Subpoenaing Online Records: Why and How to Find an Anony
By Scott E. Chapman Anonymous Internet speakers, not immortal
By now, it’s likely that most attorneys have figured out that unmasking an anonymous Internet speaker (Anony) seems impossible. It’s also just as likely that the list of questions regarding how to reveal an Anony, so they can be pursued for damages or served with an injunction, is still longer than the list of answers.
Pursuant to what is commonly referred to as Section 230(c) immunity, Internet service providers, hosts, Web sites, and other relevant carriers (ISPs) are generally exempt from liability for the speech that is posted on their Web sites, blogs, chat rooms, and even the speech republished through their search engines. The Communications Decency Act (CDA) states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1) (2008). In other words, providers of the Internet itself, where anyone can generate all manner of speech, is not a “publisher” of content as traditionally understood by the print media. So who is liable for the massive amount of false, defamatory, and libelous information published on the Internet? The original speaker is, whoever that person or entity may be. Allowing an ISP to be free from any liability while it provides third-party speakers the tools to defame and harass at-will likely sounds far-fetched and radical to many experienced lawyers, given the body of law regarding print, radio, and televised media. However, to an entire generation of attorneys and other young web surfers this ideology is the norm. Since Section 230(c) was enacted, a whole new body of law had to be interpreted by the courts to deal with this new enigma, the Internet. Generally, publishers and reporters find themselves at the center of libel suits when false information is published. A strong incentive exists for newspapers, magazines, and radio/television to protect their reputation and their “sources.” “Sources” have rarely been sued because they can not be identified. The popularized “Deep Throat” from the Watergate scandal can likely attest to the way things “used to be.” Although ISPs closely resemble their publisher cousin, an effort to not limit commercial activity on the Internet created Section 230(c). However, there is one great distinction between the print/televised media and the Internet: the Internet Protocol Address (IP Address). The IP Address allows the ISP to identify each individual user on the Internet and log their activity. While an IP Address can be masked and proxy servers can be used by the Anony, which often involves interstate and international activity, often the un-savvy Anony has no idea that their ISP is keeping track of their activity. More importantly, even to the “black hat” or experienced user, it only takes one login without a proxy server for an experienced expert to capture the legitimate IP Address. Likewise, since Section 230(c) grants the ISP immunity, there is little incentive for the ISP to protect the identity or Internet activity of the Anony. For obvious reasons, the ability of litigants to get access to the ISP logs has become the center of the legal discussion.
With no pre-litigation discovery available, sue “John Doe”
It only takes about three seconds of legal analysis to recognize that it is impossible to serve a subpoena on a person you can’t identify, but it may take quite a bit longer for you to realize you can sue them. What Section 230(c) immunity has created is an enormous need for “John Doe” lawsuits. Since the Federal Rules of Civil Procedure only allow for limited pre-litigation discovery under Rule 27 and since Texas is the single state to have extensive pre-litigation investigatory procedures, the other 49 of us must file “John Doe” lawsuits. While traditionally these lawsuits have been discouraged by the courts, the ease with which anyone on an Internet connection can anonymize themselves and create a path of fraud and destruction has necessitated the courts’ relaxation and allowance of “John Doe” actions.
Given that Anonys post tortious statements both on their own Web sites and Web sites owned by others, the web address of the tortious activity must be identified as a foundational matter. Once the lawsuit is filed, service needs to occur. The only way to identify and serve an unknown party is through additional investigation.
Identifying the owner of a Web site
Every Anony who gains access to the Internet or has a web address is assigned an IP Address. The IP Address is tied to the ISP, including web addresses/Web sites and e-mails. The Internet Corporation for Assigned Names and Numbers (ICANN) requires that every web address be owned and tied to a name, address, and e-mail. The owner of any web address can allow a “proxy” to be listed in their stead, maintaining the owner’s anonymity. The name, address, and e-mail of the proxy must be public information listed with ICANN for service of process and billing. Thus, by researching ICANN, one can find the proxy/owner of any web address from which tortious activity occurs. However, since the proxy is created for the exclusive purpose of masking the identity of the true owner, the proxy will generally not provide the identity of the IP Address owner without a subpoena.
