Twitter will notify users of disclosure applications

Interesting to see Twitter saying at e-G8 that they will notify users if they are the subject of a court application against Twitter to disclose their identities.  As pointed out in a previous post, that is possible under the English Norwich Pharmacal procedure, and was suggested by Aldous L.J. in Totalise v Motley Fool, but rarely if ever happens.  Maybe now it will catch on. 

Mass file-sharing claims - the Norwich Pharmacal fallout begins

A significant step towards changes in the practice governing mass identity disclosure orders in copyright infringement cases has been taken with His Honour Judge Birss QC's judgment in Media Cat Ltd v Adams, a P2P filesharing case, published on 8 February 2011. 

The judgment in substance concerned an unsuccessful attempt by Media Cat to discontinue copyright infringement proceedings against 27 defendants whose internet connections Media Cat claimed had been used for P2P copyright infringement.  After the hearing the court was informed that Media Cat had ceased trading due to insolvency and that its lawyers, ACS Law, were closing permanently on 31 January 2011.  

In the course of his judgment Judge Birss commented on some broader issues surrounding the "Norwich Pharmacal" procedure.  Media Cat used this procedure to obtain court orders against ISPs requiring them to disclose the identities of its customers corresponding to the internet protocol (IP) addresses via which Media Cat believed that unlawful filesharing had taken place. 

The weakness of the Norwich Pharmacal procedure is that the only parties usually present at the hearing are the rightsowner applicant and the judge hearing the application.  The ISP may be present if it chooses, but does not have to be.  The person apart from the rightsowner with a real interest in the application - the customer whose identity will be disclosed - is normally unaware that the application is taking place. 

Judge Birss commented, after explaining the importance of Norwich Pharmacal orders:

"Nevertheless there is a potential difficulty with the Norwich Pharmacal process which is put in focus by the cases before me.  The respondent to the Norwich Pharmacal application for disclosure - while obviously wishing to ensure that an order is not made when it would be inappropriate to do so - has no direct interest in the underlying cause of action relied on." 

This echoes comments made some years ago by Aldous LJ in Totalise v Motley Fool (see here):

“It is difficult to see how the court can carry out this task if what it is refereeing is a contest between two parties, neither of whom is the person most concerned, the data subject; one of whom is the data subject's prospective antagonist; and the other of whom knows the data subject's identity, has undertaken to keep it confidential so far as the law permits, and would like to get out of the cross-fire as rapidly and as cheaply as possible.”

Judge Birss went on to comment:

"in my judgment when a Norwich Pharmacal order is sought of the kind made in this case, it may well be worth considering how to manage the subsequent use of the identities disclosed.  Perhaps consideration should be given to making a Group Litigation Order under CPR Part 19 from the outset and providing a mechanism for identifying test cases at an early stage before a letter writing campaign begins.  ... Perhaps a court asked for a Norwich Pharmacal order of the kind made here should consider some similar form of supervision [to that in a search and seize order] from an experienced neutral solicitor."

My previous post on this topic suggested some other possible safeguards: that a technical assessor might sit with the judge hearing the application for disclosure of identities; and that the customers whose identities stood to be disclosed might be notified of the application and permitted to make anonymous representations to the court hearing the application.  Whatever the measures adopted, we may now seeing the beginning of a move towards introducing greater safeguards, at least in mass application cases.

Norwich Pharmacal orders and file-sharing

Attention has suddenly focused on the arcane but highly significant topic of the Norwich Pharmacal order. Quantities of ISP customer details apparently linked to Norwich Pharmacal orders obtained in pursuit of alleged unlawful file-sharers have leaked onto the internet following a denial of service attack against the website of solicitors ACS Law. And last week Chief Master Winegarten was reported to have adjourned an application by Ministry of Sound for a Norwich Pharmacal order against a number of ISPs after receiving letters expressing concern from members of the public.


The Norwich Pharmacal procedure is available when someone wants to sue in respect of some wrong, but does not know who did it. If an innocent third party is in possession of information that can identify the alleged wrongdoer, then the plaintiff (in England we are supposed to call them claimants, but let’s stick to the terminology familiar to the rest of the world) can ask the court to order the third party to produce the identifying information. If the court grants the order the plaintiff is then able to pursue legal action against the alleged wrongdoer on the basis of the disclosed information.

So a copyright owner may have gathered evidence that someone has been infringing its copyright, say using P2P file-sharing software to upload a music file.  But if the only identifying information is an IP address, the copyright owner can ask the court to grant an order against the internet service provider requiring it to disclose details of its customer to whom it allocated the IP address at the time of the upload.

In principle the Norwich Pharmacal procedure, or something like it, is a valuable aid to achieving justice. However it is inherently intrusive, and has the potential to wreak injustice if it is applied with insufficient safeguards.

The present controversy has the potential to expose some weaknesses inherent in the procedure. Here are a couple.

First, there is no mandatory requirement that the person whose identity may be disclosed should be notified of the court application and have a chance to make anonymous representations. However it may be possible to make such a notification. In 2001 the Court of Appeal in Totalise v Motley Fool said that the intermediary (in that case a website operator) can, where appropriate, “tell the user what is going on and offer to pass on in writing to the plaintiff and the court any worthwhile reason the user wants to put forward for not having his or her identity disclosed”.

Aldous LJ went on to say: “Further, the Court could require that to be done before making an order. Doing so will enable the court to do what is required of it with slightly more confidence that it is respecting the law laid down in more than one statute by Parliament and doing no injustice to a third party, in particular not violating his convention rights.”

However this has not become standard practice and indeed appears to happen hardly at all, if ever. This is in contrast to US procedure, where the plaintiff has to bring its claim against an anonymous ‘John Doe’ defendant and seek to subpoena the third party. The procedure allows the anonymous defendants to be notified and to make representations about whether the subpoena should be ordered without identifying themselves.

Second, in file-sharing cases the evidence is highly technical. The only explanation of the technical aspects before the court is likely to be the evidence adduced on behalf of the applicant, since many ISPs take a neutral stance and, while not consenting to the order, neither file evidence nor appear at the hearing. The procedure depends heavily either on the ability of the court to evaluate the evidence, or on the willingness of the ISP to scrutinise the applicant’s evidence and to make representations to the court or the applicant if the evidence appears on the face of it to be inadequate – for instance if it fails to make clear that an IP address can at best identify only the ISP’s customer, not necessarily the alleged infringer.

However an ISP has no particular reason to do more than satisfy itself that it can comply with the order requested.  ISPs are commercial entities, not the appointed guardians of justice. That task falls to the court. But how is the court supposed to assess the evidence in front of it in the absence of any opposing party, or even of an independent amicus curiae? Perhaps this would be a suitable case for the court to use its power to appoint a technically qualified assessor to sit with and assist the court.  In the 4th edition of my book Internet Law and Regulation I made some suggestions for ‘good practice’ when ISPs receive an application for a Norwich Pharmacal order. But in truth there is no obligation on an ISP to do anything more than stand by and allow the application to proceed to court. As Aldous L.J. said in Totalise v Motley Fool:

“It is difficult to see how the court can carry out this task if what it is refereeing is a contest between two parties, neither of whom is the person most concerned, the data subject; one of whom is the data subject's prospective antagonist; and the other of whom knows the data subject's identity, has undertaken to keep it confidential so far as the law permits, and would like to get out of the cross-fire as rapidly and as cheaply as possible.”

The problem identified by Aldous L.J. has only increased over time. The current controversy may refocus minds on whether the correct balance is being found and, if not, what should be done to restore it.