The FBI stole an Instapaper server in an unrelated raid

UPDATE: The server has been returned. Please read.

One of Instapaper’s five leased servers was hosted at DigitalOne, a Swiss hosting company leasing blade servers from a Virginia datacenter. Early Tuesday morning, the FBI raided the datacenter to seize servers used by another DigitalOne customer for fraudulent “scareware” distribution, according to the FBI’s press release, but they seemingly took a lot more servers that happened to be physically near the server(s) they were looking for.

There’s very little information on this, but The New York Times has the most complete coverage in Tuesday’s Bits post:

The F.B.I. seized Web servers in a raid on a data center early Tuesday, causing several Web sites, including those run by the New York publisher Curbed Network, to go offline. …

In an e-mail to one of its clients on Tuesday afternoon, DigitalOne’s chief executive, Sergej Ostroumow, said: “This problem is caused by the F.B.I., not our company. In the night F.B.I. has taken 3 enclosures with equipment plugged into them, possibly including your server — we cannot check it.”

Mr. Ostroumow said that the F.B.I. was only interested in one of the company’s clients but had taken servers used by “tens of clients.”

The LA Times also has good coverage:

"FBI was interested in one of our clients and in his servers, but they took besides target servers tens of not related servers of other customers," [Ostroumow] said.

As far as I know, my single DigitalOne server was among those taken by the FBI (which I’m now calling “stolen” since I assume it was not included in the warrant). I’m assuming this because it became unreachable and stopped sending updates to my internal monitoring system at approximately the time that the FBI raided the datacenter, and has not come online again since then.

The server was used as a MySQL replication slave, handling read-only queries to speed up the site. Instapaper suffered no downtime as a result of its theft and no data has been lost, but site performance has been slower without it.

Instapaper’s main host, SoftLayer, responded quickly to an order I placed to replace this server there. It’s almost completely set up, and the site’s performance should be fully restored by tonight.

What the FBI stole from Instapaper

I didn’t own the hardware — I was leasing it from DigitalOne. So the FBI has only stolen my time and a partial month of hosting fees, not any physical property of mine. (The hardware was pretty expensive to DigitalOne, though: each of these servers probably costs $5,000–8,000.)

Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server.

So the FBI now has illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase, and as far as I know, this is completely out of my control.

Due to the police culture in the United States, especially at the federal level, I don’t expect to ever get an explanation for this, have the server or its data returned, or be reimbursed for the damage they have illegally caused.

UPDATE: Fortunately, I was wrong about one of those: The server has been returned. Please read.

I’m really not sure what to do about this. I’m speaking to my lawyer about it shortly, but as far as I know, there’s nothing I can reasonably do without spending more money, time, and stress than I can afford on a path that would likely lead nowhere productive.

DigitalOne’s response

DigitalOne hasn’t handled this well. Nobody from the company has contacted me at all since this began. The company’s website is still down, suggesting that they might not have any backups (or at least don’t care enough) to set up a temporary page elsewhere. I have no idea whether I’ll ever see the server again, whether I’ll be reimbursed for the remainder of the month that I’m not receiving the service I paid for, or whether I’ll be billed on July 1 for the next month of nonexisting service.

It’s also possible that miscommunication or a lack of communication from DigitalOne caused the FBI to be so imprecise in what they took. Nobody really knows except DigitalOne and the FBI, and neither are being particularly helpful.

Regardless, I’m not hosting any servers at DigitalOne in the future, and I’m not renewing this one (if that ever becomes possible).

UPDATE: The server has been returned. Please read.