Should websites and social media pages be liable for users’ comments


The Internet represents a communications revolution. It makes instantaneous global communication available cheaply to anyone with a computer and an Internet connection … the Internet is also potentially a medium of virtually limitless international defamation. Barrick Gold Corporation v. Lopehandia, 2004 CanLII 12938 (Ont. C.A.), (2005) 71 O.R. (3d) 416 (C.A.)

Since it’s launch in February of 2004, Facebook (the most popular social networking site) has grown to over 500 million active users. If Facebook was a nation, it would be the world’s third most populous.

In this “nation”, a reputation can be destroyed in an instant through a drunken post, an anonymous email or a “trigger-happy” Tweet.

Almost all Internet users now interrelate with Facebook & Social Media in some way. Some of us contribute new content while others prefer to simply browse it and occasionally post comments, reviews or bookmark their favorite content for later. Whatever the case, Social Media has had a huge impact on the way we use the Internet to socialize, educate ourselves, do business, and so much more.

Although such platforms are credited for disseminating information and promoting debate, they can also be a source of negative speculation and inadvertent promotion of subversive content. Facebook pages like the now infamous TVO and Timothy Kalyegira’s Kampala Express have been known for thought provoking posts which have Inevitably elicited comments from users that are inappropriate and defamatory.


Social media accounts work in such a way that the owner of a website/account or page has the unfettered discretion to decide what other users will see (or won’t see) on their platform. It is thus left to the page/account owner, to allow or disallow defamatory or seditious content to remain on their page.

Nevertheless, people are exceptionally adept at discovering new ways to defame one another. This is aggravated by the nature of the Internet where communication is immediate & transcends borders.

In Canada, the Supreme Court in the recent case of Grant v. Torstar Corp., 2009 SCC 61. , extended the need for “responsible communication on matters of public interest” to defamation not just to journalists, but to bloggers and online posters. This means that online archives of news stories or articles, must be changed to reflect new developments.

The Court of Appeal re-affirmed this position in the recent English case of Flood v. Times Newspapers Ltd., [2010] EWCA Civ 804. In that case, a police officer was accused, in a newspaper article, of taking bribes from Russian exiles with criminal connections. The article was printed in the paper edition of the Sunday Times, and was also made available in its entirety online. Approximately a year after the article was first published, a report cleared the police officer of any wrongdoing. and held that online archive of a story must be updated to take account of exculpatory developments.


In Uganda, ISP liability is provided for under PART V of the Electronic Transactions Act 2011.

Section 29 reads;

Liability of a service provider

(1) A service provider shall not be subject to civil or criminal liability in respect of third-party material which is in the form of electronic records to which he or she merely provides access if the liability is founded on—

(a) the making, publication, dissemination or distribution of the material or a statement made in the material; or

(b) the infringement of any rights subsisting in or in relation to the material.

Under Section 30, where a service provider refers or links users to a data message containing an infringing data message or infringing activity, the service provider is not liable for damage incurred by the user if the service provider—

(a) does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of the user;

(b) is not aware of the facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent;

(c) does not receive a financial benefit directly attributable to the infringing activity; or

(d) removes or disables access to the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to the data message infringes the rights of the user.

Section 30, suggest a “notice-and- takedown” requirement on ISP’s to remove infringing content once they receive notice of it.

In Godfrey v. Demon Internet Limited, [1999] EWHC QB 244, the English Court of Queen’s Bench found the host of a bulletin board service liable for failing to remove defamatory postings once they were made aware of the content.

In 2015, the European Court of Human Rights (ECHR) in Grand Chamber Case of Delfi AS v Estonia (Application no. 64569/09), departed from the “notice and take down requirement” when it held that an Estonian news site (Delfi) could be held responsible for anonymous and allegedly defamatory comments from its readers even after the information had been taken down.

Prior to the decision, intermediaries were guaranteed protection from liability arising from defamatory content as long as the said intermediary implemented a notice-and-takedown mechanism on third-party comments. The decision has thus been seen by many as a dramatic shift away from the free expression and privacy protections that created the internet.

