Users of Wikipedia can be traced by third parties

05/01/2010

The Applicants (a mother and young child) applied to the Court for an order requiring the Respondent to disclose the IP address of a registered user of the Wikipedia website (a "Norwich Pharmacal" order). The user in question had made an amendment to an article available on Wikipedia.

The Mother believed that she was the subject of an attempt at blackmail. She had received two anonymous letters, one of which included private information which was included in the amendment.

The Court indicated that:

..."applicants for injunctions to restrain publication of private information, and for related relief, such a Norwich Pharmacal order, are not infrequently in a similar situation in this respect to the mother. But even if there is no link between the person making the claims against the company, the two anonymous letters, and the amendment, the position of the Applicants is no weaker. If there is no such link, there remains a very strong case that private information has been disclosed by someone. The range of suspects would then include professional advisers."

The Respondent indicated that it would not disclose the address without a court order, but nor would it oppose the making of such an order. The Court ordered that the Respondent disclose the IP address. It also made orders restricting what on the Court file was accessible to the public and provisions preventing disclosure of the identity of the Applicants.

In November 2009 the solicitors for the Applicants wrote to the Respondent requesting the IP information and explained the nature of the Applicants' complaints against the author of the amendment and the reasons why they believe it to have been made maliciously and why the amendment ought to be removed.

The Respondent's role in relation to material available on Wikipedia is limited and includes a Privacy Policy in which it is referred to as "the Foundation":

"USER ACCOUNTS AND AUTHORSHIP

The Foundation does not require editors to register with a project. Anyone can edit without logging in with a username, in which case they will be identified by network IP address. Users that do register are identified by their chosen username. . . .

RELEASE: POLICY ON RELEASE OF DATA

It is the policy of Wikimedia that personally identifiable data collected in the server logs, or through records in the database via the CheckUser feature, or through other non-publicly-available methods, may be released by Wikimedia volunteers or staff, in any of the following situations:

1. In response to a valid subpoena or other compulsory request from law enforcement.

2. With permission of the affected user.

3. When necessary for investigation of abuse complaints.

4. Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues.

5. Where the user has been vandalizing articles or persistently behaving in a disruptive way, data may be released to a service provider, carrier, or other third-party entity to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers.

6. Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.

Except as described above, Wikimedia policy does not permit distribution of personally identifiable information under any circumstances.

Third-party access and notifying registered users when receiving legal process:

As a general principle, the access to, and retention of, personally identifiable data in all projects should be minimal and should be used only internally to serve the well-being of the projects. Occasionally, however, the Foundation may receive a subpoena or other compulsory request from a law-enforcement agency or a court or equivalent government body that requests the disclosure of information about a registered user, and may be compelled by law to comply with the request. In the event of such a legally compulsory request, the Foundation will attempt to notify the affected user within three business days after the arrival of such subpoena by sending a notice by email to the email address (if any) that the affected user has listed in his or her user preferences."

The Applicants told the Respondent that this was a case of abuse and in reply the Respondent said they would refer the request for the deletion of the archived version of the amendment to "the community of volunteer editors, one or more of whom may attempt to address your concerns". They also referred to the immunity under section 230 of the US Communications Decency Act (1996) from most civil liability for content they did not originate or develop. They then stated that the Respondent did not conduct operations within the jurisdiction of this court but that they were happy to forward the Applicants' request to their volunteer community.

The amendment was removed promptly following the request made on behalf of the Applicants.

In their letter the Respondent also stated that it was the policy of the Respondent that such data be released in response to a valid subpoena or equivalent compulsory legal process. They added:

"Without waiving our insistence that no court in the United Kingdom has proper jurisdiction over us as a foreign entity, we nevertheless are willing to comply with a properly issued court order narrowly limited to the material you ask for in your letter."

The Privacy Policy made clear that the Respondent would notify the affected user of any court order within three days of its receiving the order. In the correspondence indicating that it did not oppose the making of this order, the Respondent had not agreed to refrain from notifying the alleged wrongdoer in the present case.

Since the Respondent stated that it did not accept the jurisdiction of this court, there would have been difficulties in making or enforcing an order with which it had not agreed to comply. The Applicants did not then seek to prohibit disclosure of the making of the order against the Respondent.

The Court noted that there may be circumstances where applicants might wish for there to be such a prohibition in order to prevent the wrongdoer from being tipped off about these proceedings before an injunction could be applied for or made against the alleged wrongdoer. In the interval between learning of the intention of the Applicants to bring proceedings, and the receipt by the alleged wrongdoer of an injunction binding upon him or her, the alleged wrongdoer might consider that he or she could disclose the information, and hope to avoid the risk of being in contempt of court. Alternatively, the alleged wrongdoer may destroy any further evidence (in addition to the IP information) which may be needed in order to identify him or her. Tipping off of the alleged wrongdoer can thus defeat the purpose of the order.

(G and G v Wikimedia Foundation Inc. [2009] EWHC 3148 (QB))

Back to news archive