Identifying the owner of a statement
The retention of an expert who has the ability to forensically track IP Addresses will be required in identifying the owner of a given statement. A forensic Internet expert will be able to gather valuable information that ties certain web addresses, e-mails, or other identifying information to other statements. Though not simple, once the relevant technical information is gathered that connects the IP Address to the tortious activity, one has the support for the “John Doe” lawsuit.
Securing a subpoena
Given that we have no specific procedure allowing for this type of a subpoena in Nevada, a petition for pre-litigation subpoenas should be made to the court in order to demonstrate the necessity for issuance of subpoenas prior to discovery. Suggested actions prior to filing the petition include serving the owner, the proxy, and the ISP of the Web site a copy of the complaint; drafting request letters to the Web site owner seeking the identity of the “John Doe”; and requesting the same from the ISP. Other scenarios include the “John Doe” appearing and filing a motion to dismiss; the “John Doe” appearing to file a motion to quash; the ISP appearing to file a motion to quash; or the taking of a default against the “John Doe,” in the event you can substantially establish Web site ownership via a proxy and adequate service. Often times, these activities alone provide the identity needed to uncover an identity.
Once the ISP receives the subpoena, they in turn forward it to the owner or proxy. The ISP will generally provide the personal identifying information, unless the owner files a motion to quash the subpoena. Matching the IP Addresses provided by the forensic expert and the ISP log information gathered via subpoena will allow connection of activity to identity.
Drafting the complaint in preparation of a motion to quash
In the wake of the “John Doe” lawsuits and the resulting subpoenas, jurisdictions have had to wrestle with various motions to quash. In response to promptings from the California Court of Appeals, the California legislature enacted California Code of Civil Procedure Section 1987.2, drastically changing the “John Doe” subpoena landscape and setting the standard. In a nutshell, Section 1987.2 provides that when out of state subpoenas are issued in California “for personally identifying information…for use in an action pending in another state…and that subpoena has been served on any Internet service provider,” if a motion to quash is granted, if the “underlying action arises from the moving party’s exercise of free speech rights on the Internet,” and if the subpoenaing party fails to “make a prima facie showing of a cause of action,” the court “shall” award attorney’s fees and costs incurred by the moving party. Since so many ISP’s are located in California, significant compliance with local procedure is necessary. While there are many cases on point in various jurisdictions relevant to what constitutes “a prima facie showing of a cause of action,” the only way to push the weight of the evidence in one’s favor is to plead the complaint with particularity, naming specific Web sites, statements, actions, e-mails, etc. This will provide the additional information necessary when an Anony files a motion to quash the subpoena.
The identity of the Anony
There is no way getting around the fact that putting an identity to an Anony is complicated, time consuming, expert required, and court involved. Many times, identity can be discovered through simple investigation. Other times, filing a “John Doe” lawsuit will be the only remedy. As the courts continue to amend procedural rules and the common Internet user continues to become more astute, hiding your identity online will continue to be an often litigated topic and the subject of much legal debate. Scott E. Chapman is Of Counsel with the Las Vegas office of McCormick Barstow LLP, licensed to practice before all Nevada Courts. He received his MBA at UNLV and is a Certified Information Privacy Professional practicing in the areas of Internet & Privacy Law, General and Commercial Litigation, Insurance Law and General Corporate matters. He can be reached at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
or (702) 949-1100.
Social Networking In A Law Firm? Yes, Provided You Have A Policy.
By Molly Malone Rezac LinkedIn, Twitter, Facebook, Legal OnRamp, Justia, YouTube, and AVVO are just some of the websites lawyers are using these days to market and connect with clients and other lawyers. Utilizing social media and social networking sites can create relationships that were not available to your firm’s lawyers before the Internet, lead to increased visibility within your field, and potentially garner you new clients. However, it can also create public relations nightmares, unintended attorney-client relationships, inadvertent violations of the State Bar of Nevada’s advertising rules, and potentially significant liability. Get out in front of those risks by creating a policy that can both allow the lawyers in your firm the ability to use social media to their advantage and protect the firm from its unintended consequences. This article includes some suggestions for creating a social media policy for your firm.
