Internet Privacy: Inroads into Assumptions

June 30, 2001

Motley Fool Limited operated a Web site that had various discussion forums available to site users. On one discussion board, messages were posted about Totalise Plc an ISP. Totalise took exception to certain comments made about it by a site user known as ‘Zeddust’. Totalise complained to Motley Fool that the notices were defamatory and eventually MotleyFool removed the postings and ultimately banned Zeddust from its site.

Not satisfied with simply having the messages removed, Totalise wanted to know the identity of the person who had posted them but Motley Foolrefused to do so. Motley Fool’s terms and conditions provided for confidential postings and it undertook to site users not to reveal their identities, except as specifically described in its privacy policy or to comply with legal requirements. Not deterred, Totalise applied to the court for an order for disclosure of Zeddust’s identity.

Under the Contempt of Court Act 1981, the court may require disclosure of information contained ‘in a publication for which a person is responsible’ if it is satisfied that the disclosure is necessary, in the interests of justice, or for the prevention of disorder or crime. The court felt that preventing defamation was a sufficient reason to require disclosure and confirmed that such disclosure was permitted under the Data Protection Act 1998,s35.

So that’s what happened, but what are the implications of this for Internet users?

The first issue arising from this decision is that even if you have a privacy policy which states that you will not reveal the name of a person using a chat room or forum, you cannot guarantee such privacy to site users if the law requires the identity to be revealed. As anyone who has studied RIPA will know, this is a cause celebre atthe moment. Privacy policies need to be drafted to account for this to avoid site owners inadvertently breaching their contracts with site users. Obviously disclosure will be required only in instances where an offence has been committed or is likely to be committed, but usually this involves national security or criminal matters, not defamation.

Interactive Investor Limited (the second Defendant) argued thatit was exempt from the obligation to provide details as to source on the basis that it was akin to a newspaper (Contempt of Court Act 1981, s 10). The court disagreed and took the view that because Interactive Investor Limited had disclaimed responsibility for the content of its site, it could not then argue that it was a content provider like a newspaper is. Does the MotleyFool decision mean that if you monitor Web site content, you will be deemed to be a newspaper and thus able to use the section 10 defence? Probably yes, but having control of content will almost certainly mean you will be liable under defamation law for publishing the defamation and presumably liable under other legislation for offences relating to pornography or copyright infringement. This seems to be a situation of damned if you do monitor (like Demon) and damned ifyou don’t.

The American Federal Courts have taken a somewhat different approach. Bankrupt US company went to court to discover the identity of people who had anonymously posted messages about it alleging securities fraud. The District Judge found that had not provided sufficient evidence to overcome the rights of people posting messages to have their identity kept secret under the First Amendment. Such differences betweenthe UK and the US approach will surely lead to confusion in this area.

So, what’s to be done? All Web site owners should make their site users actively agree to a privacy policy and click their acceptance of it before being allowed to enter registration details or post a message for the first time. Such privacy policy should state that the site owner will be permitted to reveal the identity of a person posting a message in the event that they are involved in court proceedings, or if they are otherwise compelled to do so by law. Of course, this assumes that people using bulletin boards etc will always provide accurate details as to identity in the first place. Will the next step in the legislator’s battle to regulate the Internet be the requirement to verify site users’ identities? If this is happens the name of this case could not be more apt, as it is likely to make motley fools of legislators, ISPS and internet users.

Joanne Ashley is anassociate at Sprecher Grier Halberstam and specialises in IP and e-commerce.