R. v. Bykovets, 2022 ABCA 2082024 SCC 6 (40269)

“During an investigation into fraudulent online purchases from a liquor store, police contacted the third-party processing company that managed the store’s online sales and obtained the IP addresses used for the purchases. Police then obtained a production order compelling the Internet service provider (“ISP”) to disclose the name and address of the customer for each IP address. Police used this subscriber information to seek and execute search warrants. B was arrested.

B challenged the request by police to obtain the IP addresses from the processing company, alleging it violated his right against unreasonable search and seizure under s. 8 of the Charter. The trial judge held that the police’s request to the processing company was not a search under s. 8 of the Charter because B did not have a reasonable expectation of privacy in his IP address; therefore, B’s s. 8 right was not engaged. B was convicted of 14 offences related to the fraudulent online purchases. The majority of the Court of Appeal agreed that B had no reasonable expectation of privacy in his IP addresses and dismissed B’s conviction appeal. The dissenting judge would have allowed the appeal, on the basis that a reasonable expectation of privacy attached to the IP addresses.”

The SCC (5:4) allowed the appeal; ordered a new trial. 

Justice Karakatsanis wrote as follows (at paras. 3-13, 47, 60-70, 76-77, 86, 88-89, 91):

“This appeal asks whether an IP address itself attracts a reasonable expectation of privacy. The answer must be yes.

An IP address is a unique identification number. IP addresses identify Internet-connected activity and enable the transfer of information from one source to another. They are necessary to access the Internet. An IP address identifies the source of every online activity and connects that activity (through a modem) to a specific location. And an Internet Service Provider (ISP) keeps track of the subscriber information that attaches to each IP address.

But because IP addresses consist of numbers that can usually be changed by an ISP without notice, the Crown submits — and the majority of the Court of Appeal agreed — that an IP address does not attract a reasonable expectation of privacy. Here, the Crown contends that police were after no more than the collection of numbers that would ultimately allow them to obtain the production order contemplated by Spencer. Thus, the Crown reasons, the state did not infringe on the appellant’s right to privacy because Spencer sufficiently protected his personal information.

I respectfully disagree. This analysis runs counter to this Court’s jurisprudence under s. 8 of the Charter. We have never approached privacy piecemeal, based on police’s stated intention to use the information they gather in only one way. The right against unreasonable search and seizure, like all Charter rights, must receive a broad and purposive interpretation, reflective of its constitutional source. Since Hunter v. Southam Inc., [1984] 2 S.C.R. 145, we have held that s. 8 seeks to prevent breaches of privacy, rather than to condemn or condone breaches based on the state’s ultimate use of that information. Privacy, once breached, cannot be restored.

To that end, our Court has applied a normative standard to reasonable expectations of privacy. We have defined s. 8 in terms of what privacy should be — in a free, democratic, and open society — balancing the individual’s right to be left alone against the community’s insistence on protection. This normative standard demands we take a broad, functional approach to the subject matter of the search and that we focus on its potential to reveal personal or biographical core information (R. v. Marakah, 2017 SCC 59, [2017] 2 S.C.R. 608, at para. 32).

Informational privacy is particularly critical — and particularly challenging. Our jurisprudence recognizes that computers are unique and present privacy risks that differ from s. 8’s traditional objects. Thus, this Court has determined that s. 8 generally prevents police from seizing a computer without a warrant — even though the device itself provides no information without judicial permission to search its contents — because seizing the computer gives the state the means through which to access its content (R. v. Reeves, 2018 SCC 56, [2018] 3 S.C.R. 531, at para. 34).

Casting the subject matter of this search as an abstract string of numbers used solely to obtain a Spencer warrant goes against these precedents. IP addresses are not just meaningless numbers. Rather, as the link that connects Internet activity to a specific location, IP addresses may betray deeply personal information — including the identity of the device’s user — without ever triggering a warrant requirement. The specific online activity associated with the state’s search can itself tend to reveal highly private information. Correlated with other online information associated with that IP address, such as that volunteered by private companies or otherwise collected by the state, an IP address can reveal a range of highly personal online activity. And when associated with the profiles created and maintained by private third parties, the privacy risks associated with IP addresses rise exponentially. The information collected, aggregated and analyzed by these third parties lets them catalogue our most intimate biographical information. Viewed normatively and in context, an IP address is the first digital breadcrumb that can lead the state on the trail of an individual’s Internet activity. It may betray personal information long before a Spencer warrant is sought.

And the Internet has concentrated this mass of information with private third parties operating beyond the Charter’s reach. In this way, the Internet has fundamentally altered the topography of informational privacy under the Charter by introducing third-party mediators between the individual and the state — mediators that are not themselves subject to the Charter. Private corporations respond to frequent requests by law enforcement and can volunteer all activity associated with the requested IP address. Private corporate citizens can volunteer granular profiles of an individual user’s Internet activity over days, weeks, or months without ever coming under the aegis of the Charter. This information can strike at the heart of a user’s biographical core and can ultimately be linked back to a user’s identity, with or without a Spencer warrant. It is a deeply intrusive invasion of privacy.

