, and... It's optional (you don't have to provide an email). We recently changed the system to use a salted hash for most users by default, meaning you have to opt-in to exposing even your hashed email. 2) Most of The Internet works this way, and has for many years - you can avoid it if you really want to. 3) HTTPS has never worked properly on SO - we're working on fixing that, but there are many hurdles.
    – Shog9
    Commented Oct 6, 2013 at 15:41
  • 5
    @blahdiblah - they turn up with guns and a badge = it's "legally enforceable" Commented Oct 7, 2013 at 0:53
  • 6
    "We take your privacy seriously." Heard that one before. Commented Oct 7, 2013 at 0:59
  • 7
    I'm really (unpleasantly) surprised that you can look up users by email addresses. FWIW, the description in the email address field says "never displayed, used for optional notifications and your gravatar", which doesn't include lookup.
    – js.
    Commented Oct 7, 2013 at 7:32
  • 6
    Sometimes you need to say NO even if it's legally enforceable. The law is not always morally right. Does that come into consideration? Commented Oct 7, 2013 at 11:07
  • 2
    @MDMarra No, I'm surprised that I can be found by my email address and that I can't turn that off like on Twitter.
    – js.
    Commented Oct 8, 2013 at 12:23
  • 5
    @WouterSchut so you think that Stack Exchange should have taken the moral high road and sheltered a drug kingpin and supposed murderer?
    – MDMarra
    Commented Oct 8, 2013 at 12:37
  • 3
    @MDMarra yeah I was talking about Stack Exchange users searching by email address.
    – js.
    Commented Oct 8, 2013 at 12:43
62

You can read the official criminal complaint to see more details. Starting on page 30 of the criminal complaint, found here: https://archive.org/details/UlbrichtCriminalComplaint_201310 http://krebsonsecurity.com.nyud.net/wp-content/uploads/2013/10/UlbrichtCriminalComplaint.pdf (original source has been deleted by author)

It details Stack Overflow's involvement. They clearly listed the times of email address changes and edits done to his profile.

What one might find disturbing (depending on your expectations of privacy) is the amount of logs kept for various user activities on Stack Overflow. As one comment indicated, this could also be a good thing if your account needs to be restored after being hacked.

But I think it is clear, according to the criminal complaint, that they ~~opened their books up to the feds~~ complied with the feds in order to tie DPR to Ross Ulbricht.

17
  • 11
    I like that they keep these detailed logs. It gives me hope that if my account is ever hacked, they can undo the damage relatively easily. Commented Oct 3, 2013 at 17:08
  • 147
    A guy runs a criminal empire and offers to pay to have people killed, but the disturbing thing is that Stack Overflow logs when users change their name and email address? Commented Oct 3, 2013 at 17:19
  • 5
    I just said one "might" find it disturbing. It just depends on your privacy expectations for the site. @adam has a valid point about recovery of an account after getting hacked.
    – Terry
    Commented Oct 3, 2013 at 17:20
  • 2
    Okay, just trying to inject a little perspective. :) Commented Oct 3, 2013 at 17:21
  • 47
    That name changes are logged shouldn't be a surprise to anyone; indeed, I wish they were logged publicly.
    – Shog9
    Commented Oct 3, 2013 at 17:28
  • 21
    @terry, in the context of recent disturbing NSA revelations, "opened our books" tends to imply broad disclosures that I can assure you did not occur.
    – Jaydles
    Commented Oct 3, 2013 at 17:32
  • 11
    For most practical purposes, every interaction you have with any major web site is logged. The only questions are whether the log entry ties the interaction back to the specific user (it usually does) and how long those logs are retained (usually at least close to permanently). Commented Oct 3, 2013 at 17:40
  • 1
    @Shog9 as a senior employee/manager can't you decide to implement such a change? Who or what is in your way? Commented Oct 3, 2013 at 18:02
  • 1
    I don't unilaterally decide anything, @Sha (well, nothing like this - there are areas where my decisions do fall into some "ask for forgiveness if need-be" limbo) - this is something that would affect a lot of people, and - as this case demonstrates - not necessarily in a way they'd like. So it would require a significant amount of support (see the various linked questions on that post for reasons why we might not want to do this).
    – Shog9
    Commented Oct 3, 2013 at 18:10
  • 1
    Is it possible for a regular user to see historical name changes currently on Stack Overflow?
    – philfreo
    Commented Oct 7, 2013 at 0:24
  • 2
    Depending on how often the name changes occurred on the account, it may have been possible to find the same information from other public sources, such as archive.org for example. Commented Oct 7, 2013 at 2:16
  • 1
    @Shog9 Would you happen to know how many name change records are kept per person? Commented May 9, 2019 at 2:40
  • 1
    All of them, @forest. But all are not necessarily exposed.
    – Shog9
    Commented May 9, 2019 at 2:57
  • 2
    I mean... We also log every single request, so if you're just trying to use up harddrive space there are easier ways...
    – Shog9
    Commented May 9, 2019 at 3:08
  • 2
    Naw, just the metadata. It's still a crazy amount of data. We purge eventually, but realistically you're gonna get banned before you can put a dent in the storage capacity here.
    – Shog9
    Commented May 9, 2019 at 3:13
