Ontario appeal court: No reasonable expectation of privacy in using IP address to obtain customer info

In R. v. Ward, 2012 ONCA 660, the Court of Appeal for Ontario has confirmed that there is no reasonable expectation of privacy in identifying an internet user through his IP address in the course of a child pornography investigation.

In R. v. Ward, an anonymous user posted and exchanged child pornography files in an online forum on a German website, Carookee.com.  Access to the carookee.com site required a person to provide an e-mail address, but in this case, the child pornographer used temporary e-mail addresses obtained anonymously.

In July 2006, the owner of the website filed a criminal complaint with the German police. The German authorities, by reference to the IP addresses provided to them by the owner of the website, determined that some of the child pornographic material was being accessed through Canadian ISPs. This information was then forwarded to the RCMP, along with copies of the related child pornography.  By accessing a public website, the RCMP determined that three of the IP addresses belonged to Bell Sympatico and were connected to the Sudbury area.

The RCMP then sought the subscriber information (name and address) of a Bell Sympatico customer. Bell Sympatico chose to co-operate with the police and provided what turned out to be the name and address of the accused, David Ward, which, coupled with other investigative information, enabled the police to obtain a search warrant for Ward’s residence and his computer.

The search of Ward’s home and computer yielded over 30,000 images of child porn, along with about 373 child porn videos.  Ward was charged with and convicted on one count of possession of child pornography and one count of accessing child pornography.

At trial, Ward defended the charges exclusively on the basis that the search of his residence and computer violated his rights under s. 8 of the Charter, and sought exclusion of the evidence under s. 24(2) of the Charter.  The trial judge rejected the Charter claim and admitted the evidence: R. v. Ward, 2008 ONCJ 355, 176 C.R.R. (2d) 90.  Convictions followed and Ward was sentenced to 11 months’ imprisonment and three years’ probation.  He appealed his convictions and sentences, but later abandoned his sentence appeal.

On appeal, Ward argued that he had a reasonable expectation of privacy in his subscriber information held by Bell Sympatico and that his constitutional right to be free from unreasonable search and seizure was violated when Bell Sympatico turned over that information to the police. The gist of the appeal argument was that the police acted unconstitutionally in requesting and obtaining his personal customer information without prior judicial authorization, other lawful authority, prior consent or exigent circumstances.

Doherty J.A. (Winkler C.J.O. and Goudge J.A. concurring) dismissed the appeal and held that Ward had no reasonable expectation of privacy, either contractually or under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”). Accordingly, there was no breach of the s. 8 Charter right against unreasonable search and seizure. Justice Doherty writes,

[107]    The contractual provisions in this case tend to reinforce my reliance on PIPEDA as indicative of the nature of the appellant’s reasonable expectation of privacy.  Like PIPEDA, the contractual terms speak both of Bell Sympatico’s duty to protect the privacy of clients’ information and its willingness to disclose information in relation to investigations involving the alleged criminal misuse of its services.  That willingness clearly qualifies any duty of confidentiality assumed by Bell Sympatico.  While there is no single provision in the agreement or related documents that spells out Bell Sympatico’s willingness to disclose information to the police as clearly as did the regulation under consideration in Gomboc, the overall thrust of the documentation is to the same effect.  In particular, the Accepted Use Policy (“AUP”) makes it clear that uploading or downloading child pornography is a breach of the AUP and that Bell Sympatico would “offer full cooperation with law enforcement agencies in connection with any investigation arising from a breach of this AUP.”  That cooperation would, it seems to me, obviously extend to the disclosure of subscriber information which, by the terms of the service agreement, could be disclosed if “[n]ecessary to satisfy any laws, regulations or other governmental request … or as necessary … to protect … others.”

[108]    My review of the terms of the service agreement and related documents reinforces my view that a reasonable and informed person would not expect that society should recognize that the appellant had a reasonable expectation of privacy in respect of the subscriber information held by Bell Sympatico.

[109]    I stress that the conclusion in this case is based on the specific circumstances revealed by this record and is not intended to suggest that disclosure of customer information by an ISP can never infringe the customer’s reasonable expectation of privacy.  If, for example, the ISP disclosed more detailed information, or made the disclosure in relation to an investigation of an offence in which the service was not directly implicated, the reasonable expectation of privacy analysis might yield a different result.  Similarly, if there was evidence that the police, armed with the subscriber’s name and address, could actually form a detailed picture of the subscriber’s Internet usage, a court might well find that the subscriber had a reasonable expectation of privacy.  Those cases will be considered using the totality of the circumstances analysis when and if they arise.

