|5 Va. J.L. & Tech. 3 (2000)
1522-1687 / © 2000 Virginia Journal of Law and Technology Association
VIRGINIA JOURNAL of LAW and TECHNOLOGY
The Process that
"John Doe" is Due:
Addressing the Legal Challenge to Internet Anonymity
David L. Sobel[*]
II. Anonymity and Free Speech
provides relatively unlimited, low-cost capacity for communication of all kinds . . . [t]his dynamic, multifaceted category of communication includes not only traditional print and news services, but also audio, video, and still images, as well as interactive, real-time dialogue. Through the use of chat rooms, any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox. Through the use of Web pages, mail exploders, and newsgroups, the same individual can become a pamphleteer.
The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible.
Anonymity is a shield from the tyranny of the majority . . . It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation -- and their ideas from suppression -- at the hand of an intolerant society.
III. The Challenges to Anonymity
A. Law Enforcement Access to User Identities
B. Civil Discovery of User Identities
The same technology that lets companies communicate with investors also lets investors communicate with each other. The instrument of better investor relations can easily become the instrument by which investors challenge management, and it is no secret that investors are increasingly challenging management. . . .
IV. Leveling the Playing Field: Establishing Procedural Rights
General Counsel, Electronic Privacy Information Center ("EPIC"),
Washington, DC. The author gratefully acknowledges the assistance
of EPIC law clerks Jason Abrams of Fordham University School of
Law and Ethan Preston of the Georgetown University Law Center in
the preparation of this article.
 The Circuit Court in Loudoun County, Virginia, the home of America Online, has been inundated with requests for warrants seeking information on AOL users. As of April 1999, 70 of the 107 applications filed with the court since the beginning of the year were directed to information maintained by the online service. Serving warrants on AOL is "almost a full-time job" for the Sheriff's investigator responsible for service. Stephen Dinan, Search Warrants Keep AOL Busy, WASHINGTON TIMES, April 27, 1999, at C4.
 Reno v. American Civil Liberties Union, 521 U.S. 844 (1997), aff'g, 929 F. Supp. 824 (E.D. Pa. 1996).
 The challenged provisions of the CDA were enacted as Title V of the Telecommunications Act of 1996, Pub.L.No. 104-104, §502, 110 Stat. 56, 133-35 (1996).
 521 U.S. at 870.
 Id. at 868.
 514 U.S. 334 (1995).
 Id. at 341-42.
 Id. at 357. See also Lamont v. Postmaster General, 381 U.S. 301, 307 (1965) (finding unconstitutional a requirement that recipients of Communist literature notify the post office that they wish to receive it); Talley v. California, 362 U.S. 60, 64-65 (1960) (declaring unconstitutional a California ordinance that prohibited the distribution of anonymous handbills); ACLU of Georgia v. Miller, 977 F. Supp. 1228 (N.D. Ga. 1997) (striking down a Georgia statute that would have made it a crime for Internet users to "falsely identify" themselves online).
Similarly, in Denver Area Educational Telecommunications Consortium, 518 U.S. 727 (1996), the Supreme Court struck down a statutory requirement that viewers provide written notice to cable operators to obtain access to certain sexually oriented programs because the requirement "restrict[s] viewing by subscribers who fear for their reputations should the operator, advertently or inadvertently, disclose the list of those who wish to watch the . . . channel." 518 U.S. at 754. In Reno v. ACLU, the Supreme Court found that the credit card and adult access code requirements of the CDA would also unconstitutionally inhibit adult Web browsers. 521 U.S. at 857 n.23 ("There is evidence suggesting that adult users, particularly casual Web browsers, would be discouraged from retrieving information that required use of a credit card or password.").
 The Court recognized in McIntyre the "respected tradition of anonymity in the advocacy of political causes" and noted that "even the arguments favoring the ratification of the Constitution advanced in the Federalist Papers were published under fictitious names." 514 U.S. at 342-43, citing Talley v. California, 362 U. S. 60, 64-65 (1960).
 See, e.g., The Importance of Anonymity (visited Feb. 18, 2000) <http://www.alcoholics-anonymous.org/em24doc9.html>.
 Even where individuals have taken precautions, the Internet has a lowest common denominator of privacy: the IP address. It is not possible to connect to any computer on the Internet without using one. The IP address is typically recorded at both 1) the local server that provides the individual Internet access (typically called an Internet service provider or an ISP), which can relate it to the login name of the individual; and 2) a visited web site's server, which correlates that IP address' activities and the individual's activities on the website. "From an IP address, a server can determine the domain name . . . [and then] retrieve the name, physical location (e.g., country, state and zip code) and contact persons of the organization that originally registered that name . . ."
