by: Ee Durbin · 2023-05-24
In March and April 2023, the Python Software Foundation (PSF)
received three (3) subpoenas for PyPI user data.
All three subpoenas were issued by the United States Department of Justice.
The PSF was not provided with context on the legal circumstances surrounding these subpoenas.
In total, user data related to five (5) PyPI usernames were requested.
The data request was:
- “Names (including subscriber names, user names, and screen names);”
- “Addresses (including mailing, residential addresses, business addresses, and email addresses);”
- “Connection records;”
- “Records of session times and durations, and the temporarily assigned network address (such as Internet Protocol addresses) associated with those sessions;”
- “Length of service (including start date) and type of services utilized;”
- “Telephone or instrument numbers (including the registration Internet Protocol address);”
- “Means and source of payment of any such services (including any credit card or bank account number) and billing records;”
- “Records of all Python Package Index (PyPI) packages uploaded by…” given usernames
- “IP download logs of any Python Package Index (PyPI) packages uploaded by…” given usernames
The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators,
and we are committed to protecting user data from disclosure whenever possible.
In this case, however, PSF determined with the advice of counsel that
our only course of action was to provide the requested data.
I, as Director of Infrastructure of the Python Software Foundation,
fulfilled the requests in consultation with PSF’s counsel.
We have waited for the string of subpoenas to subside, though we were committed
from the beginning to write and publish this post as a matter of transparency,
and as allowed by the lack of a non-disclosure order associated with the
subpoenas received in March and April 2023.
Next Steps
PyPI and the PSF are committed to the freedom, security, and privacy of our users.
This process has offered time to revisit our current data and privacy standards,
which are minimal, to ensure they take into account the varied interests of
the Python community.
Though we collect very little personal data from PyPI users,
any unnecessarily held data are still subject to these kinds of requests
in addition to the baseline risk of data compromise via malice or operator error.
As a result, we are currently developing new data retention and disclosure policies.
These policies will relate to
our procedures for future government data requests,
how and for what duration we store personally identifiable information such as
user access records,
and policies that make these explicit for our users and community.
Please continue to watch this blog for related announcements as policies
are finalized, published, and implemented.
Details
In order to provide as much transparency as possible,
the following will detail the shape and extent of
the data that was contained in the responses to these subpoenas.
We will not be releasing the usern