Online activity by individuals frequently breaches the criminal and civil law. Some common examples of unlawful online activity is the downloading of films, music and other material through sites like Pirate Bay and the posting of defamatory comments online. These behaviors can give rise to civil actions for torts such as breach of copyright and defamation. Whether legal action can be taken against someone for this activity depends on whether their identity and whereabouts can be ascertained. One way this can be achieved through the courts is by obtaining Discovery Orders requiring Internet Service Providers (ISPs) to disclose users’ identities.
What are discovery orders?
Discovery orders are procedural orders a court can make prior to the commencement of a civil trial in order to establish the identity of a person or to obtain additional information from a known defendant. ‘Identity discovery’ is of particular relevance to civil actions arising from online activity. In these cases it is generally known that a cause of action exists and the issue is the identity and location of the defendant.
When can discovery orders be made?
The decision of Roads and Traffic Authority of New South Wales v Care Park Pty Ltd provided some guidance on when a discovery order can be made upon a third party to establish the identity or whereabouts of a person. The court found that this can be done where such information may reveal the identity or whereabouts of a prospective defendant. The information obtained need not be ‘the last piece in the puzzle’; it need only help in the process.
A preliminary discovery order can require an ISP to identify the subscriber whose IP address was used for online activity when a civil action has arisen. Of course, it is possible that the subscriber is not the end user and therefore not the wrongdoer. In the case of Dallas Buyers Club LLB v iiNet, iiNet opposed preliminary discovery based on the argument that the identity of the account holder would not establish the identity of the end-user. The court considered a number of principles relevant to preliminary discovery on ISPs, namely:
- The reliability of evidence that an IP address was responsible for specific internet activity;
- The purpose for which the applicant was going to use the information and whether that purpose was lawful;
- The user’s right to privacy; and
- Whether other legislation prevented such an order being made.
Ultimately, Perram J rejected iiNEt’s argument and stated:
From the point of view of principle, it is difficult to identify any good reason why a rule designed to aid a party in identifying wrongdoers should be so narrow as only to permit the identification of the actual wrongdoer rather than the witnesses of that wrongdoing.
Australian federal and state courts are already granting preliminary discovery orders upon ISPs to release the name of a subscriber of an IP address that has perpetrated harm. These orders can be made regardless of whether the subscriber is the actual wrongdoer or not. To protect their privacy and avoid having their identity disclosed by an ISP, users may migrate to readily accessible technologies like The Onion Router (TOR) browser, which allows anonymous browsing. Users may further migrate to implementing the Tails operating system, which not only routes all communications through TOR but also leaves no trace of activity on the computer and encrypts all files, emails and instant messages.
As internet users become more knowledgeable about anonymity online and how to utilise this software, it is likely to become more difficult to establish the identity and whereabouts of someone engaging in illegal activity online. Discovery orders will probably be unable to assist in ascertaining the identities of these technologically savvy internet users.
How much control does a subscriber have over their network?
The IP address of a subscriber only identifies the physical router. It does not identify the actual computer or device used or the user who accessed the Internet. Similarly, the new WiFi enabling business model of some large Australian telecommunications companies effectively shares the private IP address of a subscriber with the world, meaning the subscriber has little or no control over who uses the network. This gives rise to the possibility that connection owners could be unfairly targeted by a preliminary discovery order to explain activity by users who have used their IP address.
In the Dallas Buyers Club case it was argued that control of a car is similar to control of a network router. The case concluded that the owner of a car is likely to know the driver of the car at a particular time and subsequently the owner of a network router is likely know who has been using it. However, it could be argued that control of a car is very different to control of a network router. A car requires a key to operate. While a network router can have security of varying degrees applied to it, this security is susceptible to attack. The susceptibility lies not only in physical connectivity but wireless connectivity, which is now so prevalent. This could potentially leave the owner of a network router susceptible to legal action when they have no knowledge of who has used their router. Similarly, users contributing to the TOR project by allowing their computers to be part of the TOR network may also be at risk. It is possible that a TOR exit node may have its router’s IP address recorded against a defamatory post on the internet.
If a Discovery Order were made on your ISP, which revealed you as the account holder, this could place you in a position of having to explain how your router’s IP address was used to commit unlawful activity online. It is therefore important to safeguard your network to prevent its unauthorised use.
If you require legal advice or representation please contact Go To Court Lawyers.