Teresa Scassa - Blog

Displaying items by tag: information privacy

Apologies for a somewhat longer than usual post - but the Supreme Court of Canada's decision in R. v. Bykovets both interesting and important....

The Supreme Court of Canada’s decision in R v. Bykovets is significant for two reasons. The first is that it affirms an understanding of privacy that is in keeping with the realities of contemporary and emerging technologies. The second is that it does so by the narrowest of margins, laying bare the tension between two very different ways of understanding privacy in a technological age. While this is a victory for privacy rights, it should leave celebrants in a sober mood.

The appellant Bykovets had been convicted of 14 offences relating to credit card fraud and unlawful credit card purchases. During their investigation, Calgary police approached Moneris, a third-party payment processing company, to obtain the IP address linked to specific fraudulent online purchases. Moneris complied with the request. Police then sought a production order to compel the relevant internet service provider (ISP) to provide the customer name and address (CNA) information associated with the IP address. With this information, they were able to obtain search warrants for the accused’s home. At trial, the appellant challenged these search warrants, arguing that when the police obtained his IP address from Moneris without a production order, they violated his right to privacy under the Canadian Charter of Rights and Freedoms. Bykovets was convicted. The trial judge found that there was no reasonable expectation of privacy in an IP address because an IP address on its own did not disclose a “biographical core” of information (at para 24). The majority of the Court of Appeal agreed with a strong dissent from Justice Veldhuis.

R v. Bykovets builds on the 2014 decision of the Supreme Court of Canada in R. v. Spencer. In Spencer, the Court tackled an issue that had bedeviled lower courts for several years, resulting in inconsistent decisions. The issue was whether there was a reasonable expectation of privacy in CNA information. Until Spencer, it was unclear whether police could simply ask ISPs for CNA information linked to an IP address without the need for a production order. The argument was that a person had no reasonable expectation of privacy in their name and address, and so police did not require judicial authorization to access it. The Supreme Court of Canada ruled in Spencer that a request for this information in a context where it would be linked to online activities raised a reasonable expectation of privacy. Bykovets addresses the issue of the status of the address itself – prior to its linkage with CNA information.

Justice Karakatsanis, writing for a majority of the Supreme Court of Canada in Bykovets, emphasized the importance of a robust right to privacy in a data-driven society. The first line of her decision states: “The Internet has shifted much of the human experience from physical spaces to cyberspace” (at para 1). The IP address is a vital connector between online activities and the individual who engages in them. Justice Karakatsanis rejects an approach that assesses privacy rights in this information “based on police’s stated intention to use the information they gather in only one way” (at para 6), namely to obtain a production order to further link the IP address to an ISP who can provide the CNA information. In her view, the reasonable expectation of privacy must be understood according to a normative standard, which focuses on “what privacy should be – in a free, democratic and open society – balancing the individual’s right to be left alone against the community’s insistence on protection” (at para 7). In her view, an IP address can be linked to deeply personal information about online activities that can, on its own, reveal the identity of the individual even if a further production order for CNA information is not sought. According to Justice Karakatsanis, “an IP address is the first digital breadcrumb that can lead the state on the trail of an individual’s Internet activity” (at para 9). It is “the key that can lead the state through the maze of a user’s Internet activity and is the link through which intermediaries can volunteer that user’s information to the state.” (at para 13). She goes on to note that “[i]f s. 8 is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses” (at para 28).

All parties agreed that there was a subjective expectation of privacy in IP addresses. The real issue was whether this expectation was objectively reasonable. In order to assess the reasonableness of the expectation, it is necessary first to define the subject matter of the search. The Crown characterized it as an IP address that would allow police to continue their investigation. Justice Karakatsanis found that the Crown’s description was “artificially narrow” (at para 37) and rejected an approach that focused on the declared intent of an agent of the state. In her view, additional caution is warranted when the subject matter of a search relates to digital data. She noted that the police were not really interested in an IP address; rather, they were interested in what it would reveal. Although the police planned to get a Spencer warrant before linking the IP address to CNA information, Justice Karakatsanis observed that this was not the only way in which an IP address could be used to derive information about an individual. She stated: “Online activity associated to the IP address may itself betray highly person information without the safeguards of judicial pre-authorization” (at para 43).

The majority next considered other relevant factors in the assessment of a reasonable expectation of privacy, including the place where the search takes place. In the U.S., an individual cannot have a reasonable expectation of privacy in information in the hands of third parties. Justice Karakatsanis affirmed the Supreme Court of Canada’s rejection of this ‘third-party doctrine’ in section 8 jurisprudence. Control is not a determinative factor. In the context of ISP’s, the only way to keep an IP address out of the hands of third parties is to not use the internet – which in today’s society is not a meaningful choice.

Although the place of a search can be relevant to the reasonableness of an expectation of privacy, it is also not determinative. Justice Karakatsanis noted that “’online spaces are qualitatively different’ from physical spaces” (at para 49, citing R. v. Ramelson at para 49). She referred to the internet as creating “a broad, accurate, and continuously expanding permanent record” (at para 50), that can be more revealing than most physical spaces. As a result, the fact that the search did not intrude on the territorial privacy rights of the accused was not significant.

