I read a heck of a story in Ars Technica today, called “Paper outs ‘anonymous’ commenter, job loss ensues.” Let me lay out the sequence of events for you, okay?

  1. Kurt Greenbaum, director of social media for the St. Louis Post-Dispatch, writes a brief post for the newspaper’s “Talk of the Day” blog. The topic is “What’s the craziest thing you’ve ever eaten? And did you like it?”
  2. Readers begin adding comments. Later, in Greenbaum’s words, “someone posted in reply a single word, a vulgar expression for a part of a woman’s anatomy.”
  3. The comment is deleted a minute later, and a few minutes after that, the same person added the same comment again.
  4. Comment notification messages list the poster’s IP and the IP’s DNS information, which in this case clearly indicated the comment came from a school.
  5. Greenbaum called the school and explained the situation. He also sent them the comment notification message.
  6. The head of the school’s IT department used the IP address Greenbaum provided, the time of the comment, and the newspaper’s web site address to narrow the comment’s source to a single computer.
  7. The headmaster confronted an employee about the comment and the employee resigned on the spot.

Did Greenbaum do the right thing? Was what he did ethical?

Despite the uproar, he believes he did nothing wrong. He described the sequence of events in a column called, “Post a vulgar comment while you’re at work, lose your job.” Even the title of the column rubs me the wrong way.

Greenbaum insists that supplying the IP address from which the comment was posted does not violate the newspaper’s privacy policy. The paper’s privacy policy states:

Our web servers automatically collect limited information about your computer’s connection to the Internet, including your IP address (but not the e‑mail address), when you visit our sites. Your IP address does not contain personally identifiable information, nor does it identify you personally.

It’s true that we don’t each have a unique IP address that is used for all our posts and e‑mail messages. On its own, an IP address isn’t a direct path to a person, but with other information, it certainly can be. A simple example of this is the story we’re discussing. Greenbaum gave the IP address to the school and six hours later, someone was out of a job. The IP address was the lynch pin in determining the commenter’s identity.

The IP address is analogous to your street address. You address doesn’t identify you. It could lead to you, your spouse, or your children. With the address alone, there’s no way to be more specific. But as you certainly know, a street address narrows down the possibilities and a blanket claim that a street address is not a form of personally identifiable information is naïve at best.

Getting the IP address of a user often requires a court order. Any ISP or web site is within their rights to refuse such a request without being compelled to comply by a court. Yet here we have a newspaper editor not only offering up an IP address, but he’s actively seeking out those who might want it.

Back to the newspaper’s privacy policy, it clearly describes how they use the information they gather about web site visitors:

  • We or one of our affiliated companies may perform statistical, marketing and demographic analyses of our delivery subscribers and their subscription patterns.
  • …we may generally inform our advertisers about our subscriber base.
  • We will not share individual user information with third parties unless the user has specifically approved the release of that information.
  • …we may provide information to legal officials as described in “Compliance with Legal Process” below.
  • …we contract with third parties to provide services on our behalf, including credit-card and bill processing, shipping, e‑mail distribution, list processing and analytics or promotions management.

So to which of these uses was Greenbaum putting the commenter’s information? None of them, of course.

The biggest issue is trust. The commenter wrote anonymously. There have been many stories in recent years about events which reveal that keeping one’s identity a secret on the Internet isn’t easy. The newspaper allows anonymous posts. The newspaper is therefore suggesting that anyone who takes advantage of not leaving their name will remain anonymous. Certainly someone posting a bomb threat wouldn’t expect their identity to be kept secret, but this commenter can’t be categorized in that way. I don’t mean to say that revealing the commentator’s identity was illegal, but many members of the public will see Greenbaum’s actions as a betrayal of their trust. Hiding behind technicalities only worsens public perception of what Greenbaum did.

Should the paper deem Greenbaum’s conduct as acceptable by issuing no statements about this event and taking no action against him, journalists for the paper can expect information from confidential sources to dry up.

I’m not even going to get into the severity of commentator’s actions. What that person did was offensive, but not illegal, immoral, or threatening in any way. The paper claimed that they needed to take action because the comment violated commenting guidelines. There are a number of technical means by which they could have stopped further comments from the user, yet they did not take them. No, Greenbaum decided to go after the commenter, seeing what he called ‘a teachable moment,’ despite the fact that he’s not a teacher or the arbiter of proper behaviour. Finally, he then wrote a post about the event that seemed to carry a hint of ‘this is what happens when you mess with me.’

He may not have broken the law, but this should be cold comfort when one damages the reputation of one’s employer on an international scale by overstepping the boundaries of one’s job.