A recent decision out of the Alberta Court of Queen's Bench in R v Bykovets, 2020 ABQB 70 ("Bykovets") raises questions regarding the privacy attributed to an Internet protocol address ("IP address").
While it seems intuitive that an IP address, due to its ability to connect individuals with specific online activity, could conceivably reveal a great deal of information about an individual's behavior on the Internet and would therefore be considered private and enjoy the protection of the law, the Court's ruling in Bykovets suggests otherwise.
The Calgary Police Service's Cybercrimes Investigation Team ("CPS") was investigating online purchases of several gift cards, as it was alleged that these purchases had been made with stolen credit card information. CPS contacted Federated Co-operatives Limited ("Co-op"), one of the businesses at which gift cards had been purchased. The goal was to obtain records relating to the purchases from Co-op, so that the individual responsible could be identified. Co-op in turn directed CPS to its payment processor, which disclosed the IP addresses associated with the fraudulent gift card purchases. CPS had not obtained any warrant or court order in support of its request for the IP addresses from the payment processor.
While CPS had the IP addresses associated with the fraudulent purchases, CPS could not, without more, connect the purchases to physical addresses or particular individuals. Using a free, publicly available online tool, CPS was able to determine the IP addresses obtained from Co-op's payment processor were assigned by Telus. Since Telus was responsible for assigning the IP addresses, CPS concluded the fraudster or fraudsters had accounts with Telus, and that Telus could thus connect the IP addresses with specific physical addresses and individuals. CPS obtained a production order for the subscriber information associated with the IP addresses, and presented it to Telus. Telus then disclosed that the IP addresses in question were associated with accounts held by a Mr. Andrei Bykovets and his father.
With this new information in hand, CPS obtained search warrants for the residences of Mr. Bykovets and his father. The searches were executed, and Mr. Bykovets was ultimately charged with 33 counts of various offences, generally related to the possession and use of third party credit cards and personal information, as well as firearms.
Mr. Bykovets took the position that when CPS took steps to obtain his and his father's IP addresses, it amounted to an illegal search that contravened his section 8 Charter right to be free from unreasonable search or seizure. To support this position, Mr. Bykovets was required to establish that he had a reasonable expectation of privacy in relation to the IP addresses. If such expectation existed, CPS' actions would have been a "search" within the meaning of the Charter. The Crown conceded that if there was a search, Mr. Bykovets' Charter right had been violated.
The Court focused on two main points in the course of its discussion of whether Mr. Bykovets had a reasonable expectation of privacy in relation to his and his father's IP addresses.
First, the Court considered IP addresses in general. The Court observed that IP addresses, on their own, do not reveal intimate details of the lifestyle and personal choices of the individuals associated with them. A distinction was drawn between IP addresses, and similar identifiers connected to mobile devices (e.g. IMSI and IMEI numbers). The difference, the Court said, was that in most cases the identity of the person using a mobile device subject to IMSI and IMEI monitoring is known to police when the monitoring begins. Further, the use of IMSI and IMEI monitoring can, over time, help authorities determine contacts and communication patterns, ascertain the subject's phone number, locate the subject's mobile device and identify digital activities such as web browsing. In short, merely observing IMSI and IMEI numbers can teach the observer a lot about a person using a mobile device. In contrast, merely observing an IP address cannot teach an observer much of anything. To learn anything of consequence, the IP address has to be connected to (a) the person associated with the IP address, and (b) a particular online behaviour. The former point is important because individuals do have a reasonable expectation of privacy in respect of their use of Internet services. Accordingly, judicial pre-authorization (i.e. a warrant) is required to compel Internet service providers to disclose subscriber information to facilitate the connection between IP addresses and individuals. A layer of judicial oversight thus already exists in respect of using IP addresses to identify people and what they do online.
Second, the Court considered the objective reasonableness of Mr. Bykovets' expectation his and his father's IP addresses would remain private. The Court again noted that knowledge of an IP address does not, without more, reveal any intimate details about the lifestyle and personal choices of an individual, and concluded it was not reasonable to expect IP addresses, which have no real biographical content in and of themselves, to be private.
An interesting aspect of the Court's decision in Bykovets, pointed out by the Court in its reasons, is that no submissions were made addressing statutory or contractual privacy frameworks applicable to the businesses involved, their customers and IP addresses. This is notable because the Office of the Privacy Commissioner of Canada ("OPC") has previously found that IP addresses may be personal information within the meaning of the term as used in the Personal Information Protection and Electronic Documents Act ("PIPEDA"). In the result, while it may be that Mr. Bykovets did not have a reasonable expectation of privacy in his IP addresses for Charter purposes in this case, it remains possible that his and his father's IP addresses were nevertheless his personal information, and that his privacy interests protected by PIPEDA (or substantially similar legislation) were violated when Co-op's payment processor disclosed the IP addresses to CPS. Relatedly, questions arise in respect of the particular contractual agreements that may have been in place between Co-op, its payment processor and Mr. Bykovets, and whether some provision in the documents governing those relationships may have compelled a different analysis.
The essential thread to take from Bykovets is that in some instances, individuals may not have a reasonable expectation of privacy in their IP addresses. However, that should not be confused for a general rule that applies in all circumstances, nor should it be taken to mean that businesses are entitled to disclose their customers' IP addresses whenever authorities request them. The privacy landscape in Canada is nuanced and heavily dependent on context, and few general rules exist. Compounding the difficulty is that the same rule may apply differently in different situations, leaving businesses guessing as to how to comply with the law and do right by their customers and clients.
The privacy experts at MLT Aikins have the practical experience to assist your business in all aspects of privacy planning and response. Whether you need assistance in drafting agreements that protect your customers' privacy interests, responding to requests to disclose personal information, or defending a privacy action, our privacy team is ready and able to assist.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.