R v Bykovets
2024 SCC 6
Supreme Court of Canada
Wagner, CJ; Karakatsanis, Côté, Rowe, Martin, Kasirer, Jamal, O’Bonsawin and Moreau SCJJ
March 21, 2024
Reported by Faith Wanjiku & Mercy Njeri
Download the Decision
Law of Treaty— Canadian Charter of Rights and Freedoms —legal rights- search and seizure — where the police were investigating fraudulent online transactions — where the police contacted a payment processing company to request internet protocol (“IP”) addresses associated with transactions — where the payment processing company voluntarily provided IP addresses to police and accused consequently arrested — whether reasonable expectation of privacy attached to IP address — whether the search method exposed core biographical information and was intrusive in relation to the privacy interest- whether request by state to third party for IP address constituted a search — Canadian Charter of Rights and Freedoms, section 8.
Constitutional Law — fundamental rights and freedoms-right to privacy - expectation of privacy - whether subjective expectation of privacy was objectively reasonable
Brief factsThe appellant was arrested following an investigation into fraudulent online purchases from a liquor store, and subsequently convicted of 14 offenses related to credit card fraud. During the investigation, the police contacted Moneris, a third-party payment processing company that managed the store’s online sales and obtained the Internet Protocol (IP) addresses used for the purchases. The police then obtained a production order compelling the Internet service provider (ISP) to disclose the name and address of the customer for each IP address, after which they used the subscriber information to seek and execute search warrants.
The appellant lodged the instant appeal with the Supreme Court challenging the request by the police to obtain IP addresses from the processing company, alleging it violated his right against unreasonable search and seizure guaranteed under section 8 of the Charter. He alleged that the trial court and the Court of Appeal erred by holding that the police’s request to Moneris, was not a search under section 8 of the Charter because the appellant did not have a reasonable expectation of privacy with respect to his IP address.
Issues
- Whether an IP address attracted reasonable expectation of privacy.
- Whether subjective expectation of privacy was objectively reasonable.
- Whether the arrest of the appellant and the subsequent searches, seizure and conviction violated his rights protected under section 8 of the Charter.
- Whether the search method exposed core biographical information and was intrusive in relation to the privacy interest.
- Whether a request by the state to a third party for an IP address constituted a search under section 8 of the Charter.
Relevant provisions of law
Canadian Charter of Rights and Freedoms Section 8 8. Search or Seizure Everyone has the right to be secure against unreasonable search or seizure. Held by majority:- An IP address itself attracted a reasonable expectation of privacy. An Internet Protocol address (IP address) was the key to unlocking a user’s internet activity and, ultimately, their identity, such that it attracted a reasonable expectation of privacy. The court considered an IP address to be the first digital breadcrumb that could lead the state on the trail of an individual’s Internet activity.
- To establish a breach of section 8 of theCanadian Charter of Rights and Freedoms (Charter), a claimant must first show that there was a search or seizure. A request by the state for an IP address constituted a search under section 8 of the Charter. Section 8 generally prevented police from seizing a computer without a warrant. The precise subscriber information sought from the third party provided a link between a specific individual and the particular online activity associated with an anonymous IP address. All of that constituted the subject matter of the search.
- IP addresses amounted to private information deserving of protection, even if recourse to third-party information was necessary. IP address was personal data relating to an identifiable person. It did not matter if a third party was needed to make the person identifiable: a user’s IP address was itself “personal data” because the IP address could reasonably tend to reveal the user’s identity — in that case, through information held by a private intermediary.
- There was a reasonable expectation of privacy in an IP address. Reasonable expectation of privacy was assessed normatively rather than simply descriptively. Privacy was not limited to identity, but included information which tended to reveal intimate details of the lifestyle and personal choices of the individual. An expectation of privacy was reasonable where the public’s interest in being left alone by the government outweighs the government’s interest in intruding on the individual’s privacy to advance its goals, notably those of law enforcement.
- The police were required to obtain prior judicial authorization before obtaining an IP address. Judicial oversight narrowed the state’s online reach and removed the decision to disclose information and how much to disclose from private corporations and returned it to the purview of the Charter. Access to IP addresses without judicial pre-authorization posed intense privacy risks. IP addresses connected internet activity to a specific location betraying an individual’s personal information including the identity of the device’s user, without ever triggering a Spencer (R v Spencer, 2014 SCC 43-there was a reasonable expectation of privacy in an Internet Service Provider’s subscriber information (which included the name, address and contact information attaching to an IP address) and that a request for subscriber information in that context amounted to a search) warrant requirement. Judicial oversight removed the decision to disclose highly personal information without the safeguards of judicial pre-authorization.
- Judicial pre-authorization considerably narrowed the state’s online reach and prevented it from acquiring the details of a user’s online life revealed by their IP address that were not relevant to the investigation. That significantly reduced the potential of any arbitrary and even discriminatory exercises of discretion that would empower the state to identify information about any internet user it pleased for any reason it saw fit. Judicial oversight would also remove the decision of whether to reveal information — and how much to reveal — from private corporations and return it to the purview of the Charter.
- Both society’s interest in effective law enforcement and its interest in protecting the informational privacy rights of all Canadians must be respected and balanced, the burden imposed on the state by recognizing a reasonable expectation of privacy in IP addresses was not onerous. Weighed against society’s legitimate interest in privacy was society’s legitimate interest in safety, security and the suppression of crime.
