Should Internet Service Providers Become Information Providers for the Police?

Two recent Ontario Superior Court of Justice judgments have allowed for law enforcement agencies to obtain subscriber information from internet service providers without a warrant. In both cases police officers used IP addresses of suspected child pornography carriers, which they had obtained themselves, to get corresponding names and addresses. This has alarmed privacy advocates, and some even believe that Ontario is on its way to a system of mass surveillance.

In the case of R. v. Wilson, a police officer obtained the IP address of a computer that had been found to be accessing child pornography. The officer then contacted Bell Canada, without a warrant, for subscriber information related to that IP address, and Bell complied. The judge, in considering the totality of the circumstances, as per the SCC decision of R. v. Edwards that outlines the test for determining whether a reasonable expectation of privacy existed, found that there was no breach of the defendant’s section 8 Charter rights (against unreasonable search and seizure). The case of R. v. Vasic had a fact pattern that was quite similar, at least when solely considering the privacy issue. The judge here also determined that the section 8 Charter rights of the defendant were not breached when the police officer obtained the name and address from Rogers Cable, after already having possession of the IP address.

The judge in Wilson reasoned that the information obtained by Bell was only the name and address, which was not enough for the defendant to have a reasonable expectation of privacy, since such information can even be found in a public telephone directory. It should be noted that this was made in disagreement to the previous decision of R. v. Kwok, which had similar facts, but where the judge found that names and addresses found in ISP subscriber information was deemed to disclose details of the lifestyle and personal choices of the individual, which is determinative of an existing privacy interest by the reasoning of the SCC in R. v. Plant. The judge in Vasic, however, considered the fact that the name and address information was held in conjunction with the IP address information, and that together they were revealing of intimate details.

Another factor that the Wilson judge believed weighed in favour of concluding that there was no section 8 breach was the fact that the Bell Customer Privacy Policy and the Bell Code of Fair Information Practices, which allowed for Bell to disclose collected personal information in specific cases, were said to be agreed upon by the defendant through his use of the internet services. This same issue was actually the deciding factor in the Vasic case, with respect to the section 8 analysis, as the defendant conceded that he was bound to the Rogers Yahoo! Acceptable Use Policy. However, it is problematic to use an electronic adhesion contract to discern the privacy expectations of a party using a product.  By simply using their ISP’s services, it is unlikely that the defendants expected that their information would be made so easily accessible. Due to the reality that most users do not look over privacy notices or other terms of use when using online services, some groups have called for greater clarity.

The Wilson judge also found that section 7(3)(c.1(ii)) of PIPEDA justified the actions of both the officer and Bell Canada in the transmission of the information. Though the statute’s main objective is the protection of personal information, this specific provision is explicit in its allowance of such information to be disclosed, without consent from the affected party, to the proper authority for the purposes of carrying out an investigation in order to enforce a law. Both Bell and Rogers voluntarily handed over the subscriber information, and Rogers even had a standard form to be filled out for requests for information when investigating child sexual exploitation. It may be worrisome that the ISPs so easily divulged their users’ information when they were not required to do so. However, it may be their policy of taking measures to prevent their services from being used for such a despised crime.

Another issue that can be considered is the freedom of police to obtain IP addresses in the first place. The Wilson decision described the procurement of the defendant’s IP address through a “plain view search”, after learning how to find this online. It can be argued that knowledge of an individual’s IP address, even with name and address information, may not per se be revealing of intimate details of lifestyle and personal choices. The additional step of using an IP address in a particular way, such as to find out information about an individual’s internet history, would be required in order for such information to be revealed. Of course it can be said that this piece of information is quite powerful in that it is necessary to lead to the other revealing information. But at the same time, one’s name, address and birth date, if used in a particular manner, can also lead to further information that one would have a reasonable expectation of privacy in. And as the judge in the Wilson decision stated, “one’s name and address or the name and address of your spouse are not “biographical information” one expects would be kept private from the state” (though as mentioned earlier, this was made in disagreement with a previous case).

Both the Wilson and Vasic decisions are binding on the lower courts in Ontario, and it will be interesting to see how future decisions will be made considering the disagreement about whether such information collected is revealing of intimate details about lifestyle and personal choice. With increased efforts by law enforcement agencies to fight child pornography, it may only be a matter of time before this issue is appealed to a higher court.

