Say you’re the president of Diamond Staffing Services. One morning, your phone is flooded with Twitter notifications. A few taps leads you to the source of the buzz: Someone opened a Twitter account parodying your company’s name and tweeted: “Work for Diamond? Pregnant = fired. We’re Diamond – we don’t care, LOL!” The tweet links to your company’s official Twitter account. Livid, you instruct your attorney to file a defamation lawsuit. Not so fast, your attorney says. First, you need to know who you’re suing, and the Twitter account was probably opened using fake information. What do you do?

This scenario is becoming more common as disgruntled employees and customers take to social media sites to air their grievances. Such users often post anonymously, and they have a First Amendment right to do so. To discover the identity of anonymous users, one must overcome First Amendment protections for anonymous speech.

A recent case illustrates the challenges of suing for defamation based on anonymous online statements. In Music Group Macao Commercial Offshore Ltd v. Does, 2015 WL 75073 (N.D. Cal. Mar. 2, 2015), a Washington-based company (Music Group) alleged that the defendants used anonymous Twitter accounts to defame the company and its CEO. Among other things, the anonymous users tweeted that Music Group “designs its products to break in 3-6 months,” “encourages domestic violence and misogyny,” and that its CEO “engages with prostitutes.” Music Group originally subpoenaed Twitter in Washington to reveal “the name, address, email address and any proxy address” of owners of the accounts. Twitter, which is based in San Francisco, did not agree to have a court in Washington decide wither it had to comply with the subpoenas. Music Group then filed a miscellaneous proceeding in the district court in the Northern District of California to enforce the subpoenas.

The district court initially granted Music Group’s motion to enforce the subpoena, but after reviewing an amicus brief filed by Public Citizen, Inc. (a public interest law firm), the court corrected its order and denied the motion. The court first took stock of the various tests used by courts in analyzing First Amendment protection of anonymous online speech. The court chose to apply a test that focuses on the nature of the speech. Under that test, a party seeking to discovery the identity of an anonymous speaker must first persuade the court that there is a “real evidentiary basis” for believing that the defendant has engaged in wrongful conduct that has caused real harm to the plaintiff’s interests. If the plaintiff makes this showing, then the court must weigh the harm to the plaintiff caused by allowing the speaker to remain anonymous versus the harm to the speaker’s interests in anonymity.

The court ruled that the tweet stating that Music Group “designs its products to break in 3-6 months” was legitimate commercial criticism, which is protected by the First Amendment. The tweet directed at Music Group’s CEO personally could not support a defamation claim brought by Music Group. The tweet alleging that Music Group “encourages domestic violence and misogyny” could be defamatory, the court noted, but there was more to it than just the words. The tweet linked to a video commercial promoting an audio mixer sold by Music Group. The commercial shows a man using the audio mixer to rebuff a woman’s demands that he stop working and come with her to a social function. The video was comedic in nature. Understood in context, the tweet was “joking and ironic” and did not “fall outside the First Amendment for being in poor taste,” the court wrote. The court ultimately decided that the balance of harms did not justify enforcing the subpoenas.

Music Group highlights some of the questions one should ask before launching into a lawsuit against an anonymous online poster:

  1. Do I have legitimate claims? You’ll need some evidence to support your claims to overcome the speaker’s First Amendment right to anonymity.
  1. Where do I find the identifying information? Typically, you’ll need to ask the owner of the website where the offending comments were posted. Sometimes that’s not enough because the user might have set up the account using a fake name and email address. In that case, you need to get other identifying information like the IP address of the user, determine the Internet Service Provider (ISP) associated with that IP address, and ask the ISP to disclose the user’s account information.
  1. How do I get the identifying information? A subpoena is typically the tool of choice. The rules governing subpoenas can be highly technical, so consulting an attorney is advisable. For example, in Music Group, Twitter, which is based in San Francisco, refused to comply with an order enforcing the subpoena issued by a Washington court. The plaintiffs in the case had to open a special proceeding in California to enforce the subpoena.

Working through these questions will help you determine if it’s worth suing an anonymous online speaker.

Single words and subject lines in electronic messages are “content” protected by the Stored Communications ActOptiver Australia Pty, Ltd. v. Tibra Trading Pty. Ltd. & Ors., 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)

Optiver sued its former employees in Australia for allegedly stealing its proprietary source code and using the code to start a competing company, Tibra.  The Australian court allowed Tibra to conduct discovery of emails from Google after finding Tibra’s discovery responses inadequate.  Optiver subpoenaed Google to produce documents relating to emails and Google Talk messages containing the terms “PGP” or “Optiver.”  Tibra moved to quash the subpoena, arguing that the Optiver was improperly requesting the content of communications in violation of the Stored Communications Act (SCA).

Optiver countered with three arguments.  First, “PGP” is the name of an encryption system, not content.  Second, Optiver said that it wanted the documents not to discover the substance of the communications, but to locate communications that might be relevant to the foreign litigation.  Third, if the email has been encrypted through PGP, Optiver cannot access the content without the proper encryption key and pass phrase, which it did not have.  The court was unpersuaded.  Content is content, no matter how insignificant, the court said.  The words “PGP” or “Optiver” in the body of a message qualify as content that the SCA protects.

Optiver also argued that subject lines of email communications and Google Talk messages are not protected by the SCA and should be disclosed.  Wrong again, the court said.  The subject line is “nothing less than a pithy summary of the message’s content.”  For support, the court pointed to the legislative history of the SCA.

Court finds no expectation of privacy in tweetsPeople v. Harris, 2012 WL 2533640 (N.Y. City Crim. Ct. June 30, 2012)

A New York court ruled last week that Twitter must hand over subpoenaed information about one of its users, including tweets.  Let’s cut to the chase.  The most important statement in the ruling is this: “There can be no reasonable expectation of privacy in a tweet sent around the world.”  The court compared a tweet to shouting out the window — you can’t take back what you said, and anyone who heard you could testify about the statement.

The ruling has drawn criticism from online privacy advocates like the Electronic Freedom Frontier.  On a basic level, the court’s logic makes sense.  The problem is, will the ruling be used to justify refusal to recognize privacy interests in other forms of social media interactions?  Some courts already regard social media content as public per se.

Not all social media content is the same.  And the way content is shared (or not shared) should also be part of the privacy analysis. For instance, a Twitter user could set his account to private to exclude general access to his tweets.  By doing that, the user shows his intent not to communicate to the entire world.  Unlike shouting out a window, private tweets are more like striking a conversation with selected neighbors in your apartment building.

It’s unclear from the ruling if the Twitter user in this case protected his account.  Some commentators say the account was protected.  Regardless, the court made a sweeping statement about the lack of privacy interests in tweets without any attempt to differentiate between public and private Twitter accounts.  Such a broad-brushed approach seems to gloss over the legal significance of privacy settings.