
Getting disclosure from Facebook: how to unmask anonymous Facebook and Instagram users

Someone is attacking you, your business or your family from an anonymous Facebook account, an unnamed Facebook Page or an Instagram profile that you cannot trace. The conduct may be defamation, online harassment or internet blackmail. The first question is whether the people behind those accounts can be identified at all. The answer, in most serious cases, is yes. Identification work runs on three streams. The first is open-source intelligence, often shortened to OSINT, where our investigators piece together a real-world identity from public sources without involving Meta at all. The second is the cooperative legal-team channel that Meta runs for civil litigation disclosure, used where the matter is clear and the data is straightforward. The third is a court order, used where the cooperative route falls short, where the matter is serious enough that Meta will expect an order anyway, or where the application is contested. All three sit inside the broader identification work set out in our guide on how to unmask someone behind anonymous online posts.

The starting point is to keep expectations realistic. Meta will hand over the data once the threshold is cleared. What you do with that data, once you have it, is where the real work usually sits. The registered email may be a throwaway. The IP may resolve to a public Wi-Fi connection or a mobile carrier. The page admin may be a registered company that exists only on paper. Disclosure from Facebook tends to give us a starting point, not a finishing point. OSINT is what converts the starting point into a named person at a real address.

What Facebook actually holds on an account

The question that decides whether a Facebook disclosure application is worth bringing is what Meta will actually be able to disclose. The answer varies by account, but the data Meta typically holds on a Facebook profile, a Facebook Page or an Instagram account includes the email address and phone number the user signed up with, the IP address used at sign-up, the IPs used for recent logins and sessions, the dates the account was created and last used, the names and email addresses of the administrators of any Page connected to the account, and, where the account has run paid advertising, the payment instrument used to fund those campaigns.

The data that is not part of a standard civil-disclosure application is the content of private messages. Message content sits behind a separate process, governed in part by US law and in part by the platform's own escalation rules. Where private-message content is genuinely needed for the substantive claim, we run the disclosure work in two stages: the civil identification application here, and the content-disclosure application against the US-incorporated parent under 28 U.S.C. § 1782(a). Our guide on disclosure from USA websites and companies sets out the US-side mechanics in fuller detail.

When you need a disclosure order against Facebook

Three situations come up most often, and the choice between the cooperative and court-ordered routes tends to fall out of which one you are in.

Meta will not engage on a voluntary basis. This is the rarer of the three. Where the substantive matter is light, where the offending posts are borderline, or where the requester is unrepresented, Meta's legal team can decline to act without a court order. The Norwich Pharmacal application is what moves the question from a voluntary disclosure into a compelled one.

The conduct is serious enough that Meta expects a court order anyway. Where the underlying matter is sensitive, where the disclosure could prompt a complaint from the account holder, or where the data being sought is unusually broad, Meta often prefers to act on the back of an order. A Norwich Pharmacal order against Meta Platforms Ireland Ltd, or a US disclosure order against the US parent, gives Meta the procedural cover it wants and gives you a clean record of how the data was obtained. Even cooperative platforms work this way when the matter calls for it.

The OSINT work has narrowed the field but not closed it. Sometimes the open-source investigation that our internet law solicitors run on a matter produces a small set of plausible candidates without identifying the right one. A targeted disclosure application against Meta can put a name to a specific account in that set, and the OSINT work then converts the disclosure into a real person at a real address.

The cooperative route through Meta's legal team

Meta runs a defined channel for civil litigation disclosure requests. We use that channel as the first step on most Facebook and Instagram identification matters. The opening exchange sets out the wrong, identifies the accounts in question by URL and by user ID, sets out the legal basis for disclosure, and confirms that the data will be used only for the purposes of the substantive claim. Meta's legal team responds with their position on whether they will engage voluntarily or whether they would prefer to act on an order. Where they will engage, the timetable for the disclosure tends to run in weeks rather than months. The mechanics are similar to the cooperative channel Google runs for disclosure against Google accounts, set out in our guide on how to get a disclosure request through to Google.

The cooperative route is not a back-door round the court. Where it ends in a court application, the application is made on agreed terms and dealt with on paper, without anyone attending a contested hearing. The cost saving on the cooperative route is substantial. The work that would otherwise go into a contested application goes instead into pinning down what we are asking for, narrowing the disclosure to what the substantive claim genuinely needs, and dealing cleanly with any data-protection points Meta raises along the way.

The Norwich Pharmacal application against Meta Platforms Ireland Ltd

Where the cooperative route is not available or is not the right fit, the route is a Norwich Pharmacal order. Meta Platforms Ireland Ltd, the Meta entity that holds data on UK and EU users, is the respondent in most cases brought from the UK. The application goes in under Part 8 of the Civil Procedure Rules. The evidence package covers the offending content, the harm it has caused, the steps already taken to try to identify the user behind it, and the reasons disclosure is necessary and proportionate.

