In a blog posting on February 11, 2013 Brian Holowka discussed the case of Matthew Spencer – a case decided by the Saskatchewan Court of Appeal: 2011 SKCA 144 – which dealt with the issue of whether persons have a reasonable expectation of privacy in their personal identifiers held by their ISP company.
Today the Supreme Court released its ruling on appeal from that decision: 2014 SCC 43. In short, it held that Spencer did have a reasonable expectation of privacy in his name and other personal identifiers as held by his ISP, Shaw Communications, that related to the IP address linked to his computer.
The facts – as set out in the previous post – may be succinctly summarized as follows:
Matthew Spencer used a popular file-sharing program called “LimeWire” to obtain a large number of files containing child pornography. He kept these files in a shared folder on his computer. Others similar users of the file-sharing program could view and download these files.
An officer with the Saskatoon Police Service used the “LimeWire” program and discovered the child pornography files in this shared folder. The IP address associated with the computer hosting the shared folder was publicly available and easily ascertainable by the police. The police wrote to Shaw Communications, the ISP, requesting the customer information associated with the IP address at the date and time relevant to the discovery. This kind of information is often referred to as customer name and address or CNA. The request was made pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Shaw complied with the PIPEDA request and armed with this information, the police obtained a search warrant to search the home. The computer was located, seized and searched. Child pornography was located on the hard drive of the computer.
On appeal the Court considered whether Spencer had a reasonable expectation of privacy. That consideration began by determining his subjective expectation which was driven by two considerations: (i) the subject matter of the search; and (ii) the nature of the privacy interest potentially compromised.
With respect to the subject matter, the court noted that in some cases this is easily discerned, in others it is more nuanced and complex. In this case, the determination of the subject matter fell into the latter category and in such cases the court should take “a broad and functional approach to the question, examining the connection between the police investigative technique and the privacy interest at stake” [para 26]. In doing so courts should looked “not only the nature of the precise information sought, but also at the nature of the information that it reveals” [emphasis added]; [para 26].
Put another way, the Court held that courts should not look “narrowly at physical acts involved but should consider the nature of the privacy interest impact: para 31.
In the present case the Court concluded on this point with the following:
The subject matter of the search was not simply a name and address of someone in a contractual relationship with Shaw. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage. As Cameron J.A. put it, at para. 35 of Trapp:
To label information of this kind as mere “subscriber information” or “customer information”, or nothing but “name, address, and telephone number information”, tends to obscure its true nature. I say this because these characterizations gloss over the significance of an IP address and what such an address, once identified with a particular individual, is capable of revealing about that individual, including the individual’s online activity in the home.
Here, the subject matter of the search is the identity of a subscriber whose Internet connection is linked to particular, monitored Internet activity [emphasis added]; [paras 32-33].
With respect to the nature of the privacy interest, the Court first identified the privacy interest at stake as being “informational” and noted:
To return to informational privacy, it seems to me that privacy in relation to information includes at least three conceptually distinct although overlapping understandings of what privacy is. These are privacy as secrecy, privacy as control and privacy as anonymity [para 38].
After setting out the framework for the analysis of each of these privacy interests, the Court identified an intrusion into the “privacy as anonymity” and concluded:
In the circumstances of this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person (or a limited number of persons in the case of shared Internet services) to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized by the Court in other circumstances as engaging significant privacy interests: R. v. Morelli, 2010 SCC 8,  1 S.C.R. 253, at para. 3; Cole, at para. 47; R. v. Vu, 2013 SCC 60,  3 S.C.R. 657, at paras. 40-45.
I conclude therefore that the police request to Shaw for subscriber information corresponding to specifically observed, anonymous Internet activity engages a high level of informational privacy [emphasis added]; [para 50-51].
In undertaking this analysis the Court drew the conclusion that Spencer had a subjective expectation of privacy.
Turning to determine whether such an expectation was reasonable, the Court discussed the implications of PIPEDA and the reliance thereon for the disclosure in question. In particular, Spencer argued that the contractual and statutory terms of his agreement with Shaw (the ISP) did not undermine his expectation of privacy. While recognizing that PIPEDA sets outs as a guiding principle that an organization may disclose personal information as they feel appropriate, this principle does not apply where the police seek such information – as opposed to the ISP discovering it and providing it on their own initiative. Where the police request the information they must have a “lawful authority”.
...s. 7(3)(c.1)(ii) of PIPEDA…permits disclosure only if a request is made by a government institution with “lawful authority” to request the disclosure. It is reasonable to expect that an organization bound by PIPEDA will respect its statutory obligations with respect to personal information [para 63].
The Court concluded that Spencer’s expectation of privacy was reasonable:
In my view, in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search [para 66].