As I blogged yesterday, the Supreme Court of Canada has announced that it will release its decision in the appeal from Saskatchewan Court of Appeal in R v Spencer, 2011 SKCA 144. This decision, regardless of how the Court rules, will likely be a very big deal for privacy rights of customers of telecommunications service providers in Canada. It will hopefully decide whether Canadians have a reasonable expectation of privacy in information that is attached to an IP address.
Here's some background (mainly drawn from the Court of Appeal decision) and why this is a big deal.
The police detected somebody -- at that time unknown -- using the the file sharing program and protocol LimeWire to share child pornography. At that stage, all they had was the IP address of the computer or network connection being used. Using publicly available tools, they determined the IP address was allocated by the internet service provider, Shaw Communications. The police officer, though he likely had sufficient grounds to get a production order under the Criminal Code simply wrote to the ISP with the following request:
Constable Darren Parisien … is investigating a criminal code offence pertaining to child pornography and the internet. We have opened [sic] file investigation in relation to this investigation.
Pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA), we request the disclosure of customer identifying information including but not limited to name, internet service provider records, address of service, current service status and phone number relevant to the following:
1. Internet Protocol Address 188.8.131.52 on 2007-August-31 at 1246 hours (Local Saskatchewan time)
This information is being requested to assist in an ongoing investigation. We declare that Constable Darren Parisien of the Saskatoon Police Service Organized Crime Unit – Vice Section [sic] has the lawful authority to obtain the information and that the following section of PIPEDA is satisfied for this request: [full text of s. 7(3)(c.1) omitted]
This request specifically satisfies Paragraph 7(3)(c.1)(ii).
And, with that, the police got the customer name and address from the ISP. That information was used to get a search warrant of Spencer's house and he was subsequently arrested. At the trial, Spencer argued that the warrantless disclosure of his information by Shaw was a violation of his Charter rights. This motion was denied and he appealed to the Court of Appeal on this issue.
 In summary, neither its contractual relationship with Mr. Spencer’s sister, as set out in the Services Agreement, nor PIPEDA prohibited Shaw from disclosing the Disclosed Information in the circumstances of this case; rather, each clearly provided Shaw with the discretion to disclose information to the police in these exact circumstances, and Shaw had Mr. Spencer’s sister’s express, informed consent to do so. The sum of these factors militates very strongly against a finding that Mr. Spencer’s privacy expectation was reasonable.
In short, the police can ask for and, under the Court's reading of PIPEDA, the internet service provider can provide the customer's personal information.
So what's the big deal? This is not an exceptional case; what's exceptional is that the Supreme Court of Canada is going to weigh in on whether a Canadian has an expectation of privacy in his or her internet activities. We know that thousands of times a year the police go to internet service providers asking for information about their customers and thousands of times a year, this information is provided. Just a quick search of CanLII shows this. Just search for "pipeda request" and you'll get a dozen reported cases. They show voluntary cooperation by such internet service providers as Uniserve, Shaw, Bell Sympatico, Northwestel, and Rogers. (Recently, Rogers and Teksavvy disclosed in their respective transparency reports a high level of providing customer information in similar circumstances withou a warrant. For Rogers, it provided customer information 711 times in 2012/2013.)
As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".
It was exactly this sort of disclosure that was so controversial in Vic Toews' Bill C-30. That bill, if passed, would have permitted police officers to demand customer names and addresses connected to a known IP address. ISPs would have been required to hand over the information. The controversy stemmed from the fact that these demands are unaccountable and are not subject to ANY supervision by the courts. The "request" at issue in R v Spencer is the same: made without a warrant based on reasonable grounds, completely unaccountable and with no judicial oversight. In addition, the relevant individual is NEVER informed of the fact that the request was made or that the information was disclosed. To top it off, there is no information under oath so there is no disincentive to lie in these PIPEDA requests. (I find it to be telling that nowhere near 711 charges resulted from the requests made of Rogers.)
So what's the big deal with having an ISP connect an IP address with a customer's name and address? There has been some suggestion by the law enforcement community that a customer's name and address is just "phone book information" and there's no expectation of privacy in that. That misses the point and shows contempt for the right to privacy. A customer’s name and address, when connected with an IP address is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their "offline" life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that IP address that can often be traced back to an individual or a small group of people. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities pierces the reasonable expectation of anonymity and amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. This is why, in my view, judicial supervision should be required. We'll see whether the Supreme Court of Canada agrees with this view ...
At the very least, I expect the Supreme Court of Canada will provide some clear guidance on whether -- under the Charter of Rights and Freedoms -- there is a reasonable expectation of privacy and anonymity on the internet that can only be pierced by an order from a judge, who is satisfied on information under oath that there are reasonable grounds to believe a crime has been committed and that the order is necessary to uncover evidence of the offender. Stay tuned ...