ITBusiness.ca

No expectation of privacy in an IP address, Alberta judge rules

Police in Alberta don’t need a court order to get an external IP address from a service provider in trying to identify an internet user, according to a recent Calgary judicial ruling.

The decision is a first in Canadian privacy law. The precedent applies for now only in Alberta but it will be cited in other courts across the country and could be persuasive if the facts in other cases are similar. If upheld in other provinces or by the Supreme Court, organizations across the country — including social media platforms, content providers and websites — may have to turn over IP addresses without court orders.

The pre-trial hearing involved the way Calgary police tracked down and charged a man with 33 counts of possessing and using other people’s credit cards and personal identification to fraudulently buy goods with virtual gift cards.

The transactions went through Moneris, a Toronto-based company that offers payment processing services to organizations. Trying to find who was behind the allegedly fraudulent transactions, police got the external IP address of the purchaser from Moneris. Police then got a court order to get an internet service provider to hand over the physical address of the external IP address owner. Ultimately that led to the arrest of the accused.

The defence objected to admitting that evidence, saying the accused’s Charter rights had been violated because the external IP address was given to police by Moneris without a court order. The accused, the lawyer said, had a reasonable expectation of privacy of his external IP address.

However, the Crown prosecutor objected. Unlike an internal, or local, IP address, which is tied to a particular device, an external IP address is used to transfer information across the internet, the judge was told. An IP address alone doesn’t have personally-identifiable information. More work is needed to tie an external IP address to a person, and in this case, the police did get a court order to get the physical address from the ISP.

Justice L. Bernette Ho agreed. The accused had no reasonable expectation of privacy in an IP address, she ruled. “In my view, an IP address in itself does not reveal information about a subscriber that should be protected in a free and democratic society.

“While I acknowledge that the police might be able to obtain information about a user’s identity, there are significant limitations on this. Obtaining an IP address is an important investigative step for police, but privacy interests are not triggered by a mere police investigation.”

In this case, the next step police made, the judge added, was looking up the IP address on a public directory to get the name of the Internet provider. That led to getting a disclosure court order for the ISP.

The judge agreed with police testimony that while an IP address is a valuable investigative tool, one still needs to know where to look and who to ask to track someone by their IP address alone.

The judge also said the facts in this case are different from a landmark 2014 case called Spencer, where the Supreme Court of Canada ruled that Canadian internet providers can’t turn over basic subscriber information — including a home address — to police without a search warrant.

However, separately she ruled that the accused’s rights were violated because of the loss of forensic notes of an examination of USB sticks seized at the accused’s home. Whether the entire case collapses because of this has yet to be determined.

The defence lawyer could also appeal the IP address part of the ruling after the trial if it goes on.

In a 2013 report, the federal privacy commissioner’s office (OPC) concluded that an IP address can reveal information about a user’s online activities, but not necessarily the identity of the user.

For Halifax lawyer David Fraser of the McInnes Cooper law firm, the Calgary decision “raises more questions than answers.”

It doesn’t explain how the police got the IP address from Moneris, he pointed out. Did the police ask for it, or was it handed over? And whether that was a violation of federal privacy law.

The OPC has said under federal privacy law an IP address is personal information and should only be disclosed with a court order, he said.

“I would have thought, also, that one has an expectation of privacy in an IP address, in part because privacy commissioners have said its personal information that could lead to an identifiable individual,” he said.

Therefore a warrant is needed before any organization can hand over an IP address.

Fraser also noted that in the Calgary case Moneris wasn’t the entity that initiated the police investigation. It might have been different if Moneris believed it had been defrauded and went to the police, in which case the disclosure of the IP address it had would have been proper for reporting a crime.

“I represent and advise a number of companies that from time to time get requests for IP addresses, and I know none of them would disclose that information without a court order. I would recommend to all companies to continue that practice, notwithstanding this decision,” he said, adding this is important because then a judicial officer has looked at the allegations.

Exit mobile version