The Norwich Pharmacal jurisdiction itself comes from Norwich Pharmacal Co. v Customs and Excise Commissioners [1974] AC 133. The court's reasoning is set out in fuller depth in our guide on how to compel a platform to reveal an anonymous user. The three-limb test the court applies is the same against Meta as it is against any other respondent. A wrong has been committed, or is arguable. The respondent is mixed up in that wrong, even innocently. The disclosure sought is necessary to enable the claim to be brought or continued.

Service is on Meta Platforms Ireland Ltd at its registered office in Dublin. Meta's legal team typically accepts service through the cooperative channel rather than insisting on physical service at the registered office, which keeps the application moving. Where the order is consented to, the hearing is dealt with on paper. Where Meta takes a position on the scope of the disclosure, the application becomes contested, and the timetable and cost rise accordingly.

How we did it the first time: Nicola Brookes v Persons Unknown

The historic example on Facebook disclosure work is the case of Nicola Brookes. Nicola became the subject of a sustained campaign of anonymous abuse on Facebook after defending an X Factor contestant who was himself being bullied online. The trolling escalated. She went to the police and got nowhere. She then approached dozens of law firms looking for someone who would help her identify the people behind the accounts. Yair Cohen agreed to take the matter on a pro-bono basis.

The application went to the High Court in London. Facebook was ordered to disclose the identifying information it held on the accounts in question. It was the first time a UK court had compelled Facebook to release user information of this kind. The disclosure produced a piece of information that, with hindsight, helps explain why the police response had been thin. The principal troll was himself a serving police officer.

The Nicola Brookes case opened the route that thousands of online harassment victims have used since. The cooperative channel Meta now runs, and the on-paper consent orders that follow most cooperative applications, did not exist in their current form before that case. The threshold the court asks the applicant to clear, however, remains the same.

Disclosure against a Facebook Page Administrator

An attack on a Facebook Page often has two layers. The Page itself is the vehicle, and the posts on it are the wrong. The user accounts behind the Page, the Page administrators, can be held legally responsible for what the Page publishes. The framework on Facebook Page admin liability is set out in fuller depth on our sister-site guide on defamation on Facebook. A disclosure application can ask for the identity of both layers: the users behind the offending posts, and the administrators of the Page that hosts them. Both are typically captured in a single order.

Where the Page has run paid advertising on Meta's platform, an additional public-facing data point can sit in the Page Transparency feature. For Pages that have run ads, Meta may publish the country in which the Page is managed and, in some cases, the name of the administrator's organisation. Where that information is available, it can be useful before the application is even brought. It narrows the field. It may also, in the right case, allow us to identify and serve a claim on a named legal entity rather than going through Meta at all.

Where the Page is connected to a verified business advertiser, Meta also holds the payment instrument used to fund those ad campaigns. That is one of the more revealing data points an order against Meta can produce, because the payment instrument almost always resolves to a real person, a real company or a real bank account.

When the disclosure leads to a person and when it does not

The disclosure from Meta is rarely a single tidy name and address. The data tends to come in pieces. A registered email, a sign-up IP, a set of recent login IPs, a date of account creation, sometimes a phone number. The IP can resolve to a coffee shop, a residential broadband connection, a mobile network or a VPN exit node. The email may be a single-use account. The registered name, where there is one, can be false. What the order delivers, in many cases, is a set of clues that still need running down. The OSINT work runs again on the disclosed material. What emerges at the end is a real person at a real address.

That second OSINT pass is described in fuller depth in our guide on how to unmask someone behind anonymous online posts. Where the OSINT pass still does not produce a named individual, the substantive claim can be brought against persons unknown identified by reference to the conduct. The persons-unknown route works in both the pre-action stage (covered in our guide on the letter before legal action in defamation) and at the substantive stage, where a final injunction can be obtained against a defendant identified only by the wrong they have committed. The leading modern example on the privacy side, our own matter in GYH v Persons Unknown, ran in exactly that way: the harasser could not be identified to the named-claim standard, the proceedings were issued against persons unknown, and the court granted the injunction on that basis.

Cross-border disclosure: Instagram, WhatsApp and the US parent

Instagram, WhatsApp and Facebook all sit under the Meta umbrella, and they share infrastructure for civil disclosure purposes. An Instagram account holder's data and a WhatsApp account holder's data are held by the same Meta entities that hold Facebook data. For UK and EU users that is Meta Platforms Ireland Ltd. For users elsewhere it is Meta Platforms Inc, the US parent. Where the order needs to reach the US parent, the route is the US-side disclosure application. The federal application under 28 U.S.C. § 1782(a) allows discovery in a US court in aid of foreign proceedings, including proceedings that have not yet been issued in the UK. The state-court John Doe action and the domestication of a UK Norwich Pharmacal order in a US state court are the other two routes, and the choice between the three is fact-specific.

