IP Addresses and the Expectation of Online Privacy

Amanda Carpenter is a JD Candidate at Osgoode Hall Law School.

The recent Ontario case R. v. Cuttell, 2009 ONCJ 471 concerns the issue of online privacy, more specifically the issue as to what the privacy expectations are in regards to finding a user’s name and physical address based on their IP address. In this case the police identified an IP address used in sharing child pornography. They determined who the Internet Service Provider (ISP) was for that IP and sent them a request for the name and address of the user of that IP for that particular date and time. Since it was a case involving a child sexual exploitation investigation, the ISP complied.

The question here is whether the police needed to have a warrant to obtain the subscriber information from the ISP to comply with Section 8 of the Charter. In order to determine whether the police needed to obtain a warrant, it must first be determined whether there is a reasonable expectation of privacy in the name attached to an IP address. It was determined that such an expectation exists because this information discloses revealing personal biographical information about the user. A reasonable expectation of privacy doesn’t exist if the contract between the subscriber and ISP demonstrates an agreement to disclose the subscriber’s information to groups such as the police which relieves the ISP of an obligation of confidentiality. Since a contract where it was written that the subscriber’s information could be disclosed to the police could not be found in this case, it was determined by the judge that the reasonable expectation of privacy was not rendered void. Therefore, the police, by obtaining the subscriber information from the ISP without a warrant, breached Section 8 of the Charter. It was also found that neither the Personal Information Protection and Electronic Documents Act, R.S. 2000, c.5 (PIPEDA) or s.487.014(1) of the Criminal Code confers authority for a warrantless search.

What does one think of the idea that the reasonable expectation of privacy would be voided if there was an agreement to disclose information to groups such as the police? Most ISPs, among them Bell, Rogers, Telus, and Shaw all have contracts with their subscribers where the disclosure of a subscriber’s information attached to an IP address is allowed for certain groups such as the police. This seems to go against what some Canadian judges have decided is good public policy.  In Irwin Toy Ltd. v. Doe, [2000] O.J. No. 3318 (S.C.J.), it was held that “some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value”. If most of the ISPs require that users waive their right to privacy, it wouldn’t give individuals any choice regarding the privacy of the information attached to their IP address. Is this okay if the groups that can access this information would only do so in the interests of the protection of society (for example, to catch child molesters)?  Or is this just continuing a trend in Ontario towards limiting the scope of reasonable expectations of privacy? More information regarding this trend can be found in the IPilogue article written by George Nathanael by clicking here. Concerned citizens might need to start taking greater precautions to protect the privacy of their online behaviour if these trends continue.

If it is believed that the waiving of the reasonable expectation of privacy in contracts would be a positive development, it is noted in paragraph 48 of this case that in the United States, disclosure of subscriber information is permitted because any privacy expectation is destroyed by giving it to a third party such as an ISP.  Should Canada follow the US law? Perhaps the consequences of voiding the reasonable expectation of privacy by ISPs in Canada could be examined by looking at what the consequences of destroying privacy expectations by giving it to a third party has been in the United States. Regardless, whether one thinks this would be a positive development there is enough case law upholding the requirement for judicial authorization for access to information disclosed to third parties in Canada that it would be difficult for this court to overturn the precedents and decide that this judicial authorization is not required.

Despite the ruling that the police carried out an improper search, the evidence obtained was still admitted based on s.24(2) of the Criminal Code. This is because the police had consulted with the RCMP who advised them of the correctness of this course of action, and had told the judge issuing the warrant for the search on the user’s property about the origin of the address information who was free to refuse to issue a warrant on these grounds but let them conduct the search anyways. Thus they acted in good faith and not in a manner that “would bring the administration of justice into disrepute.”