Does MXRoute have any intention of publishing a transparency report consisting of intelligence agency requests, law enforcement warrants, patched security vulnerabilities, etc.?
Would be nice to see with other mailbox providers like mailbox.org moving to publish transparency reports.
We’re probably still a little small for that. Though we’ve grown exponentially, we’ve never received a law enforcement request. I would intend post about changes related to vulnerability concerns on Twitter. If no change is necessary and it seems a significant concern, I may just post about it on Twitter. If no one is asking about it and it’s just a routine software update to address, it may be true that I don’t post about it at all as to me that’s just routine daily admin work.
A software bug led to faulty information, which led me to provide an inaccurate update to this. With the software bug fully identified, I’m replacing it with a new response.
Today we did receive our first contact from law enforcement. They asked for our help in identifying a scammer who has been using our service as home base since 2019. They did not submit a court order at this time.
This contact immediately sparked an internal investigation. I want to be clear that this does not involve reading emails other than one sent to us by law enforcement themselves. The number of things that can be investigated without violating privacy are numerous. Domain registrations, login history, identity of customer at time of order, etc. What we found was that this user signed up with a fake identity to execute a wide variety of scams, our servers playing a key role in many of them.
With only the information provided by law enforcement and public facing resources, we were able to find the real identity of the customer. This allowed us to share vital information with law enforcement about someone who has actively made us party to their crimes, without violating user privacy or requiring a court order.
If a customer is targeted for political reasons, or accused of crimes they didn’t commit to try to gain our sympathy, we would not fold and would fight to protect our customers. However, when we can verify with our own eyes that our customer is a scam artist, we’re more than happy to lend a hand to law enforcement as subject matter experts. That doesn’t mean we’ll give up private info without a court order, but what about public info? We’re good at finding that too.
The bottom line is that if you don’t cross us, we don’t cross you. Making us a party to financial scams where you take investment money from people and then disappear, that isn’t going to make a friend out of us.
There are plenty of ways for us to help catch scammers without violating privacy, they don’t even have to be customers of our service. Good old fashioned digging on the internet is great fun, and a purpose makes it even more fun.