6/11/2012
01:44 PM

British Judge Forces Facebook To Identify Trolls

Harassment case billed as the first instance in Britain in which a private suit is used to unmask people who allegedly made offensive, anonymous taunts.

A British judge has ruled that Facebook must help identify multiple people who allegedly created a fake Facebook page and used it to harass a British woman.

According to court documents, the online abuse began minutes after Nicola Brookes, 45, left a message in support of U.K. X Factor participant Frankie Cocozza. "The abuse was vile and unwarranted to the extent that anonymous Internet trolls set up a fake Facebook profile account in Nicola's name and image to post indecent comments and lure young girls," read a statement released by British law firm Bains Cohen, which argued the case before an English high court.

On May 30, the high court agreed with Brookes' request that Facebook should be forced to reveal the identities of the alleged harassers, including their names, email addresses, and IP addresses, allowing her to trace their real identities via requests to their service providers. As a result, Brookes would be able to file a private suit against at least four people who allegedly wrote the harassing online posts.

According to legal experts, her case is the first-ever private prosecution in Britain involving online harassment, although Facebook reportedly has yet to receive the official legal papers, which must be served in the United States, since that's the primary place Facebook stores its data.


Reached for comment about the case, a Facebook official stressed that the social network encourages people to use their real names when creating accounts. "Nothing is more important to us than the safety of the people [who] use our service. Unlike many other websites and forums, Facebook has a real-name culture, which provides greater accountability and a safer and more trusted environment," said Facebook spokesman Iain Mackenzie via email.

What happens when harassment or other types of inappropriate posts get made online? "We are clear that there is no place for bullying or harassment on Facebook and we respond aggressively to reports of potential abuse," Mackenzie said. "We provide our users with the tools to report abuse on every page and the option to block people from having any further contact with them. Reports involving harassment are prioritized, reviewed by a trained team of reviewers, and [the harasser is] removed if they violate our terms."

But Brookes contended that Facebook's complaint-reporting system was unequal to the task of dealing with serious cases of harassment, especially since she had trouble keeping up with--and reporting all of--the abusive content, and she couldn't block the abuse because she needed to make screen grabs to illustrate to Facebook what was happening.

"A few days after the fake profile started, I realized I needed proper legal help about this because the reporting system on Facebook doesn't work. There's nowhere else for you to contact," Brookes told The Telegraph newspaper in Britain. She also told the newspaper that her attackers were well-organized and appeared to operate with impunity. "These people are not random people who are bored. These are a group of people that share information and pick people out and target them on purpose," she said.

Brookes' law firm said the case highlighted the need--at least in Britain--for some type of mechanism that would help police Internet abuse and unmask taunters. In particular, it noted that after Brookes went to local police in Sussex, England, with hundreds of pages of printouts of the abusive comments, they'd told her that there was nothing they could do. "After getting involved, we contacted Facebook on several occasions and the fake profile page that was set up in Ms. Brookes' name was successfully taken down," read some of the details of the case released by Bains Cohen.

But after that takedown, someone posted new comments--not on Facebook--using Brookes' name, image, and real address, along with lewd comments about her daughter. When Brookes again alerted local police, they offered to install panic alarms in her home, but according to her lawyers, otherwise they "had no idea what to do."

"There is a clear anomaly in the law and the way in which Internet abuse is treated and investigated by the police--depending on whether the victim is in the public eye, or an ordinary member of the public," said Bains Cohen.

According to the law firm, "The only long-term solution is for the government to establish a body with some judicial powers to make it easier and cheaper for individuals or the police to have the identity of their abusers revealed to them, for the police to have specialist divisions trained to deal with this issue, and having the tools and powers to obtain identities from the likes of Facebook and Twitter."