Although it is technically possible to forge an IP address by means of a proxy server or "spoofing," it is difficult and not necessarily within the average users' ability. Thus, knowledge of the IP address almost always leads to the organization which gave the targeted individual his or her Internet access. With the IP address and the time of the connection, "the ISP . . . will likely keep logs that identify the individual user, [along with] the remote computer contacted . . . and the date and time of contact."
Kang, Information Privacy In Cyberspace Transactions, 50 STAN. L. REV. 1193 at 1225, 1233 (1998). See also Lessig, The Law of the Horse, 113 HARV. L. REV. 501, 504-505 (1999).
 Louis J. Freeh , Child Pornography on the Internet and the Sexual Exploitation of Children (last modified March 10, 1998) <http://www.fbi.gov/pressrm/congress/congress98/sac310.htm>.
 Stephen Shankland, Melissa Suspect Arrested in New Jersey (last modified April 2, 1999) <http://news.cnet.com/news/0-1005-200-340689.html>. See also Joel Dean, Melissa Manhunt Creates Precedent (last modified April 7, 1999) <http://www.zdnet.co.uk/news/1999/13/ns-7648.html>.
 Erich Lvening, Smith Pleads Guilty to Melissa Virus Charges (last modified December 9, 1999) <http://news.cnet.com/news/0-1005-200-1489249.html>.
 Congressman Questions FBI on Melissa Arrest (last modified April 16, 1999) <http://www.zdnet.com/pcweek/stories/news/0,4153,1014408,00.htm>. Rep. David Wu (D-OR) was quoted as saying, "I believe in our society we are very concerned about privacy and anonymity and giving people space in which to act."
 18 U.S.C. §§ 2510 et seq.
 18 U.S.C. § 2518.
 Specifically, "the name, address, local and long distance telephone toll billing records, telephone number or other subscriber number or identity, and length of service of a subscriber to or customer of [an electronic communication] service and the types of services the subscriber or customer utilized." 18 U.S.C. § 2703(c)(1)(C).
 18 U.S.C. § 2703(c)(1)(A).
 In January 1999, Security and Exchange Commission Chairman Arthur Levitt stated that online trading accounted for approximately 25 percent of all retail stock trades and predicted that the number of online brokerage accounts would exceed 10 million by the end of the year. Statement by Chairman Arthur Levitt Concerning On-Line Trading, (last modified January 27, 1999) <http://www.sec.gov/news/press/99-9.txt>.
 Media Metrix, Inc. has reported that in June 1999 Yahoo! Finance attracted more than 5 million users; The Motley Fool logged 1.2 million; and Raging Bull and Silicon Investor each had a quarter million visitors. Kris Hundley, Surfing the Message Boards (last modified August 2, 1999) <http://www.sptimes.com/News/80299/Business/Surfing_the_message_b.shtml>.
 Getting to Know You: Dealing with the Wired Investor, Remarks by Commissioner Laura S. Unger, (last modified June 25, 1999) <http://www.sec.gov/news/speeches/spch287.htm>.
 While exact figures are impossible to ascertain, one report states that "[s]ince June 1988, American companies fighting . . . cyber-smears reportedly have been filing one or two lawsuits a week in Santa Clara County, Calif., the home of Yahoo! Inc." Blake A. Bell, Dealing With the "Cybersmear," N.Y.L.J., April 19, 1999, at T3.
 See, e.g., Lilly Files Message Board Defamation Suit (last modified July 28, 1999) <http://news.cnet.com/news/0-1005-200-345458.html>.
 See, e.g., Raytheon Sues 21 People Over Sharing of Company Secrets Online (last modified March 5, 1999) <http://www.freedomforum.org/technology/1999/3/5raytheon.asp>.
 Tom Kirchofer, Yahoo! Forum Case Raises Questions About Online Privacy (last modified April 6, 1999) <http://detnews.com/1999/technology/9904/06/04060129.htm>. According to a company spokesman, "whenever AOL receives a subpoena in a civil case, it always notifies the member, giving the person 14 days to try to quash the subpoena." While the AOL Terms of Service do not obligate the company to notify subscribers upon receipt of civil subpoenas, it has been AOL's practice to do so.
Yahoo! may also disclose account information in special cases when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating Yahoo!'s Terms of Service or may be causing injury to or interference with (either intentionally or unintentionally) Yahoo!'s rights or property, other Yahoo! users, or anyone else that could be harmed by such activities. Yahoo! may disclose or access account information when we believe in good faith that the law requires it and for administrative and other purposes that we deem necessary to maintain, service, and improve our products and services.
