Blog

Class aptent taciti sociosqu ad litora

From the Hands of Third Parties: Privacy and Internet Protocol Addresses

  • March 15, 2024
  • Clayton Rice, K.C.

The Supreme Court of Canada has held that internet protocol addresses attract a reasonable expectation of privacy in a ruling that will have wider implications for the private sector including internet service providers, search engines and artificial intelligence generators. The concentration of personal data in the hands of private corporations has added a third party to the horizontal relationship between the individual and the state. The new tripartite relationship had previously allowed Canadian law enforcement to obtain an IP address from an internet service provider without a warrant. That has now changed.

1. Introduction

An internet protocol address is a unique numerical designation assigned to a device that uses the internet protocol for communication. An IP address serves two functions: network interface identification and location addressing. (here) Ten years ago the Supreme Court of Canada held in R. v. Spencer that Canadians have a reasonable expectation of privacy in their subscriber information associated with an IP address. A request for subscriber information by the state is a search under s. 8 of the Charter of Rights and Freedoms and thus requires prior judicial authorization. (here) However, the question not raised in Spencer was whether there is a corresponding privacy interest in the related IP address. On March 1, 2024, the Supreme Court of Canada released a split 5-4 ruling in R. v. Bykovets concluding that the answer is: Yes. “Viewed normatively, an IP address is the key to unlocking a user’s Internet activity and, ultimately, their identity, such that it attracts a reasonable expectation of privacy,” said Justice Andromache Karakatsanis in the majority opinion. “If s. 8 is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses.” (here)

2. Background

During an investigation into fraudulent online purchases from a liquor store, the Calgary Police Service learned the sales were managed by Moneris, a third party payment processing company. The police contacted Moneris to obtain the IP addresses used for the transactions and Moneris voluntarily identified two addresses. The investigators then obtained a Spencer warrant (in this case a production order) that compelled an internet service provider to disclose the subscriber information for each IP address. One was registered to Andrei Bykovets and the other to his father. The police then used the subscriber information to obtain search warrants for the residential address of Mr. Bykovets and his father. Mr. Bykovets was arrested and charged with fourteen offences for using unauthorized credit card data to buy gift cards online. He initiated a pre-trial application asserting the police violated his privacy rights when his IP address was seized from Moneris without a warrant.

An expert report was entered in evidence at the hearing of the application. The expert said a user’s identity could be determined, without resorting to an internet service provider, through the information logged on the website of a third party company. Third party companies, such as Google or Facebook, can track the external IP addresses of each user who visits their sites and log this information to varying degrees. These companies can determine the identity of those individual users based on their internet activity on their sites. The effect is compounded when information from multiple sites is collected. In the expert’s opinion, if those seeking to identify a particular internet user have access to information logged by third party companies, “it is not necessary to obtain ISP-held subscriber information in order to accurately identify a particular internet user.”

On January 29, 2020, the application was dismissed by Justice L.B. Ho in the Alberta Court of King’s Bench who held the police request to Moneris was not a search because Mr. Bykovets did not have a reasonable expectation of privacy in his IP address. She characterized the subject matter of the search as “IP addresses sought for the purpose of furthering the investigation” and reasoned that IP addresses on their own “do not provide a link to, or any other information about, an Internet user.” (here) Mr. Bykovets was convicted after trial and his appeal was dismissed by the Alberta Court of Appeal in a split 2-1 ruling. In the majority opinion, Justice F.L. Schutz and Justice M.G. Crighton held there was no reasonable expectation of privacy in an IP address because “an IP address does not reveal intimate details of a person’s lifestyle nor does it, without more, disclose core biographical information, nor communicate confidential information.” Justice Barbara Veldhuis, in dissent, held the trial judge failed to recognize “there is a parallel method to identify an internet user” through an IP address without grounds to support judicial authorization. (here)

3. Balancing the Privacy Interest

In a section of the majority opinion titled “Does the Balance Weigh in Favour of a Reasonable Expectation of Privacy?” Justice Karakatsanis reaffirmed that “[d]efining a reasonable expectation of privacy is an exercise in balance.” In weighing the community demands of privacy and protection, she concluded the public’s interest in “being left alone” should prevail over the “government’s interest in advancing its law enforcement goals.” The right of the individual to be left alone lies at the heart of the right to be protected against unreasonable search and seizure and has been the subject of discussion in many posts to On The Wire. (See e.g., here, here and here) The analysis led Justice Karakatsanis to consider how the internet has altered the “typography of privacy” under the Charter by “making the horizontal relationship between the individual and the state tripartite”. The tripartite relationship, a phenomenon of the digital age, facilitates the collection and retention of vast stores of personal data in the hands of private corporations.

