Middleton & Matthews v Persons Unknown [2016] EWHC 2354 (QB)
The sister of the Duchess of Cambridge and her fiancé have been granted an interim injunction against 'persons unknown' after an unidentified person or persons hacked Ms Middleton's iCloud account and offered to sell over 3000 personal photos to The Sun and The Daily Mail.
There has been a recent spate of hacking of celebrity iCloud accounts and this post examines the extent to which the courts can protect victims of such hacks in the UK.
Facts
Ms Middleton was informed by a journalist from The Sun that an unidentified person had offered to sell the newspaper photos from her iCloud account. That same evening, Ms Middleton and her fiancé, James Matthews, were granted an injunction by Mr Justice Dove against persons unknown. The Claimants then sought a continuation of the injunction (but in broader terms) upon the return date before Mrs Justice Whipple two days later.
Judgment
Whipple J was first required to determine whether under section 12 of the Human Rights Act all reasonable steps had been taken to notify the defendant. Given that the identity of the defendants was unknown, notification was not possible and therefore the statutory criterion was met.
The judge then determined that the Claimants were likely to establish at trial that publication should not be allowed. Any use by publication or sale of the information would be a misuse of private information which had no genuine public interest attached to it. If the hacking could be proved, it would be a criminal act.
Whipple J accordingly widened the terms of the order to extend the injunction to all material and information held on Ms Middleton's iCloud account and extended the time for service of the Claim Form in order to allow time for the defendant or defendants to be identified.
Comment
Following the cases of TUV v Persons Unknown and X & Y v Persons Unknown, the 'persons unknown' privacy injunction is well-established under English law and is a useful mechanism whereby a claimant can prevent publication of information without having to serve all media organisations who may be affected by the grant of an injunction.
One of the downsides for Ms Middleton and Mr Matthews is that whilst they have successfully obtained an injunction, their costs and any damages may never be recoverable if the hacker responsible ultimately eludes identification. In the case of Brett Wilson LLP v Persons Unknown the author of a defamatory website was ordered to pay £10,000 in damages but at the time of the judgment had still not been identified.
In this instance the injunction appears to have achieved its goal. However, even a court injunction may not in all circumstances prevent publication by a hacker who is skilled enough to remain anonymous and chooses to distribute the relevant information through the internet in spite of any injunction. In this case, the photos were offered to The Sun through an untraceable electronic communication. Hackers can remain anonymous through the use of VPN and Tor services, which are able to conceal a user's location. Once information has been released onto the internet, it can be very difficult to stem further spread, as the case of AMP v Persons Unknown (where sexually explicit images of the claimant were uploaded using the BitTorrent protocol) demonstrates.
With hackers continually finding ways in which to breach and access secured data, individuals need to be particularly careful with what they upload to cloud accounts. That does not necessarily mean that all hacks are particularly sophisticated, and individuals must also be extremely careful when disclosing any account details and passwords. The man charged in the US earlier this year with stealing photos from at least 50 iCloud and 72 Gmail accounts (most of which belonged to celebrities) had no technical hacking skills at all, but rather employed a simple 'phishing' method using fake email addresses that appeared to come from Apple and Google sources. He simply emailed the celebrities and asked for their login details, which they then mistakenly handed over.
This case is the first privacy injunction to result from the hacking of a cloud account, but it is unlikely to be the last.