Could these subpoenas be published (Fully or partially redacted)?
Does it impact certificate owner?
Does it impact visitors of Let's Encrypt website (letsencrypt.org and others)?
Does it impact visitors of websites using a Let's Encrypt certificate (ex. IPs Asking for OCSP)?
Was it a request for data? If so, what kind of data? Did ISRG had it? Did ISRG gave it?
Was it a request for action (ex. forced revocation, forced certificate issuance)? Did ISRG did it?
Were the affected users notified? If so, before or after the fact? How long before or after?
Were the affected users US citizen? Located (themselves, their servers or their domains) in the US?
Are you aware of any of your subcontractor (Discourse, Akamai, GitHub, PayPal, donorbox, ...) receiving similar request about your users?
Could more detailed be shared in the future (about this case or about others)?
Any other details?
After these requests:
Did ISRG updated it's procedure (how to handle these requests)?
Retrospectively, did IRSG staff think they could/should have handle it better/differently?
Could ISRG Legal Transparency Reports includes more details where there is non-zero numbers and no gag order? (sorry to ask that only 15 days before the next one...)
Ping @lestaff as they are the only ones that can answer most of these question!
The first thing we do when we receive a request from law enforcement or a court is review it with our attorneys to see if it is something we want to comply with or push back against. If we comply, we will notify affected subscribers if we are legally allowed to and if we have contact information on record. Sometimes subpoenas come with non-disclosure orders, particularly when an investigation is ongoing. Non-disclosure orders usually have a expiration date, after which we will try to notify.
I can’t discuss the specific subpoenas in question except to say that we found them to be properly executed and pursuant to apparently legitimate criminal investigations. Neither puts the integrity of Let’s Encrypt at risk in any way. We complied with both. We will disclose at least 1-2 more in our next transparency report (I don’t recall off the top of my head how many we have received since the last report). These kinds of subpoenas are normal for any service provider that operates at the scale we do.
Generally speaking, we do not retain much information about our subscribers. This is intentional. The kinds of data that typically get requested in subpoenas include account contact email addresses (which are optional) and ACME transaction logs. You can read more about the information we do and don’t collect, including our policies around OCSP log data retention, in our Privacy Policy:
I don’t, and probably wouldn’t, know about any subpoenas that may have been received by any of our partners.