- A court must take a holistic view of the subject matter and must be especially careful in describing the subject matter of a search touching electronic data. The approach must not be mechanical, and it must reflect technological reality.
- The court reasoned that it was clearly arguable that such information was personal data because it individuated the individual, in the sense that they were singled out and distinguished from all others requiring that police obtain prior judicial authorization before obtaining an IP address was not an onerous investigative step, and it would not unduly interfere with law enforcement’s ability to deal with the crime. Where the IP address, or the subscriber information, was sufficiently linked to the commission of a crime, judicial authorization was readily available and added little to the information police must already provide for a Spencer production order.
- Courts must be especially careful in describing the subject matter of a search touching electronic data. The approach must not be mechanical, and it must reflect technological reality. With respect to whether a subjective expectation of privacy was objectively reasonable, courts must look to the totality of the circumstances.
- By concentrating the mass of information with private third parties and granting them the tools to aggregate and dissect that data, the internet had essentially altered the topography of privacy under the Charter. It had added a third party to the constitutional ecosystem, making the horizontal relationship between the individual and the state tripartite. Though third parties were not themselves subject to section 8, they mediate a relationship which was directly governed by the Charter, between the defendant and police. That shift has enhanced the state’s informational capacity.
- An expectation of privacy by considering many interrelated but often competing factors, which could be grouped together under four categories: a) the subject matter of the search;b) the claimant’s interest in the subject matter;c) the claimant’s subjective expectation of privacy; and d) whether the subjective expectation of privacy was objectively reasonable. In the case at bar, the parties agreed that the respondent had a direct interest in the IP addresses and a subjective expectation of privacy in their informational content.
- Recognizing that an IP address attracted section 8 protection would not thwart police investigations involving IP addresses; rather, it aimed to make sure police investigations better reflect what each reasonable Canadian expects from a privacy perspective and from a crime control perspective.
Per Wagner, CJ and Côté, Rowe and O’Bonsawin,SCJJ (dissenting opinion)
- An IP address, on its own, revealed only limited information. It did not reveal a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. Only when an IP address was combined with other information could it give rise to inferences about a user’s identity.
- The reasonable expectation of privacy test was fact-specific and contextual. Whether someone had a reasonable expectation of privacy depended on the totality of the circumstances of a particular case. The appellant lacked a reasonable expectation of privacy in the IP addresses in the circumstances of the case.
- B’s subjective expectation of privacy in the subject matter of the search was not objectively reasonable. The IP addressed at issue were not private and did not, on the facts of the case, revealed private information.
- Identifying the subject matter of the search was a key question in the totality of the circumstances analysis. To identify the subject matter of the search, the court must examine the connection between the police investigative technique and the privacy interest at stake. It must consider not only the nature of the precise information sought, but also the nature of the information that it revealed. The alleged search was not carried out at the appellant’s home, and its location did not enhance the objective reasonableness of his subjective expectation of privacy.
- The police did not need judicial authorization before asking the processor for the IP addresses in order to determine the internet service provider (ISP) associated with them. The police followed the teachings of Spencer to the letter. The increased need for those judicial authorizations could strain police and judicial resources in an already overburdened criminal justice system. Investigations would be slowed, more judicial officers would be required, and the administration of criminal justice as a whole would suffer.
- Such a holding would upset the careful balance that the court has struck between the interest of Canadians in actual privacy and the interest of Canadians in not hindering law enforcement.
Appeal allowed, new trial ordered; Wagner, CJ and Côté, Rowe and O’Bonsawin SCJJ, dissenting
Relevance to Kenyan jurisprudence
The decision emphasizes the importance of safeguarding informational privacy in the overwhelmingly digital age, recognizing the potential of IP addresses to disclose personal information when combined with other data. The decision also highlights the increasingly important role played by private sector organizations, and ISP in particular, in the context of such searches. While the Charter applies to state-individual relations, the court's findings should also be of interest to private organizations that hold personal information and to which law enforcement authorities may present certain access requests.
The Data Protection Act, Cap 411 C provides in section 2 that data includes information which is recorded as part of a relevant filing system.
Section 25 provides that every data controller or data processor shall ensure that personal data is—
(a) processed in accordance with the right to privacy of the data subject;
(e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
In Kenya, the case of Okiya Omtatah Okoiti v Communications Authority of Kenya and Others, Constitutional Petition No. 53 of 2017, the High Court reaffirmed the importance of the right to privacy by stating data protection is an aspect of safeguarding a person’s right to privacy. It provides for the legal protection of a person in instances where such a person’s personal particulars (information) are being processed by another person or institution (the data user). Processing of information generally refers to the collecting, storing, using and communicating of information. The processing of information by the data user/responsible party threatens the personality in two ways:
a) First, the compilation and distribution of personal information creates a direct threat to the individual’s privacy; and
(b) second, the acquisition and disclosure of false or misleading information may lead to an infringement of his identity.
On appeal, the Supreme Court in Petition No. 8 of 2020 ruled that installation of the DMS without adequate data protection measures violated the right to privacy. The decision underscored the importance of protecting personal data, including IP addresses, and set a precedent for how technological implementation must comply with privacy laws in Kenya. This is the same position that has been upheld in the above Supreme Court of Canada case.