Canadian law enforcement historically obtained subscriber information without a warrant by requesting the information from ISPs, who conveniently believed that federal privacy laws entitled them to voluntarily disclose the information. In a June 2014 decision, the Supreme Court of Canada ruled on a case in which the police obtained subscriber information from an ISP and subsequently used the information to obtain a warrant to search the subscriber’s home. The court held that police asking an ISP for the subscriber information associated with an IP address constituted a search, and that doing so without a court order was unconstitutional.
Paulson drew an analogy between accessing Internet subscriber data and running a licence plate. There are similarities. It makes perfect sense for an officer engaged in a legitimate traffic stop to run a licence plate and make further database enquiries about the owner of the vehicle. However, accessing this same information when there is no legitimate reason to do so raises serious privacy concerns. Inappropriate use of licence plate information has traditionally been a problem for law enforcement agencies; some police forces regularly audit licence plate queries by employees.
There are obvious differences. Licence plates are issued by governments and are a legal requirement to drive on public roads. IP addresses, on the other hand, are assigned by an ISP as part of a private business relationship to which federal privacy laws apply. They also have the potential to reveal much more personal information, as articulated by the court:
“The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals, may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure. In this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized in other circumstances as engaging significant privacy interests.”
Protecting children from abuse is obviously a high priority. However, crying “it’s for the children” is a common political distraction technique. Former Minister of Public Safety Vic Toews, defending proposed lawful access legislation, told a political opponent in 2012 that he could “either stand with us or with the child pornographers.”
This dialog is not about protecting children; it is about the right of Canadians to be secure against unreasonable searches. Paulson would have us believe that the ability to obtain personal information without judicial oversight is critical to protecting Canadians. It isn’t.
In reality, if police have evidence indicating that an IP address is associated with criminal activity, they should have no difficulty obtaining a warrant. The real impact of last year’s ruling is that obtaining personal information without evidence of an offence has become much more difficult.
Paulson’s suggestion to provide police with administrative access to Internet subscriber name and address information essentially asks Canadians to waive a constitutionally protected right. That is a slippery slope. If a warrant is not required to obtain a name and address, how about for emails, web searches, and other activity? Law enforcement might find it inconvenient at times to obtain a warrant, but the privacy rights of Canadians are worth protecting. Judicial oversight is critical to protecting these rights and ensuring that searches remain reasonable.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org