norwich orders, part ii (an editorial of sorts)

<rant>

I was a bit surprised to find this article that covered the court orders that had required Google to disclose information on some Gmail users and the subsequent orders in Canada against certain Canadian ISPs, which was the subject of a previous post. The long and short of it is that the author considers Norwich orders to be some sort of grave, grave intrusion on privacy rights and personal liberty. Hence, this dire warning at the end of the article:

No matter how many precautions we take to remain private or cloak our identity, the authorities and other potential litigants usually have little difficulty obtaining this content. And they do it not by nefarious mean like hacking, but through our very own court system.

Internet users everywhere would do well to take heed. Your emails — and maybe even your Google searches — could be one subpoena away from the prying eyes of federal authorities, not to mention private litigants.

Why am I surprised? Because it seems to lack the most basic understanding of the legal system. I won’t get into all the details of the workings of Norwich orders – the original article by Omar Ha-Redeye that I had previously mentioned does a very good job at that, and I would certainly commend it to the author of this article so he may perhaps gain some insight.

The fact of the matter is that no, your privacy rights and right to anonymity have not suddenly disappeared altogether. However, as with all rights there are limitations. Thus, while U.S. citizens have the right to bear arms, they do not have the right to shoot people. If someone were to do that, they should reasonably expect their gun (and likely their liberty) to be taken away. Similarly, if someone uses their right to anonymity in an attempt to commit a crime or harm someone else, they should reasonably expect that right of anonymity to be taken away – at least to the extent it relates to the crime.

Remarkably, the author seems to suggest that the use of “subpoenas” (presumably he meant to refer to the Norwich orders) are almost the equivalent of, say, parking tickets, that the authorities or litigants can simply write up  if and when they choose to stomp on someone’s personal liberties for no good reason. What an unfortunate misperception of the legal system. The very reason why someone must go to the courts to obtain such as order is to ensure that the interests of the parties involved are balanced and safeguarded. If someone seeking the order does not have a reasonable and valid basis for doing so, it is likely that the order would not issue.

Regarding process, he cites Eric Goldman:

“People need to know that very little information that they give or make available to third parties [like Google] is unavailable to the government or private litigants,” says Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law. “I think most people are surprised at how relatively easy it is for the government and private litigants to obtain ‘their’ information.”

I can’t speak to the process in the U.S. or what Mr. Goldman considers to be “relatively easy”. What I can say is that in Canada there is reasonable due process and consideration before such orders are issued. Just to cite one part of Mr. Redeye’s article:

A Norwich order is a pre-action discovery mechanism that is described by Spence J. in Isofoton S.A. v. The Toronto-Dominion Bank,

Requests for Norwich relief are largely unfamiliar to Canadian courts.  A Norwich order essentially compels a third party to provide the applicant with information where the applicant believes it has been wronged and needs the third party’s assistance to determine the circumstances of the wrongdoing and allow the applicant to pursue its legal remedies.

The 5 elements identified in this case for granting such an order include:

(i) Whether the applicant has provided evidence sufficient to raise a valid, bona fide or reasonable claim;
(ii) Whether the applicant has established a relationship with the third party from whom the information is sought such that it establishes that the third party is somehow involved in the acts complained of;
(iii) Whether the third party is the only practicable source of the information available;
(iv) Whether the third party can be indemnified for costs to which the third party may be exposed because of the disclosure, some [authorities] refer to the associated expenses of complying with the orders, while others speak of damages; and
(v) Whether the interests of justice favour the obtaining of disclosure.
[emphasis added]

The privacy interests of the alleged wrongdoer were overcome by the last element, the interests of justice, because of the applicant’s equitable right to information.  Spence J. pointed to Alberta v. Leahy and Bankers Trust Orders (from Bankers Trust Co. v. Shapira) indicating that court orders can override confidential information, even for financial records, and Glaxo-Wellcome PLC v. M.N.R. that the privacy interests of alleged wrongdoers is somewhat diminished.

Perhaps its just me, but this doesn’t sound particularly easy.

Of course, as with most things, the legal system is certainly not perfect, and there may well be instances where abuses might occur, or wrong decisions might be made by the courts where the scales of justice tip a bit. But to point at the sky and say it’s falling because of this case seems to me to be somewhat premature, to say the least.

Or at very least, as far as privacy concerns go, consider focusing more on things like the NSA and TIA than the courts.

</rant>

anonymous e-mailers, forum posters, meet norwich orders

A very nice summary of a recent Ontario case on Norwich orders by Omar Ha-Redeye in Slaw. Within the context of anonymous internet communications (anonymous e-mail accounts, forum postings, etc.), a Norwich order can be used to compel a service provider (such as an ISP, a forum host or e-mail service provider) to provide information on its customer in an attempt to identify the individual who has sent an e-mail or posted a message that has given rise to a claim or potential claim.

The case noted by Omar related to a defamatory e-mail that was sent from an anonymous Gmail account. The person making the claim needed to take a few steps in order to attempt to identify the alleged wrongdoer. First, as it is possible to open a Gmail account without submitting full/accurate personal information, he would have needed to obtain a Norwich order from Google. That order likely would have requested from Google a listing of the IP addresses used to create and/or access the specified Gmail account and the times at which they were used. Once the IP addresses were obtained, it would be easy to identify the ISPs or organizations which were allocated those addresses through a WHOIS or similar enquiry (generally IP address allocations are public information). IP addresses typically are not sufficient to identify a particular individual since most (if not all) of them are allocated to organizations, who then either permit specific computers within their organization to use them on a permanent basis (static IP addresses), or allocate them on a dynamic basis. In the case of most ISPs, they will maintain a pool of IP addresses that are used as their customers switch on their computers and access their accounts, so that the address allocated to any particular customer may vary over time.

Consequently, one the wronged party had obtained the relevant IP addresses and identified the ISPs, he would have needed to file a Norwich order against the ISPs to obtain information regarding the account holders who had used the IP addresses at the indicated times. The ISP’s records would allow them to do this, as ISPs will usually need to validate the identity of their customers when they sign up. The case at hand involved this second step, and the wronged party was successful in having the Norwich order issued against the ISPs.

Norwich orders are very useful devices to help advance claims where a wrongdoer attempts to use the cloak of anonymity to protect him or herself from liability. That being said, technology being what it is, there are limits to what a Norwich order can do. For example, if a wrongdoer used cash-only web-cafes, free anonymous wifi connections or, anonymization proxies, IP spoofing or pirates third party wifi signals or hacks into a third party computer, it may be more difficult to successfully identify the wrongdoer (though even in these cases it may not be impossible). Along similar lines, the defence of a claim by an individual whose information was obtained in such a manner could also assert that, although the account with the ISP was in his or her name, it wasn’t that individual who actually initiated the wrongful communication – e.g. shared ISP connection with others or hacked computer or internet connection. In short, while a Norwich order will provide useful information that will likely lead in the right direction to track down a wrongdoer, ultimately the only information it will provide is the linkage between an IP address used for wrongdoing and the account holder allocated that IP address, and not necessarily the individual committing the wrongdoing.