Review the Rules of Professional Conduct
Before even starting to develop your firm’s social media policy, a review of the Nevada Rules of Professional Conduct is necessary. For example, Rule 7.1 prohibits false or misleading communications about a lawyer or a lawyer’s services. See NRPC 7.1. Some social media sites allow testimonials or recommendations. This can be misleading information and testimonials may not be verifiable, and, as such, can be seen as violations of Rule 7.1. Review the advertising rules to make sure your social media policy instructs your lawyers how to comply with these rules while out tweeting. Similarly, Rule 7.4 governs how lawyers communicate their fields of practice and specialization. See NRPC 7.4. Profiles, postings, and recommendations on social networking sites may be seen as lawyer advertising, and thus must comply with the Nevada Rules of Professional Conduct. For example, LinkedIn has a box allowing a user to identify a “specialty.” A lawyer identifying him or herself as a specialist must comply with Rule 7.4. In addition, communications on social media sites must be monitored to prevent unintended attorney-client relationships, inadvertent disclosure of client information, ex parte communications, or improper contact with parties.
Determine to whom the policy applies
Once you have reviewed the rules that may apply to your social media use, consider whether you need a policy for staff and a separate policy for lawyers and law clerks. One reason for this distinction is whether you will not allow anyone to access social media sites during normal work hours and from work computers or you will allow your lawyers only to do so when they are doing so as part of their marketing business efforts.
Decide what social networking activity you will police
Most employers, including law firms, tend to want to ban all social networking by its employees on its computers or equipment. However, given that social networking sites can generally be accessed by almost any smart phone, employees will be accessing these sites while at work. Rather than having every new site “banned” at work, having parameters of when and how social networking may be conducted on firm equipment may be a more realistic approach. For lawyers, social media during work hours and on work equipment would be appropriate if it is for business marketing purposes. Such use would need to be limited so that it does not interfere with or impact their work and must comply with all firm policies.
Provide guidance
Lawyers using social media as a marketing tool are representing the firm with every blog post, tweet, or status update, regardless of what site they are utilizing. As such, guidance on the content of posting, including what is prohibited and what is allowed, is imperative. For example, remind your firm that social media is NOT a place for attorneys to have conversations relating to cases or other firm matters with clients, opposing counsel, or anyone else. Remind them that all correspondence must be handled via e-mail, fax, or traditional mail in order to maintain attorney-client privilege, and preserve the integrity of the correspondence itself. Your policy should instruct the lawyer how to respond to inquiries for legal assistance on a social media platform. For example, a “friend” posts on the lawyer’s wall asking for legal advice about a landlord/tenant issue. Rather than responding to the question posed, the lawyer should thank the “friend” for contacting him about the matter, and indicate that the “friend” should contact the lawyer at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
so that unintended attorney-client relationships are not created, and any privileged communications remain privileged.
Remind them about confidentiality
Social media posts are informal. As such, things can be said without appropriate forethought. That status update or tweet stating “bad day in deposition—bad facts and we will lose” may inadvertently convey client confidences or work product. Social media policies need to remind all that confidential information must remain confidential.
Incorporate your other policies
Your social media policy should incorporate your harassment, discrimination, workplace violence, confidentiality, and other policies so that all conduct prohibited by these policies is still prohibited even if it occurs on a blog post, status update, or tweet. A violation of these other policies in any social media outlet is still a violation.
Stress personal responsibility
Your social media policy should tell all those subject to it that they are personally responsible for all content that they post on any social media site. Remind them that it is difficult to delete that content once it is posted to a site, and they need to be cautious and exercise good judgment when writing a post, status update, or tweet. Let them know that they may be liable for monetary damages for improper disclosures of confidential client information, violations of the privacy rights, or other rights of third parties, or for the content of anything that they post.
Monitor the posts
Your policy should state what monitoring of lawyer’s social media posts that your firm will conduct. If lawyers in your firm are using social media for business purposes, the firm should know what sites the lawyers are using and under what username or “handle.”
The policy should address responses to inaccurate, accusatory, or negative comments. Unfortunately, inaccurate or negative comments can and do occur on the web. Your social media policy should address that no one should respond without approval, should notify firm management about any such comments, and address how the firm will develop a response.
