PyPI Subpoenaed: US Government Requests User Data
The Python Package Index (PyPI), with an extensive collection of more than 450,000 Python packages, is a highly popular repository among developers. These packages are stored as source distribution archives (“sdists”) or as precompiled binary “wheels.”
The US Department of Justice issued three subpoenas to the Python Software Foundation (PSF), requesting the disclosure of PyPI user data. The focus of these subpoenas was on five specific PyPI usernames, and the data requested can be summarized as follows:
PyPI Data Request
- Names, including subscriber names, user names, and screen names.
- Addresses, including mailing, residential, business, and email addresses.
- Connection records
- Records of session times and durations, along with the temporarily assigned network address, such as Internet Protocol (IP) addresses, associated with those sessions.
- Length of service, including the start date and the type of services utilized.
- Telephone or instrument numbers, including the registration Internet Protocol (IP) address.
- Means and source of payment for any such services, including any credit card or bank account number and billing records.
- Records of all Python Package Index (PyPI) packages uploaded by the specified usernames.
- IP download logs of any Python Package Index (PyPI) packages uploaded by the specified usernames.
As you can see, the Department of Justice requested a broad set of PyPI user data. After consulting legal counsel and concluding that there was nothing further PyPI administrators could do, the PSF complied with the subpoenas, since the foundation is subject to US law and resisting a subpoena is difficult. To further improve their users’ freedom, security, and privacy, PyPI and the PSF will review their current data and privacy practices.
Conclusion
The Python Software Foundation will now create new data retention and disclosure policies for responding to future government data requests. These policies will also specify what personally identifiable information about users is stored on their systems, how it is stored, and for how long. If you want to learn more about the information provided and PyPI’s efforts to be transparent, you can read their blog article.
TuxCare’s Extended Long-term Support (ELS) program for Python 2.7 allows you to continue using your existing software as you did previously. This program provides a modern platform that meets your compliance needs while ensuring that you receive essential security updates specifically addressing high and critical vulnerabilities.
The sources for this article include a story from It’s FOSS News.