The Power of the Courts to Unmask the Anonymity of Those Online

By David C. Castleberry

While most know that an employee's every computer keystroke can be (and often is) monitored by the employer, some may think that at home, behind the safe and comforting cloak of anonymity, an employee can post and write defamatory remarks about the employer without any consequences. This cloak of anonymity should not provide much comfort to those online. Through the power of the courts, specifically through the power of subpoena, a plaintiff may obtain identifying information about an Internet user from an Internet Service Provider ("ISP"), even if the Internet activity is conducted anonymously online.

As a general rule, discovery proceedings take place only after the defendant has been served; however, in rare cases, courts have made exceptions, permitting limited discovery to ensue after filing the complaint to permit the plaintiff to learn the identifying facts necessary to permit service on the defendant.

Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 577 (N.D. Ca. 1999).
In cyberspace litigation, the exception to the general rule forbidding discovery until the defendant has been served seems not so rare.

Companies often sue a John Doe to obtain his online identity because he is publishing defamatory remarks about the company on the Internet, he is diluting a trademark or his online activity constitutes copyright infringement. Most of the subpoenas in these John Doe suits are not challenged by a defendant because the defendant lacks the resources to hire an attorney or receives no notice of the subpoena from his ISP. In some cases, the defendant mounts a vigorous defense. In such cases, courts have employed different safeguards to protect the Doe defendants.

The Dendrite standard v. the seescandy.com standard

The most stringent standards guarding anonymity have been created when the actual speech of the defendant forms the basis for the lawsuit. For example, in Dendrite International, Inc. v. John Doe, No. 3, a large, publicly traded company sued a Doe defendant for posting defamatory content about the company on a message board maintained by Yahoo. 775 A.2d 756 (N.J. Super 2001). While the John Doe in that case posted allegedly defamatory messages using the pseudonym "xxplrr" rather than his real name, he was required to provide Yahoo with detailed information, such as his name and contact information, to use this service. Id. Dendrite wanted this information from Yahoo. Id.

The Dendrite court created certain procedural requirements the plaintiff must satisfy before pre-service discovery on the identity of the online poster is allowed. First, the plaintiff must attempt "to notify the anonymous posters that they are the subject of a subpoena" to obtain the identity of the online poster. Id. The plaintiff must also make out "a prima facie cause of action against the fictitiously-named anonymous defendants" and "produce sufficient evidence supporting each element of its cause of action, on a prima facie basis, prior to a court ordering the disclosure of the identity of the unnamed defendant." Id. (emphasis added). Finally, the plaintiff must prove to the satisfaction of the court that "the defendant's First Amendment right of anonymous free speech" does not outweigh "the strength of the prima facie case presented and the necessity for the disclosure of the anonymous defendant's identity to allow the plaintiff to properly proceed." Id.

A variant of the Dendrite standard was followed in John Doe No. 1 v. Patrick and Julie Cahill, a case recently decided by Delaware's highest court. In Cahill, an anonymous blogger posted defamatory statements about the plaintiff on an Internet blog. 884 A.2d 451 (Del. 2005). At issue was whether the defendant was entitled to a protective order seeking to prevent the plaintiffs from obtaining the defendant's identity from Comcast, his ISP. Id. at 455. On appeal, the Delaware Supreme Court held that a plaintiff must "satisfy a ‘summary judgment' standard before obtaining the identity of an anonymous defendant." Id. at 457. In other words, sufficient evidence supporting the claims of the plaintiff must be provided to the court before a plaintiff is allowed to engage in pre-service discovery on the identity of the defendant. The Cahill court chose to follow the Dendrite standard because "setting the standard too low will chill potential posters from exercising their First Amendment right to speak anonymously." Id.

Another line of cases employs a lower standard than that outlined in the Dendrite and Cahill cases. Most notably, in these cases, evidence is not required before a plaintiff may conduct pre-service discovery; only a well-pleaded complaint that will survive a motion to dismiss is required. In Columbia Insurance Co. v. seescandy.com, the owner of the "See's Candies" trademark brought suit alleging, inter alia, trademark infringement and dilution against certain persons who registered the Internet domain names "seescandy.com" and "seescandys.com." 185 F.R.D. 573 (N.D. Ca. 1999). The plaintiff sued Doe defendants and subsequently sought discovery from an ISP to uncover the identities of those persons who registered these Internet domain names.

