Tuesday, 28 September 2010

Norwich Pharmacal orders and file-sharing

Attention has suddenly focused on the arcane but highly significant topic of the Norwich Pharmacal order. Quantities of ISP customer details apparently linked to Norwich Pharmacal orders obtained in pursuit of alleged unlawful file-sharers have leaked onto the internet following a denial of service attack against the website of solicitors ACS Law. And last week Chief Master Winegarten was reported to have adjourned an application by Ministry of Sound for a Norwich Pharmacal order against a number of ISPs after receiving letters expressing concern from members of the public.


The Norwich Pharmacal procedure is available when someone wants to sue in respect of some wrong, but does not know who did it. If an innocent third party is in possession of information that can identify the alleged wrongdoer, then the plaintiff (in England we are supposed to call them claimants, but let’s stick to the terminology familiar to the rest of the world) can ask the court to order the third party to produce the identifying information. If the court grants the order the plaintiff is then able to pursue legal action against the alleged wrongdoer on the basis of the disclosed information.

So a copyright owner may have gathered evidence that someone has been infringing its copyright, say using P2P file-sharing software to upload a music file.  But if the only identifying information is an IP address, the copyright owner can ask the court to grant an order against the internet service provider requiring it to disclose details of its customer to whom it allocated the IP address at the time of the upload.

In principle the Norwich Pharmacal procedure, or something like it, is a valuable aid to achieving justice. However it is inherently intrusive, and has the potential to wreak injustice if it is applied with insufficient safeguards.

The present controversy has the potential to expose some weaknesses inherent in the procedure. Here are a couple.

First, there is no mandatory requirement that the person whose identity may be disclosed should be notified of the court application and have a chance to make anonymous representations. However it may be possible to make such a notification. In 2001 the Court of Appeal in Totalise v Motley Fool said that the intermediary (in that case a website operator) can, where appropriate, “tell the user what is going on and offer to pass on in writing to the plaintiff and the court any worthwhile reason the user wants to put forward for not having his or her identity disclosed”.

Aldous LJ went on to say: “Further, the Court could require that to be done before making an order. Doing so will enable the court to do what is required of it with slightly more confidence that it is respecting the law laid down in more than one statute by Parliament and doing no injustice to a third party, in particular not violating his convention rights.”

However this has not become standard practice and indeed appears to happen hardly at all, if ever. This is in contrast to US procedure, where the plaintiff has to bring its claim against an anonymous ‘John Doe’ defendant and seek to subpoena the third party. The procedure allows the anonymous defendants to be notified and to make representations about whether the subpoena should be ordered without identifying themselves.

Second, in file-sharing cases the evidence is highly technical. The only explanation of the technical aspects before the court is likely to be the evidence adduced on behalf of the applicant, since many ISPs take a neutral stance and, while not consenting to the order, neither file evidence nor appear at the hearing. The procedure depends heavily either on the ability of the court to evaluate the evidence, or on the willingness of the ISP to scrutinise the applicant’s evidence and to make representations to the court or the applicant if the evidence appears on the face of it to be inadequate – for instance if it fails to make clear that an IP address can at best identify only the ISP’s customer, not necessarily the alleged infringer.

However an ISP has no particular reason to do more than satisfy itself that it can comply with the order requested.  ISPs are commercial entities, not the appointed guardians of justice. That task falls to the court. But how is the court supposed to assess the evidence in front of it in the absence of any opposing party, or even of an independent amicus curiae? Perhaps this would be a suitable case for the court to use its power to appoint a technically qualified assessor to sit with and assist the court.  In the 4th edition of my book Internet Law and Regulation I made some suggestions for ‘good practice’ when ISPs receive an application for a Norwich Pharmacal order. But in truth there is no obligation on an ISP to do anything more than stand by and allow the application to proceed to court. As Aldous L.J. said in Totalise v Motley Fool:

“It is difficult to see how the court can carry out this task if what it is refereeing is a contest between two parties, neither of whom is the person most concerned, the data subject; one of whom is the data subject's prospective antagonist; and the other of whom knows the data subject's identity, has undertaken to keep it confidential so far as the law permits, and would like to get out of the cross-fire as rapidly and as cheaply as possible.”

The problem identified by Aldous L.J. has only increased over time. The current controversy may refocus minds on whether the correct balance is being found and, if not, what should be done to restore it.

No comments:

Post a Comment