On the 25th May 2005 we were requested to eliminate the mailbox croceneraanarchica-at-inventati.org. This injunction was sent to the President of Investici, the association which manages the Autistici/Inventati server. The President forwarded the notification to the technical administrators of the site, and they complied with the judges' demand after talking to their lawyers and having ascertained that they could not possibly counteract that act of censorship.
Following that injunction, being parties to the case, we asked the Bologna Public Prosecution (in charge of the inquiry) to see the documents related to the proceedings we were involved in. Among such documents there were: a report by the ROS (the special corps of the Carabinieri, a police force belonging to the Army) that essentially aimed at fashioning a vision of the "insurrectional anarchic" movement, and a report by the DIGOS (the antiterrorism police) about the inquiry which had also involved the Postal Police operation on our server.
What caught our attention was a part of the DIGOS report in which the Postal Police was said to have examined the traffic of croce nera's newsletter. While doing this, they complained that, in order to confirm their suspicions concerning the people who sent that newsletter, they would have had to decrypt the communications going through the web mailboxes of some of the people under investigation. In the attachments to the DIGOS report it was expressly said that on 06.15.2004, about a year before, the Postal Police had gone to the headquarters of Aruba.it asking them to open the autistici.org/inventati.org server and to extract from it the SSL certificates -- the keys they needed to decode the communication between a particular telephone number and the inventati.org/autistici.org webmail.
Being sure that no one in our association had ever been informed about that incident, we recalled our past communication with Aruba and remembered what the company's technicians had told us during an outage we had suffered on that same 06.15.2004: they said that, incredible as it may be, there was a technical failure due to a problem with the rack power supply.
Around mid-July we received the text of the warrant concerning the Aruba incident as well as all other relevant documents. Having talked with our lawyers and with other legal consultants, we can raise two fundamental points:
- Despite everything, Aruba could and should have opposed the acquisition of our data, while giving us the responsibility of interacting with the police.
- The operation carried out by the Postal Police resembles a real seizure more than a simple data acquisition, and this reinforces the previous point.
Some important legal questions:
- Our server was housed by Aruba, so the computer belonged to us and we were liable for it. If this notion still has a meaning according to the legal code, we should have been informed about those requests and should have had the whole responsibility of reacting to that injunction.
- The operation of the Postal Police at the Aruba webfarm was carried out in such an obscure way that we cannot possibly know what data were actually acquired.
- Even if the police had only extracted the SSL certificates, they were still able to read not only the mailbox under investigation, but any HTTPS communication going through our server, that is, every mail passing through the 4,800 mailboxes and any message sent by the 30,000 people who use the public and private mailing lists hosted by our server every day.