- Mr. Ward’s “Unreasonable” Expectation of Privacy towards Data Held by his ISP
- November 13, 2012 | Author: Chloé Fleurant
- Law Firm: McCarthy Tétrault LLP - Montreal Office
Is the anonymity of the Internet user unconditionally protected by the Canadian Charter of Rights and Freedoms’ legal strongbox? In R. v. Ward, 2012 ONCA 660, the Court of Appeal for Ontario determined that it is not always the case and that there are limits to an Internet users’ reasonable expectation of privacy.
In this case, Mr. Ward’s expectation of privacy in his name and address held by his Internet Service Provider (ISP) was considered “unreasonable” in the context of an investigation for crimes of possession and trafficking of child pornography.
The RCMP’s Information Request
The police, in the course of investigating child pornography crimes on the Internet, sometimes request and receive the names and addresses of customers from ISPs. These requests typically follow a protocol developed by the police and ISPs, and are made without seeking prior judicial authorization.
Here, the RCMP made such a request to Ward’s ISP. More specifically, the police asked the ISP for the name and address of the customer associated with specific IP addresses that were used at specific times, on specific dates. Ward’s ISP chose to cooperate. The information provided by the ISP, combined with other information gathered during the investigation, enabled the RCMP to obtain a search warrant for Ward’s residence and computer. That search yielded over 30,000 images and 373 videos of child pornography.
Conviction by Trial Judge
The trial judge of the Court of Justice of Ontario determined that the police obtained information from Ward’s ISP without violating his right to be secure against unreasonable search or seizure, as enshrined in section 8 of the Canadian Charter of Rights and Freedom (Charter). The trial judge thus admitted the evidence and Ward was convicted.
Measuring the Reasonable Expectation of Privacy
In order to decide whether Ward’s constitutional right to be secure against unreasonable search or seizure was violated, the Court of Appeal had to determine if he had a reasonable expectation of privacy in respect of his subscriber information held by his ISP by considering the “totality of the circumstances”.
More specifically, the Court examined three questions:
“What was the subject matter of the impugned state conduct, that is, what were the police after when they asked Bell for the subscriber information?”;
“Did Mr. Ward have a subjective expectation that he could act with anonymity, at least with regard to the state, in his Internet activity?”; and
“If so, was that expectation objectively reasonable?”
The Court’s answered these questions as follows:
1. What was the Subject Matter of the State’s Conduct?
The Court determined that the police were after information that might identify Ward, not merely as a subscriber of his ISP, but as a person who had potentially engaged in illegal activities on three specific occasions on the Internet.
2. Did Ward have a Subjective Expectation that he Could Act with Anonymity?
It was demonstrated that Ward had a subjective expectation of privacy in respect of his subscriber information as he did not reveal his identity when accessing the Internet and because he “used temporary anonymous e-mail addresses suggesting a clear intention to conceal his identity even further”.
3. Was Ward’s Expectation Objectively Reasonable?
Ward’s expectation of privacy was found not to be objectively reasonable because:
a) A reasonable and informed person would have taken into account his ISP’s legitimate interests in voluntarily disclosing subscriber information to the police, assuming that it did not violate any laws or the terms of its customer agreement with Ward. In fact, the ISP had a legitimate interest in preventing the criminal misuse of its services.
b) A reasonable and informed person would have expected that the privacy of his subscriber information would be circumscribed by his ISP’s discretion to disclose it to the police where it was reasonable to do so and where it was compliant with applicable federal legislation such as the Personal Information Protection Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA).
In this case, the RCMP’s request was formulated in accordance with section 7(3)(c.1)(ii) of PIPEDA. Although nothing in the terms of PIPEDA empowers the state to interfere with an individual’s right under section 8 of the Charter, it is relevant to the constitutional analysis “to the extent that they speak to the existence and scope of a reasonable expectation of privacy in respect of information in the hands of an organization operating under the auspices of PIPEDA.”
c) The RCMP’s request for information was narrow. It was limited to Ward’s name and address and could not, in and of itself, reveal to the police anything about the subscriber’s computer activity before or after the three connections associated with the specific IP addresses targeted by the request. In other words, by providing this information, the ISP “would not be telling the police anything about [Ward]’s Internet activities at any time other than three times identified in the request.”
d) The request referred specifically to the investigation of a serious offence, that of child exploitation pursuant to the Criminal Code, perpetrated over the Internet, a powerful tool which allows anonymity. Furthermore, the ISP’s service, which is to provide Ward with Internet access, was the central component in the police investigation. This context would make it reasonable to anticipate that the ISP would cooperate with the RCMP’s request for subscriber information.
e) The terms of the service agreement between Ward and his ISP, and documents related to that service agreement, addressed both the ISP’s commitment to maintaining the confidentiality of client information and its willingness to disclose this information to law enforcement authorities in connection with criminal investigations involving allegations of the criminal misuse of its services. This reinforces the Court’s view that a “reasonable and informed person would not expect that society should recognize that the appellant had a reasonable expectation of privacy in the circumstances”
This judgment should be viewed with caution, in that it does not stand for the proposition that disclosure of customer information by an ISP will never be considered a breach of the customer’s reasonable expectation of privacy.
In fact, the Court not only emphasizes the fundamental importance of personal privacy but also highlights that, in every case, all factual circumstances have to be weighed before determining if one’s expectation of privacy is reasonable. Interestingly, the Court cites examples in which the expectation of privacy could be considered as reasonable:
“If, for example, the ISP disclosed more detailed information, or made the disclosure in relation to an investigation of an offence in which the service was not directly implicated, the reasonable expectation of privacy analysis might yield a different result. Similarly, if there was evidence that the police, armed with the subscriber’s name and address, could actually form a detailed picture of the subscriber’s Internet usage, a court might well find that the subscriber had a reasonable expectation of privacy. Those cases will be considered using the totality of the circumstances analysis when and if they arise.”
This decision reminds ISPs of the importance of including provisions regarding privacy and disclosure of personal information in exceptional situations in their customer agreements.