The FBI portrayed yesterday’s action against a ring of fraudsters pushing “scareware” anti-virus software as a major international action to fight cyber-crime. But the seizure of “more than 40 computers, servers and bank accounts” apparently included some serious collateral damage. Instapaper is one of at least three companies whose data was grabbed by the FBI, simply because the company had the misfortune to use the same web-hosting servers as the bad guys.
In addition to Instapaper, the raid took down sites owned by Curbed Network, a New York digital publisher, according to a report in the NYT. Also down was Pinboard, a bookmarking service, although most Pinboard services are now back up.
The owner of DigitalOne, the web-hosting company that owned the servers, told the NYT that the F.B.I. was only interested in one of his clients but took servers used by “tens of clients.”
He’s not the only one complaining, either.
“So the FBI now has illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase, and as far as I know, this is completely out of my control,” wrote Instapaper founder Marco Arment in a blog post published today. “Due to the police culture in the United States, especially at the federal level, I don’t expect to ever get an explanation for this, have the server or its data returned, or be reimbursed for the damage they have illegally caused.”
For those concerned about online privacy, the potentially disturbing part is that the FBI now has an unencrypted copy of Instapaper’s complete list of users and their bookmarks. (User passwords were also on the server, but were encrypted.) It’s a sobering reminder that data stored in the cloud can quickly end up in places one doesn’t expect it to.
The stated goal of the raid was to knock out purveyors of “scareware,” a type of virus that infects consumers’ computers and continually sends out warnings that they’ve been infected with a virus. It only goes away when the victims pay up to $129 for fake “anti-virus” software. More than 960,000 users were hit by the scareware. In addition to the raids, indictments were issued against two Latvian nationals, and Latvian authorities seized five different bank accounts used to funnel profits from the scheme.