On June 13, the Supreme Court of Canada released its much awaited decision in Spencer v. The Queen. The core issue in this crucially important privacy case was whether there was a reasonable expectation of privacy in Internet Service Provider (ISP) subscriber information linked to a particular Internet Protocol (IP) address. Although privacy experts have for some time considered this question to be a no-brainer, the federal government had stubbornly held to the position that customer name and address information, viewed in isolation, was the kind of data in which none of us has a reasonable expectation of privacy.
Concurrent with the deliberations of the Supreme Court of Canada in Spencer were debates in the House of Commons and in Committee over the Conservative government’s controversial Bill C-13. This Bill will further pave the way for government authorities to gain easy and warrantless access to subscriber information. Among other things, the Bill gives ISPs immunity from any liability for handing subscriber information over to police without notice to or consent from their customers, and upon a simple request for this information to be shared.
Even prior to Bill C-13, provisions in both the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Criminal Code had been argued to grant permission to private sector companies to share personal information with authorities, at the request of those authorities, without a warrant and without notice or consent to the affected customers. The application of these provisions had led to numerous Charter challenges in the lower courts, and these courts were divided as to the interpretation these clauses should be given. Essentially, although the anonymous IP address could reveal a trail of internet-based activities, Crown lawyers argued (and some courts accepted) that the police were ultimately only seeking a simple name and address – information in which there could be little expectation of privacy – and no warrant was required.
The Supreme Court of Canada itself had been a bit iffy when it came to informational privacy. A number of split decisions in the past years showed a lack of consensus on key privacy issues, and some recent decisions were not particularly privacy-friendly. In 2004, a narrow majority of the Supreme Court of Canada found that infra-red technology used by police in fly-overs to measure the heat signature of houses was not privacy invasive, because it did not lead to precise inferences about activities taking place in the house (notwithstanding the fact that the police used the technology to draw inferences regarding the presence of a grow-ops the accused’s home). There was genuine concern that this approach placed an artificial distance between the individual and the information that could be gleaned about their activities through technology. This concern was augmented by the Court’s 2010 decision in R. v. Gomboc, where 4 of the judges found that a very precise recording of daily patterns of electrical use in a home “reveals nothing about the intimate or core personal activities of the occupants. It reveals nothing but one particular piece of information: the consumption of electricity.” (at para 14). This approach, which distanced particular pieces of information from the inferences that could be drawn from them, and that minimized the importance of the decontextualized information, was a matter of great concern to privacy advocates.
This is why the Court’s unanimous decision in Spencer v. the Queen is so important, and why so many privacy advocates awaited it with both anticipation and dread. It is perhaps fortuitous that the backdrop to the Supreme Court of Canada’s deliberations in Spencer was one of ongoing disclosures by Edward Snowden of intrusive and warrantless government surveillance of the online activities of individuals in Canada and elsewhere, and the heated debates over the Conservative government’s latest attempt to facilitate police access to information about Canadians’ online and mobile activities.
The Court in Spencer dismissed the approach that separated the name and address information from the information gleaned from the IP address. Justice Cromwell wrote: “the subject matter of the search is the identity of a subscriber whose Internet connection is linked to particular, monitored Internet activity.” (at para 33). He found as well that anonymity is an important dimension of privacy – one that is “particularly important in the context of Internet usage.” (at para 45) Noting that there is an almost unavoidable tracking of individual activity on the Internet, Justice Cromwell wrote:
The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private. (at para 46)
According to the Court subscriber information links certain types of information to identifiable individuals, and is thus revelatory of a great deal more information than simply a name and address. This in turn triggers a strong privacy interest.
On the issue of the provisions of both PIPEDA and the Criminal Code that permit companies to voluntarily share personal information with law enforcement officials, the Court ruled that these provisions do not override a reasonable expectation of privacy. Since a request by police for subscriber identification engages this privacy interest, it amounts to a search for which a warrant is required. The permissive provision in PIPEDA depends upon police having a lawful authority to obtain the information sought – if a warrant is required, then a request absent a warrant is not made with lawful authority. The Court also ruled that s. 487.014 of the Criminal Code merely confirms existing police powers to make enquiries, but does not give them any authority to circumvent requirements to obtain a warrant.
This decision is extremely important, and should prompt a reconsideration of parts of Bill C-13. Some caution is nonetheless warranted. The Court noted that the reasonableness of a person’s expectation of privacy in their subscriber information in the hands of their ISP may depend upon the wording of their Terms of Service and their ISP’s privacy policy. Essentially, if these documents state that the ISP will hand over customer data to police upon their request; this will undermine the reasonableness of any expectation that this information will remain protected. In an age of consumer helplessness in the face of lengthy, impenetrable and take-it-or-leave it terms of service, it is important to press ISPs – and other service providers – to respect basic privacy values.