Here's the siterunner's statement:
Alright, things seem to have settled down (it's been over two weeks and a subpoena has not actually arrived), and I finally have some time to type this up, so here you go. I'm not going to give specific details.
I want to preface this by saying that I started this as a fun project to be able to play online with my friends, and never expected or wanted it to explode in popularity like it has. I kept running the servers, paying the costs out of my own pocket to comply with Cards Against Humanity's CC-BY-NC-SA license, because it was still fun to do so. It is no longer fun for me to run these servers. I still haven't decided if I'm going to bring them back with changes or not.
tl;dr: Somebody made a threat that investigators determined was credible, I provided them with what log files I had, and I don't have the time or money to risk having to deal with this again.
On Wednesday, July 18, I was contacted via email by a local police department in Canada. I verified the authenticity of the email itself (`spf=pass (google.com: domain of REDACTED@police.REDACTED.ca designates REDACTED as permitted sender)`), and then looked into the contents. The short version is they received a tip from Interpol about something that had happened a few days prior, and provided the date, server name, user name (which included the phrase "school shooter"), and the message itself (which was presented in a way that made it look like a chat message, and was "Shooting up <name of a specific school in the police department's jurisdiction>"). They wanted to know if a subpoena would be required. I replied that since the email headers checked out, I would directly supply them with that user's IP address (which did turn out to be in the same area), the times during which that user was connected, and the type of device that they appeared to be connecting from, and informed them that I do not keep chat logs so I could not confirm if such a message was sent. I also copied the log files so they would not get automatically deleted in case further analysis would be required. I have not heard back from the police department.
Several hours later, I received a missed phone call from the FBI's New York Field Office's outgoing number at roughly the same time as I received an email from an FBI agent. The authenticity of this email was also verified (`dkim=pass header.i=@fbi.gov header.s=cjis header.b=REDACTED;` and `spf=pass (google.com: domain of REDACTED@fbi.gov designates REDACTED as permitted sender)`). They provided roughly the same information, except that it was a card, not a chat message, and wanted to know where to send a subpoena for any relevant information. I supplied my address, but offered to send the information without one (as I would have to obtain a lawyer to handle a subpoena), and informed them that I was contacted by the local police earlier in the day. I did not supply any log information. I have not heard back from the FBI.
I have not heard anything further from any law enforcement, nor did I provide other information. However, I did do some of this research before replying to the FBI. Knowing that it was a card I was looking for, I was able to find the round in the permalink database. I was able to correlate timestamps to determine that it was in fact played by the user in question (which is something I didn't want to be able to do when I designed it, so that's really a bug). I was also able to determine other users from the same IP address, and that the user in question had played the game from the same device on at least two previous occasions. This is all more information than I'd like to be able to determine, so I'm going to disable server log files completely if I re-enable my servers (permalinks will continue to be generated, as those data are anonymized sufficiently; the issue was being able to correlate timestamps with the server logs).
After having been contacted by the police department, I was debating what I would do in response, but after being contacted by the FBI, I decided that it wasn't worth risking having to spend time and potentially money having to deal with this again in the future, so I immediately stopped the servers.
On that Friday, I was made aware of a Reddit post. I'm not going to link it, or give to many details about it, but based on the information in the post I was able to determine that it was posted by the person who tipped off the FBI. I want to make it PERFECTLY CLEAR that this person did the right thing: A fill-in-the-blank card mentioning a specific school played by a user with that kind of user name can very easily be interpreted as a threat, and clearly the police and FBI thought it was credible enough to contact me. If you want to be angry with somebody, be angry with the person who played the card. I communicated privately with this person and got a few more details.
So, now what? I don't know. If I start my servers up again, there will be no chat (not even game chat) and no fill-in-the-blank cards. User-generated content is too risky now. I see no reason to disable Cardcast support at this time, since those still need generated before the game, but if that ends up causing a problem too then it'll get turned off as well. We're looking at next weekend at the earliest.
Everybody's free to run their own server: The source code is at https://github.com/ajanata/PretendYoureXyzzy. I want to try to hack up a quick server registry so the server list page can show other people's servers as well, but that will definitely take a couple weeks. In the mean time, if you have a server running and after reading all of this you still wish it to be a public server, I can manually add it to the server list page. Tweet at @_PYX_ with a link and the desired server name, and I'll update it ASAP (within 24 hours). I also wouldn't mind letting other people use my metrics/permalink infrastructure, but that requires much more work to get set up and I'm not going to make official offers on that for a couple weeks at least.
I apologize for the sudden shutdown of the servers, but this is not something I want to have to deal with again. I also apologize for taking so long to get this information out there, but I wanted to make sure that everything was resolved, and I didn't really have any free time anyway.
And as one last thing: There is nothing legally preventing me from turning the servers back on in the state they were in previously. I just don't want to do so.