The ECHR cited “the ‘extreme’ nature of the comments which the court considered to amount to hate speech, the fact that they were published on a professionally-run and commercial news website,” as well as the “insufficient measures taken by Delfi to weed out the comments in question and the low likelihood of a prosecution of the users who posted the comments,” and the moderate sanction imposed on Delfi.

Although the decision doesn’t have any direct legal effect, it simply finds that Estonia’s laws on site liability aren’t incompatible with the ECHR. It doesn’t directly require any change in national or EU law. Indirectly, however, it may be influential in further development of the law in a way which undermines freedom of expression. As a decision of the Grand Chamber of the ECHR it will be given weight by other courts and by legislative bodies.

In the US, the protection afforded ISPs is even broader. Section 230 of the Communications Decency Act provides statutory immunity for online services, including blogs, forums and ISPs, who publish defamatory content, so long as that content is authored by a third party. This immunity applies even if the ISP receives notice of the defamatory material.


Whenever seemingly libelous content is posted on blog or a website, the perpetrators (who are often anonymous) are shielded by the right to privacy and freedom of speech. However, some of the victims of the defamation have valiantly fought to expose these cyber vigilantes.

In January of 2009, a fashion model instituted proceedings in the Supreme Court of New York in Cohen v. Google Inc. (N.Y.S.C. Index No. 100012/09, August 17, 2009) seeking to compel Google to disclose the identity of the author who had started a Google-hosted website describing her in disparaging and allegedly defamatory terms.

The “Anonymous Blogger,” as she was referred to in the action, was notified by Google of the proceedings and filed a brief in opposition to the application. In her brief, the Anonymous Blogger (through counsel) argued that the Internet has “evolved as the modern day soapbox for one’s personal opinion” and that “blogs have become a phenomenon, providing an excessively popular medium not only for conveying ideas, but also for mere venting purposes, affording the less outspoken a protected forum for voicing gripes, levelling invectives, and ranting about anything at all.”

In granting the application for disclosure, the court noted that the anonymous nature of the internet must be measured against the protection of reputation.

The court further opined that protection of the right to communicate anonymously must be balanced against the need to assure that those persons who choose to abuse the opportunities presented by this medium can be made to answer for such transgressions.

Before turning to the courts to compel disclosure of identifying information of online publishers, as a first step one should always write to the ISP, website or email provider requesting that they disclose the identifying information.

Section 31 of the Electronic Transactions Act 2011 provides for notification of infringing data message or activity and provides that;

(1) A person who complains that a data message or an activity relating to the data message is unlawful shall notify the service provider or his or her designated agent in writing and the notification shall include—

(a) the full name and address of the person complaining;

(b) the written or electronic signature of the person complaining;

(c) the right that has allegedly been infringed;

(d) a description of the material or activity which is alleged to be the subject of infringing activity;

(e) the remedial action required to be taken by the service provider in respect of the complaint;

(f) telephone and electronic contact details of the person complaining;

(g) a declaration that the person complaining is acting in good faith; and

(h) a declaration that the information in the notification is correct to his or her knowledge.

In the UK case of Norwich Pharmacal Co. v. Commissioners of Customs & Excise, [1974] A.C. 133 (H.L.). the House of Lords held that where a person becomes involved in the tortious acts of others, even innocently, that person has a duty to give full information to the injured party, by way of discovery, to disclose the identity of the wrongdoer.

This case was re-affirmed in the 2009 Ontario case of York University v. Bell Canada Enterprises, 2009 CanLII 46447 (ON S.C.), where York University sought a Norwich Pharmacal order compelling Internet service providers to disclose the identity of the anonymous author of allegedly defamatory emails and web postings that accused York University’s president of fraud.


Many Internet users have online aliases or code name they use to protect their identities. At times, this anonymity may lead some to believe that they can write whatever they wish without fear of repercussions. However, in most cases it is possible to obtain evidence about the author of online defamation.