Here’s my takeaway from the decision:

1. Child porn is bad. No argument here.

2. Don’t be a pedophile. Ditto.

3. ISPs are good corporate citizens. Maybe, but Justice Doherty recognizes the slippery slope argument in respect of the zone of “public privacy” when he states:

[74]       I think that s. 8 encompasses the concept of “public privacy” described above.[1]  Surely, if the state could unilaterally, and without restraint, gather information to identify individuals engaged in public activities of interest to the state, individual freedom and with it meaningful participation in the democratic process would be curtailed.  It is hardly surprising that constant unchecked state surveillance of those engaged in public activities is a feature of many dystopian novels.

4. PIPEDA and Bell Sympatico’s Terms of Service operate in tandem to carve out an exception for law enforcement requests for customer information without judicial authorization.  I remain unconvinced why the RCMP could not have obtained the name of the Bell Sympatico account holder tied to the 3 IP addresses with a search warrant.

Quaere: What would have happened if the search of Ward’s home and computer yielded no corroborating evidence? No harm, no foul?

3 Responses to “Ontario appeal court: No reasonable expectation of privacy in using IP address to obtain customer info”

  1. Dan Steinberg Says:

    I believe point #4 is interesting, but complicated. Do you get a warrant compelling Sympatico to turn over the information? Why do that if Sympatico is willing? Do you get a warrant to gain access to an unnamed user’s info? I’m not sure you can do that. Who is the warrant served on? If it’s Sympatico, and they were willing already, why need a warrant? I think the issue of a warrant is, begrudgingly, moot. I think the ONLY issue is whether Sympatico has a right to comply if they “feel like it”. I don’t think it should be their choice, regardless of “terms of service”. Terms of service cannot supersede law. If their terms of service stated they can come to your house in the middle of the night and murder your goldfish, I would argue this is an invalid contract. In other words, ISPs should be required, by law, to hold that information as confidential unless otherwise instructed by the court. Maybe this is what you meant and I’m just complicating things :)

    As for your last statement, I think the evidence obtained from the ISP was used to procure a warrant to search the home of the accused. I don’t think there’s any difference between that and any other search warrant, so I think yes, no harm no foul, as long as a judge determined the search was warranted by the evidence gathered at that point.

  2. Antonin I. Pribetic Says:

    Thanks, Dan, for your thoughtful comment. I agree that delegating to ISPs the decision of compliance with privacy obligations in the face of a subpoena is problematic. A value-driven exercise is not neutral from the ISP’s perspective, which is what I alluded to in point 3 about “good corporate citizens”. As far as “no harm, no foul”, executing a search warrant is obtrusive and disruptive, if not intimidating, to an innocent person. In this case, the fact that Ward had child porn on his computer and in videos stored at his house makes this less offensive. My concern is where an innocent person’s computer is hijacked or subject to SWAT’ing by a vindictive person out for revenge.

    Antonin

  3. Dismoun Says:

    The central point here is that the government did not compel Bell to release that information, Bell chose to release it to a government agency in response to an official request. Had Bell chosen not to provide that information (some Canadian telecoms will not), then the law enforcement agency involved could have sought out a Production Order to require them to provide it, a much lower bar than a Search Warrant, incidentally.

    There is no law (at the moment) requiring Telecommunication companies to provide customer records to police upon demand, and there is no law forbidding them from doing so. This is similar to any other individual or corporation requested by the police to assist in an investigation.

    If police are seeking witnesses (“ma’am, can you identify this photograph”), they do not require court orders to ask questions, and the witnesses are not required to answer. Should a person or business owner feel that they should not divulge information about friends, associates or customers, there is NO law requiring them to do so upon request, and this is as it should be.

    Do you have a legitimate privacy interest in (for example) the detailing shop that cleans out your murder vehicle? Should a court order be required for police to obtain from your local Cafe the approximate time you purchased your latte yesterday? Is an IP address really any different? Just because we enjoy the feeling of anonymity on the internet does not make it a practical reality. Your ISP knows what you do on the ‘net, and their privacy policy (which you didn’t read) spells out exactly what they consider their obligations to be with regard to that information.

    If you don’t like the ISP’s policies, find a different ISP, or take measures to protect your anonymity (TOR, for example).

    Antonin, I’m not sure where SWATing comes into this. Adding the simple extra step of requesting a production order will not significantly slow down any investigation where a SWAT/ERT team is going to be used. No Canadian police force is going to use a team of that nature unless there is a specific indication of violence, or unless the suspect is known to be armed and violent. Not saying that SWATing doesn’t happen, just that forbidding ISPs to cooperate without court order isn’t going to make it any less easy.