In determining whether to allow the plaintiff to conduct discovery on the identities of the defendants, the seescandy.com court fashioned four limiting principles that govern whether a plaintiff is entitled to obtain discovery in such situations. Id. at 577. First, the plaintiff must identify the individuals with "sufficient specificity such that [a court] can determine that [the] defendant is a real person or identity who could be sued in federal court." Id. at 578. Second, the plaintiff must "identify all previous steps to locate the elusive defendant." Id. at 579. Third, the "plaintiff should establish to the Court's satisfaction that plaintiff's suit against [the] defendant could withstand a motion to dismiss." Id. Finally, a plaintiff must file a request for discovery with the court justifying the information sought and outlining the likelihood that the sought for discovery will identify "information about the defendant that would make service of process possible." Id. at 580.

The seescandy.com standards are easy to meet; only a well-pleaded complaint that can survive a motion to dismiss is required. This stands in stark contrast to the Dendrite standards where the court must see actual evidence supporting the plaintiff's claims before it allows the plaintiff to engage in pre-service discovery.

The lower standard outlined in seescandy.com has been followed in copyright infringement cases. In an attempt to protect music copyrights from users of peer-to-peer programs ("P2P"), the Recording Industry Association of American ("RIAA") sued over 10,000 Doe defendants in an effort to obtain the P2P's identities. See Data Sec. & Privacy Law: Combating Cyberthreats § 9:107.30 (2006). In a similar case, Sony Music Entertainment, Inc. v. Does 1-40, the court held that "the First Amendment does not bar disclosure of the Doe defendants' identities" in certain circumstances. 362 F. Supp.2d 556, 564 (S.D.N.Y. 2004).

In making that determination, the Sony Music court relied on the seescandy.com factors and also analyzed whether the Doe defendants have an expectation in privacy when engaging in P2P file-sharing. Id. at 556. In that case, each of the seescandy.com factors was satisfied. Further, according to the Sony Music court, the Doe defendants did not enjoy an expectation of privacy because (1) the ISP's Terms of Service prohibit copyright infringement and allow the ISP to disclose information to protect copyrights and (2) "[i]f an individual subscriber opens his computer to permit others, through peer-to-peer file-sharing, to download materials from that computer, it is hard to understand just what privacy expectation he or she has after essentially opening up the computer to the world." Id. at 556 fn. 7.

It now appears that the seescandy.com factors will be employed by courts when intellectual property rights, such as trademarks and copyrights, are at issue, while the higher Dendrite standards will be applied by courts when the content of speech is at issue. Whether this distinction holds up in the future remains to be seen and will likely be a subject for future litigation.

Conclusion

The power of the Internet lies in its ability to facilitate "robust exchange and debate." Sony Music Entertainment, Inc., 362 F. Supp.2d at 562. Robust exchange and debate are oftentimes strengthened and fortified by allowing individuals to contribute anonymously. At the same time, the courts to this point are unanimous: the right to anonymity does not trump a company's right to protect itself from defamatory speech, trademark dilution or copyright infringement. The courts only differ as to whether a well-pleaded complaint or actual evidence is needed before the identity of the anonymous Internet user is exposed.

David C. Castleberry practices commercial litigation in the Las Vegas office of Snell & Wilmer.

Tracking with Radio Frequency Identification (RFID)

By Shlomo Sherman

New technologies test the judicial conscience. On the one hand, they hold out the promise of more effective law enforcement, and the hope that we will be delivered from the scourge of crime. On the other hand, they often achieve these ends by intruding, in ways never before imaginable, into the realms protected by the Fourth Amendment.
—Judge Alex Kozinski, dissenting in U.S. v. Kincade, 379 F.3d 813, 871 (9th Cir. 2004).

Such a technology now stands poised to take its place among the many technologies that have become an indelible feature of our society, and, if we permit, will join them in reshaping many of our expectations of privacy. Joining the ranks of the Internet, the cellular phone, and DNA testing is Radio Frequency Identification, commonly known as RFID.

