When Megaupload founder Kim Dotcom launched his new Mega cloud-storage company in January 2013, the company was focused on one key issue – privacy.
Mega encrypts all files uploaded by users, meaning that no one other than the uploader can see what is in those files unless he or she shares their private key with a third party. But while Mega is secure in many respects, users can not expect complete anonymity.
From the start Mega made it clear it would carry communication logs, the IP addresses used by subscribers to access the service, and other personal information.
Nevertheless, although Dotcom is no longer part of the company (his current stance is actually one of hostility), Mega’s commitment to privacy has been maintained by its current operators. Just recently, however, their stance of keeping user information private has been challenged in court.
The case involves a hack on a Kazakhstan government computer system which is said to have taken place in August 2014 but was not unearthed until 2015.
According to the Kazakh authorities the hackers made off with a trove of information including thousands of sensitive documents and emails between the government and advisors in the United States. These were then uploaded and stored on Mega by either the hackers or individuals closely linked to them.
In order to begin tracking the hackers down, in May last year Kazakhstan filed a lawsuit in the United States against 100 unnamed “John Does” seeking an injunction and damages. The EFF became involved in the case after the Kazakhstan government tried to stop Respublika, a site which reports critically on Kazakhstan’s ruling regime, from publishing the leaks.
Subsequently the Southern District of New York sought assistance from authorities in New Zealand in an effort to gain access to the hackers’ personal details. The request was processed by the New Zealand High Court which was asked to order Mega to hand over the information it holds on the supposed hacker(s).
The application was opposed by Mega, who told the Court that handing over the information would undermine the privacy of its users and was not guaranteed to assist in the U.S. hacking case.
However, in a ruling handed down today Mega’s attempt at protecting user privacy was dismissed by the High Court.
“[This] information is neither particularly revealing nor particularly sensitive; it does not, for instance, carry the same degree of confidentiality as an individual’s email or phone records,” wrote Justice Simon Moore.
“Therefore, I am satisfied that the privacy interests in this case should not carry significant weight. I am also satisfied that any potential harm could be mitigated by the imposition of properly worded protection orders”
As a result, Mega will now have to reveal the IP addresses, email addresses, contact and payment details of the users in question. When it does, that information will have to be sent to the New York district court, although Mega will be compensated for its trouble.
Speaking with TorrentFreak, Mega chairman Stephen Hall says that he has concerns about the Kazakhstan Government and the process it has undertaken.
“The Kazakhstan Government has a poor record as documented by international groups (1,2). Mega holds concerns that this is not a mere civil case about seeking damages from a hacker as the only damages that have been mentioned are the costs of the investigation,” Hall says.
“By construing it as a civil case [the Kazakhstan Government] has bypassed the usual discretion that needs to be exercised by a Minister of the NZ Government under the Mutual Assistance in Criminal Matters Act 1992 process.
Furthermore, Hall says that Mega is not convinced that the party who uploaded the content to Mega is the original hacker as no evidence to that end has been provided. Additionally, it appears there has been little effort to take the content down.
“Mega has only received one request to take down any of the material. This request which related to the contents of a Gmail account of an official in the Finance Ministry was implemented immediately,” he explains.
“However, takedown requests were not received for the remaining material, suggesting that finding the hacker was more important than preserving secrecy of the material.”