Identifying Anonymous Forum Posters is a Real Possibility

Imagine that you want to sue someone for what they wrote, anonymously, in a web-based online forum. To succeed, you’ll first have to figure out who they really are. How hard is that task? It’s a question that Harlan Yu, Ed Felten, and I have been kicking around for several months. We’ve come to some tentative answers that surprised us, and that may surprise you.

Until recently, I thought the picture was very grim for would-be plaintiffs, writing that it should be simple for “even a non-technical Internet user to engage in effectively untraceable speech online.” I still think it’s feasible for most users, if they make enough effort, to remain anonymous despite any level of scrutiny they are practically likely to face. But in recent months, as Harlan, Ed, and I have discussed this issue, we’ve started to see a flip side to the coin: In many situations, it may be far easier to unmask apparently anonymous online speakers than they, I, or many others in the policy community have appreciated. Today, I’ll tell a story that helps explain what I mean.

Anonymous online speech is a mixed bag: it includes some high value speech such as political dissent in repressive regimes, some dreck we happily tolerate on First Amendment grounds, and some material that violates the laws of many jurisdictions, including child pornography and defamatory speech. For purposes of this discussion, let’s focus on cases like the recent AutoAdmit controversy, in which a plaintiff wishes to bring a defamation suit against an anonymous or pseudonymous poster to a web based discussion forum. I’ll assume, as in the AutoAdmit suit, that the plaintiff has at least a facially plausible legal claim, so that if everyone’s identity were clear, it would also be clear that the plaintiff would have the legal option to bring a defamation suit. In the online context, these are usually what’s called “John Doe” suits, because the plaintiff’s lawyer does not know the name of the defendant in the suit, and must use “John Doe” as a stand in name for the defendant. After filing a John Doe suit, the plaintiff’s lawyer can use subpoenas to force third parties to reveal information that might help identify the John Doe defendant.

In situations like these, if a plaintiff’s lawyer cannot otherwise determine who the poster is, the lawyer will typically subpoena the forum web site, seeking the IP address of the anonymous poster. Many widely used web based discussion systems, including for example the popular WordPress blogging platform, routinely log the IP addresses of commenters. If the web site is able to provide an IP address for the source of the allegedly defamatory comment, the lawyer will do a reverse lookup, a WHOIS search, or both, on that IP address, hoping to discover that the IP address belongs to a residential ISP or another organization that maintains detailed information about its individual users. If the IP address does turn out to correspond to a residential ISP — rather than, say, to an open wifi hub at a coffee shop or library — then the lawyer will issue a second subpoena, asking the ISP to reveal the account details of the user who was using that IP address at the time it was used to transmit the potentially defamatory comment. This is known as a “subpoena chain” because it involves two subpoenas (one to the web site, and a second one, based on the results of the first, to the ISP).

Of course, in many cases, this method won’t work. The forum web site may not have logged the commenter’s IP address. Or, even if an address is available, it might not be readily traceable back to an ISP account: the anonymous commenter may been using an anonymization tool like Tor to hide his address. Or he may have been coming online from a coffee shop or similarly public place (which typically will not have logged information about its transient users). Or, even if he reached the web forum directly from his own ISP, that ISP might be located in a foreign jurisdiction, beyond the reach of an American lawyer’s usual legal tools.

Is this a dead end for the plaintiff’s lawyer, who wants to identify John Doe? Probably not. There are a range of other parties, not yet part of our story, who might have information that could help identify John Doe. When it comes to the AutoAdmit site, one of these parties is StatCounter, a web traffic measurement service that AutoAdmit uses to keep track of trends in its traffic over time.

