The social media platform Gab, which for years has been scrutinized for its role in permitting the spread of hate speech, could find its ability to evade European investigations coming to an end. Right Wing Watch has discovered that despite Gab’s claims that it is a U.S. company that is not able to cooperate with European law enforcement, it appears likely that at least some of the website’s data is stored or is passing through servers physically located in the Netherlands. And under proposed changes in European Union law, that physical location of the servers may make all the difference. Gab users’ basic data may be more susceptible to European law enforcement inquiries if proposed rule changes are passed.

The potential change in European law could have enormous consequences for Gab, dealing a serious blow to its attractiveness to extremist users abroad seeking a consequence-free outlet for posting incendiary and violent speech. Meanwhile, it turns out that another Gab defense against disclosure – its longtime claim that U.S. law prevents it from sharing certain user information – is also faulty. Experts who spoke to Right Wing Watch made it clear that under current U.S. law, Gab has largely been able to decide whether it cooperates with requests for basic user information that it receives from foreign law enforcement agencies, but that it is hardly prohibited from doing so.

Right Wing Watch determined the possibility of Gab data passing through the Netherlands by examining an automated email new Gab users receive that prompts them to verify the email address they used to register in order to activate their account. An inspection of the header code on the account activation email showed that Gab was employing the email delivery service Mailgun. (After Right Wing Watch inquired with Mailgun for this story, the company terminated Gab’s account.)

A domain search of Gab’s public-facing website displays an IP address owned by Cloudflare and a domain registered by the tech company Epik, which effectively obscures the exact location of Gab’s home on the web in order to protect it from would-be attackers. But in the header of the automated email used for Gab account creation, the IP address that was displayed as Gab plugging input to Mailgun is part of an IP address range owned by Sibyl and registered in the Netherlands. It is currently unknown what Gab data may pass through or is potentially stored in the Netherlands, only that it appears likely that such is happening, especially given Gab’s close relation to Sibyl. Multiple tech industry contacts reviewed Right Wing Watch’s methodology and concurred that our findings could indicate Gab information was passing through infrastructure in the EU.

Sibyl is owned by Epik, which is owned by Rob Monster, who has acted as one of Gab’s few remaining online allies after Gab was booted from a handful of hosting services and payment processors following the ​massacre at the Tree of Life ​synagogue in Pittsburgh.

Lilac Kapul, a former employee of Sibyl, told Right Wing Watch that Gab’s back-end servers, where data is stored, are spread across several European countries, including the Netherlands, which belongs to the European Union. Kapul told the Southern Poverty Law Center in February that Gab “is using three servers that handle the website and two servers that act as an entry point to the site.” If Gab is in fact passing user information through the Netherlands, it appears the proposed legislation would grant EU member countries such as Germany and the U.K. would have more opportunities to obtain that subscriber data.

Extremism and Evasion

Created in 2016 by CEO Andrew Torba, Gab sought to become a “free speech” social media site​ after mainstream platforms came under pressure to enforce their terms of service with regard to the posting of hateful messages. But under the “free speech” banner, ​Gab became a social-media home to hardcore white supremacists, anti-Semites, and conspiracy theorists​. The site became infamous as a hub of white supremacist organizing and chatter; the man accused of murdering 11 worshipers at a synagogue in Pittsburgh posted messages on Gab about his hatred ​of Jews. Before he began his attack, he posted to Gab, “Screw your optics, I’m going in.”

The Southern Poverty Law Center reported that British authorities sentenced two Gab users in June for using the platform to encourage “an attack on Prince Harry for marrying Meghan Markle, who is of mixed race.” In June, Gab took three days to suspend the account of a man arrested for threatening to kill black people and possessing a firearm. Those threats and calls for violence against Jews and LGBTQ people remained on Gab, untouched by moderators, for months before and for days following his arrest. Groups dedicated to advocating for white supremacist terror are still active on the site.

As a result, Gab has faced scrutiny from the press, government officials, and its peers in the tech industry for its role as an engine in extremist politics, especially as far-right violence has spread across the United States and overseas.

Secrecy Bolstered by Phony Pretext

Late last year, Gab issued a statement on Twitter saying that it had refused foreign governments’ requests for user data, citing the United States’ First Amendment protections and laws about data sharing, and claiming that U.S. laws prohibited it from sharing basic user data with foreign governments. Gab posted information requests it received from Germany, Brazil, and the United Kingdom that it had refused in prior months. Gab cited sections of the U.S. legal code, 18 U.S. Code § 2702 and 18 U.S. Code § 2703, in its refusals to argue that Gab could not fulfill the requests.

Jennifer Daskal, professor of law at American University, told Right Wing Watch that Gab’s claim that U.S. legal statutes prevented it from handing over non-content data such as IP addresses and subscriber information to foreign officials was untrue. The legal statutes Gab cited in its refusals, Daskal explained, do not actually prohibit the site from turning over user data that is non-content data. Under the statutes, Gab is not required to disclose the information, but is also not forbidden from doing so. She explained that foreign governments can use the mutual legal assistance process to work with U.S. officials to compel the disclosure of basic user data that companies refuse to disclose on their own, and that foreign governments could take steps under their own domestic laws to impose fines or other sanctions against companies that refuse to cooperate, according to their own laws.

Peter Swire, professor of law at Georgia Tech and research director for the Cross-Border Data Forum, explained that when it comes to turning over basic subscriber data, there’s no prohibition in U.S. law; basic subscriber information has been regarded by other U.S. companies as permissible to turn over in response to foreign requests. ​However, if Gab had been asked by a foreign government to turn over the contents of a communication—not just the subscriber data—Gab would have a strong argument in refusing to do so without a warrant issued by a U.S. court, Swire said.

U.S.-based companies are forbidden from turning over communications content stored on U.S. soil, but for U.S.-owned communications content housed overseas, disclosure rules remain unclear.

An Evolving Legal Landscape

In 2018, the United States Congress enacted the CLOUD Act, which determined that in instances of U.S. government requests for content in custody or control from within the United States, the physical location of the information is irrelevant to that request. The European Commission has proposed similar rules in order to streamline data requests in cross-border situations, which could open up Gab to increased pressure under law.

According to the Cross-Border Data Forum, the proposed e-evidence rules could allow Internet and Cloud Service providers “to transfer directly the required data to [law enforcement agents] of the State that issues such an order … regardless of the location where the data are stored or where the suspect in a criminal investigation resides.” The Global Public Policy Institute wrote of the regulations earlier this year: “Under the new framework, judicial authorities in one member state would be authorized to issue so-called European Production and Preservation Orders to directly compel a service provider to disclose or preserve electronic evidence for any crime for which the maximum jail sentence is a minimum of three years, ‘irrespective of the place of data storage.’”

Swire said, “The E-Evidence approach in Europe is only a proposal right now, and not the law. If enacted, it would apply to requests from one EU member state to another. So, if Germany then made a request for data in the Netherlands, E-Evidence as currently drafted would apply.”