Infringements of copyright or other IP rights, or false accusations which can damage the brand or reputation of a business or individual are sometimes committed anonymously. The offending actions are carried out from an email account or computer terminal whose owner / operator has taken steps to hide his or her identity. What steps can be taken to require an ISP or email account provider to disclose the information that it holds about the account holder?
We have recently been involved in a case involving a well-known and highly respected financial company. The company came under attack from an anonymous email account holder who, having somehow obtained the contact details of the clients of the company, sent a highly defamatory email to these clients making inaccurate and untrue assertions about the company's actions. It goes without saying that the potential damage such emails could do to the company's brand is substantial especially given the importance of confidence and trust in the financial sector.
Steps needed to be taken to prevent the anonymous individual from sending further emails or even going to the press with the false and damaging accusations.
An "anonymous" email is certainly in one sense anonymous, having no signature, but is in fact full of clues as to the identity of the sender. First, it is possible to discover the IP address of the computer from which the email was sent. It is also possible to send what is known as a tracking email which will reveal the IP address of the recipient when he or she opens the email. It is then possible to contact the Internet Service Provider (ISP) who owns the IP address to request that it reveals the identity of the IP address subscriber.
Data Protection legislation prevents unauthorised disclosure of personal data, so the ISP will not usually disclose such information without a court order. Nevertheless, to see if the cost of obtaining a court order can be avoided and to seek to agree the scope of the disclosure that will be needed, it is generally worth writing to the ISP. This has the added advantage in showing the court that the court order is absolutely necessary, and an ISP will not normally oppose such an application.
Second, it is possible to appeal to the email account provider to request from them information as to the account holder's identity. Again, the email provider will usually require a court order. A Court order for disclosure of such information can be requested under the principles laid down in the case of Norwich Pharmacal v Commissioners of Customs & Excise  UKHL 6.
A very recent case from the Supreme Court gives some guidance as to the circumstances in which the court will give such an order for disclosure. The Supreme Court made a ruling on 21 November 2012 in the case of Rugby Football Union v Viagogo Ltd  EWSC. The RFU's terms and conditions stipulate than any resale of tickets above face value will constitute a breach of contract rendering the ticket null and void. The company Viagogo, now in liquidation, provided a website where people were able anonymously to sell event tickets at the going market price - much higher than the face value. In 2010 and 2011 tickets with a face value of £20 to £55 were being advertised for sale at up to £1300.
The RFU's legal advisers wrote to Viagogo requesting information about the identity of those involved in the sale and purchase of the tickets. This was refused. The RFU then issued proceedings seeking disclosure under the Norwich Pharmacal principles.
Disclosure was ordered in the first instance but Viagogo appealed and eventually the Supreme Court was asked to conduct a balancing exercise between an interference with Article 8 of the Charter of Fundamental Rights of the European Union (which guarantees the protection of personal data) and the likely benefit to RFU from the disclosure requested. In other words, the test for the court will be whether the request for disclosure is proportionate to the harm being suffered.
The Supreme Court found that the benefit from disclosure is not just that it will enable the RFU to take action against individual wrongdoers but that it will also discourage others in the future. In light of this, the Supreme Court held that in the facts of this case disclosure was proportionate. The case sets out a non-exhaustive list of 10 factors that a court may take into account in deciding whether or not to make an order. The evidence that needs to be served in support of any application should address the factors that are relevant to the particular circumstances and show that the order which is requested is indeed necessary and proportionate when balanced against the Article 8 privacy rights of the individual whose private information is being sought.
Of course, the results of disclosure may not be clear cut. Disclosure may not reveal the actual identity of the anonymous individual but it should provide information which takes the investigation one step closer. The ISP or email account provider may disclose billing information, access logs, other emails and contacts. It might reveal that the IP address is that of an Internet Café. The location of the particular Internet café may be significant, or it may be possible to visit the Internet Café and look through their CCTV images at the time that the offending emails were sent.
It is clear that nothing done on the internet can be truly anonymous and steps, like those taken above, can help to track the identity of those attacking the reputation of brands and companies over the internet. However it is also important to recognise that anyone who seeks disclosure through a court order will need to produce evidence to show that the requested disclosure is proportionate to the facts of the case.