Should Internet Service Providers Become Information Providers for the Police?

Should Internet Service Providers Become Information Providers for the Police?

Two recent Ontario Superior Court of Justice judgments have allowed for law enforcement agencies to obtain subscriber information from internet service providers without a warrant. In both cases police officers used IP addresses of suspected child pornography carriers, which they had obtained themselves, to get corresponding names and addresses. This has alarmed privacy advocates, and some even believe that Ontario is on its way to a system of mass surveillance.

In the case of R. v. Wilson, a police officer obtained the IP address of a computer that had been found to be accessing child pornography. The officer then contacted Bell Canada, without a warrant, for subscriber information related to that IP address, and Bell complied. The judge, in considering the totality of the circumstances, as per the SCC decision of R. v. Edwards that outlines the test for determining whether a reasonable expectation of privacy existed, found that there was no breach of the defendant’s section 8 Charter rights (against unreasonable search and seizure). The case of R. v. Vasic had a fact pattern that was quite similar, at least when solely considering the privacy issue. The judge here also determined that the section 8 Charter rights of the defendant were not breached when the police officer obtained the name and address from Rogers Cable, after already having possession of the IP address.

The judge in Wilson reasoned that the information obtained by Bell was only the name and address, which was not enough for the defendant to have a reasonable expectation of privacy, since such information can even be found in a public telephone directory. It should be noted that this was made in disagreement to the previous decision of R. v. Kwok, which had similar facts, but where the judge found that names and addresses found in ISP subscriber information was deemed to disclose details of the lifestyle and personal choices of the individual, which is determinative of an existing privacy interest by the reasoning of the SCC in R. v. Plant. The judge in Vasic, however, considered the fact that the name and address information was held in conjunction with the IP address information, and that together they were revealing of intimate details.

Another factor that the Wilson judge believed weighed in favour of concluding that there was no section 8 breach was the fact that the Bell Customer Privacy Policy and the Bell Code of Fair Information Practices, which allowed for Bell to disclose collected personal information in specific cases, were said to be agreed upon by the defendant through his use of the internet services. This same issue was actually the deciding factor in the Vasic case, with respect to the section 8 analysis, as the defendant conceded that he was bound to the Rogers Yahoo! Acceptable Use Policy. However, it is problematic to use an electronic adhesion contract to discern the privacy expectations of a party using a product.  By simply using their ISP’s services, it is unlikely that the defendants expected that their information would be made so easily accessible. Due to the reality that most users do not look over privacy notices or other terms of use when using online services, some groups have called for greater clarity.

The Wilson judge also found that section 7(3)(c.1(ii)) of PIPEDA justified the actions of both the officer and Bell Canada in the transmission of the information. Though the statute’s main objective is the protection of personal information, this specific provision is explicit in its allowance of such information to be disclosed, without consent from the affected party, to the proper authority for the purposes of carrying out an investigation in order to enforce a law. Both Bell and Rogers voluntarily handed over the subscriber information, and Rogers even had a standard form to be filled out for requests for information when investigating child sexual exploitation. It may be worrisome that the ISPs so easily divulged their users’ information when they were not required to do so. However, it may be their policy of taking measures to prevent their services from being used for such a despised crime.

Another issue that can be considered is the freedom of police to obtain IP addresses in the first place. The Wilson decision described the procurement of the defendant’s IP address through a “plain view search”, after learning how to find this online. It can be argued that knowledge of an individual’s IP address, even with name and address information, may not per se be revealing of intimate details of lifestyle and personal choices. The additional step of using an IP address in a particular way, such as to find out information about an individual’s internet history, would be required in order for such information to be revealed. Of course it can be said that this piece of information is quite powerful in that it is necessary to lead to the other revealing information. But at the same time, one’s name, address and birth date, if used in a particular manner, can also lead to further information that one would have a reasonable expectation of privacy in. And as the judge in the Wilson decision stated, “one's name and address or the name and address of your spouse are not “biographical information” one expects would be kept private from the state” (though as mentioned earlier, this was made in disagreement with a previous case).

Both the Wilson and Vasic decisions are binding on the lower courts in Ontario, and it will be interesting to see how future decisions will be made considering the disagreement about whether such information collected is revealing of intimate details about lifestyle and personal choice. With increased efforts by law enforcement agencies to fight child pornography, it may only be a matter of time before this issue is appealed to a higher court.