This is a rather disturbing turn of events. Federal Magistrate Joseph Spero has approved a request by Sony to subpoena the hacker GeoHot’s web host, as well as YouTube, Google, and Twitter, for identifying information on anyone who has accessed, commented, or viewed information relating to the hack. At best this is lazy on Sony’s part and irresponsible on Magistrate Spero’s, and at worst it is a deliberate and malicious wholesale violation of privacy.

The pretense for this wildly overreaching action is that Sony needs this information to prove the case should be tried in San Francisco, in federal court and close to Sony’s headquarters. And why do they feel it should be? Because that’s in Sony’s terms of service. This after another judge noted that by Sony’s standards, “the entire universe would be subject to [her] jurisdiction.”

Sony contends that the subpoenas are “narrowly tailored for jurisdictional discovery.” Yet their subpoena for Bluehost, GeoHot’s host, requires “all server logs, IP address logs, account information, account access records and application or registration forms” and “any other identifying information corresponding to persons or computers who have accessed or downloaded files hosted using your service and associated with the www.geohot.com website, including but not limited to the geohot.com/jailbreak.zip file.” Essentially, everyone who visited GeoHot’s site (or his blog at Blogspot) is subject to involvement in this case.

They also will subpoena YouTube and Google requiring identifying information for anyone who watched GeoHot’s video showing a PS3 hack.

Every viewer. Every visitor. No matter how they came there, whether or not they downloaded the contested information. Whether they used that information illegally or not. I’m on that list. Are you? How do you like the idea of Sony subpoenaing your personal browsing data from when you followed a link from Reddit or CrunchGear out of curiosity?

Sony contests that everything is proper, and that the non-parties (which is to say, you and I) will have a chance to contest involvement. Really? Sony is asking that the court knowingly involve potentially hundreds of thousands of individuals, because those individuals aren’t legally restricted from saying they’re not involved. They may as well accuse the whole world and then let the 6.9 billion of us not concerned each send a letter to Magistrate Spero saying there’s been a minor mistake.

The EFF has responded in a letter to the Magistrate, saying “the discovery seeks information about non-parties and… the relationship to the narrow jurisdictional question at issue [i.e. where the case should be tried] seem tenuous at best” and citing a previous decision in which it was found that “Nonparty disclosure is only appropriate in the exceptional case where the compelling need for the discovery sought outweighs the First Amendment rights of the anonymous speaker.”

The DMCA forbids devices that circumvent copyright or other protections, and the idea behind it is similar to the laws preventing you from modifying, say, your bumper height beyond a certain level, or building a house without the proper permits. But cases like this one clearly are not analogous, as has been pointed out thousands of times over the last few years (TechDirt is a reliable source on this topic). Being able to do what you like with your own property is somewhere between a right and a privilege, but at the very least if it is done in private and no ill effect can be shown to result, you should be free to hack. It’s not legal yet, but neither is crossing the street against the light.

Whether Sony or the Magistrate is more at fault here, I don’t know. It’s clear that this request by Sony is either lazy or malicious: they could have made it more specific, but didn’t bother. And the Magistrate should have demanded, as the EFF points out, that Sony meet higher standards for discovery limitations. Is anyone else worried that our judges and legislators are unable to comprehend the issues they are forced to judge and legislate? Magistrate Spero for one clearly does not understand the scope or gravity of the request he just granted.

Meanwhile, of course, the master signing key for the PS3 is widely available to anyone who looks. What Sony thinks it will accomplish by suing GeoHot and anyone else who posts the key (including their own Kevin Butler, I expect) is beyond me. Hacks are like the hydra, and while Sony is suing the head it has already cut off, two more, or two thousand, will grow in its place.

[edited for clarity]