The Supreme Court of Canada has ruled that we need a warrant to obtain subscriber information matching to an IP address from an Internet service provider

R. v. Spencer 2014 SCC 43 – Mr. Spencer, who lived with his sister, connected to the Internet through an account registered in his sister’s name. He used the file-sharing program LimeWire on his desktop computer to download child pornography from the Internet. It was Mr. Spencer’s use of the file-sharing software that brought him to the attention of the police and which ultimately led to the search at issue in this case. The Saskatoon Police Service, by using publicly available software, were searching for anyone sharing child pornography. The officer could access whatever another user of the software had in his or her shared folder. In other words, he could “see” what other users of the file sharing software could “see”. He could also obtain two numbers related to a given user: the IP address that corresponds to the particular Internet connection through which a computer accesses the Internet at the time and the globally unique identifier (GUID) number assigned to each computer using particular software. The IP address of the computer from which shared material was obtained was displayed as part of the file-sharing process. There was little information in the record about the nature of IP addresses in general or the IP addresses provided by Shaw to its subscribers.

The officer generated a list of IP addresses for computers that had shared what he believed to be child pornography. He then ran that list of IP addresses against a database which matches IP addresses with approximate locations. He found that one of the IP addresses was suspected to be in Saskatoon, with Shaw as the ISP. The officer then determined that Mr. Spencer’s computer was online and connected to LimeWire. As a result, he (along with any LimeWire user) was able to browse the shared folder. He saw an extensive amount of what he believed to be child pornography. What he lacked was knowledge of where exactly the computer was and who was using it.

To connect the computer usage to a location and potentially a person, investigators made a written “law enforcement request” to Shaw for the subscriber information including the name, address and telephone number of the customer using that IP address. The request, which was purportedly made pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA), indicated that police were investigating an offence under the Criminal Code, R.S.C. 1985, c. C-46, pertaining to child pornography and the Internet and that the subscriber information was being sought as part of an ongoing investigation. Investigators did not have or try to obtain a production order (i.e. the equivalent of a search warrant in this context). Shaw complied with the request and provided the name, address and telephone number of the customer associated with the IP address, Mr. Spencer’s sister. With this information in hand, the police obtained a warrant to search Ms. Spencer’s home (where Mr. Spencer lived) and seize his computer, which they did. The search of Mr. Spencer’s computer revealed hundreds of child pornography images and over a hundred child pornography videos in his shared LimeWire folder. Mr. Spencer was charged with possessing child pornography contrary to s. 163.1(4) of the Criminal Code and making child pornography available over the Internet contrary to s. 163.1(3). There was no dispute that the images found in his shared folder were child pornography.

At trial, Mr. Spencer sought to exclude the evidence found on his computer on the basis that the police actions in obtaining his address from Shaw without prior judicial authorization amounted to an unreasonable search contrary to s. 8 of the Canadian Charter Rights and Freedoms. The trial judge rejected this contention and convicted Mr. Spencer of the possession count. On appeal, the Saskatchewan Court of Appeal upheld the conviction for possession of child pornography, agreeing with the trial judge that obtaining the subscriber information was not a search and holding that even if it were a search, it would have been reasonable. The court, however, set aside the acquittal on the making available charge on the basis that the trial judge had been wrong to require proof of positive facilitation of access by others to the material. A new trial was ordered on this charge.

At the core of the appeal to the SCC was the Acceptable Use Policy (last updated on June 18, 2007) that provided that Shaw was authorized to cooperate with law enforcement authorities in the investigation of criminal violations, including supplying information identifying a subscriber in accordance with its Privacy Policy. The provision reads as follows:

You hereby authorize Shaw to cooperate with (i) law enforcement authorities in the investigation of suspected criminal violations, and/or (ii) system administrators at other Internet service providers or other network or computing facilities in order to enforce this Agreement. Such cooperation may include Shaw providing the username, IP address or other identifying information about a subscriber, in accordance with the guidelines set out in Shaw’s Privacy Policy. [Emphasis added.]