Every publication on the Internet, be it a posting to a bulletin board, blog, email message, or Facebook posting leaves behind an evidentiary trail that can be used to track the identity of the publisher.

The easiest way to obtain the identity of an anonymous online publisher is through the tracking of an IP address. An IP address is a numerical label that is assigned to devices that access the internet, and contains information about the routes by which information travels across the Internet. Every device that accesses the Internet, be it a computer, server or router, has a unique IP address, and this IP address can often be followed back to the original author.

By way of example, an email sent from Computer A will typically carry with it the IP information of Computer A. This email might be routed through Email Server B, on to Router C before arriving at Computer D. Each device on this route will have its own IP address. Depending on the nature of the online services involved, some or all of the IP addresses of the devices may be visible as part of the email delivered to Computer D. A perhaps overly-simple analogy can be drawn to a telephone number—Computer D will be able to see that it was called by Router C, which will know that it was called by Email Server B, which will keep a record of the original call from Computer A. Similarly, each server hosting a website will have its own unique IP address. Many websites also keep track of the IP addresses of those computers that access it, or of those users that post content to their site.

A detailed overview of the process for obtaining IP addresses is beyond the purview of this paper, however one or more IP addresses (for some or all of the various devices along the route) will typically accompany an email message. For an excellent overview of electronic evidence, see Crerar, David and Purita, Ryan. No Hiding Place in Cyberspace: Electronic Discovery from Non-Parties (The Advocate Vol. 64, Part 6, November 2006 at 781).

In the event the online defamation is in the form of a posting to a website, the website administrator will usually have a record of the IP address or email from which the publication originated, and the IP address can be obtained (usually by way of court order, the processes for which are outlined below). Finally, if the entire website itself is defamatory, there are a number of free online tools that provide the IP address of the individual or company hosting the website.

Armed with an IP address, it is then possible to look up the device or company that assigned the IP address. The IP address will usually point to a company that provides internet access or email services, such as Shaw, Telus, Microsoft or Google, however the IP address alone will not typically reveal the identity of the online author.

These companies usually will have additional identifying information about the author, either in the form of a further IP address pointing to an ISP (in the case of email providers) or the identity of the ISP account holder.

A note of caution: it is relatively easy for an individual to mask or disguise their IP address—there are numerous free online “IP masking” services that provide false IP addresses and make it exceedingly difficult to track down the true identity of an online author. However, while such services are readily available, in practical terms they are rarely used by the authors of online defamation. Due to the personal and often emotional nature of attacks on reputation, defamatory postings or emails are typically spur of the moment in nature, and more often than not the author will not take these additional steps to mask their online identity.

A greater concern lies with the proliferation of public wireless internet (“Wi-Fi”) networks, from which anyone can access the internet anonymously and freely. The concern with these public Wi-Fi networks, which can increasingly be found in coffee shops, libraries and restaurants, is that even if one were to obtain the identifying information of the source of the online publication, it may only lead back so far as the place where the author accessed the Internet.

A potential ray of hope lies in the emergence of the cellular networks as a means of accessing the Internet. Increasingly, people are relying on cell phones, laptops with built in “3G” cellular wireless and devices such as Apples iPad to write emails, post on Facebook and update their blogs. Due to the way these devices access the Internet through the wireless carrier’s data services, it is more difficult for a user to hide their online identity.


A Norwich Pharmacal order is a form of discovery which permits a Applicant or potential Applicant  to identify a potential defendant by way of an “equitable bill of discovery.” Although typically used as a form of pre-action discovery, there is nothing which precludes this order from being sought in the context of ongoing litigation.

The order is named after the UK case of Norwich Pharmacal Co. v. Commissioners of Customs & Excise, [1974] A.C. 133 (H.L.). In this case, the House of Lords held that where a person becomes involved in the tortious acts of others, even innocently, that person has a duty to give full information to the injured party, by way of discovery, to disclose the identity of the wrongdoer. The authority for granting this order was found in a number of historical cases dating back to the 19th century.