At the moment I am writing this post, anyone can verify that AutoAdmit uses StatCounter by visiting AutoAdmit.com and choosing “View Source” from the web browser menu. The first screenfull of web page code that comes up includes a block of text helpfully labeled “StatCounter Code,” which in turn runs a small piece of javascript that places a personalized StatCounter cookie on the machine of every user who visits AutoAdmit, or else (if one is already present) detects and records exactly which cookie it is. That’s how StatCounter can tell which visitors to AutoAdmit are new, which ones are returning, and which pages on the site are of greatest interest to new and returning users. StatCounter is in a position to track not only each user, but also each page, and each visit by a user to a certain page, over time. This includes not only the home page, but also the particular web page for each discussion “thread” on the site. Moreover, each post (even if anonymous) is marked with the time it was posted, down to the minute. So the plaintiff’s lawyer in our story could go to StatCounter, and ask only about visits to the particular thread where the relevant message was posted. If the post went up at 6:03 p.m. on a certain date, the lawyer could ask StatCounter, “What if anything do you know about the person who visited this web page at 6:03 p.m. on this date?” Of course, if John Doe’s browser is configured to refuse cookies, he wouldn’t be trackable. But most web based discussion sites, including AutoAdmit, rely on cookies to let people log in to their pseudonymous accounts in order to post comments in the first place. In any case, the web is much less convenient place without cookies, and as a practical matter most users do allow them.

In fact, the lawyer may be able to do better still: The anonymous commenter will have accessed the page at least twice — once to view the discussion as it stood before he took part, and again after clicking the button to add his own post to the mix. If StatCounter recorded both visits, as it very likely would have, then it becomes even easier to tie the anonymous commenter to his StatCounter cookie (and to whatever browsing history StatCounter has associated with that cookie).

There are a huge number of things to discuss here, and we’ll tackle several in the coming days. What would a web analytics provider like StatCounter know? Likely answers include IP addresses, times, and durations for the anonymous commenter’s previous visits to AutoAdmit. What about other, similar services, used by other sites? What about “beacons” that simply and silently collect data about users, and pay webmasters for the privilege? What about behavioral advertisers, whose business model involves tracking users across multiple sites and developing knowledge of their browsing habits and interests? What about content distribution networks? How would this picture change if John Doe were taking affirmative steps, such as using Tor, to obfuscate his identity?

These are some of the questions that we’ll try to address in future posts.

[thanks to specialkrb and freedom to tinker via cc]

The AutoAdmit Scandal: The XOXOTH Secret Forum Identities

There’s a major controversy that’s been brewing at the law school forums at AutoAdmit (also known as Xoxoth). One of the forum posters involved in this scandal is AK-47, who used profane language to describe the intimate lives of women who were attending the top law schools in America in 2007. Some of these posts were so vile that they caused a national debate over the anonymity that people usually have while online.

Here’s a sample of the language used by AutoAdmit forum poster AK-47: “Women named Jill and Hillary should be raped.”

Now these two female law student-lawyers from Yale Law School have discovered AK-47′s true identity along with the names of other AutoAdmit.com forum posters. These posters now face the possibility of their names being published in court records which could spell the downfall of their law careers long before they ever start.

This coming out of the true identities of the forum posters is a rare mark in a world where being anonymous is the name of the game. Yet over a year since the lawsuit was filed nothing much else has been resolved, and the controversies surrounding the case have only increased. The original women that filed the suit have since gone silent, with two also being sued themselves. Experts are now wondering if there is any point to continuing with the case.

“You have good lawyers putting their time in on the case, and in a policy sense, they are achieving something.” Said Ann Bartow, an associate professor at the University of South Carolina School of Law. “But in a victim sense — assuming you think of the women as victims — it’s not clear what this is going to achieve.”

Behind the Scenes of the AutoAdmit Controversy

The controversy surrounding AutoAdmit began even before one of the women started classes in late 2005. She was told in the summer that a thread existed on AutoAdmit that was titled “Stupid Bitch to Attend Law School.” The thread also included posts stating “I think I will sodomize her repeatedly” and a reply post claiming “she has herpes.” The second woman was attacked in a similar fashion beginning in January of 2007.

