On June 13th, a majority of the Court of Appeal of Alberta held that an IP address alone is not subject to a reasonable expectation of privacy such that it is protected by section 8 of the Charter.
The police had identified a series of fraudulent online transactions and asked a credit card processor for the matching IP addresses. The processor provided the police with two IP addresses, and the police then obtained a production order to require Telus to identify the two Telus subscribers. Unlike in the leading Supreme Court of Canada case R v Spencer, the police sought prior judicial authorization to identify the subscribers. Did they do wrong, however, by obtaining the IP addresses first?
The majority said “no,” and relied on the protection granted by Spencer in finding that there was no reasonable expectation of privacy in the IP addresses alone.
In Spencer, police obtained, without judicial authorization, the IP address and its subscriber data. Thus, without a court order, the police believed the following: Matthew Spencer was using the internet to download child pornography at a specifically named address. By contrast, the police here obtained, without judicial authorization, only IP addresses. Based on this abstract information, police believed a person who committed fraud used the IP addresses. They did not know who. They only knew the IP addresses belonged to TELUS and they ascertained this information through a publicly available internet lookup site. To get the name and address of the subscriber, they lawfully served TELUS with a production order. Thus, without a court order, they believed only this: an unknown person using a known IP address was committing fraud from an unknown address.
An IP address does not tell police where the IP address is being used or, for that matter, who is using it. Nor is there a publicly available resource from which the police can learn this or other subscriber data. To get the core biographical information such as an address, name, and phone number of the user, the police must obtain and serve a production order on the ISP in accordance with Spencer. That is what the police did here.
The dissenting judge held that, notwithstanding Spencer, IP addresses have investigative value as “digital breadcrumbs” and could be used to discover the identity of an unknown internet user. She held that – from a normative perspective – the Charter ought to apply to the police process of gathering electronic evidence right from the beginning.