Another factor is the private nature of the subject matter, often referred to as the “biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state” (at para 51, quoting R. v. Plant at p. 293). Justice Karakatsanis adoped a normative approach with aspirational qualities. On this view, a reasonable expectation of privacy “cannot be assessed according to only one use of the evidence” (at para 53) as asserted by the police. She stated: “The unique and heightened privacy interests in personal computer data flows from its potential to expose deeply revealing information” (at para 55). This is not a suggestion that police hide behind innocuous explanations of purported use; rather, the key is “the potential of a particular subject matter to reveal an individual’s biographical core to the state” (at para 57). According to Justice Karakatsanis,

. . . the ever-increasing intrusion of the Internet into our private lives must be kept in mind in deciding this case. It is widely accepted that the Internet is ubiquitous and that vast numbers of Internet users leave behind them a trail of information that others gather up to different ends, information that may be pieced together to disclose deeply private details. [. . . ] This social context of the digital world is necessary to a functional approach in defining the privacy interest afforded under the Charter to the information that could be revealed by an IP address (at para 58).

Justice Karakatsanis rebuffed arguments by the Crown that the IP address is useless without the CNA obtained with a Spencer warrant. An IP address can convey intimate information about online user activity even absent CNA data. Further, the online activity can be correlated with other available data which could ultimately lead to the identification of the individual. In such a context, a Spencer warrant offers little practical protection. It is the IP address which is “the key to unlocking an Internet user’s online activity” (at para 69).

Given this analysis, it is unsurprising that the majority of the Court concludes that there is a reasonable expectation of privacy in IP addresses. The majority centres the role of the private sector in the amassing of information about online activities, giving these third parties “immense informational power” (at para 75). Justice Karakatsanis observes that “By concentrating this mass of information with private third parties and granting them the tools to aggregate and dissect that data, the Internet has essentially altered the topography of privacy under the Charter. It has added a third party to the constitutional ecosystem, making the horizontal relationship between the individual and state tripartite” (at para 78). The result is that the state has an enhanced information capacity, as they have many routes for access to this information. Justice Karakatsanis observes that these companies “respond to frequent requests by law enforcement and can volunteer all activity associated with the requested IP address. Private corporate citizens can volunteer granular profiles of an individual user’s Internet activity over days, weeks, or months without ever coming under the aegis of the Charter” (at para 10).

The majority acknowledges that the important privacy concerns flowing from this massive concentration of personal information need to be balanced against the legitimate interest in “[s]afety, security and the suppression of crime” (at para 11, citing R v. Tessling, at para 17). Justice Karakatsanis notes that digital technologies have enhanced the ability of criminals to perpetrate crime and to evade law enforcement. However, she observes that judicial authorization is “readily available” (at para 11). She characterizes the burden on state authorities to obtain the necessary authorizations as “not onerous” (at para 12), given the increased availability of telewarrants. Further, she states that “the burden imposed on the state by recognizing a reasonable expectation of privacy in IP addresses pales compared to the substantial privacy concerns implicated in this case” (at para 86).

Justice Côté writes for the four dissenting justices. The difference in approach between majority and dissent could hardly be more stark. While the majority opinion begins with a discussion of how closely linked IP addresses are to the details of our online activities, the dissenting opinion opens with a discussion of the police investigation into fraudulent activities that led to the charges against the accused. For the dissent, retrieving the IP address from the financial intermediary was just a first step in the investigation. Justice Côté framed the issue as “whether the appellant had a reasonable expectation of privacy in the IP addresses alone – without any other information linking the addresses to him as an Internet user – in the circumstances of this case” (at para 95). This is the crux of the difference between majority and dissenting opinions – how to characterize the information accessed by the police in this case.

Although the dissenting justices accept that an IP address links an individual to their online activities, but they find that there are two ways to make that connection. One is by asking an ISP to provide the CNA information linked to the IP address (as was the case here). The other is to connect an individual to the IP address by linking their various online activities. For the dissenting justices, if the first method is used, and if a warrant will later be obtained to require an ISP to provide the necessary CNA information, an initial warrant is not needed to obtain the IP address from the intermediary. Whether a warrant is needed, then, depends upon the steps the police plan to take – a matter which is not transparent to the company that must decide whether to voluntarily share the information.

In reaching their conclusion, the dissenting justices differ from the majority on the issue of reasonable expectation of privacy. In particular, Justice Côté takes a different approach to characterizing the subject matter of the search, and the reasonable expectation of privacy. On the question of the subject matter of the search, she emphasized that it was important to consider “what the police were really after” (at para 123, citing R v. Marakah, at para 15). In her view, this means considering “the capacity of the precise information sought to give rise to inferences or to reveal further information” (at para 123). In her view, Spencer aligns with this approach – once an IP address is linked to CNA information, then it can reveal the individual’s online activities. In this case, the precise information sought by police was the “raw IP addresses alone” (at para 128), which in isolation reveal very little information. A subsequent production order would be sought to match these addresses to CNA information.

