A Privacy Expert Weighs in on the ‘Shitty Media Men’ Spreadsheet Lawsuit

Stephen Elliott. Photo: Getty

In the aftermath of Stephen Elliott’s lawsuit against “Shitty Media Men” spreadsheet creator Moira Donegan and “Jane Does,” many women are wondering how seriously to take his intention to force Google to hand over the identities of anyone who ever contributed to or shared the document. Some are worried. “I feel sick,” one woman told me, while others are reasonably confident. “There’s no way Google will actually do this, right?” Maybe not. We might not think about it when we’re online but Google is vulnerable to subpoena — and it retains a massive amount of information.

In his suit, Elliott states that he intends to obtain this information through discovery, and that he’ll subpoena Google for “email accounts, Google accounts and ISPs in order to learn the identity of the account holders for the email addresses and IP addresses.” He’s doing this, according to his suit, because he believes that in discovering this information he’ll be able to add more names to his complaint.

Elliott is ultimately suing for libel, and whether he’ll be able to successfully argue that anyone who ever touched the document defamed him remains an open question. But according to Sean O’Brien, a lecturer at Yale Law School and the co-founder of the Yale Privacy Lab, there are all kinds of big ramifications that could play out whether Elliot wins or loses. Here, he explains what women who participated in the spreadsheet need to know.

Elliott’s intention to discover the names of all the women who participated in the list has freaked a lot of people out. Can he really do that?
Yes, unfortunately. It’s actually very straightforward in this case as far as I can tell. When we publish things on the internet, we’re openly advertising our location to the web server we talk to, at the very least, and often other information from our web browser that tells the service provider, in this case Google, who we are. So even though I think the document had some sort of disclaimer at the top saying, “Hey, make sure you’re not logged into your Google account,” the people who were logging into or viewing that document were still volunteering some information. That’s just a basic problem with the way that the web works.

The web is a request-response system, so you request information from a web server, and the web server responds to you. When you send that request command out from your web browser, which is in this case just clicking on the link to the Google Doc, you’re likely volunteering information which can identify you.

Traditionally, courts have not been too kind in this situation, especially in the United States. There’s been a lot of precedent around downloading —media files, audio and video, music and movies — and that data tends to be wide open for courts during the discovery process. So if the music industry wanted to sue me for clicking a link on the Pirate Bay, they’d be able to use the discovery process — a civil process of going through the court to get information for the case to find out who I am, even if I thought I was relatively anonymous.

In order to get the subpoena, what kind of a case does he need to make, and what’s the process for that?
Elliott is making a case of defamation. If the judge decides that he has the right to figure out who his accusers are, then it’s up to Google to say yes or no, and Google is very likely to say yes.

I’m not saying he necessarily has an extremely strong case for libel. But, if the Judge decides he does, the court is almost certainly going to get Google to hand over that information.

So, the question becomes, during the process of discovery, is this information going to end up staying inside of the courtroom. Traditionally it would, but given the nature of the internet, and given the nature of the publicity around the case, it’s possible that some of this information leaks out, and then what happens? I don’t know.

Would there have been a better solution than using Google?
There are a lot of really good anonymous resources on the internet, like Riseup.net. And the Tor browser, which is an anonymity network that’s designed to bounce your internet traffic through multiple intermediaries in a way that makes it nearly impossible to figure out who started the request.

But Google has detailed information. In fact, I would assume they do, in this case, even if the individuals were not logged in with their Google accounts. Beacuse Google may have the ability to correlate the IP address that the visitor is using with their actual Google account. They specialize in that kind of thing.

Let’s say I go out to a Google Doc, and I go from my home computer, and then I say, “Oh, crap! I’m logged into my Google account.” I log out, and then I go back in and edit that Google Doc. Google almost certainly is not fooled by me logging out. And even worse, now they’re able to correlate my home IP address with the not-logged-in user — with the actual user name that I was logged in with. They do this across devices — it’s called cross-device tracking — between cell phones and so on and so forth.

What worries me most about this case is that there’s going to be a lot of people caught in the middle who were not even editors of the document. I’m not sure Google can differentiate, or if they keep the information un-siloed enough that it can tell if you shared the link, but didn’t edit the document, and I don’t know if you’d be pulled into the court case.

