The subpoena issued by Uber has been revealed to be directed at code repository GitHub.
In the original story, Uber managing counsel of data privacy Katherine Tassi said a “John Doe” lawsuit had been filed so that the company can gather information that may lead to confirmation of the identity of the third party who accessed a database of 50,000 driver details.
In the subpoena, hosted by the Register, Uber attorneys ask GitHub to produce documents, information or objects, or to permit inspection of premises, in a civil action. The attached “Exhibit A” requires GitHub to produce “all records, including but not limited to transactional or other logs, from March 14th 2014 to September 17th 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as well as any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts”.
The subpoena does not request the contents of any communications, but commands GitHub to “produce at the time, date, and place set forth below the following documents, electronically stored information, or objects, and to permit inspection, copying, testing or sampling of the material”.
Craig Young, security researcher at Tripwire, said: “This incident involves some interesting circumstances which could set precedence regarding the repercussion of accessing sensitive information which was mistakenly made publicly accessible.
“Specifically Uber has filed suit against GitHub requesting records of which IPs accessed a certain gist containing a confidential key. Based on the subpoena, it sounds like Uber had a script related to insurance which likely included a private API key. It will be interesting to see if this leads to security researchers being questioned because this Git gist came back in scans for private key data.”