Canadian judge: No warrant needed to see ISP logs

[Boeman]

Where you've been on Net not private, judge rules

Child-Porn Case

Shannon Kari, National Post Published: Friday, February 13, 2009

An Ontario Superior Court ruling could allow police to routinely use Internet protocol addresses to find out the names of people online, without any need for a search warrant.

Justice Lynne Leitch found that there is "no reasonable expectation of privacy" in subscriber information kept by Internet service providers, in a decision issued this week.

The decision is binding on lower courts in Ontario, and it is the first time a Superior Court level judge in Canada has ruled on whether there are privacy rights in this information that are protected by the Charter.

The ruling is a significant victory for police investigating such crimes as possession of child pornography, while privacy advocates warn there are broad implications even for law-abiding Internet users.

"There is no confidentiality left on the Internet if this ruling stands," said James Stribopoulos, a law professor.

Judge Leitch made the ruling in a possession of child pornography case in southwestern Ontario.

A police officer in St. Thomas faxed a letter to Bell Canada in 2007 seeking subscriber information for an IP address of an Internet user allegedly accessing child pornography. The court heard that it was a "standard letter" that had been previously drafted by Bell and the officer "filled in the blanks" with a request that stated it was part of a child sexual exploitation investigation.

Bell provided the information without asking for a search warrant. The name of the subscriber was the wife of the man who was eventually charged with "possession of child pornography" and "making available child pornography."

Most ISPs in the country require search warrants to turn over subscriber information unless it is a child pornography investigation.

Ron Ellis, the lawyer for the defendant, stressed to the judge that there was no allegation of attempted luring, or of a child in immediate danger. The "making available" charge stems from peer-to-peer Web sites that permit the downloading of images from other users.

Mr. Ellis argued that police should have been required to seek a search warrant to obtain the subscriber information.

Judge Leitch accepted the arguments of Crown attorney Elizabeth Maguire that the information is similar to what is in a phone book.

"One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state," Judge Leitch said.

The reasoning of the judge misses the context of what police are seeking, suggested Mr. Stribopoulos, who teaches at Osgoode Hall Law School in Toronto.

"It is not just your name, it is your whole Internet surfing history. Up until now, there was privacy. An IP address is not your name, it is a 10-digit number. A lot more people would be apprehensive if they knew their name was being left everywhere they went," he said.

This information should require police to obtain a search warrant if there is suspected criminal activity, Mr. Stribopoulos said. Judges are accepting the argument that this is "just your name" because "everyone wants to get at the child abusers," he said.

The federal Personal Information Protection Electronics Documents Act permits ISPs to provide this information to someone with "lawful authority," which Judge Leitch interpreted as meaning a police officer and not requiring a court-ordered warrant.

There is an irony that exemptions in federal privacy legislation have been used to increase police powers and potentially reduce privacy rights, Mr. Stribopoulos said.

The trial of the defendant in St. Thomas will resume this spring. Mr. Ellis declined yesterday to comment about the ruling because the case is ongoing.

As an Ontario resident, the alarms bells went off in a rising crescendo after reading the above article.

Law enforcement officials have long since had the tools and ability to procure information from Internet service providers. However, doing so without any preconditions from the courts conjures some frightful scenarios that I, as a citizen, am none too happy to see come to fruition.

Given that IP addresses are identifiers associated with the history of one’s online activity, would it be fair to say that then, that allowing state authorities (or those who claim to be such) to request your ISP’s logs without due process is tantamount to physically searching your home to uncover what you’ve watched, written and read without a warrant?

I have no problems whatsoever in the prosecution of traffickers that distribute child pornography. But at what point should the line be drawn when freedoms and rights to online privacy are encroached upon in the crusade to suppress cyber criminals?

Will demands be made for similar provisions from say, the recording and software industries to initiate their own autonomous probes to see who has received files with names that may resemble one of their products?

Who oversees and holds accountable the police when they undertake an investigation to audit one’s browsing history? Is there anything to stop rogue officials from abusing such mechanisms within the judicial framework for their own benefit? I have no doubt it will happen, particularly by those who mask themselves as law enforcement personnel.

What precautions, if any, will law enforcement take to ensure criminals are correctly identified beyond just reviewing server logs? Will old granny be busted with child porn because her wireless router was hacked by her neighbour who downloaded said content?

Digital files are notoriously persistent as ISPs can retain logs for several years. Should conduct which was previously legal and then rendered criminal leave you subject to prosecution due to suspicious activity found in a 10-year old log?

A very dangerous precedent has been set here, I think.

[Tero]

This one's for the conspiracy buffs.

First there is a global demand for ISP's to retain logs for a prolonged period of time, then this. A definitive trend is emerging and it is global.

Over here in Finland there is now a debate over what is called Lex Nokia. If passed this law will grant companies without any legal proceedings leave to investigate email ID information. The law is worded so that it would grant ANY organization this leave, be it a bussiness, university, public library or a housing co-operative.