Hacker News | _2rxu's comments

We are the founders of Kodex (https://www.kodex.us). Kodex makes it easy for companies to process and respond to subpoenas from governments around the world.

Government agencies subpoena user data from thousands of companies around the world, and companies largely rely on email, fax, and spreadsheets to manage them. At a previous job, we would frequently see companies struggle to comply with legal orders, because they lacked the internal resources or expertise to automate the process of working with government agencies. Even multi-billion dollar companies had this problem. At scale, it is enormously burdensome.

Somewhat surprisingly, companies have all independently learned to comply with these requests in almost the exact same way. Regular ticketing systems don't work for this, so companies have adopted a web of Zendesk tickets, spreadsheets, and emails just to manage the intake of requests. To respond to requests, they typically send unsecured emails. The fact that this inefficient and insecure setup is so common suggests that these companies' needs can be met with one product, rather than custom solutions for each company.

Kodex automates the entire process of parsing, analyzing, and responding to subpoenas by providing companies with their own online Government Request Portal. It is similar to the Law Enforcement Portal that Facebook made for themselves, but it is a resource for every other company to use.

I think most people who haven't lived this problem assume it is only an issue for big tech, when in reality big tech are the only ones who can afford to build their own internal tools to alleviate their pain. If any of you have felt this pain, we'd love to speak with you! And your comments and questions are welcome.


I think this is really great. Do you have a public transparency report feature on the roadmap?


We do already offer company-specific transparency reports, so they can analyze the threats on their platform and the agencies investigating them! We have also been thinking more generically about offering a public transparency report that doesn't give away any customer-specific details.

Love to know your thoughts!


Congrats on the launch.

What's the hardest thing you have found getting Kodex to this point?

How many government bodies are you connected to? Can you use your platform even if they do not use it?

Do you use a subscription pricing model?


Great questions! The hardest part was probably getting our initial customer. This is inherently sensitive company info, and getting the initial social proof & trust from a big name opened a lot of doors for others to trust us.

We have about 60 agencies verified with us so far. What's interesting about this problem is that the company dictates how government agencies contact them. As a result, the moment our customers adopt Kodex, they automatically pull in any government agency that wants to contact them. We have new government agents signing up every day to send our customers requests.

We do use an annual subscription pricing model.

Happy to connect offline!


> As a result, the moment our customers adopt Kodex, they automatically pull in any government agency that wants to contact them.

Am I reading this right: agencies aren't reaching out to companies because it's kinda hard to because every company has their own process? Or at least, agencies are slowed down by this fact? So, couldn't adopting your product be seen as a bad thing? If a company prefers noncompliance to government agencies (legal noncompliance through explainable bureaucratic friction), and the lack of a product like yours allows for friction to slow down both the government sending, and companies responding to, for example FBI requests, that sounds like an ideal state for some companies.

Say for example if I manage a wiki, forum, library etc for protest movements, I would be motivated to make it as hard as possible for the FBI to investigate some of my users that the FBI has improperly identified with the unjust "Black Identity Extremist" [1] label. I mean, obviously I wouldn't become a customer of yours, but if other companies also don't become your customer, the FBI has less resources writ large to deal with my organization manually. Therefore, in general, it's helpful for everyone to avoid helping the FBI do their job more easily, right?

[1] https://www.aclu.org/issues/racial-justice/protectblackdisse...


Thanks for the comment!

I see what you're saying, but I think there is a fundamental misunderstanding - Kodex was made to make things easy for the company, not the government. Agencies are never deterred from reaching out to companies because it's "kinda hard," nor because it's different for each company. It actually doesn't even slow them down - data requests are already growing ~25% YOY. Govt agencies get more and more resources to serve subpoenas, but companies are left to fend for themselves with an ever-increasing volume. The moment a company receives a subpoena, the company is now legally obligated to respond in one way or another. The nuance is that you don't necessarily have to comply and provide data - the company can push back on the legality of the subpoena, but it will still need to be addressed one way or another.

Sure, you can certainly choose noncompliance through bureaucratic friction but that doesn't eliminate your problem as a company, that actually only makes it more burdensome for your company. At some point you still have to address the subpoena.

