Every time I'm reminded of this law, specifically the year of its passing, I'm newly surprised. With some digital authoritarian laws, I'm acutely aware that they are only recent history (eg FOSTA, DMCA, bank surveillance, "Patriot" act). But with the NETA and the CFAA I have to work at remembering that things weren't always this way, as recently as only a few decades ago. Like imagine the different world we could be living in if they had failed at becoming law and things had developed without them.
The nominal reason for the passing of the law was widespread use of VCRs, which allowed non-centralized and difficult to control recording/copying, distribution, and at home playing where usage couldn’t be monitored (like at a theatre which can be audited).
Before that, it would involve something like literal film, which didn’t scale well, and was too expensive and difficult for a typical person to do at home. It still happened, but was VERY niche.
With VHS/VCRs, someone could spend a couple thousand dollars and make hundreds of bootleg copies of any blockbuster video out there from their garage, and it was easy to literally go to Blockbuster(tm) and get a copy to duplicate without being tracked. Easy money. Folks would sell them out of the back of (literally) vans, or through friends, or via flea markets, etc.
It’s still super prevalent in Asia, using DVDs/Blu-rays.
In the US, it then eventually got applied to the internet, because it was even easier and more scalable using computers, and harder to track down the culprits.
Not a US citizen, but "The government" is a wide term and any law enforcement agency would fit this, including the ones that are responsible to deal with things like copyright enforcement - that's exactly the type of fish they exist to fry ...
In the US, subpoenas come from the Justice Department (either state or federal depending on the crime for which evidence is being sought). The court that issued the subpoena is on it, and the person or entity being served has the right to see why some government agency felt it could aid in the uncovering of a crime that had already been committed. The person or entity then has the opportunity to challenge that in court prior to complying with it. This is sometimes informally called "quashing the subpoena." From my sister-in-law who is a defense attorney, the most common result of challenging a subpoena is to get what it asks for narrowed down to just what is plausibly responsive.
In the article, this response: "As a result we are currently developing new data retention and disclosure policies. These policies will relate to our procedures for future government data requests, how and for what duration we store personally identifiable information such as user access records, and policies that make these explicit for our users and community." is good practice for limiting what a subpoena can request (you can't give what you don't have).
At Blekko we logged access records in such a way that we could use PII for 48 hours and then it was deleted. The CTO, Greg Lindahl, is a huge privacy advocate and this sort of architecture made it possible to get information to improve our ranking and service without compromising people's privacy. In practice I don't think any agency could go from "we have a suspect" to "issue a subpoena" in 48 hrs so it was a useful way for us to stay out of the crosshairs. The most interesting event was the FBI asking for information on IP addresses that had accessed their honeypot CSAM site. That turned out to be some of the machines in the crawling cluster. Given that the site was outside the crawl "horizon" and didn't rank (very few sites linked to it) it didn't even make it into the cache for rank analysis. But in that case the turn around time was impressive. Of course that is because they were just using their own logs to generate subpoena requests.
As I recall (and I'm not a lawyer so don't rely on this advice) the lawyers had advised that as long as the retention period was published, even if a subpoena asked for a longer look back you could meet your obligation by returning "all the data you had" which would only be 48hrs worth.
Had a jurisdiction said, "You should have expected ..." I expect our response would have been, "We have published what we retain, we conform to federal and state laws, you knew ahead of time we wouldn't have more than 48 hrs worth."
That said, jurisdiction when it comes to the Internet is always kind of "weird". Did you use the web service in your house in Columbus OH, or did you use the web service on a server in a data center in California? Also as I recall our TOS also had a requirement that any legal action be brought in California but I don't think we ever tested that in court.
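The 48-hour PII window described above, as an added illustration (not Blekko's code; the record fields, the sample log and the scrub-on-read sweep are assumptions): access records keep their non-identifying fields for ranking analysis, while the client address is dropped once a record is older than the published retention period, so a request for an address can only be answered from what is still inside that window.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention window, taken from the 48-hour figure in the comment.
PII_RETENTION = timedelta(hours=48)

@dataclass(frozen=True)
class AccessRecord:
    ts: datetime                # time of the request (UTC)
    query: str                  # search query, kept for ranking analysis
    clicked_rank: Optional[int] # which result was clicked, kept for ranking
    client_ip: Optional[str]    # the PII field; None once scrubbed

def scrub_expired_pii(records, now):
    """Return a copy of the log with client_ip removed from every record
    older than the retention window. Non-PII fields are kept intact."""
    cutoff = now - PII_RETENTION
    return [replace(r, client_ip=None) if r.ts < cutoff else r for r in records]

def records_for_ip(records, ip, now):
    """What a data request for one address can actually be answered with:
    only records still inside the window carry an address at all."""
    return [r for r in scrub_expired_pii(records, now) if r.client_ip == ip]

# Constructed sample log (not real data); addresses are documentation ranges.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    AccessRecord(NOW - timedelta(hours=72), "vcr repair", 2, "203.0.113.7"),
    AccessRecord(NOW - timedelta(hours=49), "blekko", 1, "203.0.113.7"),
    AccessRecord(NOW - timedelta(hours=47), "subpoena", None, "203.0.113.7"),
    AccessRecord(NOW - timedelta(hours=1), "yt-dlp", 3, "198.51.100.2"),
]

if __name__ == "__main__":
    for r in scrub_expired_pii(SAMPLE_LOG, NOW):
        print(r)
    # Only the 47-hour-old record is still attributable to 203.0.113.7.
    print(records_for_ip(SAMPLE_LOG, "203.0.113.7", NOW))
```

In a real pipeline the scrub would run as a scheduled job that rewrites or deletes the stored field, not as a filter applied on read; the point is that the retained data itself never contains the address beyond the published window.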
Given the discussion around how lacking PyPI supply chain security is, how juicy of a target it is for attackers, and how critical infrastructure is probably relying on PyPI, yt-dlp is the last thing on my mind.
What usually happens is the large corporation lays out a case like "yt-dlp is responsible for billions in damages" and they press the DOJ to investigate and prosecute.
Given PyPI has been a vector for distributing malware into dependency chains, wouldn't you think that would be a more likely target for the DoJ over one of HN's favorite axes to grind?
I wouldn't be surprised if it was more of AI based impersonation stuff. AI in the government is big because people can use it to impersonate people as a form of identity fraud.