Shame On Weebly For Revealing Info On Anonymous User It Promised Not To Reveal
from the gotta-trust-your-ISP dept
We’ve already written about some of the questionable activities by the lawyer hired by the Thomas Cooley law school in its lawsuit against some former students who have become anonymous critics. However, that same blog post from Paul Alan Levy also spent time discussing behavior on the part of Weebly, the service provider who coughed up the identifying information requested by Cooley’s lawyer, despite first promising not to reveal the information at all, and later promising not to reveal if it received information on a motion to quash within a certain time frame. Even with all of that, when the second subpoena came in… Weebly handed over the info, well before the promised deadline it had provided the lawyer for the defendant.
Levy contacted Weebly’s CEO, who gave a variety of reasons why they handed over this info, despite promising not to:
Weebly?s first point to me was that its email to Hermann saying that he could consider the subpoena ?squashed at this point? really wasn?t intended to make any commitments ? Hermann has been writing ?over and over? about keeping his client?s identity private, and ?I had no idea what he was talking about, so I said it?s ?squashed for now? just so he?d leave me alone.?
Weebly also said that after it got the California subpoena, it told Hermann that he would actually need to get a ruling from the judge quashing that subpoena no later than August 22, or it would have to obey the subpoena. I have two problems with that ? first, even the subpoena did not require compliance until August 25, and the information was furnished on August 17. But more important, Weebly?s stance falls well short of the industry standard. In our experience, responsible ISP?s, such as Google, and Yahoo!, and Twitter, will simply insist to parties sending them subpoenas that they won?t comply with subpoenas to identify users if a motion to quash is filed within a given period, normally about two weeks.
Weebly also told me that the disclosure was made in part because Hermann gave shifting stories about whether the subpoena would be issued by a Michigan court or a California court. I found that argument unconvincing. Hermann was plainly uncertain about the actual subpoena documents, but I could not find the shifting accounts. And in any event, should discomfort with the Doe?s lawyer be a reason to shed the Doe?s privacy?
Next, Weebly said that its disclosures didn?t really matter because it did not provide the customer?s actual name, just an email address and various IP addresses. This is not the first ISP that has rationalized subpoena compliance on such grounds. I have got that line from Wikipedia twice, for example. But this case shows why the argument is delusional. The Doe was a former student at plaintiff law school, and the same email address that he gave Weebly was one that he has used while in law school. Thus, when plaintiff got the email address it was able to identify the Doe, and in fact it named the Doe in its amended complaint and cited his name throughout its opposition to the motion to quash.
Weebly?s final explanation to me struck me as the real reason, and it was perhaps the worst part of the explanation. Huffaker said, the subpoena came in on a day when I was out of the office, we have a small staff, we work long hours, we don?t have a lawyer on staff, we don?t get many subpoenas, and we strongly resist requests to remove material at the request of the targets of its customers? criticism. All of this is understandable, and much of it praiseworthy, but to my mind, protecting customers? privacy is also important, and if an ISP doesn?t have a lawyer, it has a responsibility to inform itself of the law governing subpoenas to identify customers and of the industry standard on responding to subpoenas. Moreover, although legal representation can be expensive, Public Citizen often represents smaller ISP?s pro bono in opposing subpoenas when the plaintiff does not meet the Dendrite test. Indeed, California has made it easy to fund the defense against subpoenas in these cases by passing a SLAPP-like law providing for awards of attorney fees; and Hermann made a point of suggesting that angle. Weebly says that it cares about protecting its customers, but it is hard to take those protestations seriously. Potential customers of Weebly, beware.
This may seem harsh on a small service provider like Weebly, and it’s recognizable that it’s tough for service providers to keep up on every law that they have to deal with, but if you’re in the business of providing websites, it’s important to know some basic laws concerning free speech and privacy.
And Weebly isn’t just some mom-and-pop ISP as you might get from Levy’s writeup. The company is funded by Sequoia Capital, considered one of the top 5 (if not the top) venture capital firms out there, went through the famous YCombinator program, and has other famous investors including Ron Conway, Mike Maples, Aydein Senkut and Paul Buchheit. In other words, this is a company that has both the resources and the connections to get the proper legal help when it receives a subpoena (questionable or legit), and never should have revealed this info — especially after promising not to.
That said, companies do make mistakes. One would hope that Weebly’s response in this case will be to apologize for handing over the info without properly allowing the court to consider the motion to quash, and will (1) make its policies much clearer and (2) make sure that its entire staff is familiar with how to deal with such subpoenas in the future. Hopefully this is a lesson for the company.
Filed Under: anonymity, privacy, subpoenas
Comments on “Shame On Weebly For Revealing Info On Anonymous User It Promised Not To Reveal”
“… responsible ISP?s, such as Google, and Yahoo!, and Twitter,…”
Thought ISPs were the ones that supplied connectivity, not web site/services.
You’re thinking of what are called Access ISPs, which I think are more deserving of the ISP name. The ones listed, however, are commonly called Hosting ISPs.
Re: Access v HJosting ISP's
Some people refer to hosting ISP’s as “Online Service Providers” or “OSP’s” to reflect that distinction. However, because both enjoy the protection of section 230 immunity, I prefer to use a common term for both.
Know what works?
Fear of a terribly painful death.
Corporate Psychopath At Work
Weebly’s CEO gave the game away. He said, ?I had no idea what he was talking about”. That was a lie, he knew precisely why some of his users wanted to keep their names private — to avoid retaliation. He clearly really did know that because he was offering privacy as a sales feature of the service.
Then he said, “so I said it?s ?squashed for now?”. That is a most artfully created lie, done with full knowledge. He knew that it had not been squashed, but said that it had been, knowing that his listener might be fooled. That was clever, but utterly immoral. The definition of a psychopath is that they are a person who has no conscience.
Then he said, “just so he?d leave me alone.? That was honest. Sometimes psychopaths reveal their true motivation. Take note, people, the psychopaths are out there. It is nothing unusual for one of them to achieve the rank of CEO. You will meet them. Forewarned is forearmed.
Adult supervision needed
No doubt the Weebly guys – likely young startuppers all – were pressured by Cooley’s counsel into turning the info over, not realizing that a) they could simply ignore the Michigan subpoena and b) they didn’t need to do anything with the CA subpoena until the motion to quash was resolved.
And “squashed”? Cute.
I find it quite odd to read about Weebly complying with an outside request that they didn’t have to and probably shouldn’t have, considering another recent experience I had with Weebly.
Someone had set up a site on Weebly for an event, and was asking for registration fees via Paypal. Most people who had attended similar events readily spotted that the site was a fake and there was no real event. Yet when we attempted to notify Weebly, we ran into difficulty. First, the only e-mail address that could be found for notifying them of TOS violations was one intended for legal and law enforcement authorities, and when we used that one to notify them of scam site, their reply was that they couldn’t be the judge of whether the site was legitimate or not. The impression that I and others who contacted them about this site was clear – “Unless you are someone in authority we can’t ignore, don’t bother us. We don’t care.”