 See, e.g., Xircom, Inc. v. John Doe, Case No. CIV 188724 (Superior Court of the State of California for the County of Ventura 1999). Without a written opinion, the court quashed the initial subpoena on procedural grounds but permitted Xircom to serve a second subpoena on Yahoo!. Rebecca Fairley Raney, Judge Rejects Online Critic's Efforts to Remain Anonymous (last modified June 15, 1999) <http://www.nytimes.com/library/tech/99/06/cyber/articles/15identity.html>. Prior to the re-issuance of the subpoena, the parties settled the lawsuit. Carl S. Kaplan, Company Settles Suit Against Online Critic (last modified July 16, 1999) <http://www.nytimes.com/library/tech/99/07/cyber/articles/16xircom.html>.
 Civil Action No. 99-816 (Commonwealth of Massachusetts Superior Court, Middlesex County, Filed February 1, 1999). The complaint is available online at <http://www.intelico.com/johndoe1.htm>.
 Raytheon Drops Suit Over Internet Chat, Associated Press (last modified May 22, 1999) <http://www.nytimes.com/library/tech/99/05/biztech/articles/22raytheon.html>.
 The "outing" of a gay Internet user was at issue in McVeigh v. Cohen, 983 F. Supp. 215, 219 (D. D.C. 1998). In apparent violation of both ECPA and its Terms of Service, America Online disclosed information to the U.S. Navy that identified an AOL subscriber (and sailor) as being gay. A resulting discharge proceeding against the sailor was enjoined by the district court, which observed that "enforcement of the ECPA is of great concern to those who bare the most personal information about their lives in private accounts through the Internet." Id. at 221.
 514 U.S. 334, 357 (1995), citing Abrams v. United States, 250 U.S. 616, 630-31 (1919) (Holmes, J., dissenting).
 The type of inquiry that courts should make when assessing the merits of maintaining anonymity was described by the court in Columbia Insurance Co. v. SEESCANDY.com, 185 F.R.D. 573, 578 (N. D. Cal. 1999). The court noted that "the need to provide injured parties with a forum in which they may seek redress for grievances . . . must be balanced against the legitimate and valuable right to participate in online forums anonymously or pseudonymously." The court then articulated a four-part test for "the determination of whether discovery to uncover the identity of a defendant is warranted." Id.
First, the plaintiff should identify the missing party with
sufficient specificity such that the Court can determine that
defendant is a real person or entity who could be sued in federal
court . . . This requirement is necessary to ensure that federal
requirements of jurisdiction and justiciability are satisfied . .
. Second, the party should identify all previous steps taken to
locate the elusive defendant. This element is aimed at ensuring
that plaintiffs make a good faith effort to comply with the
requirements of service of process and specifically identifying
defendants . . . Third, plaintiff should establish to the Court's
satisfaction that plaintiff's suit against defendant could
withstand a motion to dismiss. A conclusory pleading will never
be sufficient to satisfy this element . . . Lastly, the plaintiff
should file a request for discovery with the Court, along with a
statement of reasons justifying the specific discovery requested
as well as identification of a limited number of persons or
entities on whom discovery process might be served and for which
there is a reasonable likelihood that the discovery process will
lead to identifying information about defendant that would make
service of process possible.
Id. at 578-80.
 John Doe defendants do not have the option of appearing pro se for two reasons. First, a personal appearance would obviously negate a defendant's efforts to conceal his or her identity. Second, suits against John Does are frequently filed in jurisdictions distant to the defendants. As a result, anonymous defendants who wish to protect their identities are compelled to incur the expense of retaining counsel to represent them (assuming they are able to locate counsel in a distant jurisdiction on short notice).
|Presuming statutory protection of encrypted code is inadequate or unconstitutional, what do you suggest a developer of software for export require in a contract with a purchaser/importer to protect against code cracking or pirating of the software, or the products being purchased online?|
|It seems as though there is a serious conflict here between interests of consumers and businesses in allowing the free export of encryption software and the interests of the U.S. government in preventing international distribution of this technology. Both consumers and businesses need the technology because it improves data security and thereby aids international commerce. However, the international distribution of high-powered encryption software implicates grave concerns both for national security officials and law enforcement because this technology greatly hinders intelligence gathering efforts. Providing "backdoor" access to encrypted information does not necessarily resolve this issue because it makes the data more vulnerable. Therefore, before any uniform encryption policy is developed, the U.S. government's concerns must be addressed.|