Raising the IP Address Curtain in civil court actions: Revealing the identity behind the numbers
The Scenario
Mr McGinty runs a launderette business as a sole trader. A sales representative approaches Mr McGinty and offers to sell him a brand-new washing machine. Mr McGinty cannot afford to buy the machine in cash. Worry not, says the sales representative, we can get you finance. Mr McGinty appears reluctant but the representative's persistence pays off. In his eagerness to obtain a sales commission, the representative rushes the sale and obtains the bare minimum of Mr McGinty's personal and business details. These include an email address "a44056bc@hotmail.com". The details also include a photograph of Mr McGinty's driver's licence. The sales representative then sends the details to the finance company. The finance company emails an online application to the email address provided. The application is filled in and signed online via that email address. A finance contract is produced that appears to be signed by Mr McGinty bearing his name in the signature box.
But the signature in question is computer generated. The finance company has a record of someone accessing the contract electronically, reviewing it, and signing it remotely. They have an internet protocol address (IP address) from which all these actions had been performed. Finance is approved and a brand-new washing machine is delivered to Mr McGinty's business premises. Mr McGinty accepts delivery of the machine.
A few weeks go by (more than two) and a direct debit payment is taken from Mr McGinty's account. He immediately calls his bank and states that he did not authorise this payment - the payment is reversed and the direct debit cancelled.
The Finance company gets in touch with Mr McGinty asking why he stopped the payment. He refuses to engage with them. They take him to court for breach of contract. Mr McGinty defends the claim by saying that he had never wanted a washing machine, that he accepted the delivery of the machine under protest, that he never provided his details to the finance company, and that someone had fraudulently used his details in the finance application. He denies owning the email address in question and ever signing the finance contract.
What is the finance company to do? Bearing in mind that this is a relatively low-value claim, the finance company know that they cannot spend much on prosecuting the claim. Mr McGinty knows this too, as he happens to benefit from sound legal advice. How can the claim be pursued in a financially viable way? A solution appears on the horizon - surely, if Mr McGinty could be linked with the email address, it would be a strong argument that it was he who signed the contract. And surely this would be a simple matter of finding out if Mr McGinty is behind the IP address which was used to access and sign the contract. Surely.
Recovery of Information/ISP
The above scenario (based on a real court action, names having been changed) raises a number of legal issues. But a key one is the ability to prove that a contract was signed online by an individual by linking that individual and IP address used. This is especially so where the individual denies having signed the contract at all and denies owning the relevant email address.
In the context of a court action in Scotland, the Court can order the recovery of information and/or documents (known as an order for commission and diligence). So long as the documents and/or information sought are relevant, the Court can order recovery against any party that has them (the haver). Finding out who is behind an IP address requires such an order. But it is not enough to know the actual IP address – you must also know the identity of the internet service provider (ISP) who makes the IP address available for a person to use. Without knowing this there would be no haver on whom the court order can be served.
Fortunately, and surprisingly, it is usually possible to find which internet service provider supplies the IP address in question online and to do so for free. A number of search engines exist for this purpose. They also provide some useful information about the relative geolocation from which the IP address had been used. The IP address search engines’ reliability is not 100% guaranteed – they are there to give a hint as to who the ISP might be. Discovering if this is correct is only possible by serving the ISP with the court order. Nevertheless, if it transpires that the address of the person sued is within the geolocation area provided by the search engine, it makes it more likely that you are on the right track. It should be noted that the use of virtual private networks (VPN) could prevent discovering the real IP address, but this is a question for another day.
Court in Scotland
Our experience has been that the Court in Scotland is willing to grant such orders where needed. The difficulty arises with the service of the orders on ISPs. Major ISPs all have places of business in Scotland but serving a court order by post is not as simple as you might imagine. Because the major ISPs are often large PLCs, our experience has been that mail may get displaced and often may not quickly reach the ISP's legal department (even if the envelope is clearly marked). All of this causes significant delay to obtaining the information.
This brings us to the next hurdle - obtaining information on the identity of the person behind the IP address. An ISP can simply respond that they are not the ISP providing the IP address in question. Currently, there is no way to independently verify this. But even if the ISP confirms that it does supply the IP address, ISPs are not under an automatic obligation to keep records of who uses a particular IP address at a particular point in time. They might be under what is called a “retention notice” issued by the Home Secretary under s 87 of the Investigatory Powers Act 2016. The existence of such notices and their respective periods of effect are not a matter of public record, but we do know that the period of retention for each notice must not exceed 12 months. Nevertheless, ISPs appear to keep records under their internal rules on the matter which are, unfortunately, not published. Serving a court order for recovery of such information amounts to a stab in the dark - the ISP might have it, they might not, and there is no easy way to verify the response.
Some ISPs seek payment of a charge before releasing the information. A haver is ordinarily entitled to recover its reasonable costs incurred in producing the information/documents which the court order compels them to produce (see Phoenicia Asset Management SAL v Steven Alexander [2010] CSOH 71). These costs could be sought to be recovered in advance (subject to taxation, i.e. determination by the Auditor of Court).
Economic reality
In the case of Mr McGinty, it transpires that the ISP does manage the IP address in question, but that it does not hold the data of who used the IP address at the point in time when the online contract was signed. In the absence of this information, pursuing the claim against Mr McGinty becomes financially unviable, as proving who entered into the contract with the finance company would incur costs exceeding the value of the claim. The claim gets abandoned.
Conclusions
It is important to note that in the above case it took some time before an order for recovery of the IP address information was sought and obtained. If such information is needed, we recommend that an order is obtained as soon as possible following the online interaction. While it does not guarantee that the ISP would have kept the information, it increases the chances significantly.
The wider question is about regulation. So much of our interactions with the rest of the world now proceed online. In the context of disputes, it is important for it to be as difficult as possible for someone to escape liability for their actions simply because the relevant information is stored for a limited period of time. Should there be a minimum period for storage of such data? We would argue that there should be one. The length of any such period should be determined in consultation with ISPs so as not to make the requirement unduly burdensome. What is important is for there to be clear rules on how this information is stored and for how long it is available. This would allow for any person, whose legal rights' vindication is dependent on accessing such information, to know what course of action they can and need to take.
If you have any queries about the above article, please contact a member of our Commercial Dispute Resolution team.
