Legal Requests of User Data
Are you a law enforcement officer conducting an investigation that may involve user content hosted on HASH? Or maybe you're a privacy-conscious person who would like to know what information we share with law enforcement and under what circumstances. Either way, you're on the right page.
In these guidelines, we provide a little background about what HASH is, the types of data we have, and the conditions under which we will disclose private user information. Before we get into the details, however, here are a few important details you may want to know:
→
We will notify affected users about any requests for their account information, unless prohibited from doing so by law or court order.→
We will not disclose location-tracking data, such as IP address logs, without a valid court order or search warrant.→
We will not disclose any private user content, including the contents of private repositories, without a valid search warrant.
About these guidelines
Our users trust us with their data, software projects and code—often some of their most valuable business or personal assets. Maintaining that trust is essential to us, which means keeping user data safe, secure, and private.
While the overwhelming majority of our users use HASH's services to create new businesses, build new technologies, and for the general betterment of humankind, we recognize that with millions of users spread all over the world, there are bound to be a few bad apples in the bunch. In those cases, we want to help law enforcement serve their legitimate interest in protecting the public.
By providing public guidelines for law enforcement personnel, we hope to strike a balance between the often competing interests of user privacy and justice. We hope these guidelines will help to set expectations on both sides, as well as to add transparency to HASH's internal processes. Our users should know that we value their private information and that we do what we can to protect it. At a minimum, this means only releasing data to third-parties when the appropriate legal requirements have been satisfied. By the same token, we also hope to educate law enforcement professionals about HASH's systems so that they can more efficiently tailor their data requests and target just that information needed to conduct their investigation.
HASH terminology
Before asking us to disclose data, it may be useful to understand how our system is implemented. HASH hosts a wide variety of projects, in a variety of different ways, including Git repositories. Projects on HASH, which may be public or private, are most commonly used for software development projects, but are also often used to work on content of all kinds.
→
Users — Users are represented in our system as personal HASH accounts. Each user has a personal profile, and can own multiple projects. Users can create or be invited to join organizations or to collaborate on another user's project.→
Collaborators — A collaborator is a user with read and write access to a project who has been invited to contribute by the project owner.→
Organizations — Organizations can contain one or more users, and they typically mirror real-world organizations, such as businesses or projects. They are administered by users and can contain both projects and teams of users.→
Accounts — Every user and organization corresponds to a unique account. Projects and data can be stored within and 'owned by' an account, sometimes also called a 'namespace' or a 'workspace'.→
Projects — The term project can be used to describe one or more entities, types, blocks, services, or other HASH listings. A project may contain one or more files (including documentation), as well as revision history and other metadata. Projects can have multiple collaborators and, at its administrators' discretion, may be publicly viewable or not.
User data on HASH
Here is a non-exhaustive list of the kinds of data we maintain about users and projects on HASH.
Public account data
There is a variety of information publicly available on HASH about users and their repositories.
Account profiles (including user profiles and organization profiles) can be found at a URL such as https://hash.ai/@username
. They display information about when the user created their account as well their public activity on HASH and social interactions.
All public profiles display:
→
Username (or "handle") by which an account can be uniquely addressed→
A user's display name (or "preferred name")→
The other HASH accounts the user follows→
The users that follow them
Public user profiles can also include additional information that a user may have chosen to share publicly. This may include:
→
A user's real name→
An avatar→
An affiliated company→
Their location→
A public email address→
A user's personal web page→
Organizations to which the user is a member (depending on either the organizations' or the users' preferences)→
Badges or awards the user has received
Private account data
HASH also collects and maintains certain private information about users as outlined in our Privacy Statement. This may include:
→
Private email addresses→
Payment details→
Security access logs→
Data about interactions with private repositories
Organization account data
Information about organizations, their administrative users and repositories is publicly available on HASH.
Organization profiles can be found at a URL such as https://hash.ai/@organization
. All organization profiles display:
→
The organization name→
The repositories that the owners have starred→
All HASH users that are owners of the organization
Public organization profiles can also include additional information that the owners have chosen to share publicly. This may include:
→
An avatar→
An affiliated company→
Their location→
Associated accounts, including users who are members→
Collaborators
Public repository data
You can browse almost any public repository to get a sense for the information that HASH collects and maintains about projects. This can include:
→
The code or data itself→
Previous versions of the code or data→
Stable release versions of the project→
Information about collaborators, contributors and project members→
Logs of write/update operations, including branching, forking, cloning and extension of a project→
Conversations related to projects→
User-created project documentation→
Statistics and graphs showing contributions to the project and the network of contributors
Private repository data
HASH collects and maintains the same type of data for private repositories that can be seen for public repositories, except only specifically invited users may access private repository data.
Other data
Additionally, HASH collects analytics data such as page visits and information occasionally volunteered by our users (such as communications with our support team, survey information and/or site registrations).
We will notify any affected account owners
It is our policy to notify users about any pending requests regarding their accounts or repositories, unless we are prohibited by law or court order from doing so. Before disclosing user information, we will make a reasonable effort to notify any affected account owner(s) by sending a message to their verified email address providing them with a copy of the subpoena, court order, or warrant so that they can have an opportunity to challenge the legal process if they wish. In (rare) exigent circumstances, we may delay notification if we determine delay is necessary to prevent death or serious harm or due to an ongoing investigation.