The SCC said that Section 7(3)(c.1)(ii) PIPEDA allows for disclosure without consent to a government institution where that institution has identified its lawful authority to obtain the information. But the issue was whether there was such lawful authority which in turn depends in part on whether there was a reasonable expectation of privacy with respect to the subscriber information. PIPEDA thus cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA‘s general prohibition on the disclosure of personal information without consent.

The identity of a person linked to their use of the Internet had to be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information, said the SCC. The police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities (in this case, child pornography). This sort of request engaged the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which were recognized by the Court in other circumstances as engaging significant privacy interests. In the totality of the circumstances of this case, there was a reasonable expectation of privacy in the subscriber information. The disclosure of this information could amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounted to a search. Without the subscriber information, the search warrant could not have been obtained and the search of the residence was therefore unlawful.

The intervener, the Director of Public Prosecutions, raised the concern that recognizing a right to online anonymity would carve out a crime-friendly Internet landscape by impeding the effective investigation and prosecution of online crime. In light of the grave nature of the criminal wrongs that can be committed online, this concern cannot be taken lightly. However, in the view of the SCC, recognizing that there may be a privacy interest in anonymity depending on the circumstances failed short of recognizing any “right” to anonymity and did not threaten the effectiveness of law enforcement in relation to offences committed on the Internet. In this case, for example, it seemed clear that the police had ample information to obtain a production order requiring Shaw to release the subscriber information corresponding to the IP address they had obtained.

The SCC concluded that the police request to Shaw for subscriber information corresponding to specifically observed, anonymous Internet activity engaged a high level of informational privacy:

[A] reasonable and informed person concerned about the protection of privacy would expect one’s activities on one’s own computer used in one’s own home would be private … In my judgment, it matters not that the personal attributes of the Disclosed Information pertained to Mr. Spencer’s sister because Mr. Spencer was personally and directly exposed to the consequences of the police conduct in this case. As such, the police conduct prima facie engaged a personal privacy right of Mr. Spencer and, in this respect, his interest in the privacy of the Disclosed Information was direct and personal.

As the SCC ruled in R. v. Plant, [1993] 3 S.C.R. 281, the Court, dealing with informational privacy, stressed the strong claim to privacy in relation to information that is at the “biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state”: p. 293. Importantly, the Court went on to make clear that s. 8 protection is accorded not only to the information which is itself of that nature, but also to “information which tends to reveal intimate details of the lifestyle and personal choices of the individual”.

Section 487.014(1) of the Criminal Code provides that a peace officer does not need a production order “to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing”. PIPEDA prohibits disclosure of the information unless the requirements of the law enforcement provision are met, including that the government institution discloses a lawful authority to obtain, not simply to ask for the information: s. 7(3)(c.1)(ii). On the Crown’s reading of these provisions, PIPEDA‘s protections become virtually meaningless in the face of a police request for personal information: the “lawful authority” was a simple request without power to compel and, because there was a simple request, the institution is no longer prohibited by law from disclosing the information.

The SCC said “lawful authority” in s. 7(3)(c.1)(ii) of PIPEDA must be contrasted with s. 7(3)(c), which provides that personal information may be disclosed without consent where “required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records”. The reference to “lawful authority” in s. 7(3)(c.1)(ii) must mean something other than a “subpoena or [search] warrant”. “Lawful authority” may include several things. It may refer to the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy. It may refer to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law: Collins. As the intervener the Privacy Commissioner of Canada submitted, interpreting “lawful authority” as requiring more than a bare request by law enforcement gives this term a meaningful role to play in the context of s. 7(3) and should be preferred over alternative meanings that do not do so. In short, the SCC said that neither s. 487.014(1) of the Code, nor PIPEDA, creates any police search and seizure powers.

Following the Grant test, given the uncertainty in the lawfulness of the police request before this case was heard here, the SCC dismissed the appeal by defence, affirmed the conviction on the possession count, and upheld the Court of Appeal’s order for a new trial on the making available count. Going forward, after this decision by the SCC, it is clear that short of where the information is required to prevent imminent bodily harm (exigent circumstances), or some other lawful authority, we will need a warrant (production order) to obtain subscriber information matching to an IP address from an Internet service provider.

Leave a comment

Filed under Recent Case Law, Search and Seizure

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s