By: nooblag

DigitalOcean and Government Requests?

October 11, 2014 3.4k views

Hi there,

I'm interested as to whether DigitalOcean both has published policy and guidelines concerning governmental information requests, and also releases figures pertaining to such (or similar) requests? Or if not, at the very very least, has a public stance on the issue, in the interests of its customers and the community?

CloudFlare has a great stance on this and does a "Transparency Report" every year. Notable points conceded that I'd like to see DigitalOcean side with:

  • CloudFlare has never turned over our SSL keys or our customers' SSL keys to anyone.
  • CloudFlare has never installed any law enforcement software or equipment anywhere on our network.
  • CloudFlare has never terminated a customer or taken down content due to political pressure.
  • CloudFlare has never provided any law enforcement organization a feed of our customers' content transiting our network.
  • If CloudFlare were asked to do any of the above, we would exhaust all legal remedies, in order to protect its customers from what we believe are illegal or unconstitutional requests.

I wonder what DigitalOcean's stance is, and whether there is a public commitment to privacy and security in the same spirit...

Thanks!

3 Answers

Hey Folks,

We are working with our law firm, WSGR, and our in-house counsel to put together a transparency report that is in line with industry standards. We hope to have this complete by the end of Q2 this year.

To clarify above:

Has DigitalOcean ever turned over any customer SSL keys to anyone?

NO.

Has DigitalOcean ever installed any law enforcement software or equipment anywhere on their systems or network?

NO.

Has DigitalOcean ever terminated a customer or taken down content due to political pressure?

NO.

Has DigitalOcean ever provided any law enforcement organisation a feed of customer content transiting the network?

NO.

And if DigitalOcean were asked to do any of the above, would it exhaust all legal remedies in order to protect its customers?

Absolutely, we regularly push back on governments or local jurisdictions that we believe may infringe any of our customers' rights.

As mentioned, we hope to provide a much more comprehensive report towards the end of Q2 this year.

You will need to open a ticket so someone on staff may answer that question. I am not sure of this myself.

Hi all,

Thank you for your concern about our privacy policy with regard to government requests for information. Our privacy policy states:

"We also reserve the right to access, read, preserve, and disclose any information as we reasonably believe is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request, (ii) enforce this Privacy Policy and our Terms of Service, including investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or (v) protect our rights, property or safety, our users and the public."

You can read the full policy here:
https://www.digitalocean.com/legal/privacy/

I hope this clarifies our policy, but please let us know if you have any other questions or concerns. Thank you.

Chrissy
DigitalOcean Support

  • Hi there, thank you for your reply. It clarifies things somewhat, but I'm still at a bit of a loss to better understand DigitalOcean's intent to protect user privacy and security, as well as fight for what is right in the current climate of mass surveillance and extra-legal government requests. What is the stance on this? Please, it's strenuously important...

    To the portion of your response which is relevant, what you've provided (paraphrased) from the Privacy Policy is that DigitalOcean will disclose any information to satisfy any governmental request. Now this is somewhat understandably broad and vague---and could be another matter to clarify in-and-of-itself (i.e. see below regarding law enforcement software or equipment)---but for now, this is why I'm asking about intent.

    For example: What about a government (agency) request not sanctioned by court order or warrant? Has DigitalOcean ever received such requests? What would they do if they did? How about any requests with gag orders such as NSLs? This is why transparency reporting, as mentioned with CloudFlare above---regardless of hypotheticals---is something I'd like to see DigitalOcean comment on.

    And the second part to that is an answer to what I also previously was wondering: Can/would/does DigitalOcean side with the intention of others such as CloudFlare (as above) on the point of transparency? i.e. As posited originally:

    • Has DigitalOcean ever turned over any customer SSL keys to anyone?
    • Has DigitalOcean ever installed any law enforcement software or equipment anywhere on their systems or network?
    • Has DigitalOcean ever terminated a customer or taken down content due to political pressure?
    • Has DigitalOcean ever provided any law enforcement organisation a feed of customer content transiting the network?
    • And if DigitalOcean were asked to do any of the above, would it exhaust all legal remedies in order to protect its customers?

    Thank you for taking the time to help clarify this! I appreciate that it can be a naggling issue. DigitalOcean is a great service and I'd love to see it support its users as much as they support them by being open and honest about this, during such pertinent and important times.

    Thank you!

  • // Crickets? //

    Perhaps adding some EFF ideas may help stir things along?

    They've wonderfully crafted an idea of the Warrant Canary for so-called Transparency Reports... Here's an explanation about what that is, complete with FAQ.

    Or maybe the crickets are indicative---analogous to the canary... Hmmm.

    So. Any progress on the bullet points above?

    Thanks.

  • This point needs to be addressed. Especially since privacy laws in one of your zones might be different from another (I'm specifically thinking: if I host in the US, am I vulnerable to NSLs vs. if I choose Amsterdam I would not be?). Microsoft (of all companies) recently denied the FBI data that resides in Ireland, and Irish authorities have clearly stated that if they would turn over the data Irish laws would be broken.