Weighed against society’s legitimate interest in privacy is society’s legitimate interest in “[s]afety, security and the suppression of crime” (R. v. Tessling, 2004 SCC 67, [2004] 3 S.C.R. 432, at para. 17). While the right to be left alone must keep pace with technological developments, the way in which crime is committed and investigated also evolves. Easy access to the Internet and user anonymity combine to facilitate the commission of crime and challenge effective law enforcement. Clearly, the particularly insidious nature of much online crime, including child pornography and luring, presents serious and pressing social harm. Police must have the tools to investigate these crimes. And when an IP address (or subscriber information) is clearly linked to a crime — as it obviously can be for child pornography or luring — prior judicial authorization is readily available. A production order for an IP address would require little additional information to what police must already provide for a Spencer warrant. Both society’s interest in effective law enforcement and its interest in protecting the informational privacy rights of all Canadians must be respected and balanced.

On balance, the burden imposed on the state by recognizing a reasonable expectation of privacy in IP addresses is not onerous. This recognition adds another step to criminal investigations by requiring that the state show grounds to intrude on privacy online. But in the age of telewarrants, this hurdle is easily overcome where the police seek the IP address in the investigation of a criminal offence. Section 8 protection would let police pursue the Internet activity related to their law enforcement goals while barring them from freely seeking the IP address associated with online activity not related to the investigation. Judicial oversight would also remove the decision of whether to reveal information — and how much to reveal — from private corporations and return it to the purview of the Charter.

As a crucial component inherent in the structure of the Internet, an IP address is the key that can lead the state through the maze of a user’s Internet activity and is the link through which intermediaries can volunteer that user’s information to the state. Thus, s. 8 ought to protect IP addresses. Doing so would safeguard the first “digital breadcrumb” and shroud the trail of an Internet user’s journey through cyberspace; it would further s. 8’s purpose of preventing potential infringements of privacy rather than circumscribe its scope according to the state’s stated intentions about how it will use this key.



Our approach is distinct from that of the United States, where the so‑called “third-party doctrine” negates a reasonable expectation of privacy “if information is possessed or known by third parties” (T. Panneck, “Incognito Mode Is in the Constitution” (2019), 104 Minn. L. Rev. 511, at p. 520, quoting D. J. Solove, “A Taxonomy of Privacy” (2006), 154 U. Pa. L. Rev. 477, at p. 528). This Court rejected the American approach at an early stage of our s. 8 jurisprudence (R. v. Dyment, [1988] 2 S.C.R. 417, at pp. 429-30, per La Forest J.).


 

The Crown suggests that an IP address is useless without a Spencer warrant. Respectfully, I cannot agree. First, as the link that connects specific Internet activity to a specific location, an IP address may betray deeply personal information, even before police try to link the address to the user’s identity. Second, activity associated with the IP address can be correlated with other online activity associated with that address available to the state — with particularly concerning consequences when coupled with access to third‑party‑held information. Finally, an IP address can set the state on a trail of Internet activity that leads directly to a user’s identity, even without a Spencer warrant. The instances when an IP address may betray biographical core information are not all captured by Spencer. In light of these three points, which I elaborate below, access to IP addresses without judicial pre-authorization poses intense privacy risks, and IP addresses attract a reasonable expectation of privacy.

First, the activity associated with the IP address can itself be deeply revealing, even before any attempt to determine identity. Here, the activity was a series of financial transactions through an online intermediary, Moneris. Linked to financial intermediaries like Moneris or PayPal, an IP address can reveal all of a user’s transactions on that intermediary over the period the IP address was assigned to them. For example, Moneris associated five different online transactions with these IP addresses (voir dire reasons, at paras. 7-8).

These purchases may “broadcas[t] a wealth of personal information capable of revealing personal and core biographical information about the [purchaser]” (Marakah, at para. 33), from the restaurants they frequent, the destinations they visit, the hobbies they enjoy, to the health supplements they use. Internet users may even have “an acute privacy interest in the fact of their electronic [purchases]”, especially as our marketplaces rapidly migrate online (para. 33 (emphasis in original)).

Other online activities can reveal information that goes directly to a user’s biographical core. Websites offering dating services or adult pornography can give the state a depiction of the user’s sexual preferences. An Internet user’s history on medical, political, or other similar online chatrooms can reveal their health concerns or political views. If an IP address is not protected, this information is freely available to the state without the protection of the Charter whether or not it relates to the investigation of a particular crime.

Second, the specific activity associated to the IP address by the search can be correlated with other online activity associated to that IP address.

Without the protection of s. 8, nothing prevents the state from pre‑emptively collecting IP addresses and comparing that user’s IP address against their database. Further, and significantly, the scope of information that an IP address can reveal is enormous if correlated against information held by a third party. Cases suggest that third parties provide this information without being asked. For example, in State v. Simmons, 190 Vt. 141 (2011), the police, after identifying a suspect, contacted MySpace, a social media site, and requested that they share the IP addresses that had accessed his MySpace profile (para. 3). MySpace provided records showing not just the IP addresses themselves, but also every time each IP address had logged into Simmons’ MySpace account — including that one IP address had logged into the account “more than 100 times over the course of a week” (para. 3).

