Modern problems require modern solutions and that’s exactly what individuals and companies that are victims of cybercrime are doing by fighting hackers with injunctions against persons unknown. Being hacked has become more common as the technology required has become more accessible in addition to the blackmail prizes becoming larger. This article details how innovative methods are being used to fight back.
How can injunctions against persons unknown be used against hackers?
The theft of data, intellectual property or personal information via hackers has become a regular occurrence and those seeking to fight back have had to be more inventive with their techniques. By having an injunction granted against persons unknown you cannot necessarily stop the hacker from distributing the content but you can prevent websites and other forms of media from redistributing further.
An injunction against persons unknown is an injunction where you identify by a description as opposed to a specific named identity. Breaching an injunction would mean being in contempt of court and can lead to imprisonment so therefore the injunction must only cover the (unknown) defendants in the specific circumstances. Ensuring this specificity prevents innocent individuals from getting caught up in the dispute. This does however provide an incentive for third parties to take action when served with the injunction.
As mentioned a skilled hacker will be able to conceal their identity and post up the disputed content online without much risk of being caught breaking the terms of the injunction. Contact can be made using untraceable email communications and IP addresses can be concealed through Virtual Private Networks (VPNs) meaning internet service providers (ISPs) cannot locate the user.
Once the hacker has posted the material online the injunction can be served onto the website host forcing the material to be removed however this takes time and doesn’t stop the content from being copied and taken offline. It the content reappears, either from being posted by the hacker or somebody who copied the content, the injunction can simply be served on the next website host. This creates a game of virtual whack-a-mole but with the right resources, it can prove an effective way of maintaining data privacy.
When can you be granted an injunction against persons unknown?
In Boyd v Ineos Upstream a basic set of principles were “tentatively” outlined for when an injunction against persons unknown could be granted. Other rulings including Cameron v Liverpool Victoria Insurance Co Ltd and Cuadrilla Bowland Ltd and others v Persons Unknown were handily drawn together in Canada Goose UK Retail v Persons Unknown where the following principles would need to be met with regards to a “persons unknown”:
- The “persons unknown” defendants in the claim form are, by definition, people who have not been identified at the time of the commencement of the proceedings. The “persons unknown” defendants must be people who have not been identified but are capable of being identified and served with the proceedings, if necessary by alternative service such as can reasonably be expected to bring the proceedings to their attention.
- The “persons unknown” must be defined in the originating process by reference to their conduct which is alleged to be unlawful.
- Interim injunctive relief may only be granted if there is a sufficiently real and imminent risk of a tort being committed to justify quia timet relief.
- The defendants subject to the interim injunction must be individually named if known and identified or, if not and described as “persons unknown”, must be capable of being identified and served with the order, if necessary by alternative service, the method of which must be set out in the order.
- The prohibited acts must correspond to the threatened tort. They may include lawful conduct if, and only to the extent that, there is no other proportionate means of protecting the claimant’s rights.
- The terms of the injunction must be sufficiently clear and precise as to enable persons potentially affected to know what they must not do.
- The interim injunction should have clear geographical and temporal limits. It must be time limited because it is an interim and not a final injunction.
Examples of using injunctions to take on hackers
Middleton & Matthews v Persons Unknown
There have been several real-world examples of when injunctions have been granted against hackers. Pippa Middleton, the sister of the Duchess of Cambridge, had an interim injunction granted against persons unknown after it was brought to her attention by a journalist of The Sun newspaper that a hacker had offered to sell them a collection of 3000 photos. The judge determined that should the individual be identified and be brought before the court then publication would not be permitted as there was no public interest and therefore the injunction was granted.
PML v Persons Unknown
In PML v Persons Unknown an anonymous company had a high court injunction granted after a large quantity of data was stolen. The hacker attempted to extort the victim company through blackmail initially demanding £300,000 before raising the demand to £350,000. They were unable to identify the hacker but had received contact via email informing them of the hack threatening to release the data if they weren’t paid the ransom. With the injunction, the anonymous company ‘PML’ was able to order web hosting companies to remove data from various online forums. Realising that they weren’t likely to be paid, the hacker reduced their demand to £100,000. This and the ease with which the web hosting companies complied showed the effectiveness of the method in this particular case.
CMOC Sales & Marketing Ltd v Person Unknown & 30 others
Another interesting case was CMOC Sales & Marketing Ltd v Person Unknown & 30 others where CMOC was the victim of email compromise fraud with hackers using this information to get into the company system and impersonating the company to send payment instructions to CMOC’s bank. The bank paid $6.91m and €1.27m in multiple transfers. The judge granted a worldwide freezing order against the persons unknown with several banks that received the funds added to the order once CMOC was able to obtain their identity.
This is considered a landmark case because it is considered the first time a freezing order was awarded against persons unknown. The judge determined that despite many challenging procedural issues the court had jurisdiction to make the freezing order which could allow the account holders receiving the payment to be revealed via Norwich Pharmacal orders.
Citing Braspetro Oil Services v FPSO Construction Inc. the judge discussed the obligation of fair presentation. The Braspetro case involved a defendant who decided to no longer take part in proceedings but the claimant had taken the necessary steps to make the defendant aware of what was happening. The judge in the CMOC case decided that the claimant had followed these principles so this wasn’t a barrier to the injunction being granted.
Another interesting feature of this case was that the judge permitted service to the persons unknown via WhatsApp and Facebook Messenger. Both messenger services have the ability to identify when messages are sent and received and of course any messages in reply. The judge deemed that in the circumstances this method was permissible and that the defendants had voluntarily not taken part in the proceedings having been fully informed. From this order CMOC was awarded repayment of the stolen money, damages and legal costs.
AA v Persons Unknown
In this particular case, a hacker managed to break into the computer systems of a Canadian insurance company and extorted $1.2m in Bitcoin from the victim. The cybercrime insurer of the victim had paid this ransom but was able to identify the wallet where the ransom was paid in cryptocurrency which was controlled by Bitfinex in the British Virgin Islands. Having established that the cryptocurrency was property and a proprietary injunction was granted. The judge also ordered Bitfinex to identify the hackers via the information they possessed to ensure the injunction was adhered to.
Summary of how to take on hackers
Innovative cases such as the ones outlined show that victims of cybercrime are not weaponless in their fight against hackers. Injunctions against persons unknown are powerful tool however the principles in the Canada Goose case must be met as well as ensuring procedure followed. Success is dependent on a meticulous methodical approach but doing so can be a route to recovering losses.
Are you concerned about the development of hackers committing cybercrime? Alston Asquith has offices in London and Hertfordshire and can arrange a call to provide some initial advice and if your case could be eligible for an injunction against persons unknown.
We pride ourselves on our relationship with our clients as well as the service we provide. View some of our feedback on Trustpilot.
Visit our contact page to find out how we can help.
Read more
Injunction Against Persons Unknown
Insights: Injunctions
Services: Injunctions