Protecting Privacy in the Age of the Internet
The Supreme Court of Canada (SCC) has recognized Canadians’ right to Internet privacy in a recent decision involving Internet Protocol (IP) address information provided to police by an Internet Service Provider (ISP). In R. v. Spencer (Spencer),1 the SCC unanimously held that (i) there is a reasonable expectation of privacy in IP account information; and (ii) a violation of this reasonable expectation is not authorized by the Criminal Code or the Personal Information Protection and Electronic Documents Act (PIPEDA).
Background
In Spencer, police monitored an online public peer-to-peer file-sharing site for shared folders used for storing and sharing child pornography. Police identified the IP address—the number corresponding to the particular Internet connection through which a computer accesses the Internet—associated with the accused’s shared folder on the file-sharing site. This enabled police to use publicly available information to find the computer’s approximate location and ISP. Police then made a "law enforcement request" to the ISP for the subscriber information (i.e., the name and address of the person using that computer), citing PIPEDA, and indicating they were investigating an offence under the Criminal Code. The ISP responded to the request by providing the subscriber information.
Using the information provided by the ISP, police obtained a warrant to search the accused’s residence; after police seized a computer containing child pornography, the accused was charged with several child pornography-related offences. At his trial, the accused argued that the "law enforcement request" infringed the prohibition against unreasonable search and seizure under Section 8 of the Canadian Charter of Rights and Freedoms, and that police should be required to obtain a warrant before ISPs provide subscriber information.
Reasonable expectation of privacy
In assessing whether Section 8 was engaged, the Supreme Court first assessed whether the law enforcement request constituted a search. The Court applied the traditional Section 8 analysis and found that the request would constitute a search if the accused had a reasonable expectation of privacy in the information provided to the police. The Court conducted this analysis by considering the "totality of the circumstances," including the subject matter of the alleged search, the claimant’s interest in the subject matter, the claimant’s subjective expectation of privacy in the subject matter, and whether the claimant’s subjective expectation was objectively reasonable.
In this case, the Court defined the accused’s privacy interest broadly "to account for the role that anonymity plays in protecting privacy interests online." The Court inferred a subjective expectation of privacy based on the accused’s "use of the network connection to transmit sensitive information," and found that, objectively, a reasonable and informed person concerned about the protection of privacy would expect one’s activities on one’s own computer used in one’s own home would be private, engaging a direct and personal informational privacy interest. In light of the ISP’s terms of service and PIPEDA, the Court concluded that an Internet user would not reasonably expect that a simple request by police would trigger an obligation to disclose personal information or defeat the general PIPEDA prohibition against the disclosure of personal information without consent.
Violation of privacy not authorized by law
The Court held that because the accused had a reasonable expectation of privacy, his Section 8 rights were engaged. It then found that the accused’s rights were infringed because the search was not authorized by law. The Court noted that the Criminal Code did not create search and seizure powers, as the relevant provision requires a production order for a search unless disclosure of the information is not prohibited by law. The Court also found that PIPEDA similarly prohibits disclosure of information unless the requesting government institution has "lawful authority" to compel disclosure of the information, and so did not create a new police search power.
Because the warrant to search the residence was obtained based on subscriber information that was unconstitutionally obtained, there were not adequate grounds to sustain the warrant, and the search of the residence was therefore unlawful (though the Court went on to find the evidence admissible as its exclusion would bring the administration of justice into disrepute).
Implications
The decision in Spencer has implications beyond IP address information for third-party individuals or companies possessing customer or user personal information. In particular, the Supreme Court has made it clear that the threshold for engaging constitutional protection of privacy rights over Internet-accessible personal information is low, and the threshold for justifying disclosure of this personal information is high.
When is there a reasonable expectation of privacy?
The Court extended the definition of privacy interests to account for the unique role anonymity plays in protecting privacy interests of Internet users. Third parties should be aware that, even where user information may be tracked and where users are publicly communicating information online, users expect that online activity will not be identified with the person performing that activity. Where personal information would tend to link particular kinds of information to identifiable individuals (for example, in the way that subscriber information effectively links a specific person to specific activities), by the Court’s definition, a reasonable expectation of anonymity—and constitutional protection—is engaged. Indeed, it is clear that even where contract terms or terms of use stipulate that personal information may be provided to police without a user’s consent where required by law, a user may still have a reasonable expectation of privacy.
When should personal information be disclosed?
The Court emphasized that third parties holding personal information are not required to, and in many instances should not, disclose personal information in response to a simple request for information without a warrant, even where the request is from police. The Court recognized that a third party may detect illegal activity and "of its own motion" report it to the police. However, third parties should have clear and consistent disclosure procedures or policies for dealing with requests for this information to properly inform and comply with the reasonable expectations of privacy of customers or users.
Potential legislative impact
It remains to be seen whether Spencer will impact currently proposed legislation that trends toward lowering protection of Internet users. The more controversial provisions of Bill C-13 (the Protecting Canadians from Online Crime Act or the "cyberbullying bill") and Bill S-4 (the Digital Privacy Act) lower the threshold for police to obtain a warrant (requiring only "reasonable grounds for suspicion"), grant immunity for ISPs who voluntarily provide information that they are not prohibited from disclosing, and extend disclosure of subscriber information without a warrant by allowing organizations to disclose personal information without consent to any organization that is investigating a contractual breach or possible violation of any law. These bills were preceded by the withdrawn Bill C-30 (the Protecting Children from Internet Predators Act), which proposed warrantless mandatory disclosure of basic subscriber information (including name, address, telephone number, email address and IP address) and required ISPs to maintain systems that allowed police to intercept and track online communications.
_________________________
1 2014 SCC 43