Disclosure of non-public information
It is our policy to disclose non-public user information in connection with a civil or criminal investigation only with user consent or upon receipt of a valid subpoena, civil investigative demand, court order, search warrant, or other similar valid legal process. In certain exigent circumstances (see below), we also may share limited information but only corresponding to the nature of the circumstances, and would require legal process for anything beyond that. HASH reserves the right to object to any requests for non-public information. Where HASH agrees to produce non-public information in response to a lawful request, we will conduct a reasonable search for the requested information. Here are the kinds of information we will agree to produce, depending on the kind of legal process we are served with:
With user consent
HASH will provide private account information, if requested, directly to the user (or an owner, in the case of an organization account), or to a designated third party with the user's written consent once HASH is satisfied that the user has verified his or her identity.
With a subpoena
If served with a valid subpoena, civil investigative demand, or similar legal process issued in connection with an official criminal or civil investigation, we can provide certain non-public account information, which may include:
→
name(s) associated with the account;→
email address(es) associated with the account;→
billing information;→
registration date and termination date;→
IP address, date, and time at the time of account registration; and/or→
IP address(es) used to access the account at a specified time or event relevant to the investigation.
In the case of organization accounts, we can provide the name(s) and email address(es) of the account owner(s) as well as the date and IP address at the time of creation of the organization account. We will not produce information about other members or contributors, if any, to the organization account or any additional information regarding the identified account owner(s) without a follow-up request for those specific users.
Please note that the information available will vary from case to case. Some of the information is optional for users to provide. In other cases, we may not have collected or retained the information.
With a court order or a search warrant
We will not disclose account access logs unless compelled to do so by either:
→
a court order issued under 18 U.S.C. Section 2703(d), upon a showing of specific and articulable facts showing that there are reasonable grounds to believe that the information sought is relevant and material to an ongoing criminal investigation; or→
a search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures, upon a showing of probable cause.
In addition to the non-public account information listed above, we can provide account access logs in response to a court order or search warrant, which may include:
→
any logs which would reveal a user's movements over a period of time;→
account or private repository settings (for example, which users have certain permissions, etc.);→
user- or IP-specific analytic data such as browsing history; and/or→
security access logs other than account creation or for a specific time and date.
Only with a search warrant
We will not disclose the private contents of any account unless compelled to do so under a search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause. In addition to the non-public account information and account access logs mentioned above, we will also provide private account contents in response to a search warrant, which may include:
→
source code or other content in private projects;→
contribution and collaboration records for private projects;→
communications or documentation in private projects;→
any security keys used for authentication or encryption.
Under exigent circumstances
If we receive a request for information under certain exigent circumstances (where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person), we may disclose limited information that we determine necessary to enable law enforcement to address the emergency. For any information beyond that, we would require a subpoena, search warrant, or court order, as described above. For example, we will not disclose contents of private repositories without a search warrant. Before disclosing information, we confirm that the request came from a law enforcement agency, an authority sent an official notice summarizing the emergency, and how the information requested will assist in addressing the emergency.
Cost reimbursement
Under state and federal law, HASH can seek reimbursement for costs associated with compliance with a valid legal demand, such as a subpoena, court order or search warrant. We only charge to recover some costs, and these reimbursements cover only a portion of the costs we actually incur to comply with legal orders.
While we do not charge in emergency situations or in other exigent circumstances, we seek reimbursement for all other legal requests in accordance with the following schedule, unless otherwise required by law:
→
Initial search of up to 25 identifiers: Free→
Production of subscriber information/data for up to 5 accounts: Free→
Production of subscriber information/data for more than 5 accounts: $20 per account→
Secondary searches: $10 per search
Data preservation
We will take steps to preserve account records for up to 90 days upon formal request from U.S. law enforcement in connection with official criminal investigations, and pending the issuance of a court order or other process.
Submitting requests
Please serve requests to:
HASH, Inc.
FAO: HASH Legal Counsel
2109 Broadway Unit 1141
New York, NY 10023 USA
For the fastest response time, email a courtesy copy of your request to legal@hash.ai
Please make your requests as specific and narrow as possible, including the following:
→
full information about authority issuing the request for information;→
the name and badge/ID of the responsible agent;→
an official email address and contact phone number;→
the user, organization, repository name(s) of interest;→
the URLs of any pages, gists or files of interest; and→
the description of the types of records you need.
Please allow at least two weeks for us to be able to look into your request.
Requests from foreign law enforcement
As a United States company based in New York, HASH is not required to provide data to foreign governments in response to legal process issued by foreign authorities. Foreign law enforcement officials wishing to request information from HASH should contact the United States Department of Justice Criminal Division's Office of International Affairs. HASH will promptly respond to requests that are issued via U.S. court by way of a mutual legal assistance treaty (“MLAT”) or letter rogatory.
Questions
Do you have other questions, comments or suggestions? Please contact support.
Create a free
account