The applicant need only demonstrate a bona fide claim against the alleged wrongdoer, as opposed to the “strong prima facie” case required to obtain other forms of interlocutory relief.

In GEA Group AG v. Ventra Group Co., 2009 ONCA 619, the Ontario Court of Appeal conducted an extensive review of Canadian cases in which bills of discovery had been sought, and formulated a set of factors to be considered in determining whether this equitable remedy should be granted. While agreeing with jurisprudence that held that the “scope and nature of Norwich Pharmacal principle is far from settled” (at para. 54), the Ontario Court of Appeal set out the following principles as central to the inquiry of the court:

1. Whether the applicant has provided evidence sufficient to raise a valid, bona fide or reasonable claim;

2. Whether the applicant has established a relationship with the third party from whom the information is sought such that it establishes that the third party is somehow involved in the acts complained of;

3. Whether the third party is the only practicable source of the information available;

4. Whether the third party can be indemnified for costs to which the third party may be exposed because of the disclosure, some [authorities] refer to the associated expenses of complying with the orders, while others speak of damages; and

5. Whether the interests of justice favour the obtaining of the disclosure.

Similar factors were recently identified by the BC Supreme Court in College of Opticians of British Columbia v. Coastal Contacts Inc 2010 BCSC 104.  In this case, the College of Opticians attempted to obtain a Norwich Pharmacal order to compel Coastal Contacts to disclose the identity of the optician or eye care professional it employed. After reviewing Kenney, Madam Justice Gerow set out the following test for granting a Norwich Pharmacal order:

1. the Applicant  must show that a bona fide claim exists against the unknown wrongdoer;

2. the Applicant  must establish that disclosure will facilitate rectification of the wrong;

3. the defendant must be the only practicable source of the information;

4. there is no immunity from disclosure;

5. the Applicant  must establish a relationship with the defendant in which the defendant is mixed up in the wrongdoing. Without connoting impropriety, this requires some active involvement in the transactions underlying the intended cause of action;

6. disclosure by the defendant will not cause the defendant irreparable harm; and

7. the interests of justice favour granting the relief.


In the 2009 Ontario case of York University v. Bell Canada Enterprises, York University sought a Norwich Pharmacal order compelling Internet service providers to disclose the identity of the anonymous author of allegedly defamatory emails and web postings that accused York University’s president of fraud.

Applying the test set out in GEA Group AG v. Ventra Group Co., Mr. Justice Strathy examined the role of the anonymous author(s) privacy expectations as they related to the interests of justice in granting the application. The court looked at the service agreements and privacy policies of the Bell and Rogers ISPs, both which prohibited use of the internet services for the purposes of posting defamatory material and both of which provided that identifying information could be disclosed by court order. In granting the application, Mr. Justice Strathy found as follows:

A Bell customer can reasonably contemplate, therefore, that his or her identity may be disclosed by order of the court in the event he or she engages in unlawful, abusive or tortious activity.

The courts concern for the privacy interests of the anonymous author was also reflected in the order granted, which included a term requiring the University to serve the author with a copy of the order, once identified. The author could then apply, on notice to the University, to vary or vacate the order.


The affidavit in support of an application for disclosure should include the following:

1. It should set out the defamatory postings, to establish that a bona fide claim exists against the unknown wrongdoer. Print outs of the defamatory publications can be attached as exhibits.

On October 22, 2008, a user identified as “ANONYMOUS” posted a message on the Forum, an online bulletin board service hosted by the Respondent, as part of a message thread concerning the Applicant. Attached as Exhibit “A” to this my affidavit is a copy of the October 22, 2008 posting by ANONYMOUS.

2. It should set out that, in order to proceed with the action/a proposed action against the anonymous defendant, the information being sought is required.

I do not know the identity of the author or authors responsible for the forum postings. I understand that in order to proceed with a lawsuit against the author or authors, it is necessary for the Applicant  to ascertain the identity of the author or authors of the above messages.

