A Washington DC judge has told the US Department of Justice (DoJ) it "does not have the right to rummage" through the files of an anti-Trump protest website – and has ordered the dot-org site's hosting company to protect the identities of its users.

Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a high-profile back and forth between the site's hosting biz DreamHost and prosecutors over what details Uncle Sam was entitled to with respect to the disruptj20.org website.

The site was used to organize public protests and demonstrations against the telly-celeb-turned-president on his inauguration day in January. A week later, following rioting and property damage, DreamHost received a grand jury subpoena demanding it hand over details of those who had created profile pages on the dot-org and any contact and payment details related to them – an order the company complied with.

Six months later, however, DreamHost received another request from the DoJ: a search request for all contact information, email content, photos, and all of the 1.3 million IP addresses of anyone who merely visited the protest website. That's a lot of people suddenly under suspicion, simply for visiting a website.

DreamHost went public with its concerns and told The Register the request was "unlike anything we've seen before in 20 years of web hosting." It refused to hand the details over, sparking a motion to compel from Uncle Sam's lawyers, which DreamHost refused.

Chief Judge Morin listened to both sides of the arguments – DreamHost claiming the demand broke the First and Fourth Amendments and was tantamount to political persecution, and the DoJ claiming it needed the information to continue its investigation into criminal acts – and decided in August that DreamHost must hand over the information, but with important caveats.

Minimization

First, the DoJ was told to narrowed its search warrant to include only registered users of the website. And second, the judge introduced a "minimization plan" in which the government had to name the investigators that will have access to the data, and list the methods they will use. In addition, the court said it will oversee the search, and the DoJ must justify why it believes the information provided is "responsive to" the warrant, i.e. directly relevant to their criminal investigation.

Judge orders handover of Trump protest website records – DreamHost claims victory READ MORE

The DoJ would not be allowed to share the information with any other government agency and the court will seal any information that it decides is "not responsive," meaning that to access it the government will need to get a court order.

This week, Judge Morin issued his final order on the matter – and it has fallen down more on the side of individual users.

"As previously observed, courts around the country have acknowledged that, in searches for electronically stored information, evidence of criminal activity will likely be intermingled with communications and other records not within the scope of the search warrant," he noted in his ruling.

"Because of the potential breadth of the government's review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities."

Steps

The order then lists a series of protocols designed to protect netizens "to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons."

The DoJ will have to tell the court precisely what it will search for in disruptj20.org's files – rather than just asking for it all – and must gain court approval before obtaining that data. DreamHost will then carry out that search and send the result – with individual users' personally identifying details, such as names and email addresses, redacted – to the DoJ, which will have to file a second request to the court stating which records it wants to retain along with an explanation for how they are relevant to its criminal probe.

The DoJ will also have to justify any requests to have that user information un-redacted, and the court will decide whether to grant that request based on whether there is evidence of criminal activity using the legal standard of probable cause.

Therefore, it appears, prosecutors can, say, ask for comments posted on the site mentioning smashed windows, and get a dump of matching comments with any identifying information redacted. Next, the DoJ has to specify which parts it wants un-redacted, and the court has to agree before any more data is disclosed.

In essence, it is a very strong judgment in favor of user privacy, and DreamHost was, unsurprisingly, pleased with the result.

DreamHost general counsel Christopher Ghazarian said the company was "happy to see significant changes that will protect the constitutional rights of innocent internet users," and applauded the judge for acknowledge people's rights. "This is another huge win not just for DreamHost, but for internet users around the world," Ghazarian said.

The DoJ has not commented on the order. ®