Monday, March 12, 2012

Subpoenaing Online Records: Why and How to Find an Anony

By Scott E. Chapman, Esq., MBA, CIPP

© Originally published in the COMMUNIQUÉ (November 2011, Vol. 32, No. 11), the official journal of the Clark County Bar Association. All rights reserved. Click HERE for the Article or visit http://www.clarkcountybar.org.


Anonymous Internet Speakers, Not Immortal


By now, it’s likely that most attorneys have figured out that unmasking an anonymous Internet speaker (“Anony”) seems impossible. It’is also just as likely that the list of questions regarding how to reveal an Anony, so they can be pursued for damages or served with an injunction, is still longer than the list of answers.


Pursuant to what is commonly referred to as § 230(c) immunity, Internet service providers, hosts, websites, and other relevant carriers (“ISPs”) are generally exempt from liability for the speech that is posted on their websites, blogs, chatrooms, and even the speech republished through their search engines. The Communications Decency Act (“CDA”) states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1) (2008). In other words, providers of the Internet itself, where anyone can generate all manner of speech, is not a ‘publisher’ of content as traditionally understood by the print media.


So who is liable for the massive amount of false, defamatory and libelous information published on the Internet? The original speaker is, whoever that person or entity may be. Allowing an ISP to be free from any liability as it provides third party speakers the tools to defame and harass at-will likely sounds far-fetched and radical to many experienced lawyers, given the body of law regarding print, radio and televised media. However, to an entire generation of attorneys and other young web surfers this ideology is the norm.


Since § 230(c) was enacted, a whole new body of law had to be interpreted by the courts to deal with this new enigma, the Internet. Generally, publishers and reporters find themselves at the center of libel suits when false information is published. A strong incentive exists for newspapers, magazines, and radio/television to protect their reputation and their ‘sources’. ‘Sources’ have rarely been sued because they could not be identified. The popularized “Deep Throat” from the Watergate scandal can likely attest to the way things “used to be”. ISPs closely resemble their publisher cousin, but an effort to not limit commercial activity on the Internet created ISP § 230(c). There is one great distinction between the print/televised media and the Internet…the Internet Protocol Address (“IP Address”).


The IP Address allows the ISP to identify each individual user on the Internet and log their activity. While an IP Address can be masked and proxy servers used by the Anony, which often involves interstate and international activity, often the un-savvy Anony has no idea that their ISP is keeping track of their activity. More importantly, even to the ‘black hat’ or experienced user, it only takes one login without a proxy server for an experienced expert to capture the legitimate IP Address. Likewise, since § 230(c) grants the ISP immunity there is little incentive for the ISP to protect the identity or Internet activity of the Anony. For obvious reasons, the ability of litigants to get access to the ISP logs has become the center of the legal discussion.


With No Pre-litigation Discovery Available, Sue “John Doe”


It only takes about 3 seconds of legal analysis to recognize that it is impossible to serve a subpoena on a person you can’t identify, but it may take quite a bit longer for you to realize you can sue them. What § 230(c) immunity has created is an enormous need for “John Doe” lawsuits. Since the Federal Rules of Civil Procedure only allow for limited pre-litigation discovery under Rule 27 and since Texas is the single state to have extensive pre-litigation investigatory procedures, the other 49 of us must file “John Doe” lawsuits. While traditionally these lawsuits have been discouraged by the courts, the ease with which anyone on an Internet connection can anonymize themselves and create a path of fraud and destruction has necessitated the courts relaxation and allowance of “John Doe” actions.

Given that Anony’s both post tortious statement on their own websites and websites owned by others, the web address of the tortious activity must be identified as a foundational matter. Once the lawsuit is filed, service needs to occur. The only way to identify and serve an unknown party is through additional investigation.


Identifying the Owner of a Website

Every Anony that gains access to the Internet or has a web address is assigned an IP Address. The IP Address is tied to the ISP, including web addresses/websites and emails. The Internet Corporation for Assigned Names and Numbers (“ICANN”) requires that every web address be owned and tied to a name, address and email. The owner of any web address can allow a “Proxy” to be listed in their stead maintaining the owner’s anonymity. The name, address and email of the Proxy must be public information listed with ICANN for service of process and billing. Thus, by researching ICANN one can find the Proxy/owner of any web address from which tortious activity occurs. However, since the Proxy is created for the exclusive purpose of masking the identity of the true owner, the Proxy will generally not provide the identity of the IP Address owner without a subpoena.


