A court in Auckland ruled Thursday that Mega–a cloud storage and file sharing service launched by Kim Dotcom–needs to provide contract, account, and payment information, as well as IP and email addresses of users implicated in the 2014 leak of Kazakh government documents.
According to New Zealand High Court documents, Kazakhstan claims that in August 2014 government computer systems and email accounts of government employees were hacked. “A substantial number of the Stolen Documents were uploaded on an archived website hosted by a New Zealand registered company, Mega Limited,” the court document states.
Kazakhstan filed a civil suit last year in the United States District Court for the Southern District of New York (SDNY) against unnamed persons–“Does”–because Astana does not know the identity of the hackers.
According to Kazakhstan, Astana only became aware of the leak in 2015 when Respublika, an opposition newspaper, made two initial Facebook posts regarding information from the stolen documents.
As part of its suit in New York, Kazakhstan sought to block Respublika from publishing information from the stolen documents, using a preliminary injunction issued by the court which barred the unnamed “Doe” defendants from further dissemination of the stolen documents. SDNY Judge Edgardo Ramos, however ruled in late October that the injunction did not apply to Respublika because Kazakhstan “does not have sufficient evidence to indicate that Respublika was in any way responsible for the alleged hacking or acted in concert with the hackers.”
The judge cited the first amendment as granting “persons a near absolute right to publish truthful information about matters of public interest that they lawfully acquire” and also a precedent set in a 1979 cased against Britain’s sensationalist tabloid, the Daily Mail, that protects re-publisher of such such information even if they know “that its source had obtained the information illegally.” As Respublika did not publish the documents first–and Kazakhstan cannot yet prove that Respublika is linked to the hackers–it is not legally barred from publishing about the leaks.
But Mega, where a large portion of the more than 70 gigabytes worth of information were first uploaded and shared, may have the information Kazakhstan seeks regarding the identity of the hackers.
In order to ascertain the identity of the hackers responsible, Ramos issued a formal request (a “Motion for Issuance of Letters Rogatory”) to the New Zealand High court for “assistance in obtaining evidence from Mega Limited, a company based in New Zealand.”
Kim Dotcom, a German-Finnish internet mogul and founder of the now-defunct file sharing service Megaupload, is no stranger to legal battles over leaked documents. Dotcom, who made an unsuccessful run for office as the head of the Internet Party (which he founded) in 2014, has been hounded by the U.S. Department of Justice for criminal copyright infringement, money laundering, and wire fraud, among other charges. The U.S. has requested his extradition from New Zealand, which Dotcom is fighting in a case observers say is destined for the New Zealand Supreme Court.
Mega’s defense is rooted in the fact that it provides an encryption and cloud sharing service and does not know the content of files uploaded by users. Mega’s counsel said in court that “because Mega’s model is centered on protecting the privacy interests of its users it will test and challenge attempts to access user personal information held by it.” Mega argued that the subpoena orders were “tantamount to discovery orders.” The judge rejected this, noting that while there was an “‘investigatory flavor’ to the Request” but that it was not the “overarching purpose of the Request.”
The New Zealand High Court’s recent ruling–that Mega needs to turn over user information–followed the denial of a similar request filed by Kazakhstan in California to subpoena user information from Facebook. The judge in the U.S. District Court for the Eastern District of California ruled that the “subpoena issued by Kazakhstan to Facebook is QUASHED,” (Emphasis as exists in original document) but noted that Kazakhstan can refile based on “appropriate authorization from the U.S. District Court for the Southern District of New York.”
The reason the Facebook subpoena was denied is the same as why SDNY Judge Ramos ruled that Respublika was not covered by the injunction: Kazakhstan still does not know the identity of the hackers. The U.S. courts have stymied Kazakhstan’s efforts to broadly use U.S. law, specifically the Computer Fraud and Abuse Act (CFAA), to stop the dissemination of the leaked documents. While the U.S. courts have left the door open for Kazakhstan to pursue the hackers, it has made clear that Astana has to identify them first.
Moreover, as both the New York and California court documents make clear, Mega is most likely to have the information Kazakhstan actually seeks. In his letter requesting New Zealand’s assistance, Judge Ramos wrote “[t]he SDNY is satisfied that Mega has, or is likely to have, within its possession, custody or control, documents that are required to identify the proper defendants for the New York proceedings and that could lead to admissible evidence at trial.”
The New Zealand High Court agrees.