The Instagram side of this work has its own settled body of UK case law. The leading example on the harassment side is DDF v YYZ, the first UK case in which the court permitted service of a harassment injunction on the defendant via the social media platform itself. Our guide on harassment injunctions served via Instagram covers that matter in fuller depth. The identification work that ran in parallel to the injunction in that case used both Meta disclosure and open-source investigation, the same combination of techniques that runs on most serious Instagram and Facebook matters.

What it costs

We publish starting fees for the main Facebook and Meta disclosure routes. The figures below are floors, not fixed prices. The actual cost on a given matter depends on whether Meta cooperates, whether a contested hearing is needed, whether the disclosed material needs OSINT work to convert it into a real person, and whether the disclosure has to reach into the US parent as well as Meta Platforms Ireland Ltd.

Route | From
Cooperative disclosure via Meta's legal team (on-paper consent order) | £5,000
UK Norwich Pharmacal order against Meta Platforms Ireland Ltd, contested | £10,000
US federal application under 28 U.S.C. § 1782(a) against Meta Platforms Inc | £12,000
OSINT identification work converting disclosed data into a named person | quoted per matter

The figures here align with the broader cost framework in our guide on how to unmask someone behind anonymous online posts. The reason we use "from" rather than fixed prices is that the variation between matters is real. A cooperative application that turns into a contested one because Meta raises a scoping point can move from the first row of the table to the second. A matter that needs both Meta Ireland disclosure and US-side § 1782(a) work runs in both jurisdictions in parallel. We give a written cost estimate at the start of every matter and update it if the work moves.

Frequently asked questions

Will Facebook tell me who is behind an anonymous account?

In most serious cases, yes. The cooperative legal-team channel and the Norwich Pharmacal application against Meta Platforms Ireland Ltd both produce identifying information on the account holder. The information typically includes the registered email, sign-up IP, recent login IPs and, in some cases, a phone number and a payment instrument. Whether that information identifies a real person depends on what the account holder gave Meta at sign-up and on how diligent they have been about hiding behind a VPN or a throwaway email.

Do I have to involve Meta to identify someone on Facebook?

Not always. Open-source intelligence (OSINT) […] Where the OSINT trail produces a confident identification on its own, no disclosure application is needed. Meta disclosure becomes the right next step when the OSINT trail narrows the field without closing it, or when the substantive claim needs a clean evidential record of how the identification was reached.

How long does disclosure from Facebook take?

The cooperative route, where Meta engages and the order is dealt with on paper, tends to deliver disclosure within eight to twelve weeks of the first contact. A contested application can run to four to six months, depending on the court's listing. Cross-border applications under § 1782(a) typically add another two to three months on the US side.

Does Facebook tell the user that disclosure has been requested?

Meta's practice is not to notify the account holder while the application is pending. Once the disclosure has been made and the substantive claim has been issued, the account holder is served and at that point becomes aware of both the order and the claim. The order itself can include a non-disclosure provision restricting notification, where the circumstances justify it.

What if the offender is on Instagram or WhatsApp rather than Facebook?

The respondent is the same Meta entity, and the disclosure mechanics are the same. Instagram account data, WhatsApp account data and Facebook account data all sit with Meta Platforms Ireland Ltd for UK and EU users and with Meta Platforms Inc for users elsewhere. The application is brought against the right Meta entity for the platform and the user base in question.

Can I get disclosure from Facebook without going to court?

Sometimes. Where the matter is clear, the offending content is straightforward, and Meta is prepared to engage voluntarily, the cooperative channel can produce a disclosure that does not require any court order at all. More often, the cooperative route ends in an order that is consented to and dealt with on paper, without anyone attending court. The court application itself is not avoided in the latter case, but the contested hearing is.

Does the order get me the content of private messages?

Not as a matter of course. The civil disclosure routes here focus on identifying the account holder. The content of private messages sits behind a separate process, governed in part by US law. Where the substantive claim genuinely needs message content, the work runs in two stages: identification disclosure first, then a separate content-disclosure application against the US parent under 28 U.S.C. § 1782(a).

What happens if Facebook genuinely does not have a real name on the account?

The disclosed data is then a set of clues rather than a name. Open-source work runs again on the disclosed material, often producing a confident identification at the end of the second pass. Where it does not, the substantive claim can still be brought against persons unknown identified by reference to the conduct, and the court can grant a final injunction on that basis. Our guide on the letter before legal action in defamation covers the persons-unknown route in the pre-action stage.