Identifying the Owner of a Statement


The retention of an expert that has the ability to forensically track IP Addresses will be required in identifying the owner of a given statement. A forensic Internet expert will be able to gather valuable information that ties certain web addresses, emails or other identifying information to other statements. Though not simple, once the relevant technical information is gathered connecting the IP Address to the tortious activity, one has the support for the “John Doe” lawsuit.


Securing a Subpoena


Given that we have no specific procedure allowing this type of a subpoena in Nevada, a Petition for Pre-Litigation Subpoenas should be made to the court in order to demonstrate the necessity for issuance of subpoenas prior to discovery. Suggested actions prior to filling the Petition include serving the owner, the Proxy and the ISP of the website a copy of the complaint, drafting request letters to the website owner seeking the identity of the “John Doe” and requesting the same from the ISP. Other scenarios include the “John Doe” appearing and filing a Motion to Dismiss, the “John Doe” appearing to file a Motion to Quash, the ISP appearing to file a Motion to Quash, taking a default against the “John Doe” (in the event you can substantially establish website ownership via a Proxy and adequate service). Often times these activities alone provide the identity needed to uncover an identity.


Once the ISP receives the subpoena, they in turn forward it to the owner or Proxy. The ISP will generally provide the personally identifying information, unless the owner files a Motion to Quash the subpoena. Matching the IP Addresses provided by the forensic expert and the ISP log information gathered via subpoena will allow connection of activity to identity.


Drafting the Complaint in Preparation of a Motion to Quash


In the wake of the “John Doe” lawsuits and the resultant subpoenas, jurisdictions have had to wrestle with various Motions to Quash. In response to promptings from the California Court of Appeals, the California legislature enacted Cal. CCP. Code § 1987.2 drastically changing the “John Doe” subpoena landscape and setting the standard. In a nutshell, § 1987.2 provides that when out of state subpoenas are issued in California “for personally identifying information…for use in an action pending in another state…and that subpoena has been served on any Internet service provider”, if a motion to quash is granted, if the “underlying action arises from the moving party’s exercise of free speech rights on the Internet” and if the subpoenaing party fails to “make a prima facie showing of a cause of action”, the court “shall” award attorney’s fees and costs incurred by the moving party. Since so many ISP’s are located in California, significant compliance with local procedure is necessary.


While there are many cases on point in various jurisdictions relevant to what constitutes “a prima facie showing of a cause of action”, the only way to push the weight of the evidence in one’s favor is to plead the complaint with particularity, naming specific websites, statements, actions, emails, etc. This will provide the additional information necessary when an Anony files a motion to quash the subpoena.


The Identity of the Anony


There is no way getting around the fact that putting an identity to an Anony is complicated, time consuming, expert required and court involved. Many times identity can be discovered through simple investigation. Other times filing a “John Doe” lawsuit will be the only remedy. As the courts continue to amend procedural rules and the common Internet user continues to become more astute, hiding your identity online will continue to be an often litigated topic and the subject of much legal debate.



Scott E. Chapman, Esq., MBA, CIPP is Of Counsel with the Las Vegas office of McCormick Barstow LLP, licensed to practice before all Nevada Courts. He received his Bachelor of the Arts degree (1995) and his Juris Doctor degree (1998) at Brigham Young University, his Master of Business Administration (2002) at the University of Nevada, Las Vegas and is a Certified Information Privacy Professional (2007) practicing in the areas of Internet & Privacy Law, General and Commercial Litigation, Insurance Law and General Corporate matters. He can be reached at scott.chapman@mccormickbarstow.com or (702) 949-1100.

Friday, April 18, 2008

What is Good for the Reader, Is Not Good For the Newspaper

My comments on a recent story (my comments are in BLUE):

Adding its voice to the debate about behavioral targeting, the Newspaper Association of America filed comments with the Federal Trade Commission recently arguing that its proposed privacy standards could infringe on newspapers' First Amendment rights. WHAT??? SO they can now invade our privacy, track our activities in order sell us more news, that we really don't even want, but they are able to HANG ON to their ever-prized "confidential source", even if the guy is a murderer. This is a perfect example of the objective creating the position. Hell with truth and privacy...uh...Mr. Newspaper, I want to know how you get your information if you want to know why I read your information...

The newspaper association argues that ads are a form of speech, and that it has the right to serve them, provided that they are not misleading. Ads displayed to readers based on their online behavior are "not only truthful advertising speech, but advertising speech that meets their interest," the group wrote in its filing. Like I said, they want to know what we want to read, but they won't tell us how they got their information. COME ON, what's fair is fair.