The Technology

A typical RFID system consists of three main components: a "tag," a "reader" and a wireless computer network. An RFID tag (or transponder) is comprised of a tiny microchip that stores a unique ID number and an antenna that enables the microchip to transmit that number to an RFID reader (or transceiver). The reader is a device that communicates wirelessly with the tag. Once the reader receives the tag's radio communication, the transmission is then converted into a computer-readable format and is collected automatically by system management software running on a host computer.

Although there are different types of RFID tags that are appropriate for different contexts, the two main types are active tags and passive tags. An active tag possesses a battery that provides the tag with independent power, permitting it to broadcast a signal while seeking an RFID reader to talk to. A passive tag, on the other hand, has no independent power source. Rather, when a reader queries the tag for its unique identifier, the query itself powers the tag's response. This process, however, allows for only a very weak signal.

A key feature of RFID tags is that they can be made very small—and therefore hidden from detection. Manufacturers continue to find ways to produce smaller and cheaper tags that are capable of increasingly greater range. Today, an RFID tag need not be three-dimensional. It can be flexible, paper-thin and smaller than a postage stamp. In fact, one company has recently developed a way of printing the RFID tag onto paper, label stock or cardboard packaging. These printed tags could be read from less than an inch to ten feet away and could be mass-produced for less than a penny. Last year, Hitachi unveiled its new prototype chip with a size of 0.32mm—roughly half the size of the smallest RFID chip on the market and merely a speck on a grain of rice.

RFID technology is subject to a number of important physical limitations, such as a certain degree of proximity to the reader, as well as interference caused by materials that may absorb, detune or reflect the radio signal, which may prevent the signal from reaching the RFID tag. In addition, the size of a tag plays a large role; generally speaking, the smaller the tag, the weaker the signal and the shorter the range. Despite these shortcomings, however, manufacturers have been making great strides in overcoming many of these obstacles, and RFID tags continue to become smaller, cheaper and more powerful.

The Application

Various applications of RFID technology are already in place—and have received significant negative attention from several privacy-focused organizations. However, the application that has most offended the sensibilities of many Americans is RFID's tracking capability.

Last year, Brittan Elementary School in Sutter, California implemented an experimental program that used mandatory ID badges to track children's movements in and around the school with RFID technology. The program involved the installation of RFID readers above classroom and bathroom doors that would read RFID tags embedded in the students' ID badges as they entered a room. However, when parents (and the ACLU) became acquainted with the program, it was quickly abandoned. The idea that somebody might be tracking the comings and goings of a particular student raised in some parents' minds the specter of an Orwellian environment, sounding the death knoll for the experiment.

The intensity of the opposition seemed somewhat extreme; similar programs have since been implemented—with approval—in schools in both Texas and Japan. Perhaps it was the larger RFID issue looming on the horizon that lent the sense of panic to the opposition; after all, RFID technology was not developed to monitor school children.

RFID in the Retail Environment

The ePC stands for Electronic Product Code. As its name suggests, it is intended to function in very much the same way as the current UPC (Universal Product Code) barcode with some important improvements.

The existing UPC system, employing a 12-digit code, allows retailers to track products only at the SKU (stock keeping unit) level by providing every series of product with a unique identifier. This means that an entire batch of a particular product is assigned one UPC number. For example, a batch of Coca Cola cans would receive a single UPC bar code. If any variations were made to the product series, then a new UPC bar code would be assigned. This system, limited as it is to 12-digit codes, allows only a relatively limited number of combinations. In fact, reports suggest that the available number of UPC codes have almost been exhausted.

The ePC code, on the other hand, is a new product numbering standard that goes far beyond the abilities of the UPC. Utilizing a 96-bit numbering scheme, the ePC is capable of uniquely numbering every item currently produced on the planet and well into the future. Taking advantage of this capability, the ePC in fact is designed to assign a unique number to every single item that rolls off a manufacturing line. This would allow every company in a supply chain, including retailers, to track products at the individual item level. With ePC, every single item on a shelf could be traced back to when it was made and when it was sold. This, quite understandably, would be of tremendous advantage to companies wishing to keep a closer eye on inventory, shipping and delivery, shoplifting and more.

