The first thing we do when we receive a request from law enforcement or a court is review it with our attorneys to see if it is something we want to comply with or push back against. If we comply, we will notify affected subscribers if we are legally allowed to and if we have contact information on record. Sometimes subpoenas come with non-disclosure orders, particularly when an investigation is ongoing. Non-disclosure orders usually have an expiration date, after which we will try to notify.
I can’t discuss the specific subpoenas in question except to say that we found them to be properly executed and pursuant to apparently legitimate criminal investigations. Neither puts the integrity of Let’s Encrypt at risk in any way. We complied with both. We will disclose at least 1-2 more in our next transparency report (I don’t recall off the top of my head how many we have received since the last report). These kinds of subpoenas are normal for any service provider that operates at the scale we do.
Generally speaking, we do not retain much information about our subscribers. This is intentional. The kinds of data that typically get requested in subpoenas include account contact email addresses (which are optional) and ACME transaction logs. You can read more about the information we do and don’t collect, including our policies around OCSP log data retention, in our Privacy Policy:
I don’t, and probably wouldn’t, know about any subpoenas that may have been received by any of our partners.
I hope that helps.