A few days ago, Google was ordered to reveal the
identity of an otherwise anonymous blogger as part of a defamation court case. And of course, said no-longer-anonymous blogger is
now planning on suing Google in return.
One of the very common topics here on Ask Leo! is, in fact, privacy, along with its companion
topics anonymity and security. As a result,I think it’s very important that everyone consider carefully what all this implies.
I am not a lawyer, and I’m in no way going to suggest that laws were or were not broken, that one side or the other is right or
wrong. This is about understanding what’s possible and realizing that the things you say on the internet – even “anonymously” – can
often be traced back to you.
]]>
I get questions all the time about the ability to trace back an IP address to an address, a phone, or a person. My answer: you can’t do it. The information that’s required to do all that is simply not available to the average consumer. Anyone that tells you otherwise is either lying or misinformed.
But… that doesn’t mean it can’t be done.
The second half of my response to these kinds of queries is exactly that: “you’d need a court order”.
That’s exactly what Google was responding to … a court order. And that’s where the blogger lost their anonymity. (I realize that I may be comparing apples and oranges somewhat here: in addition to IP information Google probably had the blogger’s account login information to the Google-owned service – blogger.com – being used. That just made the technical steps involved slightly easier for Google. The point and the concerns are the same, regardless.)
So what does all this mean for the “average” person using the internet?
In short: be aware of what you say realizing that you may not be as protected as you think. Not necessarily from any legal perspective – laws can change and can be quite different from place to place – but from a technical perspective.
Let’s use an example. Say you post an inflammatory comment here on Ask Leo!. Something that is clearly slanderous or threatening someone, for which you include no information that would personally identify yourself.
That person you’ve slandered then contacts law enforcement or just hires a lawyer to file suit against you – the “anonymous commenter”.
I get served with a court order to release any information pertaining to the comment. I then turn over the server logs that include the IP address from which the comment was posted, and the date and time on which it was done.
The investigators then use that IP address to locate your ISP, whom they then serve with another court order to release any and all information about that IP address on that date and time. The ISP turns over their log information that says on that day and time that IP address was connected to this physical location, or via that telephone number.
That’s a simplified case, and indeed sites and your ISP may not have, or may not have kept, the very logs that this back trace relies on, but then again – many sites and ISPs do. You just don’t know which. Similarly, if a school or a business is involved, the respective IT department may get involved to narrow the search with whatever logs they have available.
Ultimately, there’s a very real risk that with sufficient motivation and resources and with enough legal backing or ambiguity you can be found. Absolute “they’ll never find me” privacy is nearly impossible to achieve. You can certainly make it harder using various techniques and technologies, but you’re putting a lot of faith in whatever those techniques might be.
The bottom line is simply this: the internet has enabled a level of public discourse that’s allowed people to speak out and be heard with ease to a degree never before seen. Not unexpectedly, the boundaries of what is and is not legal and protected, and perhaps even moral, are constantly being tested.
If you’re one to push the envelope, realize that sometimes the envelope breaks.
So Leo, does this mean that the buck stops with the owner of the line/internet link? ie Am I right in thinking that if a comment was posted at say, a MacDonalds or Starbucks, then the only possible trace would be through cctv in the store, or am I missing something?
25-Aug-2009
You wrote:
A nitpick on spelling, Leo — That grates! — the word “Internet” is always capitalized! Grrr! :(
02-Sep-2009
The sources you provided had some interesting details. According to CNET article of August 18th, the judge didn’t order the identity to be released. According to it, the judge told Google to tell the blogger to “inform the blogger that he or she should probably get a lawyer, as there is a risk of unmasking.”
The lawyer then said that the blogger had called a person “psychotic, lying, whoring…skank” but it wasn’t meant as defamatory.
According to the blogger’s twisted logic, Google has a lot of money, so it should spend it defending her against repercussions of what she says.
Dear Leo,
as said “it is (technically) possible to trace someone back, for what ever reasons”, I wonder why it is than not possible to get rid of those persons/institutions who spread virus software, malware etc over the internet? On the other hand realizing that there has been established a huge industry which sells with great profit software to fight against such intrusions, I must come to the conclusion that it is (technically) Not possible. Or is it? Why must we use a pill to superimpose the disease instead of eradicating it?
02-Sep-2009
If these nitpicky things can be traced,than why can’t the crooks who are daily trying to get me to click onto a link to “properly prove my idenity” be caught? I forward these very professonial lookalikes to the abuse department of Bank of America almost on a daily basis. And they always email me back,”thanking me” and they are very close to catching these people and shutting down their website. I believe every email I get from them are basically “form letters”,because they all say the very same thing! My real point is,all this technology is available, why not use it to catch the REAL bad guys, freaks who like child porno, crooks who try to get people to “click” onto a link so they can rip them off,etc.
02-Sep-2009
The basic moral of the story is that the moment you commit a crime, you lose your privacy. In fact, even if you don’t commit a crime you can lose your privacy if a court order inadvertently includes access to your details.
So, to clarify, it’s POSSIBLE, but difficult and often prohibitively expensive. Which means someone would be spending lots of money on subpoenas to identify the source of defamation for potentially little recovery of “damages”. Basically, “So sue me for everything I don’t own.” It just seems to me that it’s not all that much risk for a blogger to “talk mean” about someone on the internet, and a lot of expense trying to get even for it.
Thanks Leo for enlighten me here. Yet, in this regard I would like to give a suggestion. Instead of producing/developing and maintaining Antivirus/AntiSpam/AntiMalware software to fight against intrusions or asign huge and costly human effort to trace back offenders, it makes more sense to me in developing software which does the back tracing with a minimum of human interference and with an automatic result of blocking or forwarding the addressee. Unfortunately, even possible, who pays for it and therefore there’s no profit. May be governments would do to protect their community.
09-Sep-2009
Thanks again Leo, I wasn’t aware of that fact. Did the reading about zomie botnets and how they created (Kaspersky, Symantec).
This article is “old”, but I think a comment is merited. To avoid any backtracking, ‘Ultrasurf’ can be used. http://www.ultrasurf.us. All internet access using Ultrasurf is anonymized by being routed through their servers, and all data transfers between their servers and your machine are encrypted both ways. Some posts I’ve seen around indicate that some people suspect that Ultrasurf may be malware, but it is not. See their site.