PyPI Is Working To Minimize Stored User Data Following DOJ Subpoena

"While data demands from authorities are commonplace among large commercial internet services, like GitHub, we're unaware of previous public reports about subpoenas directed at open source software package registries," wrote The Register.

  • "In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice."
  • "The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested."

"The data request was:

  1. "Names (including subscriber names, user names, and screen names);"
  2. "Addresses (including mailing, residential addresses, business addresses, and email addresses);"
  3. "Connection records;"
  4. "Records of session times and durations, and the temporarily assigned network address (such as Internet Protocol addresses) associated with those sessions;"
  5. "Length of service (including start date) and type of services utilized;"
  6. "Telephone or instrument numbers (including the registration Internet Protocol address);"
  7. "Means and source of payment of any such services (including any credit card or bank account number) and billing records;"
  8. "Records of all Python Package Index (PyPI) packages uploaded by..." given usernames.
  9. "IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames."
  • "PSF determined with the advice of counsel that our only course of action was to provide the requested data. I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF's counsel."
  • "Much of the concern focuses on IP address data, which gets stored in conjunction with web log access; user events such as logins; project events including uploads; events associated with recently introduced organizations; and administrative PyPI journal entries."

EDITOR'S NOTE: It is prudent for all operators to minimize the amount of data they hold on users. Any data held is a liability that operators may be forced to hand over to governments.

Full Disclosure / Archive
The Register Article / Archive