The Python Package Index (PyPI) is a very popular software repository among developers that provides over 450,000 Python packages, primarily hosting them as archives called 'sdlists' or precompiled 'wheels'.
Sadly, a platform like this attracts unwanted attention from time to time, and the recent move by the US Department of Justice might be related to the same (hopefully).
What's Happening: The Python Software Foundation (PSF) received three subpoenas issued by the US Department of Justice for forking over PyPI user data.
These subpoenas were related to five PyPI usernames, with the data request 📊 consisting of the following:
- “Names (including subscriber names, user names, and screen names);”
- “Addresses (including mailing, residential addresses, business addresses, and email addresses);”
- “Connection records;”
- “Records of session times and durations, and the temporarily assigned network address (such as Internet Protocol addresses) associated with those sessions;”
- “Length of service (including start date) and type of services utilized;”
- “Telephone or instrument numbers (including the registration Internet Protocol address);”
- “Means and source of payment of any such services (including any credit card or bank account number) and billing records;”
- “Records of all Python Package Index (PyPI) packages uploaded by...” given usernames
- “IP download logs of any Python Package Index (PyPI) packages uploaded by...” given usernames
Yep, that is a very long list of user data demands by the Department of Justice.
As the PSF is governed by the laws of the United States, they had to comply with it after they had a chat with their legal counsel and determined that no other course of action was viable.
However, this may not be entirely, considering the government is trying to catch the malicious actors 🐱💻 responsible for infecting PyPI and potentially affecting innocent users without them knowing.
On the other hand, it can be a bit of a concern when handing over users' data to the government.
What Now: Well, nothing needs to be done on your end as a user. But, PyPI and PSF will be revisiting their current data and privacy practices to further enhance their users' freedom, security, and privacy.
Of course, it is tough to fight against a subpoena. So, complying access to a handful of users could have been the right course of action instead of putting the entire organization at risk.
Now they will develop new data retention and disclosure policies to handle future government data requests. Those will also govern how and for what duration the users' personally identifiable information will be stored in their systems.
This shouldn't be much of an issue for most users; the information they demanded would most likely be used to identify malicious actors involved in shady stuff.
Still, if you want to dive deeper into what data was given and how PyPI is trying to be transparent about it, you can go through their blog post to know more.
💬 What do you think about the Python Software Foundation complying with the subpoenas? Share your thoughts.