As the expert explained, third-party websites can track the external IP address of each user who visits their site. Some websites, like Google, also collect massive amounts of other information such as YouTube history, Google searches, and location history. This information can be of an extremely personal nature.

A great deal of online activity is performed anonymously (Spencer, at para. 48; Ward, at para. 75). People behave differently online than they do in person (Ramelson, at para. 5). “Some online locations, like search engines, allow people to explore notions that they would be loath to air in public; others, like some forms of social media, allow users to dissimulate behind veneers of their choosing” (para. 46). We would not want the social media profiles we linger on to become the knowledge of the state. Nor would we want the intimately private version of ourselves revealed by the collection of key terms we have recently entered into a search engine to spill over into the offline world. Those who use the Internet should be entitled to expect that the state does not access this information without a proper constitutional basis.

Finally, link by link, an IP address can set the state on a trail of anonymous Internet activity that leads directly to a user’s identity. The expert uses the example of an IP address that logs onto a particular social media profile or email account containing information from which the user’s identity can be inferred, such as their name. From there, the user’s identity is but a short inference away. It is not an answer to say — as Crown counsel does — that a Spencer warrant is required if the IP address is sought in relation to information that can unveil the identity of the Internet user. It cannot be left to police or private companies to determine whether the information provided on the website will (perhaps in combination with other information) assist in identifying the source of the activity, the identity of the user or otherwise compromise privacy interests.

Thus, to say that a Spencer warrant protects against the privacy concerns raised by IP addresses is simply not supported by modern technological realities. IP addresses play a crucial role in the inherent structure of the Internet. They are the means by which Internet-connected devices both send and receive data. As such, they are the key to unlocking an Internet user’s online activity — the first “digital breadcrumbs” on the user’s cybernetic trail (Jones, at para. 42, citing S. Magotiaux, “Out of Sync: Section 8 and Technological Advancement in Supreme Court Jurisprudence” (2015), 71 S.C.L.R. (2d) 501, at p. 502). Those breadcrumbs may establish an Internet user’s entire daily, weekly, or even monthly online activity, leading to an electronic roadmap of the user’s cybernetic peregrinations (Morelli, at para. 3). Like the computer in Reeves, an IP address provides the state with the means that can lead them to a trove of personal information.

Consequently, an IP address may betray an intensely private array of information, touching directly on the intimate details of the lifestyle and personal choices of an individual user (Marakah, at para. 32; Spencer, at para. 27).


 

The Internet has not only allowed private corporations to track their users, but also to build profiles of their users filled with information the users never knew they were revealing. “Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns” (Spencer, at para. 46). Commentators have even suggested that companies can use the data they collect to infer “what you are going to purchase, the kind of person you are going to get into a relationship with, whether you will be good at a new job, how long you will stay at that job, and whether you’ll get sick” (H. Matsumi, “Predictions and Privacy: Should There Be Rules About Using Personal Data to Forecast the Future?” (2017), 48 Cumb. L. Rev. 149, at p. 149).

This is far from speculation. Indeed, it is common knowledge that the largest social media companies in the world use IP addresses to, for example, personalize the advertisements their users see, identify their users’ preferences, and infer even more information about their users, such as their age, their gender, and their interests. When it comes to tracking users on the Internet, to paraphrase science fiction novelist William Gibson, “[t]he future is already here” (P. Kennedy, “William Gibson’s Future Is Now”, The New York Times, January 13, 2012 (online)).




On balance, the burden imposed on the state by recognizing a reasonable expectation of privacy in IP addresses pales compared to the substantial privacy concerns implicated in this case. Law enforcement will need to demonstrate enough grounds to intrude on an individual’s privacy but, in the age of telewarrants and around-the-clock access to justices of the peace, this burden is not onerous. Police engaging in legitimate investigatory activities can readily establish the requisite constitutional grounds. Recognizing that an IP address attracts s. 8 protection will not thwart police investigations involving IP addresses; rather, it aims to make sure police investigations better reflect what each reasonable Canadian expects from a privacy perspective and from a crime control perspective.


 

Judicial oversight in respect of an IP address is the way to accomplish s. 8’s goal of preventing infringements on privacy. Since Hunter, we have held that s. 8 seeks to prevent breaches of privacy, not to condemn or condone breaches after the fact based on the state’s use of that information. Privacy, once breached, cannot be restored. Finally, judicial oversight removes the decision to disclose information — and how much to disclose — from private corporations and returns it to the purview of the Charter. The increase in state power occasioned by the Internet is thus offset by a broad, purposive approach to s. 8 that meets our “new social, political and historical realities” (Hunter, at p. 155). To leave it to the private sector to decide whether to provide police with information that may betray our most intimate selves strikes an unacceptable blow to s. 8. To leave the protection of the Charter to the next intended step in the investigation is insufficient. As I have explained, the next step might be too late.



…Extending s. 8’s reach to IP addresses protects the first “digital breadcrumb” and therefore obscures the trail of an Internet user’s journey through the cyberspace.”