PyPI, the Python Package Index, began evaluating ways to reduce the amount of identifying information that it stores even before the US Justice Department came asking for data on suspect users.
But now that the code repository has disclosed receiving three subpoenas for data on five users earlier this year, the Python community package registry wants developers to understand that it's working to minimize the user data that it stores.
The goal is not to be unable to respond to lawful requests for information; rather, it's to store only the minimum amount of data necessary so as not to expose users to unnecessary privacy intrusion.
Coincidentally, data minimization may prevent organizations from becoming a preferred source of on-demand surveillance: having excessive amounts of information about users invites legal demands, which staff then have to handle.
While data demands from authorities are commonplace among large commercial internet services, like GitHub, we're unaware of previous public reports about subpoenas directed at open source software package registries.