Just as it’s nice to know what number someone is using when they call you, wouldn’t it be useful to see where someone was when they sent an email? That information is often contained in the “fine print” of an email known as the “header.”
In brief, the header describes the route an email takes from sender to recipient, sometimes bouncing eight or ten times across the internet in the space of a second or two. It’s composed of a series of internet protocol (IP) addresses – unique numbers assigned to servers that handle your computer traffic.
Most people don’t know the header is there or how to read it, but it’s worth learning, and it doesn’t take long.
Imagine you are looking at the computer you and your husband share, and you see that he received an email that says: “Sounds good. We’ll transfer the funds when you get over here. Have a good trip. –Tony.”
Wouldn’t it be nice to know if Tony is in Bermuda, Isle of Man, Grand Cayman or Cyprus? Figuring out where to look at overseas assets is sometimes a crapshoot because the money could be anywhere. If you knew where someone banked abroad, you would have a wonderful head start.
It sounds too good to be true, and while header information can be a goldmine, there are some cases in which it won’t cough up the full story.
If your subject is using a virtual private network (VPN), he is able to mask the true location of his computer at the time he sends the email.
Also, even without a VPN, a Gmail account will often suppress the IP address linked to the sender of the email (but sometimes the location of the sender’s cell phone or server will come through even with a Gmail account).
On the other hand, in the example above a Bermuda banker is unlikely to be using a Gmail account, because Google admits to reading the contents of Gmail for marketing purposes. Not what a secretive offshore banker would want.
Most importantly, you must remember that to see the email’s header, you need the original email. If someone forwards you an email, the header information from the one they are forwarding will be lost to you. You will only see the header information of the forwarder.
For someone to send you header information from an email they have received, they need to capture the header information and then send that to you. There are lots of free header analyzers available to decode the information. Once you have the IP address of the sender, you can do a reverse Google search for the location.
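What a header analyzer does with the route information, as an added example that is not part of the original article: it reads the "Received" lines from the oldest hop to the newest and reports the first routable IP address. The sample message, host names and addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample message: made-up hosts, documentation-range addresses.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby inbox.recipient.example with ESMTP id abc123;
\tTue, 02 Jan 2024 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456;
\tTue, 02 Jan 2024 10:00:02 +0000
Received: from [192.168.1.20] (unknown [192.0.2.44])
\tby smtp.sender.example with ESMTPSA id ghi789;
\tTue, 02 Jan 2024 10:00:01 +0000
From: Tony <tony@sender.example>
To: someone@recipient.example
Subject: Sounds good

We'll transfer the funds when you get over here.
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")
# Home/office, loopback and link-local ranges say nothing about location.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def received_hops(raw):
    """Return one list of IP addresses per Received header, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # servers prepend, so reverse
        from_part = re.split(r"\sby\s", value, maxsplit=1)[0]  # sending side only
        ips = []
        for text in IP_RE.findall(from_part):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # bracketed text that is not an address
        hops.append(ips)
    return hops

def likely_origin(raw):
    """First routable address seen walking from the oldest hop to the newest."""
    for ips in received_hops(raw):
        for ip in ips:
            if not any(ip in net for net in INTERNAL):
                return ip
    return None  # e.g. webmail that strips the client address
```

Only the "Received" lines added by the recipient's own mail servers are reliable; lines below them are written by the sending side and can be forged, so treat the reported address as a lead to corroborate.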
But it may not end there. Say the IP address of the sender turns out to be a hotel in Paris. Only the IT department of that hotel will be able to tell you who was registered to the room responsible for sending the email from the hotel. For that you may need a court order or an investigator in France who can ask the hotel nicely.
This is why we always recommend that, when it would be helpful, clients in discovery ask not only for emails but also for header information from those emails.
One final word of caution: in the example above, when you are looking at someone’s computer, you should only be looking at electronic information to which you have a right. Your lawyer can advise on that.
As we tell our clients, if there is any doubt about whether you can look at a computer, you always have the choice of gathering the evidence without reading it and then asking a judge if you may look at it. If so, go ahead. If not, your damages will be much lower than if you plow ahead into forbidden territory.