Instapaper lashes out at FBI over stolen business

This week the FBI raided a DigitalOne datacenter in Reston, Virginia taking with them three racks full of servers, many of which were completely unrelated to any criminal activities, causing loads of havoc in the process.

After the obligatory “oh shit” period when it is usually more important to stop the bleeding than yell at the attacker, it seems business owners are taking stock of the damage and self-reporting their frustration. Marco Arment of Instapaper is duly pissed and wrote up as such in a company missive, aptly titled “The FBI stole an Instapaper server in an unrelated raid”:

As far as I know, my single DigitalOne server was among those taken by the FBI (which I’m now calling “stolen” since I assume it was not included in the warrant). I’m assuming this because it became unreachable and stopped sending updates to my internal monitoring system at approximately the time that the FBI raided the datacenter, and has not come online again since then.

[…]

What the FBI stole from Instapaper

I didn’t own the hardware — I was leasing it from DigitalOne. So the FBI has only stolen my time and a partial month of hosting fees, not any physical property of mine. (The hardware was pretty expensive to DigitalOne, though: each of these servers probably costs $5,000–8,000.)

Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server.

So the FBI now has illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase, and as far as I know, this is completely out of my control.

Due to the police culture in the United States, especially at the federal level, I don’t expect to ever get an explanation for this, have the server or its data returned, or be reimbursed for the damage they have illegally caused.

I’m really not sure what to do about this. I’m speaking to my lawyer about it shortly, but as far as I know, there’s nothing I can reasonably do without spending more money, time, and stress than I can afford on a path that would likely lead nowhere productive.

As a small business owner, it’s a good indication now might be the right time to offshore everything if only to put it outside of the reach of these bumbling fools. As a libertarian, I’m thoroughly disgusted with this rampant keystone kops behavior that’s constantly on display and depressed that seemingly nothing will be done punitively to curb this very real criminal behavior by a mere tentacle of the executive branch’s police state apparatus. I might as well just say Obama stole the guy’s server, code and livelihood, it’s really not that much of a stretch any more.

The federal government’s bureaucratic non-response (to the NY Times and other press) to their own “law enforcement” agency’s criminal theft of a business’s resources is undoubtedly forcing a lot of tech heads to take a long hard look at doing their business in the U.S. If your company’s property can literally be stolen in the night, then that’s more than just a scary proposition that runs counter to the free market, it’s a good indication America is on the slide as the freedom-loving tech mecca to the world.

Update: Instapaper head Marco Arment has posted a new announcement that the server miraculously returned from FBI internet jail. How did he know? By him noticing that the server came back online.

Arment investigated and found things seemingly unmolested from his analysis of the server logs. Unfortunately he couldn’t be completely sure there was no further illegal breach by the government and is mistrustful, “they could have copied the data for future analysis” and hinted at the less than honest dealings of the FBI “I have no way to know what they did (or didn’t do) with it.”

In putting the affair behind him, blame for the screw-up is getting placed squarely between the FBI and DigitalOne. He explains, “[I] asked DigitalOne to cancel my account immediately. I’m not convinced that they did everything they could to prevent the seizure of non-targeted servers.”

Now, instead of fighting the FBI and potentially ruining his sanity (come, join us) for the sake of upholding his Fourth Amendment right, Arment plans to return to what’s important to him. “I have a great product to maintain, expand, and improve, and there’s nothing I’d rather do than get back to work doing what I love.”

We wish him the best of luck and know it feels terrible to get caught up in an uncaring bureaucracy, but we want to be the first to tell Marco that we love our work too. Crushing bastards is highly satisfying and we strongly recommend it.

5 Comments
  1. Patriot first, business second. If you aren’t free, being rich doesn’t matter.

    1. A true US patriot defends the US Constitution, including the Fourth Amendment which guards against unreasonable searches and seizures, along with requiring any warrant to be judicially sanctioned and supported by probable cause. The sad part these days is that so many people that take an oath to defend that same US Constitution think nothing of ignoring it in the name of fake “patriotism”.

  2. The fact is that if you’re storing any user data on any server anywhere, including outside the US, ALL of it should be store encrypted and then decrypted on the fly. We’ve had this technology for several years, and it is inexcusable to not be doing this as a standard operating procedure. Racks get seized by governments, backup tapes get stolen and lost, hackers break in, etc. The new normal is to encrypt everything on your servers, and on your own computers.

%d bloggers like this: