A Lawyer Can Turn Sleuth to Track Down a Harasser, as appeared in The National Law Journal

When employees are harassed in the workplace with e-mail from unknown sources, the attorney called in to help must wear three hats: lawyer, technician and private eye. As employees have become increasingly Internet and e-mail savvy, e-mail mischief has become yet another nuisance for employers.

Most employees are shrewd enough not to send a harassing or threatening workplace e-mail under their own names using their employer's e-mail system. Many, however, have begun sending such e-mail via personal e-mail accounts, using either a phony name or an innocent person's name. Imagine a "joke" e-mail in which a supervisor purportedly propositions a subordinate, fires a subordinate or announces an across-the-board pay cut? Or perhaps an e-mail that purports to be from a sexual predator or that physically or sexually threatens an employee?

One might assume that the legal department surely can identify the perpetrator of such nonsense. Or if legal can't, then the information security staff can. Or can they? Although there are solutions to many of those problems, they are neither as obvious nor as simple as one might expect — nor are they foolproof.

There are many legal and nonlegal reasons why an employer should not ignore anonymous harassing e-mails received by its employees at the workplace. In the context of discrimination law, harassing e-mail, whether from co-workers, supervisors, customers or clients, can be evidence not only of a hostile work environment, but also "smoking gun" evidence of discriminatory treatment or intent.

Moreover, a key affirmative defense in cases of supervisory harassment is whether an employer exercised reasonable care to prevent and correct promptly any sexually harassing behavior.1 A failure to investigate or at least to try to stop further anonymous, harassing e-mail could well preclude an employer's reliance on this affirmative defense.

Other potential areas for liability include negligent retention or supervision of a dangerous employee and negligent failure to warn. Each of these potential sources of liability is in addition to the drain on productivity and morale that a harasser or practical joker can inflict on a work force. So, when an exasperated client calls his crafty lawyer regarding an anonymous e-mail harasser and he wants to know how to catch the rascal, what should the lawyer advise him to do?

Tracing the IP address

There are a variety of techniques that an e-mail harasser may use to hide his identity. At a most elementary level, the harasser can simply register and use an e-mail screen name other than his real name. Unless the e-mail itself or a subsequent communication reveals the sender's true identity, there is no simple way for the recipient ever to know the identity of the message's author. A slightly more sophisticated technique is to do the same thing, but by means of an e-mail account opened with a free e-mail service using phony registration information. A relatively simple third technique is to edit the caption of the e-mail to both conceal the author's identity and indicate that the e-mail was sent via an e-mail service provider other than the one from which it was actually sent. This technique is known as "spoofing."

Although these simple techniques may temporarily conceal the sender's identity, with a little effort they can usually be overcome. In contrast, computer hackers also can hide their tracks by altering the technical "footprints" that accompany their e-mail. These hacker tricks may render e-mail either untraceable or, at best, very difficult to trace. Moreover, it is a stealth operation; in certain circumstances it is almost impossible to tell whether one of these hacker tricks has been used.

Serve it up

Whether the sender is truly sophisticated, or merely thinks he is, the first step in tracing e-mail is to determine the actual Internet service provider from which the message originated. Identification of the actual source of e-mail is accomplished by locating the Internet protocol (IP) address associated with the e-mail, and then identifying the Internet service provider that is the registered holder of that IP address.

Every e-mail message contains a header, which is basically a road map showing the path that the e-mail traveled from its point of origin to its ultimate destination. Depending on the software, sometimes the header will appear at the bottom of an e-mail message; in other cases the header is hidden, but it can be pulled up with a modicum of effort.

The header of an e-mail message contains the sender's IP address.2 Internet service providers obtain blocks of IP addresses and assign them to individual users either on a permanent basis, in the case of a constant Internet hook-up such as a cable hook-up, or on a temporary basis, as with ordinary Internet users.

When the hook-up is permanent, every e-mail sent by that Internet user will contain the same IP address. This is known as a "static" IP address. In contrast, when an Internet user must dial up before access to the Internet is gained, the user will have a different IP address for each Internet session — referred to as a "dynamic" IP address. During each such session, every e-mail message sent will share the same IP address. New sessions mean new IP addresses.

The ownership of an IP address can be determined by contacting a "reverse look-up" or "whois" service on the Internet. For example, the site http://swhois.net will identify the Internet service provider that owns a particular IP address. Logging on to that site and entering a particular IP address reveals the owner of that address. So, the first step is to locate the e-mail's header, identify the sender's IP address in the header, and determine the Internet service provider that is the registered holder of that IP address.
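Added example (not part of the original article): a short Python sketch of the header step, run on a constructed message. It separates the peer address stamped by the recipient's own mail servers, which is the one to look up, from addresses in older header lines, which were written by outside systems or by the sender and so stay unverified until the provider's records confirm them. Host names, the trusted_hosts parameter and the function names are hypothetical; only IPv4 is handled and no whois query is made.

```python
import email
import ipaddress
import re

# Constructed sample: hosts are illustrative, IPs are documentation ranges.
RAW = """\
Received: from mx.employer.example (10.0.0.5) by mail.employer.example; Mon, 11 Jun 2001 09:15:04 -0500
Received: from smtp.freemail.example (smtp.freemail.example [198.51.100.20])
\tby mx.employer.example; Mon, 11 Jun 2001 09:15:02 -0500
Received: from [203.0.113.77] by smtp.freemail.example; Mon, 11 Jun 2001 09:14:58 -0500
Received: from boss-pc (unknown [192.0.2.1]) by fake.relay.example; Mon, 11 Jun 2001 09:00:00 -0500
From: "The Boss" <boss@employer.example>
Subject: Pay cut
"""
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return None

def parse_hops(raw):
    """Received hops, newest first: (stamping host, peer IP it recorded)."""
    hops = []
    for header in email.message_from_string(raw).get_all("Received", []):
        line = " ".join(header.split())               # undo header folding
        from_part, _, rest = line.partition(" by ")
        found = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", from_part)
        ips = [ip for ip in map(parse_ip, found) if ip is not None]
        by_host = (rest.split(";")[0].split() or [""])[0].lower()
        hops.append((by_host, ips[-1] if ips else None))
    return hops

def trace(raw, trusted_hosts):
    """Separate the peer IP our own servers logged from unverified claims."""
    verified, claims, outside = None, [], False
    for by_host, ip in parse_hops(raw):
        if by_host not in trusted_hosts:
            outside = True        # all older headers were written by others
        if ip is None:
            continue
        if outside:
            claims.append(str(ip))
        elif not any(ip in net for net in INTERNAL):
            verified = str(ip)    # stamped by our gateway: reliable
    return {"verified_peer": verified, "unverified_claims": claims}
```

Calling trace(RAW, {"mail.employer.example", "mx.employer.example"}) reports the free-mail provider's server as the verified peer, and lists the client address that the provider recorded, along with the bottom line from an unrelated relay, as unverified claims.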

Subpoena a phantom?

Once the IP address has been traced to an Internet service provider, the next step is to identify the precise account that used the IP address on the date and time when the e-mail message was sent. Doing so generally requires the issuance and service of a subpoena.

Nevertheless, before taking legal action to obtain a subpoena, the person in the Internet service provider's legal department who is responsible for subpoena compliance should be contacted. He or she should be advised that a subpoena is forthcoming and that any and all responsive data or documents should be preserved, including any and all IP addresses associated with the e-mail at issue.

Additionally, the original e-mail message, including its full header, should be reported to the local police or the FBI, if appropriate, and to the e-mail "abuse address" provided by the Internet service provider through which the e-mail was sent.3

Then it is time to make an application to a court to issue a subpoena. Unfortunately, even though it is far easier to subpoena an out-of-state witness in a federal court proceeding than in a state proceeding, there are no federal causes of action against an ordinary e-mail harasser. Moreover, most courts have held that there is also no basis for federal diversity jurisdiction when the citizenship of the defendant is unknown as of the time the lawsuit is filed.4 Accordingly, any legal action intended as a discovery vehicle to unmask the harasser must proceed initially in state court. Later, it may be possible to refile the action in federal court once the citizenship of the harasser is discovered.

One means of obtaining a subpoena is to file a lawsuit against John Doe, the unknown e-mail harasser, in state court. Such a lawsuit then can be used as the basis for subpoenaing from third parties necessary information about the John Doe harasser. Because discovery may not be permissible before the appearance or answer of John Doe, however, the John Doe action may need to be accompanied by an emergency motion for leave to take discovery before the appearance or answer of John Doe.

Additionally, an out-of-state Internet or e-mail service provider that is not registered to do business in the forum state may challenge the subpoena and require the issuance of a subpoena by its hometown court. Although such a challenge will add another layer of expense to the process, obtaining a locally issued subpoena is a routine matter accomplished by filing a petition for issuance of subpoena with the hometown court. Some entities, however, are fairly loose about their procedures and will accept service of a faxed subpoena issued by an out-of-state court. Hence, it is prudent to contact the Internet or e-mail service providers' legal department in advance to confirm its procedures for accepting service of a subpoena.

An alternative to filing a John Doe action is to file a petition for discovery, a type of legal action permissible in many states that provides for discovery before the filing of a lawsuit in order to identify responsible persons and entities.5 By filing a petition for discovery, an employer can compel an Internet service provider to identify the sender of the e-mail at issue, which then can be named in a subsequent lawsuit.

Harasser a/k/a John Doe

Depending on the procedural niceties of the jurisdiction at issue, the John Doe route may be preferable for a number of reasons. First, the employer has an actual lawsuit on the books, which may frighten John Doe into cooperating voluntarily. Second, a John Doe suit skirts the need to formally name the Internet or e-mail service provider as a respondent in discovery, as is required with petitions for discovery. Third, once John Doe is identified, amending the complaint to substitute him as the party defendant becomes a routine matter.

Just as the identity of the defendant may be a bit of a mystery, it is not always obvious who the proper party plaintiff would be. And, as with any other legal action, a John Doe suit or petition for discovery not only raises questions regarding the proper parties, but also raises questions about causes of action and venue. In terms of the proper plaintiff, the company may prefer to sue in its own name. Not only will this permit complete control over the litigation, but it will also avoid burdening an employee with being the named plaintiff.

Rely on common law

A corporate plaintiff in a John Doe suit has a number of potential common-law causes of action available to it. These include the following: trespass to chattel, based upon the use of the employer's e-mail system for an improper unauthorized purpose6; breach of the duty of fidelity and loyalty that every employee owes to his or her employer, if the anonymous e-mail appears to have been sent by an employee7; and corporate defamation, if a phony e-mail discredits the methods by which the company conducts its business and thereby causes harm to the employer in the conduct of its business.8

Finally, because the location of the e-mailer is unknown as of the time of the initial filing, the choices of where to file are, largely: the location where the e-mail was received; the location of the company's headquarters; or some other location with at least some nexus to the phony e-mail. Once the e-mailer is identified and the facts and circumstances surrounding the sending of the e-mail are known, refiling in a new jurisdiction may be necessary.

Closing in on John Doe

Each of the foregoing steps is directed at identifying the account from which the anonymous e-mail was sent. Once that occurs, the registered account holder should be contacted by the attorney handling the investigation, or by a law enforcement representative if the police have been called in. The account holder may cooperate. If necessary, he and all other suspects can be subpoenaed for a deposition. The goal of any such deposition is to establish who had access to the account and who had the motive and the opportunity to send the e-mail at issue. A confession is a grand slam.

After that, the John Doe lawsuit can be dismissed, amended to name the e-mailer or refiled in another jurisdiction, including federal court, if appropriate.

Although the foregoing steps are by no means foolproof, if promptly implemented, they should snare all but the most devious and/or sophisticated anonymous e-mail harassers.

ENDNOTES

1 See Burlington Industries Inc. v. Ellerth, 524 U.S. 742, 765 (1998); Faragher v. City of Boca Raton, 524 U.S. 775, 807 (1998).

2 A useful primer on interpreting e-mail headers can be found at www.help.mindspring.com/docs/006/emailheaders/.

3 Examples of such abuse addresses include [email protected] and [email protected]

4 See 2 Moore's Federal Practice § 10.02(2)(d)(ii) (3d ed. 1999).

5 See, e.g., Illinois Supreme Court Rule 224; Texas Rule of Civil Procedure 202.

6 See Restatement (2d) of Torts §§ 217-218, 252 (1965). See also Register.com Inc. v. Verio Inc., 126 F. Supp.2d 238, 249-250 (S.D.N.Y. 2000); America Online Inc. v. IMS, 24 F. Supp.2d 548, 550-552 (E.D. Va. 1998).

7 See, e.g., Dames & Moore v. Baxter & Woodman Inc., 21 F. Supp.2d 817, 823 (N.D. Ill. 1998).

8 See Restatement (2d) of Torts § 561 (1977).

* * *

This article is reprinted with permission from the Monday June 11, 2001 edition of THE NATIONAL LAW JOURNAL. © 2001 NLP IP Company. All rights reserved. Further duplication without permission is prohibited.