In R v. Bykovets[1], the Supreme Court of Canada, on a 5-4 majority, ruled that an IP address attracts a reasonable expectation of privacy. The ruling brings IP addresses under the protection of section 8 of the Charter of Rights and Freedoms, which protects against unreasonable search or seizure and requires police investigating crimes to get judicial authorization before requesting IP addresses from third parties.
Background
In 2017, police commenced an investigation into the online purchase of virtual gift cards using fraudulent credit card information. The police contacted the payment processor, which voluntarily provided them with the IP addresses associated with the purchases. Then, the police then obtained a court order requiring the internet service provider to disclose the subscriber information (i.e., name and address) associated with the IP addresses (aka a “Spencer” warrant). The police then executed search warrants for Mr. Bykovets at his residence and seized magnetic stripe card readers, government IDs of third-party individuals, fake immigration documents and firearms.
At trial, Mr. Bykovets argued that the police request of the payment processor for his IP address violated his section 8 Charter (Section 8) rights. The Alberta Court of Appeal upheld the conviction (2-1 majority), finding that an IP address did not provide any core biographical information about a person and therefore did not attract Charter protection as Mr. Bykovets could have no reasonable expectation of privacy in the IP address.
Majority decision
The main issue on appeal was whether or not the initial police request for the IP address amounted to a “search.” For a search to have occurred, the police would have had to have violated a reasonable expectation of privacy.
The majority disagreed with the narrow description used by the trial judge and the Court of Appeal to define the subject matter of the alleged search, i.e., police were not after the IP address of the appellant but were after the information an IP address reveals about the user. The Court found that an IP address is a powerful tool that allows the state, with or without a warrant, to collect information about a user’s internet activity and draw direct inferences about the user behind the specific internet activity. Online activity associated with the IP address may betray highly personal information without the safeguards of judicial pre-authorization. Thus, the subject matter of this alleged search is an IP address which is a key to obtaining more information about a particular internet user and, eventually, their identity, not just the IP address itself.
The police’s specific intention to restrict the use of information in a particular case is irrelevant to a Section 8 analysis. The “reasonable expectation of privacy” analysis revolves around the potential of a particular subject matter to reveal an individual’s biographical core to the state, not whether the IP addresses reveal information about the appellant on these facts. This was a key distinction between the majority and dissenting opinions. The Crown argued that an IP address is useless without a Spencer warrant. The majority disagreed because an IP address may provide deeply personal information, even before police try to link the IP address to the user’s identity.
The majority’s analysis focused on the private nature of the subject matter of the search. The activity associated with the IP address can be deeply revealing even before any attempt to determine identity. In Bykovvets’ case, the information was related to the purchases done through payment processor. These purchases broadcast a wealth of personal information capable of revealing personal and core biographical information about the purchaser from restaurants they visit, places they go, hobbies, and health supplements they may take. According to the majority, an IP address can set the state on the trail of anonymous internet activity that leads directly to a user’s identity. If a user accesses their social media profile or email account containing information from which the user’s identity is inferred, the identity is only a short inference away. IP addresses are the first “digital breadcrumbs” on the user’s digital trail. As a result, this potential to reveal personal or biographical core information is enough to trigger Section 8 protection. If the information is not protected, it is freely available to the state without the protection of the Charter, whether it relates to investigating a particular crime.
The ubiquity of the internet means that courts must increasingly consider “how different data sets in combination with other data sets affect privacy rights.” The specific activity associated with the IP address by the search can be correlated with other online activity associated with that IP address. Without the protection of Section 8, nothing prevents the state from pre-emptively collecting IP addresses and comparing the IP address against their own database.
The majority was also concerned with the role of technology companies and how the data they collect impacts the relationship between an individual and the state. The Court noted that the internet has allowed third parties to amass huge amounts of data, altering the topography of privacy under the Charter. These third parties have altered the constitutional ecosystem between the state and the individual as they are not subject to Section 8, but they “mediate a relationship which is directly governed by the Charter – that between the defendant and police.” Technological developments permit government actors to expand their surveillance powers significantly by tapping into detailed information collected by the private sector.
The majority rejected the argument that requiring the police to obtain judicial authorization before obtaining an IP address was an onerous investigative step. The majority held that where the IP address is sufficiently linked to the commission of a crime, judicial authorization is readily available and adds little to the information police must already provide for a Spencer production order. The burden imposed on the state by recognizing a reasonable expectation of privacy in IP addresses pales compared to the substantial privacy concerns. Judicial pre-authorization considerably narrows the state’s online reach and prevents it from acquiring the details of a user’s online life revealed by their IP address that are irrelevant to the investigation. Most importantly, judicial oversight removes the decision to disclose information and how much to disclose from private corporations and returns it to the purview of the Charter. Thus, IP addresses should attract a reasonable expectation of privacy.
Dissenting opinion
The dissenting opinion, written by Justice Côté, acknowledged that IP addresses “are not sought for their own sake” but are “sought for the information they reveal.” However, the evidentiary record in this case established that an IP address, on its own, reveals only limited information. The dissent found that the IP addresses did not attract a reasonable expectation of privacy because they were nothing more than IP addresses. The dissent therefore considered that the Spencer warrant requirements offered sufficient protection.
Key takeaways for business
The Court recognizes the ability of the internet to connect information as a factor in its analysis. As a result, the IP address could not be viewed in isolation and as such could reveal much about an individual when combined (or potentially combined) with other information. As a result, IP addresses attract a reasonable expectation of privacy under Section 8.
It is not unusual for organizations to receive requests from law enforcement about an individual’s online activities. Organizations should reconsider their position on providing such information to law enforcement in light of this case. It is likely that the rationale of the majority will eventually be extended to private actors, and law enforcement requests for an item of information (the “breadcrumb”) may be tainted because of the potential for it to reveal further rich information about an individual. This will be particularly applicable to social media, online retailers, and connected vehicles.
It is important to note is that this is a case about state overreach. Section 8 of the Charter generally applies only to state action (here, the police). However, the logic of the majority – that an isolated piece of information may have the potential to unlock information about the biographical core of a person – is likely to find its way into private disputes and guidance from privacy regulators. This suggests that IP addresses – and possibly other digital “breadcrumbs” – are now personal information under privacy laws. Previous guidance and findings from privacy regulators had considered only that IP addresses could be personal information, if the context (e.g., associated information) so warranted. Companies handling such breadcrumb information (in other words, information that in isolation they had determined not be to personal information) as if it were outside privacy laws may need to rethink their approach.
Finally, this approach begs the question of whether there is much merit in the privacy protections offered by de-identifying personal information. However, if de-identified information is a “breadcrumb,” this case suggests that de-identification may not matter in terms of how such information should be treated – in other words, de-identified information falls within the regulatory perimeter of privacy legislation. The proposed new federal privacy law, the CPPA contemplates a range of activities which may be permissibly performed if the information is first de-identified, and these provisions (if they survive further Parliamentary scrutiny) may need to be revisited in light of this case.
For more information on this topic, please contact the authors, Kirsten Thompson, Brandon Barnes Trickett and Laurie Livingstone.
Special thanks to articling student Birpal Benipal for his assistance with this article.
[1] 2024 SCC 6.