Consistent with Supreme Court jurisprudence, the majority opinion took a “broad and functional” view of the subject matter of a search. The pivotal question was this: What were the police really after? The investigators in Bykovets were not after IP addresses in the abstract. The police were really after the information that an IP address tends to reveal about internet users. That information included their online activity and, ultimately, their identity. An IP address, as the identifier of internet activity originating at a specific location, is a “powerful tool” that allows the state to collect a user’s activity over the time period a particular address is linked to that source. “[A]n IP address provided the state with the means through which to draw immediate and direct inferences about the user behind the internet activity,” Justice Karakatsanis said. “The information inferred from a device’s Internet activity can be deeply personal including linking that activity to a particular user’s identity.” Justice Karakatsanis went on to emphasize that, by recognizing the police wanted the IP addresses to acquire more information about the user, a court can then assess the expectation of privacy in relation to all the information the IP address tends to reveal and, therefore, by reference to the nature of the privacy interests potentially compromised by state action. Simply put, an IP address is the key to the digital door. But, does it matter that an IP address is in the hands of a third party?

It is well established in Canadian constitutional law that control over the subject matter of a search is not determinative of whether a reasonable expectation of privacy exists . The self-determination at the heart of informational privacy means that individuals may choose to divulge information for a limited purpose, or to a limited class of persons, and yet retain a reasonable expectation of privacy. In various posts to On The Wire over the years I have referred to this “limited purpose” as the restricted purpose doctrine. (See e.g., here, here and here) The non-determinative nature of control in Charter jurisprudence is particularly relevant in the digital world which requires that users provide subscriber information to their internet service providers to participate in the “new public square.” The only way to retain complete control over the “subject matter of the search” would be to make no use of their services at all. That is not a meaningful choice in the twenty-first century. As Justice Karakatsanis said, “Canadians are not required to become digital recluses in order to maintain some semblance of privacy in their lives.”

The vast numbers of internet users leave behind a trail of information that is vacuumed up by governments and private corporations for purposes ranging from state surveillance to targeted advertising. A data trail may be pieced together to reveal the most intimate details of a person’s life. Described as “breadcrumbs” by Justice Karakatsanis, the data trail may establish a user’s entire daily, weekly or monthly activities leaving an enduring roadmap of the user’s activities in cyberspace. Not only does the internet keep a permanent record, it has concentrated this mass of data in the hands of third parties, investing them with immense power. Large private corporations have the ability to collect vast stores of user information and aggregate that data into “sharp images of their users’ online activity to determine what their users want and when they want it.” The internet not only allows private corporations to track their users but also to build profiles of them with information they never knew they were revealing.

By concentrating personal information in the hands of third parties, and granting them the tools to aggregate and dissect that data, the internet has “altered the typography of privacy under the Charter” by adding a third party to the “constitutional ecosystem”. The internet has made the horizontal relationship between the individual and the state tripartite. Although third parties are not themselves subject to s. 8, they mediate a relationship which is directly governed by the Charter – the relationship between a defendant and the police. This technological development has permitted government actors to expand their surveillance powers by tapping into information collected by the private sector. By requiring the state to obtain prior judicial authorization to acquire an IP address, the Bykovets majority narrowed the state’s online reach and has prevented it from accessing the details of a user’s online life revealed by their IP address that are not relevant to the investigation. Judicial oversight thus removed the decision to disclose information – and how much – from private corporations and returned it “to the purview of the Charter.”

4. Conclusion

Information privacy is the claim of individuals, groups and institutions to determine for themselves when, how and to what extent information about them is communicated to others. It is part of the broader human right to privacy which is vital to personal autonomy and individual dignity. The right to privacy is promoted by the right to self-determination and protects the ability of the individual to make choices about disclosure of personal information that, when used alone or in combination with other data, can identify an individual person. Ten years ago in Spencer the Supreme Court of Canada recognized the right to online anonymity and held that a warrant is required authorizing the police to seize subscriber information from an internet service provider. The warrant requirement, extended by Bykovets to internet protocol addresses, has taken the right to self-determination from the hands of third parties and affirmed where it belongs – in the constitution. It has been a long time coming.

Comments are closed.