Would Google be able to refuse?
Yes, but the company can potentially be held in contempt for doing so. When you start becoming the entity that safeguards personal information, you open yourself up to getting these kinds of court orders.

What they could do instead, of course, is just throw out the data, which is what Riseup.net does. And then when they get such a court order, they can say, well yeah, we don’t have it. But Google makes its business in having that information.

Okay. So let’s say a judge does subpoena Google, they hand over all this information … I mean, it’s not like every single name he’s going to be given has added his name to the list. How would he use all of that information to his benefit in this case?
So the scope of what’s available for discovery is up to the court. So they may say, okay, we don’t want all the IP addresses, we only want the ones pertaining to Stephen Elliott.

Unfortunately the precedent in the U.S. tends to be that the court will get the whole document and it will probably get all the logs pertaining to that document. That’s all going to be a negotiating process.

Although it’s up to the court, it also has a lot to do with how deeply the lawyers want to go. It’s possible that there are going to be other people who get wrapped up in this.

If Individual B, who’s not Stephen Elliott, was also on the Shitty Media Men list, and Stephen Elliott has success getting the court to provide a lot of information, and others see it, then it’s possible that Shitty Media Man B or C or D all of a sudden starts filing suits against the other Jane Does. And this opens up a can of worms for everybody who edited the document. That’s possible.

Why do you think he tacked on the Jane Does to the suit?
It seems to me that he tacked on all those people just to make the scope of discovery seem as wide as possible. I don’t see how he would have a strong case against any of them, because they’re making accusations against other men. At the same time, it’s quite likely that all the information ends up in front of the court. What that could mean is that you see a series of cases whether he loses or not.

Because that information reveals like, Jane Doe added the name of X? And if X finds out, and then comes after Jane?
And, I would say more likely, that dude already actually knows what’s in the document, because there’s cached versions of this, and there’s been a BuzzFeed story on this. So that dude probably already knows, and he’s just waiting to see what happens with this case.

A lot of women have been wondering what the point is of asking for all of this information, because it’s not like he can sue everyone for libel, right?
I mean, he’s trying. But I would say he has an extremely weak case. They’ve got to say something about him, right? That’s the bottom line.

It may be a smart tactic, or a weak tactic depending on your perspective and depending on the judge. Maybe it annoys the court, and they’re like, “Why are you introducing all this other stuff?” But maybe it’s also stuff, a bullying tactic, that actually seems to give him more credibility.

So, he has a very good chance of obtaining all of everybody’s data, and a very low chance of actually being able to sue everybody that’s ever touched the list.
Yeah, I would say that’s a correct statement.

In terms of this subpoenaing of other information, could Google identify exactly who entered the Stephen Elliott entry in the spreadsheet? Is there that level of, I don’t know, data specificity available?
I don’t know if we know, if Google has ever told us that they collect that information and store it. However, generally speaking, there’s tracked changes on these documents, there is software functionality to allow for that. The question would be whether or not Google stores it.

There’s also the question of correlation. I don’t know how detailed the logs are. If the logs from the server that hosts the document say, “Well, this line was edited at 12:10, and it was the Stephen Elliott line, and then 30 minutes ago by …” And then, something else pops up. Then, you might be able to guess by the fact that only one individual or a few individuals were logged in at 12:10, so one of them must have been the one who edited the line.

Is there anything that women who contributed to the list should do or can do in the meantime?
Yeah, so I mean, there’s not much that can be done about what’s already been written. But, one of the things that can contain the damage is not talking about it anymore through social media. And not sending plain text emails, especially through Gmail, which is owned by Google.

I would also say that if you’re going to have these conversations, you have to start getting away from the big social-media platforms and the big email providers and start thinking about actual anonymous communication through the internet.

That’s something that is the kind of work we do at Yale Privacy Lab, like try to help people figure this stuff out. The Electronic Frontier Foundation does great work showing people how to do that. The Tor Project also helps people do that. It’s not an overnight fix.

I don’t really know how to comfort anyone except saying, you know, try to take your communication offline. We’ve locked ourselves into these platforms that are constantly spying on us, and in a case like this, where [there’s] an individual with power and money and the desire to sue a lot of people — they can call everyone out all at once. And our internet service providers, our content providers, and our email providers are not going to protect us from that. They’re going to hand over the keys to the kingdom almost every time.

A Privacy Expert Weighs in on Stephen Elliott’s Lawsuit