A few days ago, Google was ordered to reveal the
identity of an otherwise anonymous blogger as part of a defamation court case. And of course, said no-longer-anonymous blogger is
now planning on suing Google in return.
One of the very common topics here on Ask Leo! is, in fact, privacy, along with its companion
topics anonymity and security. As a result,I think itâs very important that everyone consider carefully what all this implies.
I am not a lawyer, and Iâm in no way going to suggest that laws were or were not broken, that one side or the other is right or
wrong. This is about understanding whatâs possible and realizing that the things you say on the internet â even âanonymouslyâ â can
often be traced back to you.
]]>
I get questions all the time about the ability to trace back an IP address to an address, a phone, or a person. My answer: you canât do it. The information thatâs required to do all that is simply not available to the average consumer. Anyone that tells you otherwise is either lying or misinformed.
But⊠that doesnât mean it canât be done.
The second half of my response to these kinds of queries is exactly that: âyouâd need a court orderâ.
Thatâs exactly what Google was responding to ⊠a court order. And thatâs where the blogger lost their anonymity. (I realize that I may be comparing apples and oranges somewhat here: in addition to IP information Google probably had the bloggerâs account login information to the Google-owned service â blogger.com â being used. That just made the technical steps involved slightly easier for Google. The point and the concerns are the same, regardless.)
So what does all this mean for the âaverageâ person using the internet?
In short: be aware of what you say realizing that you may not be as protected as you think. Not necessarily from any legal perspective â laws can change and can be quite different from place to place â but from a technical perspective.
Letâs use an example. Say you post an inflammatory comment here on Ask Leo!. Something that is clearly slanderous or threatening someone, for which you include no information that would personally identify yourself.
That person youâve slandered then contacts law enforcement or just hires a lawyer to file suit against you â the âanonymous commenterâ.
I get served with a court order to release any information pertaining to the comment. I then turn over the server logs that include the IP address from which the comment was posted, and the date and time on which it was done.
The investigators then use that IP address to locate your ISP, whom they then serve with another court order to release any and all information about that IP address on that date and time. The ISP turns over their log information that says on that day and time that IP address was connected to this physical location, or via that telephone number.
Thatâs a simplified case, and indeed sites and your ISP may not have, or may not have kept, the very logs that this back trace relies on, but then again â many sites and ISPs do. You just donât know which. Similarly, if a school or a business is involved, the respective IT department may get involved to narrow the search with whatever logs they have available.
Ultimately, thereâs a very real risk that with sufficient motivation and resources and with enough legal backing or ambiguity you can be found. Absolute âtheyâll never find meâ privacy is nearly impossible to achieve. You can certainly make it harder using various techniques and technologies, but youâre putting a lot of faith in whatever those techniques might be.
The bottom line is simply this: the internet has enabled a level of public discourse thatâs allowed people to speak out and be heard with ease to a degree never before seen. Not unexpectedly, the boundaries of what is and is not legal and protected, and perhaps even moral, are constantly being tested.
If youâre one to push the envelope, realize that sometimes the envelope breaks.
So Leo, does this mean that the buck stops with the owner of the line/internet link? ie Am I right in thinking that if a comment was posted at say, a MacDonalds or Starbucks, then the only possible trace would be through cctv in the store, or am I missing something?
25-Aug-2009
You wrote:
A nitpick on spelling, Leo â That grates! â the word âInternetâ is always capitalized! Grrr!          :(
02-Sep-2009
The sources you provided had some interesting details. According to CNET article of August 18th, the judge didnât order the identity to be released. According to it, the judge told Google to tell the blogger to âinform the blogger that he or she should probably get a lawyer, as there is a risk of unmasking.â
The lawyer then said that the blogger had called a person âpsychotic, lying, whoringâŠskankâ but it wasnât meant as defamatory.
According to the bloggerâs twisted logic, Google has a lot of money, so it should spend it defending her against repercussions of what she says.
Dear Leo,
as said âit is (technically) possible to trace someone back, for what ever reasonsâ, I wonder why it is than not possible to get rid of those persons/institutions who spread virus software, malware etc over the internet? On the other hand realizing that there has been established a huge industry which sells with great profit software to fight against such intrusions, I must come to the conclusion that it is (technically) Not possible. Or is it? Why must we use a pill to superimpose the disease instead of eradicating it?
02-Sep-2009
If these nitpicky things can be traced,than why canât the crooks who are daily trying to get me to click onto a link to âproperly prove my idenityâ be caught? I forward these very professonial lookalikes to the abuse department of Bank of America almost on a daily basis. And they always email me back,âthanking meâ and they are very close to catching these people and shutting down their website. I believe every email I get from them are basically âform lettersâ,because they all say the very same thing! My real point is,all this technology is available, why not use it to catch the REAL bad guys, freaks who like child porno, crooks who try to get people to âclickâ onto a link so they can rip them off,etc.
02-Sep-2009
The basic moral of the story is that the moment you commit a crime, you lose your privacy. In fact, even if you donât commit a crime you can lose your privacy if a court order inadvertently includes access to your details.
So, to clarify, itâs POSSIBLE, but difficult and often prohibitively expensive. Which means someone would be spending lots of money on subpoenas to identify the source of defamation for potentially little recovery of âdamagesâ. Basically, âSo sue me for everything I donât own.â It just seems to me that itâs not all that much risk for a blogger to âtalk meanâ about someone on the internet, and a lot of expense trying to get even for it.
Thanks Leo for enlighten me here. Yet, in this regard I would like to give a suggestion. Instead of producing/developing and maintaining Antivirus/AntiSpam/AntiMalware software to fight against intrusions or asign huge and costly human effort to trace back offenders, it makes more sense to me in developing software which does the back tracing with a minimum of human interference and with an automatic result of blocking or forwarding the addressee. Unfortunately, even possible, who pays for it and therefore thereâs no profit. May be governments would do to protect their community.
09-Sep-2009
Thanks again Leo, I wasnât aware of that fact. Did the reading about zomie botnets and how they created (Kaspersky, Symantec).
This article is âoldâ, but I think a comment is merited. To avoid any backtracking, âUltrasurfâ can be used. http://www.ultrasurf.us. All internet access using Ultrasurf is anonymized by being routed through their servers, and all data transfers between their servers and your machine are encrypted both ways. Some posts Iâve seen around indicate that some people suspect that Ultrasurf may be malware, but it is not. See their site.