UK: Finding Anonymous Wrongdoers - The e-commerce Context

Originally published in BLG's Technology Law Review, Summer 2007

How do you find out who has made an anonymous bulletin board posting? What if an unknown person has leaked a confidential e-mail to someone? There is a legal remedy which can help claimants find out who is responsible, and recent cases show just how it can be used in an online context.

It is not usually possible to sue a party just to obtain information from them. Although you can now apply to the court to obtain documents from a potential defendant before a substantive claim is brought, it has to be shown that such a claim is likely. However, as an exception to the general rule, the courts will make orders requiring innocent third parties to disclose documents or information where disclosure will throw light upon another party's wrongful act. To get such an order, three conditions usually need to be satisfied:

• a wrongful act must have been carried out by someone;

• an order must be necessary to enable action to be brought against the wrongdoer; and

• the party against whom a disclosure order is sought must be involved in the wrongdoing so as to have "facilitated it" and be able to provide information which will enable the wrongdoer to be sued.

These principles have been established following a well-known 1974 case called Norwich Pharmacal. They do not require the person from whom disclosure is sought actually to have committed a wrongful act. Indeed, that party is often entirely innocent of any wrongdoing. It is only necessary that they should have been mixed up in the wrongdoing in some way, quite possibly without ever knowing much about it. Norwich Pharmacal was decided long before e-commerce came into being, but a number of recent cases have now considered how it is to be applied in an IT context.

In Totalise PLC v Motley Fool (2001), the defendant ran an investment advice website. A user of the site anonymously posted defamatory material about the claimant. Because the wrongdoer was anonymous, the claimant did not know who to sue. The operators of the website would not voluntarily release the identity of the user who had posted the comments: service providers and others who operate websites may take down inappropriate sites or content once made aware of them but are often unwilling voluntarily to disclose details of who is responsible because of confidentiality and data protection. The Data Protection Act (section 35) nevertheless allows courts to make an order overruling the Act's non-disclosure provisions in certain circumstances, and the claimant successfully applied for an order requiring the disclosure of the wrongdoer's identity.

What is meant by "facilitating" wrongdoing? The recent case of Campaign Against the Arms Trade v BAE Systems PLC (2007) shows that the test is not a strict one. It may consist merely of the receipt of an e-mail. In this case, an unknown individual unlawfully leaked to BAE an e-mail containing privileged legal advice. BAE's solicitors returned the e-mail to its original owners and assured them that everything reasonable had been done to destroy all copies of it. The court nevertheless took the view that the damage had already been done and wrongdoing had already been facilitated. Although BAE had sent a redacted version to the owners, removing the routing information and header from it, these very actions had prevented the discovery of the sender's identity. BAE had therefore facilitated the unlawful disclosure by allowing the identity of the sender to remain undetected. They were ordered to reveal that information.

The Norwich Pharmacal order can therefore perform a very useful function in the e-commerce context, where it is not difficult to withhold or conceal the identity of the originator of an electronic communication. Some practical points about the operation of such orders are nevertheless worth considering:

• The scope of the disclosure which will be permitted by the court is strictly limited. A recent IT-related case, Nikitin v Butler LLP (2007), re-emphasised the existing principle that orders are not intended to allow applicants to "fine tune a pleading or identify every person... who may have committed an unlawful act". The application in that case failed because the applicants already had sufficient information with which to make their intended claim. The court in the BAE Systems case also substantially cut down the scope of the disclosure originally requested when it made its order: fishing for more information than is absolutely necessary will not be allowed.

• In most cases where an order is made, it is the applicant who will have to pay the costs of the party ordered to make the disclosure, including the costs of making the disclosure itself, not just of the court application. Those against whom orders are made will not always resist an order, so will not necessarily run up a lot of costs, but this is a very important practical point for applicants to remember, not least because it is contrary to the usual rule that a successful party can recover its costs.

• Although confidentiality and data protection will not usually defeat a Norwich Pharmacal application, if documents or information are privileged (i.e. would be exempt from disclosure in litigation, for example because they contain legal advice) the court will not usually be able to override that privilege and order disclosure.

Despite these limitations, disclosure orders on these lines are likely to become increasingly popular in an online context, providing an important weapon in the IT litigator's armoury.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.