Some great news on the privacy front, this time a decision handed down by the Supreme Court of Canada, as reported by Michael Geist:
This morning another voice entered the discussion and completely changed the debate. The Supreme Court of Canada issued its long-awaited R. v. Spencer decision, which examined the legality of voluntary warrantless disclosure of basic subscriber information to law enforcement. In a unanimous decision written by (Harper appointee) Justice Thomas Cromwell, the court issued a strong endorsement of Internet privacy, emphasizing the privacy importance of subscriber information, the right to anonymity, and the need for police to obtain a warrant for subscriber information except in exigent circumstances or under a reasonable law.
I discuss the implications below, but first some of the key findings. First, the Court recognizes that there is a privacy interest in subscriber information. While the government has consistently sought to downplay that interest, the court finds that the information is much more than a simple name and address, particular in the context of the Internet. As the court states:
the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. “Cookies” may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided. The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous – by guarding the link between the information and the identity of the person to whom it relates – the user can in large measure be assured that the activity remains private.
Given all of this information, the privacy interest is about much more than just name and address.
Second, the court expands our understanding of informational privacy, concluding that there three conceptually distinct issues: privacy as secrecy, privacy as control, and privacy as anonymity. It is anonymity that is particularly notable as the court recognizes its importance within the context of Internet usage. Given the importance of the information and the ability to link anonymous Internet activities with an identifiable person, a high level of informational privacy is at stake.
Third, not only is there a significant privacy interest, but there is also a reasonable expectation of privacy by the user. The court examines both PIPEDA and the Shaw terms of use (the ISP in this case) and concludes that PIPEDA must surely be understood within the context of protecting privacy (not opening the door to greater disclosures) and that the ISP agreement was confusing at best and may support the expectation of privacy. With those findings in mind:
in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.
Fourth, having concluded that obtaining subscriber information was a search with a reasonable expectation of privacy, the information was unconstitutionally obtained therefore led to an unlawful search. Addressing the impact of the PIPEDA voluntary disclosure clause, the court notes:
Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, I do not see how they could gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information.
Update, 7 July: A few weeks later, the US Supreme Court also made a strong pro-privacy ruling, this one mandating a warrant for police to search the contents of a cellphone.
Politico‘s Josh Gerstein has more on the ruling in in Riley v. California:
The Supreme Court’s blunt and unequivocal decision Wednesday giving Americans strong protection against arrest-related searches of their cell phones could also give a boost to lawsuits challenging the National Security Agency’s vast collection of phone call data.
Chief Justice John Roberts’s 28-page paean to digital privacy was like music to the ears of critics of the NSA’s metadata program, which sweeps up details on billions of calls and searches them for possible links to terrorist plots.
“This is a remarkably strong affirmation of privacy rights in a digital age,” said Marc Rotenberg of the Electronic Privacy Information Center. “The court found that digital data is different and that has constitutional significance, particularly in the realm of [the] Fourth Amendment…I think it also signals the end of the NSA program.”
Roberts’s opinion is replete with rhetoric warning about the privacy implications of access to data in individuals’ smart phones, including call logs, Web search records and location information. Many of the arguments parallel, or are virtually identical to, the ones privacy advocates have made about the dangers inherent in the NSA’s call metadata program.
