Think you have a right to privacy online? Think again, says Ontario court. -

Think you have a right to privacy online? Think again, says Ontario court.

Yes, it was about child pornography—but the implications for the rest of us are scary


Getty Images

If you expect privacy when you’re online, if you think you can anonymously use the Internet without the government finding out who you are and what you’ve accessed, then you’re being unreasonable. That’s what the Ontario Court of Appeals has said, making them the highest court in Canada to rule that privacy laws don’t protect Canadians’ names and addresses from warrantless requests by police.

The case in question, of course, involves child pornography. David Ward of Sudbury was convicted of possessing pornographic images and videos of children. Police found him after German authorities handed them an I.P. address linked to a Canadian Internet account, provided by Bell Sympatico. The cops took the I.P. number to Bell and told them it was a child porn case, and Bell handed over Ward’s name and address. With that, police were able to get a search warrant, which they used to seize Ward’s incriminating hard drive. The service agreement Ward had signed with Bell gave them the right to surrender his identity in the event of a criminal investigation, and, as we now know, no Canadian privacy law trumps that contract.

Why should we care? Locking up child porn users sounds like a good idea to most Canadians, and Ward’s case is unlikely to cause much of a stir. But that’s exactly why child porn cases are often used to set privacy-eroding precedents. Nobody wants to look like they don’t care about the suffering and exploitation of children, so it’s easy to ignore the larger implications of precedents set in the handling of pornography cases.

Which  this: police are now able to invade a person’s home and seize their property based on the fact that an I.P. address they rent is linked to a crime. An I.P. address is not a person. Often, a number of people under one roof use the same I.P. address. An I.P. address isn’t a fingerprint either. If a wi-fi connection is unprotected, anyone nearby can use it. I.P. spoofing allows users to hide their real I.P. addresses and use a fake one. If these fake addresses ever match a real one assigned to a third party, police investigations may incriminate innocent people.

It’s like getting a full body-cavity search because your cousin was spotted shoplifting. Or it’s like a SWAT team barging into your house and upturning your belonging because somebody robbed a bank with a “you” mask on. Actually, it’s worse than either of those things, because scrutinizing a hard drive can be far more invasive than scrutinizing a person’s body or belongings. It’s closer to forced mind-reading.

Am I overstating this? I hope so. Right now, we can hope that this erosion of privacy law will only be applied to cases in which the crime is atrocious and the suspect turns out to be guilty. But today’s legal precedents will be used to investigate tomorrow’s crimes, which will be committed using tomorrow’s technologies.

Criminals who know they are doing wrong online will grow ever-more capable of dancing around I.P.-based identification. The rest of us will grow ever more likely of turning up as “false-positives.”

Follow Jesse on Twitter @JesseBrown


Think you have a right to privacy online? Think again, says Ontario court.

  1. Which is exactly why they should have a judicial warrant in every case but those where life,immediate risk of flight or imminent evasion in some form is obvious to the reasonable person.Was that the case with this guy? Because a nearby store has been broken into at 6pm is no justification for the police cordoning off the entire block at 6.05 and searching every single household for stolen goods.

    • In fact it’s almost impossible for an ISP situation to occur where time would be of the essence in the way that you mention. The fact that police needed to go to the ISP in the first place to get the info will almost always mean there is enough time to go to the warrant judge as well!

  2. As much as I am against ISPs handing over information without a warrant (I would like them to adopt a policy of requiring one), once the police want to go to a house I am pretty sure they then need the warrant – I haven’t read this judgment but I would be amazed to learn it states otherwise. That it may be the wrong computer or be a proxy is something the issuing judge should certainly consider when deciding to grant a warrant to go to a house after IP addresses have been unfortunately handed out.

  3. Surely the question of whether one has a reasonable expectation of privacy in the use of an IP address rented from an ISP under terms of a contractual relationship – the issue seemingly addressed by the court here – is distinct from the question of whether an identity furnished by an ISP based on activity tied to an IP address should suffice to provide the probable cause necessary to obtain a search warrant – the issue Jesse highlights in this post. In other words, if John Doe rents a car from ACME Rent-a-Car, and that car is subsequently recovered from a crime-scene, it would seem perfectly reasonable for police to ask ACME for the identity of the person who had rented the car at the time; but it might not be reasonable for police, based solely on that identification, to ” invade a person’s home and seize their property” – or, put less dramatically, the identity alone might not create probable cause to believe that John Doe was using the car at the time of the crime. That’s especially the case where there’s reason to believe that any number of people might have been using the car – the way there’s more or less always reason to believe that any number of people might be using a given IP address at a given time. But to say that police shouldn’t be entitled even to *begin* to establish a definitive identity merely because the identity they receive at that first step might not be definitive, as Jesse seems to suggest, strikes me as unreasonable.

  4. “It’s like a SWAT team barging into your house and upturning your belongings because somebody robbed a bank with a ‘you’ mask on.”

    I respectfully disagree. I think it’s more like a SWAT team barging in because someone robbed a bank using a car that I rented. I’m not guilty of robbery just because my car was used to rob the bank, but I think it would be reasonable for the police to get my name from the rental company and use that to get a warrant to search my property. It’s reasonable to assume that if my property was involved in the crime, then I might be too.

    Obviously, the onus still has to be on the police to prove that I participated in the robbery before I’m convicted of any crime, the fact that my rented car was used certainly isn’t proof of my guilt. But if I don’t want the cops busting down my door with a warrant, I should take steps to prevent that car from being used in a crime, like keeping it locked and not giving the keys to strangers or to my bank-robbing cousin.

    Now I realize that securing an IP address is different than securing a car, and that in both cases, amateurs can breach poor security and experts can often breach even strong security. But I think that it’s reasonable to expect people to be responsible for their property, owned or rented. And getting searched because a crime was committed with property that I’m responsible for still seems reasonable to me.

  5. Well said David. As a general aside, I think we all sacrificed privacy the second we turn on our computers. There is zero security online. And people seem pretty eager to give away their locations, personal information etc over social media anyway. But then, don’t listen to me. I’ve always thought inhibiting police investigations in the name of ‘privacy’ was a lame- sauce excuse.

  6. Jesse, a careful reading of the decision would reveal that the police confirmed that there was no public network being used by Ward and that he was the only person using a computer in the home before the police got their warrant. The case doesn’t present the danger of other people using your IP address to commit crimes and then having your house searched the way you suggest.

  7. “Am I overstating this?”

    Uh, yes. A full cavity body search? A SWAT team upturning your house? Mind reading? I’d rather have my hard drive scanned than any of those things.

    Give me a break. The IP warrant is just the first step. It could easily lead to a Starbucks or MacDonalds. Quite useless.

    And almost all Internet providers voluntarily hand that information over without a warrant if they know the circumstances behind it. What we don’t need is the unfettered right for any authority to get that information without first disclosing why.

    Most porn criminals that are caught are not genuises using proxy servers and IP spoofing. They are small minded sickos use rudimentary tools to dodge detection.