Locating John Doe on the World Wide Web
March 2001

Anonymity -- or apparent anonymity -- is one of the hallmarks of the Internet. Such anonymity can be both a blessing and a curse. It allows political dissidents, for example, to express unpopular viewpoints. But it can also encourage irresponsible, malicious or fraudulent speech. Many companies have found themselves the subject of anonymous Internet criticism that - rightly or wrongly leads to precipitous stock declines. Companies have begun to fight back. This article discusses the phenomenon of “cybersmearing” and some of the steps companies and their on-line critics are taking to protect themselves.

Bad for Business

For businesses, the ability that individuals have to post messages and to “talk” online anonymously can have dramatic effects on the bottom line. Many companies have found themselves the subject of vicious and potentially damaging postings by shareholders (current or potential) and by employees (current or ex). The types of comments posted on company or industry specific bulletin boards sponsored by Internet portals such as Yahoo! or AOL range from speculations about stock price and management conduct to revelations about internal secrets and internal strife. There have even been postings of false press releases and analysts reports.

Investor chat rooms are a primary source of controversy. Everyone, from ten-year-olds to grandmothers, is obsessed with the stock market today, and many individuals spend their time online exclusively discussing particular publicly-traded companies. They exchange information (correct or otherwise), rumors, speculation and strong opinions about a company’s financial performance or of its management and the future prospects for the stock price. This type of discussion is usually harmless in itself and happens all the time whenever individuals congregate. But on the Internet, through services such as Yahoo! Finance or Raging Bull, such discussions can be viewed by thousands or even millions of readers at a time and can translate into immediate catastrophic effects on a company’s bottom line.

For example, in 1998, PhyCor Inc., a company that buys and manages physician practices, saw its stock price drop dramatically and a number of physicians quit as the negative postings on Yahoo!’s PhyCor message board increased. The animosity felt by the posters towards the company was apparent in one posting which read, “i hate what i perceive our association with phyc has done to us ... it is the single biggest career mistake of my adult life.” Late in the year, the company filed a lawsuit in Tennessee against the John Doe posters and was able to subpoena the Internet service provider to turn over the identities of the posters before any of the potential defendants found out.
Another company that suffered heavy losses as a result of misrepresentations and false reports posted by John Does is Titan Corp. of San Diego. Last year, postings declaring the impending doom of Titan’s stock were prevalent on Yahoo! message boards. The result: Titan’s stock dropped half its value in less than two months. The company filed suit on August 30, charging that the posters conspired to depress the stock to pad their own pockets.

Other companies that have filed such “cybersmear’’ lawsuits in the past several years include Medibuy.com, Emulex, Raytheon, Stone & Webster Inc., ProMedCo Management Co., and Computerexpress.com.

Unlike other industries that have been hit hard by John Doe posters, law firms have seemed immune. However, consider a message that was posted on a Vault.com message board by “Law Student.” The message stated, “... It’s been said that though it’s a 400 attorney firm, H__’s client base is comprised largely of low paying, insurance clients which is why the firm has one of the highest billable hour requirements of all the firms that recruit on campus. The firm also has a bad reputation for “churning” and over-billing. ...” The poster purported to be a law student who was considering employment with the particular firm and was looking for advice from current associates. However, the message could easily have been posted by someone who wanted to spread dirt about the firm anonymously. If one of the firm’s insurance clients had come across that posting, there would have been some awkward moments to say the least. Thus, although law firms are not primary targets of John Doe postings, but they are not immune either.

Advocates of Internet anonymity assert that, most of the time, these posters are simply making off-the cuff fictional comments intended only to arouse conversation and emotions. However, the companies who are the subject of these (sometimes raging) tirades disagree and feel that their names and reputations are coming under direct attack.

Consequently, there has been rapid growth in the number of lawsuits filed by companies in pursuit of John Doe posters in the last few years. Typically, the charges are for libel, defamation and other torts and for breach of confidentiality, trade secret and other agreements. Basically, companies have discovered a useful tool for tracing John Doe, in the form of the subpoena, and are taking an aggressive stance in defending their good name and reputation in cyberspace.

The Technicalities of Unveiling John Doe

Although the Electronic Communications Privacy Act (“ECPA”) provides some assurances that anonymity will be protected from the government, ECPA does not require a subpoena of an Internet service provider where a “non-governmental entity” is the party seeking identifying information about a user. Therefore, companies may freely contact an Internet service provider to inquire about a user’s identity. Realistically, however, the chances of obtaining information so readily from an ISP are slim. Privacy and security of information on the Internet are legitimate concerns which the large majority of service providers are very protective of. Therefore, company plaintiffs who believe they have legitimate claims and have suffered injury usually resort to the civil litigation process.

Typically, upon filing a complaint the company’s lawyers will serve John Doe subpoenas on the Internet service providers, or the sponsor of the message board (or chat room) in question, in an attempt to learn the true identity of the anonymous posters. ECPA does not require that a service provider must notify the individual upon receipt of a civil subpoena for information concerning the subscriber or user. Any rights of notification are provided solely by the service providers’ Terms of Service or privacy policies. Previously, many service providers responded to subpoenas as a matter of course. Since companies have become more aggressive in pursuing John Does, however, most ISPs have changed their practices, promising to notify the individual prior to disclosing information pursuant to a civil subpoena.

Although resort to the legal process seems rather harsh and has been strongly criticized in some circles as repression of free speech, alternative methods of identifying John Doe would be extremely cumbersome if not impossible. If the ISP were responsive to informal inquiries, then John Doe could be tracked down through his IP (Internet Protocol) address. The IP address is essentially the user’s unique identifier and originates at the point of connection to the Internet, usually the ISP’s server. It is not possible to connect to any other computer on the Internet without using an IP address. The IP address is typically recorded at both 1) the local server that provides the individual Internet access (the ISP), and 2) a visited web site’s server. An IP address can be traced from “a specific web site back to the user’s ISP, which can then relate the IP address to the login name of the individual user. Thus, an IP address can be traced back to the user’s home computer eventually, through a method of filtering and backtracking. Many creative ways have been developed, however; for users to “cover their tracks” and virtually erase their original IP address as they move across the Internet. Example: the use of proxy servers. In the end, the subpoena is the only viable option for companies desiring to unveil a John Doe poster.

John Doe Fires Back

Even as companies pursue anonymous posters across the Internet, John Doe is fighting back. John Doe, also known as Aquacool_2000, sued Yahoo! in May 2000 in US District Court in California for disclosing personal information to his then-employer. Answerthink, a Web consulting firm, filed a complaint for defamation against several Doe defendants, including Aqualcool_2000, in February 2000 based upon statements that the Does posted on the AnswerThink message board operated by Yahoo!. Yahoo! identified Aquacool_2000 in response to a subpoena without informing him. Answerthink subsequently fired Aquacool_2000. Aquacool_2000’s suit charges Yahoo! with violation of constitutional privacy rights, breach of written contract, negligent misrepresentation and unfair competition and false advertising.

There is even a John Does Anonymous Foundation (www.johndoes.org) which was founded by Les French, a John Doe defendant himself, early last year. The purpose of the Foundation is to combat companies who sue anonymous posters and promote free speech on the Internet. Mr. French used money from a settlement he won after being sued by his former employer, Itex. Facing mounting legal fees and a countersuit by Mr. French, Itex agreed to pay $5,000 to French and $40,000 to the Foundation. Itex claimed Mr. French had posted damaging comments about its management on a message board.

As the controversy continues into 2001, it will be interesting to see how the balance will be struck in the courts between John Doe’s right to privacy and a company’s right to unveil those who intentionally cause it injury.

View entire article in PDF format here.