PyPI, which manages Python packages, reveals that it has disclosed user data to the US Department of Justice



The Python Software Foundation (PSF), which operates the Python Package Index (PyPI), a platform for uploading Python packages, has revealed that it was served three subpoenas by the U.S. Department of Justice in March and April 2023 requesting user data. In total, the PSF said the subpoenas requested data on five PyPI users, and that it was not briefed on the legal circumstances behind them.

PyPI was subpoenaed - The Python Package Index
https://blog.pypi.org/posts/2023-05-24-pypi-was-subpoenaed/



PyPI is a platform for uploading Python packages, and packages registered on PyPI can be installed with the 'pip install' command. Registering a package on PyPI requires a user account, and it is information about these user accounts that the Department of Justice subpoenaed. However, PyPI was not told why the Department of Justice was requesting the user data.

According to the PSF, some of the data requested by the Department of Justice is data that the PSF does not hold, and the PSF was reluctant to disclose user data from a privacy standpoint. Nevertheless, it has made clear that it complied and provided the data it does hold.



The user data requested by the Department of Justice and the data provided by PyPI are as follows.

1: Names
The PyPI database has a username field in which a name is registered. A user can change their display name, but PyPI does not keep a history of display name changes.

2: Addresses
Because PyPI does not require a mailing or residential address to be registered and stores only users' email addresses, only email addresses were provided to the Department of Justice.

3: Access records
PyPI records all changes to projects in the index. These are stored in a database and published via the XMLRPC API, with the exception of usernames and IP addresses. In addition, records of user events such as account creation, emails sent, email address changes, logins and failed logins are also kept and can be retrieved from the database.

4: Records of session times and durations, network addresses associated with sessions, etc.
PyPI provided session times, that is, the times at which the user logged in, but it does not record the duration of sessions.

5: Length of service and types of service used
For PyPI, this is the date the user account was created and the record of the most recent successful login. These records are stored in a database and are not public information on PyPI.

6: Phone numbers or IP addresses
All IP addresses recorded for each user were shared. These come from database records and are not publicly available on PyPI.

7: Means and sources of payment for the service
PyPI does not charge users, so there are no credit card payment or billing records.

8: Records of Python packages uploaded by the user
A list of all projects associated with each username was provided. These come from database records and are not publicly available on PyPI.

9: IP logs of downloads of Python packages uploaded by the user
PyPI does not keep package download logs that include IP addresses. Download logs are processed through a pipeline that retains only the geolocation (GeoIP) of the IP address as reported by the content delivery network (CDN), and they are available from the Google BigQuery public dataset.
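Anyone can check what the public download logs actually contain. The following BigQuery SQL is an added example (not from the PSF post or this article): the first query lists the columns of the `file_downloads` table in the `bigquery-public-data.pypi` dataset, and the second aggregates downloads of one project by the CDN-reported country code. Running it requires a Google Cloud project with BigQuery enabled; the project name `requests` and the 7-day window are example choices, and the column list in the comment is what the dataset documented at the time of writing.

```sql
-- Added example: inspect the public PyPI download-log schema.
-- Expect fields such as timestamp, country_code, url, project, file.*, details.*,
-- tls_protocol and tls_cipher. There is no client IP column, only the
-- GeoIP-derived country_code described in the PSF post.
SELECT column_name, data_type
FROM `bigquery-public-data.pypi.INFORMATION_SCHEMA.COLUMNS`
WHERE table_name = 'file_downloads'
ORDER BY ordinal_position;

-- Downloads of one project (example: requests) by country over the last 7 days.
-- The table is partitioned by timestamp; the date filter limits the bytes scanned
-- (and therefore the cost) instead of reading the whole multi-terabyte table.
SELECT country_code, COUNT(*) AS downloads
FROM `bigquery-public-data.pypi.file_downloads`
WHERE file.project = 'requests'
  AND DATE(timestamp) BETWEEN DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY) AND CURRENT_DATE()
GROUP BY country_code
ORDER BY downloads DESC
LIMIT 20;
```

The schema query is the useful check here: if a column holding client addresses ever appeared, it would show up in that list, whereas today the most precise origin information available to anyone, including PyPI itself, is the country code.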



'The privacy of PyPI users is of paramount concern to the PSF and the PyPI administrators, and we are committed to protecting user data from disclosure whenever possible,' said Ee Durbin, the PSF's Director of Infrastructure. 'In this case, however, on the advice of legal counsel, we determined that providing the requested data was our only course of action. As the PSF's Director of Infrastructure, I fulfilled the request in consultation with legal counsel.'

in Software,   Web Service,   Security, Posted by log1i_yk