on getting subpoena’d for participating in Zotero

So, apparently Thomson Reuters is subpoenaing everyone who has ever committed to Zotero as part of their ongoing lawsuit.

I have not looked closely at the lawsuit itself (relevant looking extracts here; James Grimmelman comments here); my sense is that given the current primacy of contract over common sense they probably have at least some legally valid claims in there, though I think that as a matter of policy it is a horribly bad idea to allow contracts that prohibit reverse engineering of this sort.

A couple quick thoughts, though, on other issues around the subpoenas:

First, it is hard to see this as anything other than pure intimidation; if there really were an issue with the relevant code they could have subpoena’d only the names/identities of those who committed the code. A purely harassing/intimidating subpoena is against the lawyer’s code of ethics, but since we also enforce it ourselves, and since there are (I suppose) thin-but-not-completely implausible arguments that this is for real informational purposes (perhaps, for example, they want to check all inboxes for discussions of the code at issue) the odds of anything happening on this front are slim to none.

Second, the real thing that you should take away here, if you’re a regular computer user, is that if you give your personal data to a third party, you have given up essentially all rights in that data in the face of a subpoena.1  As I’m sure Zotero’s lawyers told them, there is pretty much no way Zotero could have prevented that information from getting out once Thomson Reuters decided they wanted it. Nor does Zotero have to notify you- what Zotero did here (notifying everyone whose information got subpoena’d) is actually purely polite. So bottom line: if someone else has your information, that information is available to anyone with a subpoena (or a warrant), and there is nothing you can do to stop it. That applies to things like committer information, but also your email provider or any other third party who has your data. Keep that in mind next time you give your information out even to ‘trusted’ third parties.

  1. Really, you give up virtually all rights, period, but that is a story for a different blog post. []