In K.U. v. Finland the European Court of Human Rights has decided to hear a potentially very significant case considering whether victims of online activity may have a right to identify the internet users alleged to be responsible.
In this case the applicant, who was then aged 12, was the victim of a fake personal ad giving his name, phone number, date of birth and his picture and claiming that he was looking for a homosexual relationship. The applicant learned of this when he received a phone call from an older man. Although that man was eventually identified and charged with an offence the person who placed the ad remained unidentified. The police sought to find out (from the ISP) the name of the subscriber behind the dynamic IP address used to place the ad. The service provider however was advised that it was bound by the duty of the confidentiality of telecommunications and could not reveal the user's identity. The Finnish courts ultimately agreed, holding that the law as it stood provided for this information to be revealed only in respect of specified criminal offences - and although defamation ("calumny") was a criminal offence, it was not a sufficiently serious offence to fall within the scope of the legislation.
The applicant applied to the European Court of Human Rights, claiming simply that the fake ad constituted a violation of his right to a private life under Art. 8 of the ECHR, and that as he could not identify the person responsible he had been denied an effective remedy for that violation under Art. 13 ECHR. The case is currently pending.
So why does the case matter? Although the facts are narrow, the implications may be quite wide and may require states to introduce much more extensive rules for identifying internet users. In particular (and I'm obliged to Patrick Breyer for these points) the action presupposes that an effective remedy for a victim requires the identification of (alleged) wrongdoers. But this overlooks the fact that other effective remedies (such as notice and takedown procedures and host liability) already exist and were provided for in Finnish law. In addition, the claim that access to this information must be available even in respect of minor crimes ignores the principle of proportionality - respected even in the Data Retention Directive - under which access to communications data should generally be limited to cases of serious crime. Similarly, most national caselaw has required a showing of proportionality before courts will order users' identities to be disclosed. I've written before about the issues involved in identifying internet users.