Blogs
Determine whether your firm will host its own blogs or whether it will allow its lawyers to maintain their own legal blogs. If blogs are hosted by the firm, policies and procedures should be put in place that allow the firm to control what information is posted the blog, and all posts must adhere to the social media policy. Comments to blogs can be an integral part of a blog. However, how and when comments may be posted must be considered. For example, one option is to have all comments approved before they are able to be viewed on the blog. Social networking is a great way to build relationships and acquire new clients, and should be an integral part of a lawyer’s marketing strategy. According to Adrian Dayton, author of Social Media for Lawyers: Twitter Edition, more than half of corporate counsel responding to a survey said that they will stop and think before hiring a lawyer without a credible online presence in addition to their bio on their firm website. A social media policy will help in reaping all the positive benefits of social networking while helping keep the liabilities at bay. Molly Malone Rezac is a Shareholder at Jones Vargas and concentrates her practice in the area of employment law representing employers. She handles all types of employment law litigation matters, and provides advice to employers regarding employment matters, including formulating employment policies and drafting employee handbooks, conducting investigations and provides workplace seminars for employees regarding discrimination laws.
Cloud Computing Considerations for Nevada Attorneys
By Jeff Grace and Lizette B. Sundvick Cloud computing promises to solve a multitude of business problems. Properly implemented, the cloud can provide a higher level of performance and reliability, superior security and scalability, and unprecedented mobility. Naturally, it also carries some inherent risks and raises some legal questions and issues.
Nevada’s state bar has issued a formal statement on the potential legal risks of cloud computing for attorneys and law firms, and recommends law firms:
Exercise reasonable care in choosing a cloud provider, such that the firm has a reasonable expectation that privileged client information will be kept confidential.
Specifically instruct cloud providers to safeguard client data. Ensure providers have a specific provision in their agreement that guarantees the provider will take measures to preserve the confidentiality of the firm’s data.
Vetting the cloud computing service provider
Assessing the reputation and reliability of a provider is the logical first step. How long has the cloud provider been in business, and are they using time-tested, proven technology? Because technology changes at a rapid pace, the longevity of a provider may be difficult to evaluate, but look for some quantifiable history of the company and the technology it employs. Reputable cloud providers use technology that is consistent with industry standards and holds up to expert opinions and analysis, as well as complies with standards, such as Statement on Auditing Standards No. 70: Service Organizations (SAS 70), Payment Card Industry Data Security Standard (PCI DSS), or the Health Insurance Portability and Accountability Act (HIPAA). Any cloud provider trying to sell its platform is going to tout its security features. The best measure of a company’s worth in terms of security should be gathered from a third-party security audit. The provider should also be able to explain any occurrences of security breaches, as well as the actions the provider took in terms of restoring the lost or compromised data and compensating the injured parties. If the provider has had no history of security breaches, it should be able to provide a detailed contingency plan, including a detailed description of where data is stored and backed up. Performing due diligence will yield information that will allow you to make a well-informed decision.
Types of information
Clearly, a client’s personally identifiable information must be protected at all costs. However, according to Nevada Revised Statutes Chapter 603A, personally identifiable information consists of any information that directly or indirectly identifies an individual. The language in a cloud service provider’s contract may not be specific enough. Before attorneys begins placing sensitive information on the Internet, they should draft language into the agreement that specifies the types of information that are protected under the provider’s security agreement. This may include, but not be limited to, data from a third party, data drawn from both electronic and non-electronic formats, metadata, trade secrets, personally identifiable information, and intellectual property. Attorneys should carefully formulate this language so it accurately covers all of the categories of information contained in their records. Per NRS Chapter 603A, law firms are “data collectors” because they handle nonpublic personal information. “Personal information” is defined as first name or first initial and last name combined with one of the following when the name and data elements are not encrypted: social security number; driver’s license number or identification card number; account number; credit card number; and access code or password that would allow access to a person’s financial account. Therefore, law firms must require cloud providers to implement and maintain reasonable security measures to protect their records from unauthorized access. An easy way to accomplish this is to contractually bind the cloud provider to adhere to NRS Chapter 603A.
Understanding what cloud computing “security” means
Unlike physical data storage, cloud computing relies on servers in data centers, authorized user passcodes, and electronic security measures. Cloud servers are typically stored in highly secure facilities requiring a biometric match and the consent of an on-premise security guard to gain entrance. The bigger risk with the cloud is unauthorized electronic intrusion, or “hacking,” in which the hacker steals user names, passwords, and client records;. Hacking can be as disastrous as having a pack of thieves make off with a filing cabinet. Realistically, there is no way to guarantee against unauthorized electronic intrusion in the cloud, just as it isn’t possible to guarantee against it with your on-premise computer equipment. All network connected computers carry some level of inherent risk. Agreements with cloud providers should specify that they are responsible for exercising a “reasonable standard of care” to prevent unauthorized access to the information on cloud servers.
