By: Neil McLean, Discovery Consultant
When I think about consumer data privacy as it relates to electronic discovery, I have mixed feelings. On one hand, I want to know that information about me is secure and cannot fall into the possession of anyone who I don’t grant permission, and that I have the regulatory framework in place to rectify any wrongdoings. On the other hand, many of these measures often make it more difficult for forensic investigators and law enforcement to gain access to information that will bring truth to a case.
Even if a company is located outside of the EU, it must comply with GDPR if its operations involve EU citizens. Most famously, Google was fined $57 million in January for failure to adequately disclose details to consumers on how its products are utilizing their data.
Even with global companies facing more stringent rules than smaller, domestic companies in the US and other countries outside the EU (at least for now), data will inevitably be collected and processed without the transparency required by the GDPR. While I think we can all agree that the right to privacy is a necessity in this digital age, I want to focus on what data is being collected now that can potentially be subpoenaed and be useful to your case.
As we consumers require more be done to maintain our ability to be anonymous travelers on the information super highway, what comes with that privacy can be considered a double-edged sword. Take for instance the issue of online defamation. Many of the choices consumers make are influenced by the reviews left online by other consumers. I would consider it strange to not do a quick Google search for a product or service you were thinking about purchasing and not read what others have to say about their experience. There have been many occasions in which a review has had either made a sale or deterred me to find another option. If you’re a business that’s focused on service, a wealth of positive reviews can set you apart from the rest of the field. But what if a false claim was made about your client and is out there for the entire world to see? Someone with the intent could easily create a fake alias to shield themselves from any accountability.
Without legal action, there are steps you can take to have them removed. For example, you can submit a request through Google to have inappropriate reviews removed from its platform. But what if they determine it cannot be removed as fraudulent? What if the damage has already been done and the runaway viral train has already destroyed your client’s reputation? How do I find who did this? More importantly — if I find them, how can I prove in the court of law this person is responsible? The road to finding this out can be complex, but it will most likely require subpoena power.
To successfully file a John Doe case can be tricky since state law varies and internet entities are diverse in the location of their corporate structure. Joe Meadows, a former DOJ attorney and partner with Bean, Kinney & Korman in Arlington, Virginia discusses some of the hurdles litigators face in filing a John Doe case on the Digital Detectives podcast. Firstly, one must prove a “defamatory impact” that outweighs traditional First Amendment anonymity protections. Once that has been accomplished, a good place to start is to subpoena an IP address from the platform on which a post made. You can use this to track, within a reasonable distance, the location of the computer that was used to create the post, as well as the ISP (Internet Service Provider) that the person was using. If it’s simple, you can then subpoena the ISP, such as AT&T or Comcast, for the account holder associated with that IP address. A guide to best practices for utilizing IP subpoenas published by Colleen M. Deanney, Partner at Vorys, Sater, Seymour and Pease LLP, is a fantastic resource to get started if you find yourself in this situation.
There can be some challenges to utilizing an IP address to track down the defendant. For instance, if the post was made on a mobile device connected to a cell network, or by someone utilizing a VPN connection it may be difficult to track the IP address to a specific location or user immediately. You would need to subpoena cellular networks for their logs containing the device IMEI, and then associate the account holder of the registered device by subpoenaing mobile carriers for that information. You can also subpoena a VPN service for their IP logs to show what original IP’s have connected to their servers and the browsing activity during that connection. Some VPN services advertise they do not keep logs of this activity, but there are examples where this can be circumvented or is untrue. Also, VPN services may be headquartered in a foreign country which can pose even greater challenges for obtaining this information. In short, it may require a considerable effort to find the correct data, and just when you thought you were at the end of the road, you may only uncover another data point to lead you to your next subpoena.
Since we’ve established the potential for savvy users to mask their online activity, there is one more interesting caveat companies are using to track visitors on their platforms: browser fingerprinting. The general concept is that in order to render a webpage, a browser must communicate to a website to read the information presented, and then pull it up on your screen. The information shared includes what plug-ins you have installed, time zone, screen resolution, languages, fonts, and several other data points. The combination of inputs, obtainable through your browser, can often be completely unique to all other internet users on the planet. Thus, if a website was accessed through several layers of VPN, a website may still be able to identify a user based on the browser fingerprint and associating that fingerprint with any previous visits that could have been made when not attempting to mask identity. I tested mine on Panopticlick and found that my fingerprint is 1 in 26,406. Generally, the more basic you can make your browser, the more difficult it is to uniquely fingerprint.
In summary, I think we can be thankful as consumers that there is a growing trend to protect privacy in the digital frontier. However, these measures do present massive challenges to the justice system in not only developing the governance framework to protect citizens but also in providing enough leeway to hold those who abuse the internet accountable. Although the adoption of the GDPR is a massive first step in the right direction, I believe this topic will need to evolve and change as rapidly as technology itself, if that’s possible.