When a company does not have an intake method for these types of legal inquiries, it only makes it harder on the company...not the agency. The agency will just send the inquiry to any publicly known address, email, etc. In one way or another, if they want to send you a subpoena, they will...aka making the process hard does not prevent them from reaching out to your company, it only makes it hard on your company.

I think a perfect example is Facebook. They built their own Law Enforcement Portal because 1. there was nothing like Kodex that they could buy, and 2. They understood that making the process easier for themselves greatly helped their company with cost of compliance, protecting user privacy, and pushing back on overly broad requests. Did the Facebook LE Portal make it easier for agencies to send them subpoenas? Sure. But it's not as if agencies wouldn't still be sending just as many subpoenas to Facebook if they hadn't built their LE portal...Facebook would still be getting them, it would just be that much harder for Facebook to manage them.

In regards to your example, I understand wanting to do your part to stand up to government overreach. The government is not infallible - they've been on the wrong side of history more than once.

I think the answer to standing up for these issues is not to create more friction, but instead to facilitate a streamlined process of engaging with government agencies - so you (as a company) can more easily push back on the legality of a subpoena that you don't agree with, and also more easily assist in the very real instances of identifying victims, or subjects, that end up saving a life.

I think this subpoena process has become so sloppy and overwhelming that it is easy to forget that there are victims at the end of this transaction.

If there are subpoenas sent to you regarding a user on your wiki, wouldn't you want to have a clear understanding of what the government is looking at, and why? What threats are on your wiki? Wouldn't you want to easily be able to prioritize a case involving child exploitation, or self-harm, and help protect those users, while also having a better avenue to push back on requests you find to be unjust?

There is a lot that can be fixed in government. This process is one of them. The goal is not to "help the government do their job more easily"... making the process easier for the company, forces the government to do their job BETTER, and helps society move forward.


A relief to receive a response like this, thank you for taking the time to write it up! Sometimes I feel like the technology sector moves quickly without taking the time to consider the ethical implications of developing technology, and it seems to me that you have taken that time and have a good ethical basis for your business.

Best of luck!


> the company dictates how government agencies contact them

What mechanism governs this? Are you standing in as their registered agent? Politely asking agencies to follow your process and finding that they tend to be willing to do so? Something else?


Companies provide points of contact for these types of legal process to be served on them - it is akin to the registered agent process. Govt agencies do not have the authority to dictate how a company accepts this legal process, only that they comply with the legal order itself. As a result, govt agencies follow the methods of contact that a company provides, whether it's a fax number, email address, mailing address, etc.

Agencies are willing to follow the process that a company lays out because it makes engaging with that company easier. It is not in an agency's interest to make the process difficult (i.e. demanding to use fax machines when a company already has a lawenforcment@company.com email set up).


How big is the market? It seems people who really need this and see it frequently have the resources to build their own and it's otherwise rare enough to not be worth a whole product.


I'm glad you brought that up!

I think that is the most common misconception with this problem, and that is why it has gone so long without a solution. You are correct in that the biggest players (i.e. big tech) are the ones who have the resources to solve their own problems. However, this problem spreads much further and wider than just big tech. There are thousands of companies in the US alone that get these requests (from ISPs, banks, insurance, fintechs, crypto, tech, etc.). "Big tech" typically gets all the focus because of the volume they get (FB gets 300k+ per year). What goes unnoticed is that even at 100+, or 1000+ per year, these requests are very overwhelming for companies to manage. These are also the companies that don't have the internal resources to fix their pain like FB and Google.


To answer your question about the market, there are ~30k companies that are vulnerable to data requests in the US alone. At a $100k price point, that is roughly a $3B market.


Love this! Needed this at the last company I worked at. Was always surprised how manual and generally not secure the whole process seemed to me.


Thanks! So surprising how hard it is for companies to handle these requests. Love to learn more about your experience with it!


Keeping this company in my library of SaaS's to use.


Great way of looking at it - good to have on deck even if you haven't yet gotten a data request, because you never know when the "flood gates" might open and bog your company down.