Statistics reveal that most security breaches originate from inside an organization, so attorneys are advised to use the evaluation of cloud systems as a precipitant to review their own internal security processes as well. Properly implemented and managed cloud systems are likely to be more secure than on-premise equipment due to a higher level of proficiency in the design, along with adherence to more rigorous protocols. But most attorneys are not technology experts, so a potential cloud provider should be able to clearly articulate the security measures they employ.
Ramifications of the Nevada security of personal information law on cloud computing
Nevada Revised Statutes Chapter 603A requires that personal information be encrypted. Attorneys should review this law and determine what methods of encryption the provider is using. A big problem comes in the language of the provision, which focuses on the transmission of information from a “secure system.” Technically, anyone transmitting data from an “insecure system” may be able to evade the requirements of the provision. Also, telecommunication providers conveying the communications of other people are technically exempt from the requirement to use encryption. Nevada attorneys should write language that clearly defines the role of the provider so they do not manage to technically evade their responsibilities.
Under this law, the technical methods of encryption used by the provider should meet the standards or guidelines of an established institution, such as the Federal Information Process Standards, which is maintained by the governmental agency, National Institute of Standards and Technology (NIST).
Defining a security breach in compliance with NSPI law
Attorneys should also make sure that the terms of a “security breach” are adequately defined. If, for example, a provider defines a breach as unauthorized access to its user codes only, a breach that managed to exploit a weakness in the firewall of the underlying cloud computing system not related to the official password system itself could technically be described as falling outside the purview of the definitions of a security breach. When reviewing the provisions of the contract, attorneys should consider consulting a third-party cloud computing engineer who can provide terminology describing how breaches occur.
This is especially important in light of the “safe harbor” provision of NRS Chapter 603A. According to the law, “data collectors” are exempt from damages for a security breach if they follow the provisions of the law and the breach is not caused by the data collector or any of its associated employees. Again, this provision can be avoided if the cloud computing provider is not defined as a data collector. However, it is a scenario that attorneys should be careful to avoid. If the provider claims they are a “data collector,” then they would be able to evade practically any form of responsibility for a data breach they did not directly cause as long as they had followed the provisions of the law, even if their security procedures were sloppy but technically adequate.
Stating the obvious: limiting “sharing” policies
Attorneys should make sure contractually they are the sole owners of the data they store with a cloud provider. Furthermore, attorneys should make sure that the provider will not share or use the information it stores for any other reason than the reasons stated in the agreement. Providers should not “share” the information with other providers or service entities unless they have been specifically instructed to do so. Additionally, should the transfer of data or “sharing” be a part of the provider’s regular security activities, any agents, associates, or entities involved in this process should be prepared to agree to the terms written between the provider and the attorney.
The same best practices that apply to on-premise computer equipment apply to cloud-based systems. Law firms should make sure their staff is adequately trained to create strong passwords that are more difficult to compromise, not share passwords with anyone, and report any suspicious activity on their computer that may indicate a virus or other malware.
Reporting and notification procedures
Attorneys and providers should have a clear policy on how breaches or other security problems will be reported. If a breach occurs, the provider should state what actions will take place. First and foremost, the provider should notify the attorney’s office promptly if a breach occurs and provide them with procedures to prevent any further data from being exposed or lost. An investigation involving the seizure of related documentation or an active evidence collection phase may be necessary in order to establish how the breach occurred. The policy should specify that notice of these actions will occur within hours, not days, of an investigation or of the service of any subpoena or other legal process.
Conclusion
Cloud computing offers attorneys a multitude of compelling benefits, including improved mobility, reliability, security, and the ability to cost-effectively store and reference virtually any of their firms’ resources. By taking the time to carefully review the language of provider agreements and the applicable laws, attorneys can realize the benefits of the cloud while minimizing their exposure to risk. Jeff Grace is the President & CEO of NetEffect, a Las Vegas-based technology support and consulting firm serving the IT needs of small- and medium-sized organizations in southern Nevada since 2002. In February of 2011, NetEffect launched MyGrid, a fully hosted cloud computing platform.
Lizette B. Sundvick, Esq. has been serving the Las Vegas and Henderson community since 1993. She is the President of Sundvick Legacy Center, an innovative law firm providing strategic estate planning and asset protection services to professionals, business owners, and families. |
Communiqué 
