What if someone sets up a website and messes with you. How do you find out who they are so that you can mess with them?
Well, first and obvious, many websites have "Contact Us" links that tell you exactly who they are and how to contact them. That would be a good place to start.
But maybe they aren’t so kind. Maybe they haven’t been considerate enough to make your life easy by leaving a calling card. Well, a website involves accounts. Two accounts to look into are (1) the domain name registration and (2) the web hosting account.
The information behind a domain name registration can be gained through WHOIS. The domain name system is a database that can be queried with the domain name. Ask for the information associated with a domain name, and you can get the registrant's name, address, phone number, email address, and IP number for the site. However, and here's the trick, for DNS to work, only the IP number of the site need be accurate. The rest of the information can be – and frequently is – bunkum (the problem of the accuracy of WHOIS has been a source of great consternation for law enforcement and Internet governance – see the "Fraudulent Online Identity Sanctions Act" which "amends the Trademark Act of 1946 and Federal copyright law to make it a violation of trademark and copyright law if a person knowingly provided, or caused to be provided, materially false contact information in making, maintaining, or renewing the registration of a domain name used in connection with the violation."). If the information in WHOIS is accurate, you've made your man. If not, then it's off to door number three.
The individual setting up the messing-with-you site probably set up an account with the host service to host the site. After all, the host site generally likes to be paid, and to be paid they need to know where to send the bill. That means the host probably has decent records about how to accurately extract money from the messing-with-you individual, and that in turn can be used to find out who that individual is.
Which brings us to today's story. In the case Zynga Game Network, Inc. v Williams et al, Case No. CV-10:01022JF(PVTx) (ND CA May 20, 2010), Plaintiff thought that Defendants were messing with it, but was unable to locate Defendants. Plaintiff wanted to issue subpoenas to GoDaddy, Microsoft Office Live, and to PayPal in order to identify and locate Defendants. According to the Court, Plaintiff sought to issue a subpoena in order to obtain
"all billing and account records (including all Internet domain names), server logs, website content, contact information, transaction histories and correspondence for the persons or entities that have purchased services from" the two hosts in question and from PayPal.
Wow! Really?!?! Plaintiff needs all of the server logs and the transactional records in order to know how to contact Defendants? The Court clarifies that the subpoena is a part of limited discovery, and limited means limited. Fed. R. Civ. Pro. 26(b). The expressed purpose of this limited discovery is to "obtain the true identities and locations of Defendants." Fine, says the Court. Then you wont be needing all that other information which would give you information about "'any person or entit[y] that ha[s] purchased services from' one of the above listed web hosting sites." You don’t need server logs, website content, or other information that is linked to the sites. The Court permits but discovery, but only to "determine Defendants' true identities and locations." Fed. R. Civ. Pro. 4; Fed. R. Civ. Pro. 45.
It is worth noting that in justifying Plaintiff's need for the subpoena, Plaintiff specifically states Plaintiff had engaged in due diligence, and had attempted to locate Defendants using the information from WHOIS.
Let's see what today's lesson is: "Wheel of Morality, turn, turn, turn - Tell us what lesson we should learn." [Whirl, Click, Click, Clock]: "Don’t Mess With A Company That Makes a Product Called Mafia Wars!"