3. The affidavit should set out the involvement of the ISP or email service provider.

I understand that in order to post messages to the Forum, it is necessary for an individual to set up an account with To set up an account with, an account holder must provide an e-mail address to Example Corp.

Example Corp. may also be in possession of other personal information about ANONYMOUS, including but not limited to the internet protocol (“IP”) address(es) of the computer(s) utilized by ANONYMOUS to send the postings.

4. It should set the defendant is the only practicable source of the information, and set out the previous steps that have been taken to obtain the information.

Under cover of letter dated October 30, 2009, counsel for the Applicant wrote to Example Corp., requesting that Example Corp. disclose information necessary to aid in the identification of the author(s) of the defamatory communications, including any and all registration data, internet protocol addresses (“IP addresses”) , and e-mail addresses associated with the ANONYMOUS account. Attached as Exhibit “B” to this my affidavit is a copy of the October 30, 2009 letter.

By way of email dated November 1, 2009, John Doe, Senior Editor of Example Corp., wrote to counsel for the Applicant  and stated that Example Corp. would not turn over the requested information without a court order. Attached as Exhibit “C” to this my affidavit is a copy of the November 1, 2009 letter.

5. It should include the terms of use of the ISP or email service provider. The terms of use typically include a term that the user will not use the services provided to defame, harass or conduct criminal activity.

I understand that by signing up for a Forum account, Forum users agree to be bound by the Service Agreement. The Service Agreement includes a “Code of Conduct”, which states the following:

You will not upload, post, transmit, transfer, distribute or facilitate distribution of any content (including text, images, sound, video, data, information or software) or otherwise use the service in a way that:

…incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence.

threatens, stalks, defames, defrauds, degrades, victimizes or intimidates an individual or group of individuals for any reason; including on the basis of age, gender, disability, ethnicity, sexual orientation, race or religion; or incites or encourages anyone else to do so.

Attached as Exhibit “D” to this my affidavit is a copy of the Service Agreement and Code of Conduct.

6. Finally, the affidavit should set out the privacy policy of the service provider. The privacy policy will typically inform the user that personal information can be disclosed pursuant to a court order.

The privacy affords its customers is outlined in Privacy Policy, which states “ collects personal information to provide you with the best and most personalized experienced possible.” It goes on to state that: will not disclose any personally identifiable information about individual users, except as described in this Privacy Statement… As for individually identifiable information, we may disclose it only under the following circumstances.

We may disclose your personal information as required by applicable law, or in response to legal process, to protect the rights or property of, or to protect the safety of, our users, or others.

Attached as Exhibit “E” to this my affidavit is a copy of the Privacy Policy.

It is important to include the Terms of Use and Privacy Policy. Together, these documents may provide a basis for arguing that the privacy rights of the anonymous author are limited, and further, that it should be within the anonymous author’s contemplation that their identifying information may be turned over pursuant to a court order.

The order may be drafted as follows;


1. Google Inc. disclose to the Applicant /Petitioner email address(es), name(s), IP address(es), and any other identifying information of the account holder(s) associated with the email addresses “[email protected]”;

2. The Applicant pay to Google all reasonable costs incurred by Google for the retrieval, production, inspection and delivery of the identifying information forthwith in the agreed amount of $150.00; and

3. This Order shall be served by the Applicant /Petitioner on the account holder(s) identified by Google Inc. and those person(s) and any person(s) affected by this order may apply on two days notice to the Applicant /Petitioner to vary or vacate this Order.


Not only have Commonwealth courts adapted to the electronic frontier, but they have managed to thrive. Ancient common law remedies such as the Norwich Pharmacal order have been repurposed for the information age, questions of limitation periods and jurisdiction have mostly been settled, and while there remains tension between the competing privacy interests of Internet users and Applicant s, it is generally possible to obtain orders for the disclosure of the identity of anonymous authors.

Kenneth Muhangi

Partner - KTA Advocates
LLB Hons (UCU) LLM (Wales) Dip Lp. LDC
Technology, Media, Telecommunications & Intellectual Property Law Practitioner

All author posts