Before the incident became public both women contacted the admin of AutoAdmit to remove the offending threads, but then the story hit the front page of The Washington Post and became very public. Soon after, both students with the help of Stanford and Yale professors filed a lawsuit in June 2007 seeking restitution in the amount of hundreds of thousands of dollars.

Both plaintiffs contend that the thread made about them ended up on the first page of search engines sullying their names which cost them prestigious jobs and affected their relationships and social lives.

“We have never had such a way to lie and distort facts about people — to spread lies and distortions in a way that is attached to them,” says Bartow. “And you can game it to come up on the front page of Google.”

Your Online Reputation: Is It at Risk?

Ms. Bartow believes that the problem lies in the fact that technology has outstripped the law. Daniel Solove, a professor at George Washington University has been thinking about the issue long enough to have written a book entitled “The Future of Reputation: Gossip, Rumor, and Privacy on the Internet“.

“The internet isn’t a radical-free zone where you can hurt people. But on the other hand, we can’t have everyone rushing to the court, because the court is a blunt tool,” states Solove. “We need something to help shape norms — there needs to be some kind of push back against the notion that the internet is a place where you can say what you want and screw the consequences. That’s not what free speech is about.”

Since libel lawsuits are usually about someone clearing their name, Mr. Solove laments the lost art of the duel, which is described by him to be an elaborate nonjudicial way of people settling disputes that most of the time never got to the shooting phase.

“We don’t have any middle-ground dispute resolution processes in society anymore, and courts aren’t a good way to vindicate these non-monetary harms,” Solove says. “I think we need something else.”

An idea that has been gaining a lot of support lately would be DMCA-like legislation enabling victims of slander to issue a take-down notice with the site owner, or hosting company. If the served complies with such an order they would then be immune to any resulting legal action.

But there are flaws with that system as well, as false DMCA notices have been used by numerous people and entities, such as the Pentagon, in order to remove content from YouTube.

The acting director of the Law, Technology and Public Policy Clinic at UC Berkeley, Jason Schultz, states that it would be a gross mistake to use such acts to limit controversial speech online.

“I think you run the risk of too much take-down,” Schultz says. “I think you need procedural hurdles in place since we are talking about a constitutional right.”

Even relying on current liability law, the AutoAdmit case has trod on dangerous ground.

The AutoAdmit Forum Administrator Anthony Ciolli: What’s the Future?

Lawyers of the two women originally named one of the administrators of AutoAdmit.com, Anthony Ciolli, who was at the time a third-year law student, as a defendant — even though Congress has intentionally covered electronic service providers from being responsible for what their users post online.

Mr. Ciolli’s former lawyer, Marc Randazza, says that Ciolli never participated in any of the offending threads, and was only ever named in order to gain leverage in an effort to change how vile material was handled at AutoAdmit.

“As an attorney, I found it really offensive that Ciolli was being held hostage to these people’s demands on a third party,” says Randazza.

Mr. Solove is not so sympathetic.

“Part of reason people were so upset with Anthony Ciolli was that they believe he stuck to his guns and defended things on free speech grounds,” Solove says. “People want to see some sort of contriteness.”

After a number of months the two women who originally filed the lawsuit dropped Anthony Ciolli from the suit. That act did not completely satisfy Ciolli though, who in return filed his own lawsuit in March of 2008 claiming that the women and their lawyers improperly listed him in the lawsuit.

In January a federal judge ruled that the attorneys would be able to serve subpoenas to the ISPs and webmail providers. Now using that power the lawyers have discovered the identities of some, but not all of the offending posters.

They are now asking the judge to give them some additional time to try and ascertain the identities of the rest of the defendants who are currently being sued under the handles they used for posting on AutoAdmit.com, including PaulieWalnuts, Cheese Eating Surrender Monkey, The Ayatollah of Rock-n-Rollah, Patrick Bateman and HitlerHitlerHitler.