Remember the days before caller ID? If the person who answered the telephone was not the person to whom you wanted to speak, then you could just hang up, secure that he would never know it was you who had bothered him. Calls were not traceable-or at least not easily traceable. Crank calls? No problem, at least for the caller. Anyone could make them without fear of being caught.
A similar absence of fear is driving some Internet users to use aliases rather than their true names to post nasty, untrue and often-illegal messages. When users register with online networks, they often can choose alias identities that are, in essence, pen names used to post messages on online message boards and chat rooms. Some people believe that their aliases provide an anonymity that insulates them from detection and from liability for their actions. But they are wrong. And in most cases, it takes only the threat of legal action to persuade them to disappear.
The problem is not limited to cyberspace name-calling or to cranky people with no lives belittling each other over their political views or harassing one another about which Star Trek movie has the best special effects. Corporate America is getting its share too. Trade secrets are being disclosed, anonymously of course, over the Internet. Stocks are being illegally manipulated through mass dissemination of false information. Corporate executives are being slammed by mysterious, unseen adversaries, often from within their own ranks.
The scenarios are as plentiful as the variety of aliases people use to post offensive and illegal messages. The chairman of one client, Talk Visual, faced an online barrage of falsehoods accusing him of violating SEC and other laws. The accused perpetrators? "bgtit," "Spider Valdez" and "Rico Staris." Another client found that an Internet message board established for discussion about its online stock-trading business was frequented by an alias-using person who was falsely informing all board visitors of his firsthand knowledge that the company was engaging in proprietary trading and other misconduct. Since the company markets itself as providing instant stock trades and not accumulating trades for its proprietary account, the accusations went to the heart of its credibility. The cases degenerate further. Another client has chosen to ignore, for the time being, messages posted by a presumably disgruntled employee referring to a senior corporate executive as a "lesbian" and a "whore" who sleeps with other employees.
Online transgressions are not limited to libel and defamation, and companies' exposure can go beyond reputational damage. Two cases have recently been filed by Lexington, Mass.-based Raytheon against alias employees, including the likes of "Raytheonveteran" and "RSCDeepthroat," for disclosing trade secrets online.
In addition to libel law and intellectual property rights laws, securities law is now intersecting Internet law. Message boards and chat lines dedicated to discussion of publicly traded companies are not receiving thousands of hits per day just for their entertainment value (although the online exchanges in some instances are quite amusing). Investors are accessing these sites for information they can use in making investment decisions. Go2Net 's Silicon Investor, a fee-paying, members-only online financial discussion site, boasts that its members have posted more than 9.7 million messages on its network. This is a situation ripe for abuse. Stock manipulators holding short positions are posting false reports of corporate doom and gloom to drive down stock prices. There are also so-called "pump and dump" schemes. Promoters take a large position in a company and then flood a corporation's message board with false information or rumours that the company is about to benefit from a huge contract or some other good fortune. Stock prices skyrocket. The promoters then sell their positions before the rest of the market realises that the rumours were unfounded and the stock is overpriced.
Of course, all of this is illegal, and the SEC is taking notice. One client was recently subpoenaed to appear before the SEC to provide testimony in connection with an investigation focused in part on market manipulation through the Internet.
Corporations facing attack want to know whether the true identities of alias-using perpetrators can be determined, what can be done to stop them and who can be held accountable. Under the Communications Decency Act of 1996, Web site operators, Internet access providers and online service providers are virtually immune from liability for content transmitted on or through their services and systems by third parties. Although the outer limits of this law have not been fully tested, as a general matter, the law allows Internet service providers (ISPs) to screen and remove offensive material but does not require that they do so or impose liability upon them if they do not.
However, the authors of defamatory or otherwise illegal Internet messages and those acting in concert with them can be held accountable. Since they usually post messages using aliases, the trick is to identify them and serve legal process upon them. And this can be done.
While online service providers and Internet access providers are largely immune from liability for messages transmitted through their networks, they are not immune from the discovery process in civil lawsuits. Once a suit is filed against alias defendants (that is, "John Doe a.k.a. 'Spider Valdez'"), online networks can be subpoenaed for information as to the defendants' true identities. Indeed the only means of formally serving cyberdefendants with a complaint in person, as is required by the Rules of Civil Procedure, is to determine their true identities and street addresses. The only source of this information is the networks on which the offensive material was posted.
In some instances, the services operating the chat lines and message boards on which offensive or illegal remarks have been posted may not know the posters' true identities. For example, Yahoo does not require users of their message boards to identify themselves prior to registering the aliases that they use to communicate with others on the Yahoo network. Even if online networks do not have a user's true identity, however, they will possess some information that can be used to track down the wrongdoer. When users post on an online network, they typically leave an Internet portal (IP) address, a digital series. This IP address is like a fingerprint. With it, one can usually determine a poster's online service provider, which can then be subpoenaed. The ISP may have the user's true identity or, at a minimum, a telephone number or e-mail address. Users' identities can usually be determined in this way.
What happens once alias defendants are unmasked, their identities revealed? As a practical matter, the offensive posting may stop immediately. Once stripped of their belief that they can post without regard to consequences, these people often stop posting bad stuff. In one recent case, months of offensive and defamatory messages about our client permanently ceased the day after we filed a complaint (which was delivered to the defendants electronically on the very message boards on which they had been posting their defamatory messages about the client). Remember, the Internet users we are talking about are not necessarily sophisticated corporate warriors accustomed to the rough and tumble of business or litigation. Many are unsophisticated penny-stock promoters, hackers or disgruntled employees. The mere filing of a lawsuit can scare them straight.
That is not to say damages cannot be pursued-they can; although most hackers' pockets are not deep. Injunctions barring the posting of future messages are harder to come by. Judges find themselves restrained by the First Amendment from barring people from communicating on the Internet. Some courts, however, have entered very narrowly tailored injunctions barring defendants from repeating-verbatim-statements that have been proven defamatory. Further, where there is suspicion that larger market-manipulating forces are directing (or paying) those that are actually typing the messages and clicking the mouse, the discovery process can be used to uncover greater wrongdoing and perhaps deeper pockets. It's a tough issue, and it isn't going to go away overnight.
Some day, law and technology may work together to make it harder for unidentified people to publish false, damaging messages. Until that happens, victims of such attacks can begin their legal defence with a solid threat and hope that that's all it takes.
Carl Solomont is a partner at the law firm of Bingham Dana LLP and can be reached at email@example.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.