The dissenting justices dismissed the majority’s concerns that the IP address could be used to identify an individual from their online activities. First, they note, this was not what the police did in this case. Second, if the police were to use the second method to identify an individual, they would need a warrant. However, according to Justice Côté, this “is an issue for another day in a case where the situation actually arises on the facts” (at para 135). In her view, the police followed a clear series of steps, and the IP address was only one step, with the identification of the individual as a further step for which a production order would be obtained. According to the dissent, “to effectively hold that any step taken in an investigation engages a reasonable expectation of privacy . . . would upset the careful balance that this Court has struck between the interest of Canadians in actual privacy and the interest of Canadians in not hindering law enforcement” (at para 139).

On the issue of the reasonable expectation of privacy, Justice Côté dismissed the idea that the IP address was itself ‘private’ information. She emphasized that ‘on these facts’, the IP address did not reveal any core biographical information. She insisted that the case be decided only on the actual evidentiary record, not on speculation about what might have been done.

The dissenting justices analogized between leaving behind fingerprints at a crime scene and leaving behind one’s IP address on websites one visits online. Justice Côté writes “[i]t cannot be seriously suggested that a police investigation that involves dusting for fingerprints and keeping them – without more – could engage a reasonable expectation of privacy. The same – again, without more – is true of obtaining an IP address” (at para 154). What this overlooks, however, is the fact that obtaining an IP address requires a request to a private sector organization that holds that information, and that has privacy obligations to its customers. Although the Personal Information Protection and Electronic Documents Act (PIPEDA)allows for the sharing of information with law enforcement without knowledge or consent, this is tricky territory for organizations. It is also different from collecting fingerprints from a crime scene to which the police have access. The very issue before the Court was what steps are necessary in order to gain access to the information held by private sector companies.

For the dissenting justices, another factor in assessing a reasonable expectation of privacy – and another point of difference with the majority – is the place of the search. This is tied to territorial notions of privacy under which the strongest protection is with respect to a person’s home. According to the dissent, the place of the search is the database of the credit card processor, and this diminishes any objectively reasonable expectation of privacy on the part of the accused. With respect, in a context in which people in their homes interact in digital environments on a daily and routine basis, this is 19th century reasoning that is a poor fit for the information age.

The approach of the dissenting justices also overlooks the fact that laws such as PIPEDA are permissive when it comes to data sharing by organizations with law enforcement. Under section 7(3)(c.1) of PIPEDA, an organization may disclose personal information without the knowledge or consent of the individual to a government actor upon request by that actor where the purpose is law enforcement or investigation. The only check on this data sharing without knowledge or consent is the Charter. If there is a reasonable expectation of privacy in the data being shared, then police require judicial authorization. Charter rights in this context are extremely important – particularly given the vast quantities of often highly sensitive personal information in the hands of private sector organizations. This volume and variety of information has only been increasing and will continue to do so exponentially. To say that the police can request the digital equivalent of a skeleton key from a private organization without a warrant so long as they only intend to use that key to open a particular lock, is to effectively surrender essential Charter rights to privacy in exchange for a “trust me” approach to policing that runs counter to the very idea of Charter rights. The private sector organization is required to trust the police when handing over the information, and society must trust that the police will only use this data appropriately. Yet, the right to be free from unreasonable search or seizure is premised on the very idea that some searches and seizures are unreasonable. Charter rights set important boundaries. In a digital society, the boundary between agents of the state and everything one does online is a fundamentally important one. It deserves to be guarded against intrusion.

Charter cases often arise in contexts in which persons have been accused of dangerous and/or antisocial activities that we wish to see stopped. In cases such as Bykovets, it is easy to be impatient with adding superficially unnecessary steps to complicate investigations. But we need also to bear in mind the research and reporting we see on systemic racism in policing in Canada, of the misuse of police powers to stalk or harass women, and the potential for abuse of personal information when it is made too readily available to authorities. Although Charter rights may be cast as an interference in legitimate investigations, they are also a crucial safeguard against excess and abuse of authority. The digital data held by private sector companies can render us naked in the eyes of state authorities. The Charter is not a blindfold that leaves police fumbling in the dark. Rather, it is a protective cloak that each of us wears – until judicial authorization directs otherwise.

For the majority in Bykovets, the goal is not to interfere with online investigations; rather, it is to “better reflect what each reasonable Canadian expects from a privacy perspective and from a crime control perspective” (at para 86). Finding a reasonable expectation of privacy in IP addresses “significantly reduces the potential of any “arbitrary and even discriminatory” exercises of discretion” (at para 87) by the state. It also removes from the private sector decision-making about what information (and how much of it) to disclose to the state. The majority characterizes its approach as ensuring “that the veil of privacy all Canadians expect when they access the Internet is only lifted when an independent judicial officer is satisfied that providing this information to the state will serve a legitimate law enforcement purpose.” (at para 90)


Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law