by misterpigs 1119 days ago
I love this level of transparency.

Yeah, whether necessary or not, it's still nice to have such a level of detail in a transparency report.
Sure. But I would love if they had considered this from the start:

> As a result we are currently developing new data retention and disclosure policies.

“I guess we don’t actually need that” should have been the idea from the start.

After a quick glance at the information listed in the report I didn't notice excessive data collection on pypi's part.

I'd say they followed "I guess we don't actually need that" approach reasonably well so far and good for them if they want to improve that even more.

One important thing to remember here is that PyPI was originally started in 2002 as a weekend hack project that grew over time to become the piece of critical infrastructure it is today. There's a lot of stuff in PyPI that exists as historical baggage and cruft, and reviewing it just never bubbled up to be a priority. Likewise, a lot of the policies it has have been added and grown over time as something happened that caused us to need one.

On top of all of that, it's volunteer run and has been understaffed for basically its entire life, so sitting down and figuring out a proper data retention policy that takes a holistic view of everything we have just never bubbled up.

In general I think we already do a pretty good job of collecting a minimal amount of data, and hopefully with proper policies we can do an even better job.

I can't tell if this is sarcastic.

While they are transparent that the events happened, they are not transparent about which packages and what authors are being flagged, which is unfortunate.

Is it possible that they can't publish that? Perhaps even not allowed to say that they can't publish that?
> While they are transparent that the events happened

Considering they are admitting they will always obey government commands, including regarding non-disclosure of actions to affected users, it is prudent to assume they are, in fact, not transparent about events; only about those events which the government has let them tell you about. Other events (e.g. National Security Letters) may or may not have occurred.

> We will not be releasing the usernames involved publicly or to the users themselves.

Which is the most important part.

They're not allowed to release that.

Edit

I read 'chaps as saying there was an NDA on the subpoena, but apparently there wasn't, so this might just be flatly wrong.

The NDA isn't the only reason you don't risk interference in an ongoing investigation though so regardless the basic point still stands.
Even in the absence of NDA, are you allowed to? Counsel has apparently advised them not to. Would it not carry the risk of being complicit to a crime?
Disclosing facts is not a crime.
There are lots of situations in which disclosing facts is indeed a crime. You are answering my specific question with a nice sounding maxim which is obviously not true in general.
Perhaps there is no NDA on the fact that subpoenas were issued, but still an NDA on whom they were issued about? Limiting the scope of such an NDA feels like a plausible result of negotiations after a motion to quash the subpoena.
Releasing the user names would not be respecting the privacy of the users.
Do you still love it if it enables a terrorist or otherwise very bad person to evade capture?
Not OP but yeah. I don't buy into the whole "to protect you from bad people I need to erode your rights" argument.

Never made sense to me. Terrorists and other very bad people usually aren't in the business of following laws so I don't know what crimes you'd prevent by weakening the rights of everyone else.

I'm very unaware exactly what the issue is with this particular case, so be gentle, but what is the difference between the government agencies doing their job to stop criminals, and evil rights-destroying which it sounds like you are clearly convinced is what's going on?

Let's say someone stole your identity and in the process they emailed all your financial documents to example.anon12345(at)gmail. If you contacted the police and the FBI subpoenaed Google to force them to give them the details of whatever they know about that accountholder, is that bad and hurting the rights of somebody, or is it protecting your rights?

Does it change based on the despicableness level of the crime suspected? From one count of copyright infringement of a Taco Bell commercial, to organized retail theft rings, to identity theft, to CSAM, to terrorism?

I'm not saying you're wrong, I'm just curious what the "We hate subpoena power" argument is so I can decide where I stand on it. I feel mildly like I'm not as bothered as you are, but I suspect I'm missing something.

Also, should "online" operate under different rules than offline? If the "feds" have probable cause that some guy is a drug kingpin and they break into his office and his safe to seize evidence, is that equally bad as forcing Google to open up his Gmail account for them?

I mean, surveillance reduces crime. Wherever you fall on the spectrum of surveillance/privacy, I can guarantee if the government read everything everyone wrote/texted/read and recorded their every move, there would be less crime.
Great to know that. I'll let the parents of Uvalde know how surveillance reduced crime on the 1 year anniversary of the school shooting.

Surveillance does not reduce crime; tending to people's basic needs so that they don't need to commit crimes reduces crime.

Is a subpoena of 5 specific users' data, presumably with the purpose of getting evidence about things that already happened, the same as 'surveillance'?

> the government read everything everyone wrote/texted/read

is this really a relevant analogy for this? And yes, I've heard of the mass surveillance via telco that we did find out (through Snowden) was happening, and do think it seriously crossed the line. I'm just wondering if this kind of case at issue has anything in common with that malfeasance at all.

Is it your belief that they lacked any probable cause and are actually trying to persecute those 5 people for some reason?

Rather than try to argue against a position I'm not fully understanding, I'd like to hear how you think police should solve crimes with a significant "cyber" component.

To be clear, I'm not advocating for it. But if people couldn't use the internet/communications to plan or communicate criminal activities, crime would reduce (to some degree, meaningful or not).
Climate activism is also being considered an act of terrorism by some now (particularly some Christian party in Germany); dunno if those people label themselves as 'very bad persons'. Probably goes for all terrorists, but this might be easier to relate to as it's grounded in reality and we'd likely agree with the change they seek.

Child porn and terrorism are the favorite subjects of politicians looking to enact a new law, but idk if it's good to follow that thinking and use it as an example as opposed to a serial killer or something.

Yes. Truth itself stands at the top of the moral hierarchy. It can stand alone without any justification. "You told the truth" will never be immoral, consequences be damned.