A very nice summary of a recent Ontario case on Norwich orders by Omar Ha-Redeye in Slaw. Within the context of anonymous internet communications (anonymous e-mail accounts, forum postings, etc.), a Norwich order can be used to compel a service provider (such as an ISP, a forum host or e-mail service provider) to provide information on its customer in an attempt to identify the individual who has sent an e-mail or posted a message that has given rise to a claim or potential claim.
The case noted by Omar related to a defamatory e-mail that was sent from an anonymous Gmail account. The person making the claim needed to take a few steps in order to attempt to identify the alleged wrongdoer. First, as it is possible to open a Gmail account without submitting full/accurate personal information, he would have needed to obtain a Norwich order from Google. That order likely would have requested from Google a listing of the IP addresses used to create and/or access the specified Gmail account and the times at which they were used. Once the IP addresses were obtained, it would be easy to identify the ISPs or organizations which were allocated those addresses through a WHOIS or similar enquiry (generally IP address allocations are public information). IP addresses typically are not sufficient to identify a particular individual since most (if not all) of them are allocated to organizations, who then either permit specific computers within their organization to use them on a permanent basis (static IP addresses), or allocate them on a dynamic basis. In the case of most ISPs, they will maintain a pool of IP addresses that are used as their customers switch on their computers and access their accounts, so that the address allocated to any particular customer may vary over time.
Consequently, one the wronged party had obtained the relevant IP addresses and identified the ISPs, he would have needed to file a Norwich order against the ISPs to obtain information regarding the account holders who had used the IP addresses at the indicated times. The ISP’s records would allow them to do this, as ISPs will usually need to validate the identity of their customers when they sign up. The case at hand involved this second step, and the wronged party was successful in having the Norwich order issued against the ISPs.
Norwich orders are very useful devices to help advance claims where a wrongdoer attempts to use the cloak of anonymity to protect him or herself from liability. That being said, technology being what it is, there are limits to what a Norwich order can do. For example, if a wrongdoer used cash-only web-cafes, free anonymous wifi connections or, anonymization proxies, IP spoofing or pirates third party wifi signals or hacks into a third party computer, it may be more difficult to successfully identify the wrongdoer (though even in these cases it may not be impossible). Along similar lines, the defence of a claim by an individual whose information was obtained in such a manner could also assert that, although the account with the ISP was in his or her name, it wasn’t that individual who actually initiated the wrongful communication – e.g. shared ISP connection with others or hacked computer or internet connection. In short, while a Norwich order will provide useful information that will likely lead in the right direction to track down a wrongdoer, ultimately the only information it will provide is the linkage between an IP address used for wrongdoing and the account holder allocated that IP address, and not necessarily the individual committing the wrongdoing.