The internet is our generation’s playground, our social hub. We go there to play and chat, learn and explore. We often assume that we’re safe there, that we can do what we want without consequence, that our activities are not being monitored. We rarely take time to consider the digital trail we leave behind. Even if internet companies collect our data for all sorts of reasons (or even generate their own through secret experiments), we assume that our data stops there and is identity-free. We believe that the internet is a bastion of privacy. Thankfully, the Supreme Court of Canada agrees.
On June 13, 2014, the Court released their decision in R v Spencer, upholding the general right to privacy on the internet. The case turned on whether a request by a police officer to an ISP for internet subscriber data constituted an unreasonable search, violating the defendant’s constitutional rights under section eight of the Charter. In the case, the police obtained the IP address of a computer that had been used to commit crimes. They then requested that the linked ISP provide them with the internet subscriber data in order to identify the owner. The police relied on the Personal Information Protection and Electronic Documents Act (PIPEDA) as grounds for having lawful authority for such requests and disclosure. Based on that information, they obtained a warrant to search the defendant’s home and seize his computer, on which incriminating evidence was found.
The defence argued that such evidence should be excluded at trial because the internet subscriber data was obtained by an unlawful search. The Court agreed. Justice Cromwell, author of the unanimous opinion, made clear the importance of informational privacy, and how the privacy interests of secrecy, control, and anonymity justify constitutional protection, regardless of whether it shelters legal or illegal activity. He writes:
In my view, in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search. (para 66)
Based on the Court’s reading of PIPEDA, the police lacked lawful authority to conduct such a search. Without exigent circumstances or a reasonable law, the searches and subsequent seizure of the defendant’s property were ruled unlawful. For more details, many great summaries, and the case itself, look online.
In general, the decision leaves us with the understanding that internet users can reasonably expect that their anonymously undertaken internet activities will remain confidential, and that their information will not be disclosed to police without a warrant.
It is important to note, however, that this reasonable expectation of privacy depends on the contractual agreement between Internet users and their ISPs, and the statutory framework of PIPEDA. Changes in privacy policy could see that expectation disappear. Due to consumer pressure, that is unlikely to happen. In fact, companies entrusted with our private data are increasing user security and privacy. For example, Apple’s latest operating system, iOS 8, has received a change in encryption that will keep Apple and the police from using your data—even if Apple receives a warrant, it will be unable to comply since the company itself is denied special access. It’s a service that other companies like Google and Facebook, reliant on our data for advertising revenue, cannot provide.
Perhaps ISPs, who (as far as we know) don’t make any special uses of our data, might follow suit. No doubt police demand for our data is there. Rogers, in its transparency report released this summer, stated that it received 174,917 requests in 2013 for customer information from government and law enforcement agencies. While 74,000 of these requests were court orders, approximately 100,000 did not include warrants. Rogers (predictably) failed to note how many of those warrantless requests it granted.
The Court’s decision does not rule potential collaboration between data-collecting third parties and legal authorities. ISPs and other internet companies may have a legitimate interest in preventing crimes and may disclose information to police on their own motion, but only if consistent with their disclosure procedures and the reasonable expectations of their users.
There are conceivable occasions in which protection could trump privacy when it comes to police access to information. ISPs, search engines, and social media may be able to alert relevant authorities when a crime is going to be committed or if someone is in danger. Algorithms are already being developed and employed to detect the possibility of suicide. On the other hand, the trove of information generated by internet users is valuable not just for money-making, but for predictive policing. How tempting is it to be able to engage in real time data collection and map probable criminal hotspots or monitor search terms to gauge if a murder is about to occur? If the laws were changed to explore this possibility, who’s to say the Supreme Court of Canada wouldn’t agree?