  1. It will be interesting to see how this parallel between IP addresses and a “name and address” develops.
    There seem to be two main issues: whether the reasonable expectation of privacy most people have when using the Internet is actually reasonable and the reality that customers usually unwittingly sign all of their rights away when agreeing to their ISP’s Terms of Service.
    One technical issue that seems to have been overlooked is the way IP addresses work. While they can be traced back to a customer, and possibly a physical residence, they can’t be easily narrowed down to a specific occupant of a house. Though the location may be sufficient for a warrant, it should be noted that just a poorly configured wireless access point could allow internet access under that customer’s name to people in adjoining apartments, neighboring houses or even on the sidewalk outside the targeted address.
    It seems the visceral response to child pornography may be allowing police officers to make bad judgments about what reasonable grounds for searching a residence are.

  2. I agree with the above comments, especially in relation to the concerns over not being able to determine specifically who is using the IP address to access illegal content. If we give police too much leeway in this area of law, it could lead to destruction of lives that creates irreversible damage. Accusing someone of such criminal acts is a devastating experience which can lead to the destruction of careers and family. Even if someone is not found guilty, the stigma is carried with the accused throughout his or her life.

    It would be much more prudent for regulations to be put into place to allow for police to obtain a warrant once they meet sufficient criteria that perhaps is held to a lower standard rather than just going straight to companies to ask for permission. It seems to me that currently, the police could speak to any number of employees at one of these companies and ask for information. The employees could be easily intimidated, intentionally or unintentionally, to listen to the police. By allowing the police to simply ‘ask’ for the information without a warrant, we are weakening the system meant to protect people’s privacy rights.

    In general, I find it interesting that society finds it acceptable that information that was once considered to be private to be distributed without the person’s knowledge due to the technology age we are in. People are more willing to share very personal information on websites including Facebook and Twitter in comparison to fifty years ago. Just because the recent trend has been to divulge greater amounts of personal information to the public at large, I do not think the law should follow suit. This is a very recent trend which should be treated with caution. In regards to the comment that phone books contain similar personal information, I think it is important to note that including your telephone number in the phone book is not technically voluntary. You have to ask to have your phone number removed from the listing; in fact, the person requesting such privacy must pay a fee. Why should the default behaviour encourage distributing information that is considered very private to many people in our society?

    The law should be cautious before it allows such behaviour to continue. Once it becomes easier to obtain information without a warrant, one could argue that it becomes increasingly easier to justify infringing on privacy rights in other situations. While I am not arguing that by allowing police access to IP address information will result in total lack of privacy, we must consider the fates of those involved in the trials at issue carefully. As private information becomes more and more public, there will most likely be a backlash to some extent against publicizing private information from a large portion of society whose interests should be protected in the law.

  3. Just a clarification that seems to get lost in these discussions: IP addresses are not private. IP addresses are left behind everywhere you go on the Internet. The police do not have to ask anyone for the IP address you are using, and neither does anyone else — it’s right there attached to your communication (email, chat, whatever). What we’re talking about here is situations where the police have an IP address that was used at a particular time to commit an illegal act, and they then go to the ISP to ask which subscriber account was using that IP address at that time (the fact that this IP address is assigned to this particular ISP is also not private information). The ISP then has the discretion whether to disclose the subscriber name and address or to ask that the police get a warrant. Once the police have the subscriber name and address, then they have to investigate further (i.e. if there are multiple people living at that address) before any charges are laid. If people want to argue that customer name and address information should be subject to a warrant, that’s one thing — but don’t confuse that with privacy in the IP address itself.

  4. I’d have to agree that an IP address by itself is not private because it isn’t revealing of intimate details of lifestyle and personal choice, since it’s anonymous. (I think it’s potentially problematic to suggest that IP addresses aren’t private just because they are left behind everywhere we go online, since it can be envisioned that a lot of information that is not easily obtainable now may be made accessible in the future through a then “plain view search” if new technological platforms automatically incorporate such information.) I’d also have to say that name and address information is not private in itself either. So I really don’t see any information here that was once considered private in the past. The issue with the Wilson judgment, in my opinion, is that it didn’t really consider the fact that this wasn’t just name and address information, but rather name and address information that corresponded to a specific IP address (i.e. a third piece of information that I would argue should be considered private), which essentially eliminates the anonymity.

    I think the reality is that most users have a subjective expectation of privacy regarding information relating to what they do online, and that’s what is essentially at stake here. Though it is the current practice of ISPs to have their terms of service allow them to divulge subscriber information that corresponds to an IP address, a major question is whether or not this should be so. Since it’s quite obvious that there is rarely ever consensus ad idem with agreements such as these, perhaps it should be up to the legislature to put forth regulation trumping such terms when privacy stakes are so high. I think it should again be noted that the ISPs in these two cases could have refused to give up the information unless shown a warrant.

Comments are closed.