The ePC number is designed to be embedded in an RFID tag, which is then affixed to the product that the manufacturer wishes to track. The item can then be identified by a reader scanning the RFID tag for its ID number. Unlike the UPC system, an RFID branded product need not be within the scanner's line-of-sight; it is enough that it is within "read-range." And whereas the UPC requires that the label upon which the barcode is printed be relatively clear and unsullied, an RFID tag need not be.

Another advantage of the ePC system over the UPC system is the ability of an RFID reader to identify multiple tags in the field of a reader virtually simultaneously. UPC scanners are only capable of handling one at a time. In contrast, in an ePC system, a shopper can take a full cart to a checkout point where the contents would be instantaneously scanned by a sensor.

To date, Wal-Mart has promised that 300 of its top suppliers will have committed to RFID capability by the end of this year. Two years ago, Gillette Co. placed an order for 500 million RFID tags to be delivered over three years. Benetton had planned to put RFID labels on a complete line of clothes and to track items from manufacturing plants to the point of sale, but a consumer boycott forced it to reconsider.

The technology is there and the market is there; ePC stands as the likely successor of the UPC barcode. However, consumer privacy advocates are concerned that by including an RFID tag in every product, the door will be opened to the wholesale tracking of individual citizens. As RFID technology becomes more and more prevalent and RFID readers more available, someone with access to the appropriate databases—a government official, an enterprising crook—will link items possessing RFID tags with the individual that purchased them, and will thereby be able to track that individual by monitoring the RFID readers that recognize his tags. Privacy advocates are particularly concerned that, due to RFID tags' tiny size, they may be embedded in products without the customer's knowledge.

Several legislatures, including California and New Hampshire, are already considering legislation that would attempt to address these privacy concerns. Some of these proposals involve a "kill tag" provision, which would require retailers to disable or remove an RFID tag before it leaves the store. All proposals require a disclosure to the customer of the presence of an RFID tag.

RFID Identification Cards

Regardless of whether RFID technology deployed in the retail environment would be a viable means of individual tracking, any such plans would quickly be dropped in favor of a far more efficient and cost-effective method of tracking, involving identifications cards with embedded RFID tags.

RFID tags in ID cards would make individual tracking far more simple and efficient than RFID tags in products for several reasons. First, whereas the latter tracks the product, which then requires access to the retailer's database in order to link the product to the individual, the former—like a social security number—directly identifies the individual. Second, tracking an individual through his products requires that he have the same product on his person throughout all stages of the tracking, which is unlikely; people are constantly changing their clothing and accessories. An ID card, on the other hand, is something that will likely accompany the individual wherever he goes, permitting virtually uninterrupted tracking. If RFID-enabled identification cards became mainstream, this potential for individual tracking would eclipse product tracking, which would likely be abandoned as unwieldy and inefficient.

Conclusion

The increasing ability of technology to track individual movements presents a privacy issue that appears to be coming to a head on several fronts. Cellphone triangulation permits the real-time tracking of the subscriber; RFID-enabled ID cards, if allowed may permit an alternate form of tracking. Internet cookies permit a form of cyber-tracking on the internet. Indeed, the United States Supreme Court in Kyllo v. United States, 533 U.S. 27, 34 (2001), even as it announced the constitutionality of utilizing technology that has achieved "general public use," warned of "this power of technology to shrink the realm of guaranteed privacy."

These privacy concerns are currently being addressed by a legislative approach, with the enactment of piecemeal legislation that would limit tracking within particular technological contexts. There is little discussion, however, of the constitutional implications of these nascent tracking technologies. Does an individual have a reasonable expectation of privacy in his location? Do these technologies meet Kyllo's standard of "general public use"? Now? Next year? Given the widespread proliferation of these technologies, is "general public use" still a viable standard? How should we, as a people, strike a balance between the convenience of wireless connectivity and privacy? Between security and privacy?

In this era of technology and terrorism, these are the questions that ought to hold our attention; their answers will determine our nation's future.

Shlomo S. Sherman is an associate with Shea & Carlyon, Ltd.