The Newspaper Association of America was one of dozens of groups to weigh in on the FTC's proposed voluntary behavioral advertising standards. It is just standards, it is not like anyone is ever going to police the Newspaper anyway, except for the Cookie Monster, Oh, he is too busy guarding his own Cookie Jar.

The agency issued the guidelines late last year, several weeks after holding a two-day town hall meeting about privacy and online advertising. The FTC held the meeting one year after the Center for Digital Democracy and U.S. Public Interest Research Group helped launch a discussion about behavioral targeting and privacy by filing a complaint seeking a probe of behavioral targeting. Google's merger with DoubleClick also fueled the privacy debates that resulted in the FTC's proposals. Did anyone ever doubt that this merger would create a MASSIVE exploration into beharioral targeting. Sure they won't ever connect the dots and track us like monkey on Chimps of Eden.

The FTC guidelines generally call for companies to allow consumers to opt-out of behavioral advertising, defined by the agency as "the tracking of a consumer's activities online--including the searches the consumer has conducted, the Web pages visited, and the content viewed--in order to deliver advertising targeted to the individual consumer's interests." The long discussed, the long debated and overly disputed "Opt Out". This assumes that we ALL want to be tracked and if we don't, we will tell you to stop tracking us. WHAT IF I HAVE NO IDEA HOW TO TELL TO STOP, STOP, STOP, LEAVE ME ALONE!! Of course, the companies would never build databases if it were an "opt in" system. They might never sell anything and I might never get all the various mail, snail, e-, driveway, whatever...

The agency also proposes that companies obtain users' express consent before using "sensitive" data, including information about health conditions or sexual orientation, for targeted ads. The KEY here is that the FTC is now just proposing some things...well thank you for the proposition, I'm sure they will ALL listen.

Since the FTC released its proposals late last year, a wide swath of marketing organizations, publishers and consumer advocates have taken positions on whether the government should become more involved in regulating the area. Individual Web companies--including AOL, Yahoo, Microsoft and Google--have submitted comments, all stating their preference for continued voluntary self-regulation. Of course, the reality of this situation is that enforcement is very, very difficult. Thus, the industry MUST devise a method for self policing if they want self preservation. Otherwise, it will only take a few more year before the FTC is fully regulating these efforts, not just in CAN-SPAM, either.

Associations like the American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Magazine Publishers of America and Online Publishers Association also oppose any government regulations, arguing that limits on behavioral targeting could hurt online marketers and publishers. Of course they oppose it. I oppose anyone that stops my kids from thinking I'm cool...but really how can I stop that, I'm just not that cool anymore.

The Center for Digital Democracy and the U.S. Public Interest Research Group Friday reiterated their call for regulations requiring companies to obtain users' affirmative consent before monitoring them online and serving them ads. At least some of us have a level head about PRIVACY and know that we must protect it. Those groups also urged new regulations regarding behavioral targeting of users under age 18 and behavioral targeting related to medical or financial information.

This is a very important issue that most legislators completely forget: Sen. Edward Markey (D-Mass.) issued a statement in support of stronger limits on behavioral targeting of children. "Without stronger protections, including a prohibition on collecting data on children's and teens' online activities, young Internet users may become unwitting targets of the 'hidden persuaders' of the digital age," he stated.

THE KEY TO OPEN OUR PRIVATE DOORS (THIS IS HOW THEY DO IT): Many behavioral targeting platforms collect data anonymously, but privacy advocates find such programs troubling for several reasons. For one thing, some marketers can potentially combine the supposedly anonymous clickstream data with other, personally identifiable information, like names or e-mail addresses. In addition, advocates argue that clickstream data alone--especially comprehensive data such as that collected by Internet service providers--can provide clues to people's identities. You see, now they have your information, are they protecting it for you, are they selling it, are they profiting from it, what is being done to protect???

Another important issue is that some consumer advocates argue that behavioral targeting techniques potentially manipulate consumers in a way they are not aware of. The Center for Digital Democracy and U.S. Public Interest Research Group argues that marketers have an obligation to ensure that consumers are "meaningfully informed about the issues." Consumers, they say, "should understand that they are the subjects of evolving and sophisticated targeting platforms."

However, the crazy claim re-enters the argument again and tries to use the Constitution to allow a breach of privacy stating: "Efforts to restrict what newspaper websites publish, and the basis by which editors and advertisers make decisions regarding what to publish, run directly counter to core First Amendment rights, and can amount to a prior restraint," the Newspaper group argued in its comments.

SOOOO, what do you think...Let's Talk.