United States: Discovering And Proving The Source Of E-Mail Or Web Site Communications

Co-Written by Yun G. Lee, Esq.

E-mail and web sites are used to transmit enormous amounts of information and volumes of communications. Like any other means of communication, e-mail and web sites may be used to commit torts (such as tortious interference with a contract and the property damage hackers can do) or crimes (such as manipulation of securities markets). Where e-mail systems are used to commit such torts and crimes, a threshold issue for counsel is whether the wrongdoer’s identity can be established and proven.

From the perspective of the investigating litigator, there are significant distinctions between e-mail and web site (including Internet Relay Chat and Usenet sites) communications. Web site communications (sometimes called bulletin board messages) are publicly available and discoverable; the internet may be viewed in many ways as a single, searchable public domain document which has been culled and indexed by numerous "search engines," such as DogPile and Yahoo. In contrast, e-mail messages are private communications which generally may not legally be searched, unless the sender or recipient of the e-mail cooperates or is compelled to allow access to its computers. Although e-mail messages are generally encrypted and intended to be private, President Clinton recently indicated that he does not use e-mail to communicate with his daughter while she is at college because of privacy concerns, the danger of a hacker obtaining or corrupting the e-mails.¹

The New York Court of Appeals has contrasted e-mail and web sites in the context of holding that an Internet Service Provider was entitled to summary judgment dismissing defamation claims based upon certain e-mail and electronic bulletin board messages.² The Court described e-mail as "the day’s evolutionary hybrid of traditional telephone line communications and regular postal service mail," and noted that "a person may communicate by composing a message in the e-mail computer system and dispatching it telephonically (or through some other dedicated electronic line) to one or more recipients’ electronic mailboxes."³ Thus, the ISP’s "role in transmitting e-mail is akin to that of a telephone company, which one neither wants nor expects to superintend the content of its subscribers’ conversations."⁴ In contrast, "an ISP bulletin board may serve much the same purpose as its ancestral version, but uses electronics in place of plywood and thumbtacks."⁵

A further important distinction is that a message left on a web site bulletin board, "signed" using a pseudonym, is essentially untraceable, although the author’s chosen pseudonym may yield some clue concerning the identity of author. In contrast, e-mail (and even pseudonymous e-mail sent through web sites like HotMail) are, at least to some extent, traceable. For example, the internet hacker who used "Mafiaboy" as a pseudonym when bragging about his exploits on various bulletin boards had reportedly included his e-mail address in a bulletin board message concerning computer equipment posted years earlier; unfortunately the trail was cold because the e-mail account had been closed.⁶

This article will discuss a procedure recently successfully employed by the authors to identify the author (the "Author") of false and disparaging e-mails sent to a financing company executive (the "Financier") concerning the principal of a firm (the "Plaintiff") in which the financing company had invested. The "header" information appended to the offending e-mail received by the Financier indicated that the pseudonymous Author had sent the e-mail messages via HotMail, one of the many web sites that provide internet services. HotMail, in turn, had apparently routed the e-mail

a Texas wholesaler (the "Wholesaler") of internet services. The evidence of this was the "X-Originating-IP:" field in the message header. This field captures the IP, or internet protocol address from which the sign in session originated. ⁷ Through a computer consultant, plaintiff’s counsel was able to determine that the 11 digit IP address belonged to a machine operated by the Wholesaler.

Plaintiff’s counsel then immediately wrote to the Wholesaler, alerting the Wholesaler to the wrongful use of its services and requesting that the relevant data be preserved. An action was commenced in New York State Supreme Court, asserting claims for tortious interference with contract and tortious interference with advantageous business relations.

CPLR § 1024 (providing for commencement of actions against unknown parties). On plaintiff’s application for issuance of a subpoena for documents and to take the deposition upon written questions of the Wholesaler,⁸ a commission was issued to Texas co-counsel who served the Wholesaler located in Texas with a subpoena for the relevant data, schedules identifying the actual (not HotMail) e-mail address and telephone number of the user who accessed the specific IP address at the relevant time. The data concerning certain of the earliest e-mails had already been overwritten. However, the information provided by the Wholesaler,the Author's e-mail address, adequately revealed the identity of the Author concerning the later e-mails. Had that not been the case, the Plaintiff could have compelled with relative ease the account information for the Author’s e-mail address from the internet service provider.

The example described above illustrates the point that e-mail, unlike web site messages, may be traced even if sent via web sites using pseudonyms. One significant concern is that computer data, while relatively easily accessible, sortable and searchable, is also easily overwritten. Interestingly, the critical information used in identifying the Author was compelled from a third-party whom the Author never dealt with directly and likely did not know.

1. Clinton Calls for Stronger Measures to Protect the Privacy of Computer Users, The New York Times, Mar. 4, 2000, at A9.

2. No. 164, 1999 WL 1082126 (N.Y. App Ct. Dec. 2, 1999)

3. at *2.

4. at *3.

5. Id.

6. Hacker Hunters Follow Crumbs on Cybertrail, The Wall Street Journal, Feb. 24, 2000, at B1.

7. In fact, Hotmail’s policy and member conduct statement provides that "[a]t Hotmail, the registered first name and last name are sent with each e-mail message, no 'handles' or nicknames are substituted. Furthermore, each e-mail message sent from a Hotmail account includes the Internet Protocol (IP) address from which the sign in session originated. With this additional header information, the source of a message can be narrowed dramatically. Hotmail records and stores all sign ins, including IP addresses, dates, and times."

8. CPLR Rule 3109.