Matthew Spencer used a popular file-sharing program called “LimeWire” to obtain a large number of files containing child pornography. He kept these files in a shared folder on his computer. Others similar users of the file-sharing program could view and download these files.
An officer with the Saskatoon Police Service used the “LimeWire” program and discovered the child pornography files in this shared folder. The IP address associated with the computer hosting the shared folder was publicly available and easily ascertainable by the police. The police wrote to Shaw Communications, the ISP, requesting the customer information associated with the IP address at the date and time relevant to the discovery. This kind of information is often referred to as customer name and address or CNA. The request was made pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Shaw complied with the PIPEDA request and armed with this information, the police obtained a search warrant to search the home. The computer was located, seized and searched. Child pornography was located on the hard drive of the computer.
Unlike the decision in Trapp, two of the three judges in Spencer found that there was no reasonable expectation of privacy in the circumstances of the latter case.
The Court made the following observation about the level of intrusiveness of the request:
In these circumstances, under the traditional approach to determining the intrusiveness of a search, the written request of Shaw was minimally intrusive. It did not require physical access to Mr. Spencer’s residence, his personal computer or its files, or any of his other possessions, nor did it interfere with his personal or bodily integrity. In other words, accessing the Disclosed Information did not involve intrusion into places ordinarily considered private. Sergeant Altrogge’s request had none of the traditional hallmarks of an intrusive search and this absence of intrusiveness would traditionally augur against a reasonable expectation of privacy [para 43].
The next paragraph of the analysis appears somewhat outside of the conventional approach to reasonable expectation of privacy:
However, in an era in which technology increasingly facilitates the circulation, exchange and storage of personal information by third parties, it is my view that an inquiry of a third party in the nature of that which occurred in this case is intrusive. An inquiry of an ISP as occurred in this case has the inherent potential to disclose highly personal information or “to reveal intimate details of lifestyle and personal choices”. In this respect, I recall to mind the purpose for which the police sought to obtain the Disclosed Information. Nevertheless, even given that purpose, it cannot be said the police inquiry in this matter was overly intrusive as it was most certainly carried out in a perfunctory manner [para 44]; [emphasis added].
While the Court ultimately concluded that Mr. Spencer’s expectation of privacy in the disclosed information was not reasonable, the comments in bold above are interesting. The Court characterized the request in this case as intrusive although the information requested by the police, the customer name and address, by itself, reveals nothing about the details of lifestyle and personal choices made by Mr. Spencer. The fact that the CNA has the potential to be used to obtain a judicial authorization where highly personal information may be revealed is not traditionally a factor in determining whether a reasonable expectation of privacy exists in the first instance.
It should be interesting to see what the Supreme Court of Canada has to say about this issue and others flowing from this case.