Finding the person behind a cyberbashing or cyberattack... cyber-breadcrumbs and discovery online
Peek-a-Boo…I can find you!
People often mistakenly believe they can surf and communicate online anonymously. The reality is that no one is truly anonymous online. We leave a trail of cyber-breadcrumbs behind us wherever we go, whatever we do online. But most times no one cares about piercing the veil of anonymity. Unless they are the recording industry, an irate spouse, or someone being bashed unfairly online.
Luckily, these cyber-breadcrumbs almost always lead you to the basher. Each e-mail (and even IM) and every cyber-communication contains an IP address. The IP (Internet Protocol) address tracks back to the IP address owner, and sometimes to the Ethernet card in a computer in an office or home network.
When you have your own server, or use certain ISPs, you have a static IP address. That means it’s always your IP as long as you use the same computer and the same ISP access. Tracking you is then as simple as tracking your IP address. Most larger companies, especially the technology-based companies, educational institutions and governmental agencies have their own static IP addresses.
When you use AOL and other Internet service providers to access the Internet, you typically have a dynamic IP address, which means it’s yours for the period you are logged on, like subletting from the server’s IP address pool. But the only way it can be tied to you is by knowing when the IP address was recorded and tracking which subscriber was using it at that time. For that they need the cooperation of the ISP or online service, which has to check their records to tie the IP address to you, as their customer.
Given how many subscribers they have and the high turnover of IP address assignments, many ISPs only retain the subscriber/IP address records for a short period of time, usually ranging from three weeks to three months. Problems arise when someone needs those IP records and they are no longer being stored by the ISP. Unless the situation and IP address are discovered quickly, important evidence linking the suspect to the cyberabuse and possible cybercrime may be lost.
Most leading ISPs will retain these records for longer periods of time, if requested to do so by a litigant or law enforcement official. Some statutes permit law enforcement and lawyers to send a letter to the ISPs requesting that they maintain their records on a particular user for ninety days, and that request can be extended for an additional ninety days, if necessary.
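The header-to-timestamp step described above, as an added example that is not part of the original article: it pulls each relay's IP address and UTC timestamp from an e-mail's Received headers and rates the record against the retention range quoted above. The sample message, the function names and the 90-day reading of "three months" are assumptions made for illustration; Received lines written by servers you do not control can be forged, so the output is a lead to preserve, not proof.

```python
import ipaddress
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers; the addresses are documentation ranges (RFC 5737).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123;
\tTue, 04 Mar 2025 14:05:12 -0500
Received: from [192.168.1.23] (client.example.com [203.0.113.45])
\tby mx.example.net with ESMTPSA id xyz789;
\tTue, 04 Mar 2025 14:05:09 -0500
From: someone@example.com

body
"""

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
SHORT_RETENTION = timedelta(weeks=3)  # low end of the range the article gives
LONG_RETENTION = timedelta(days=90)   # "three months", taken as 90 days (assumption)

def received_hops(raw):
    """Return [(ip, utc_time)] from Received headers, sender-side hop first."""
    hops = []
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = header.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):
            continue  # no usable timestamp, so the hop cannot be matched to a lease
        for cand in IP_RE.findall(info):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue
            if not any(ip in net for net in LOCAL_NETS):
                hops.append((str(ip), when))
    return hops

def retention_risk(seen_utc, now_utc):
    """Classify how likely the ISP still holds the IP-to-subscriber record."""
    age = now_utc - seen_utc
    if age <= SHORT_RETENTION:
        return "likely retained"
    return "at risk" if age <= LONG_RETENTION else "likely purged"
```

The UTC timestamp matters as much as the address: with a dynamic IP, the ISP can only match the record to a subscriber for that exact moment.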
But even with extended retention periods, this requires that the victim of a cyber-bashing move quickly. Counsel is usually retained to bring a lawsuit and moves for expedited discovery. That means the lawyer asks the judge to permit her to subpoena the IP records from the ISP before the complaint is even served in many cases. The lawsuit typically alleges defamation and is brought against John or Jane Does. The ISP may or may not notify the subscriber of the subpoena. (Recently, in response to lawsuits brought by the Recording Industry Association of America, some courts have demanded that the subscriber be notified and have an opportunity to contest the disclosure of their identity before the ISP is permitted to turn over that information. AOL and MSN both promise their subscribers that, in the case of a civil case, they will receive notice before their information is turned over.) Once the defendant is identified in the discovery process, the complaint is amended to include the real defendant.
That may be enough. If the cyberbasher is using only one computer, or the IP address traces back to one particular computer in a network, especially if the user needs to sign in and sign off, you may not have to prove much else. But in some cases, tracing the message to a computer isn’t enough. Sometimes you need to trace it to a person and a file.
Lawyers love conducting computer hard-drive discovery. They can usually find far more than in conventional discovery methods. And defendants often think that getting rid of evidence on their computer is as simple as clicking on the delete button. All that does is take it off your desktop so you can’t see it; your computer knows it’s there and can retrieve it with the right programs. The only way to know it’s really gone is by reformatting your hard drive. That means you write over the old information, like recording over an old audio- or videotape. (Law enforcement and good cyberforensic experts can often still retrieve it after reformatting.) And back-up drives, programs and tapes often keep copies even if you are able to truly delete the file from one computer.
It is very difficult to ever be sure that something is deleted entirely. If someone wants it badly enough, like the RIAA, an irate spouse or someone you’ve attacked online, they will almost always find it. If you’re the lawyer and on the side seeking the information, always ask for a mirror-image of the drive and a copy of whatever software is needed to read it. If you’re on the other side, offer to print out whatever they need. If they are naïve enough to accept that offer, they deserve what they get.