Saturday, March 02, 2024

How private is an IP address? R v Bykovets, 2024 SCC 6

How private is an IP address?


Is it like a fingerprint at the scene of a crime? Of itself it says nothing until matched with other information. No one has privacy rights in respect of fingerprints they may leave on things.


Or is an IP address as private as the information to which it is linked?


Whether there is privacy in an IP address is a difficult question. The strong dissent of four justices in R v Bykovets, 2024 SCC 6 demonstrates how vexed this is.


Wagner CJ, with Coté J (who delivered the joint dissenting judgment), Rowe and O’Bonsawin JJ made the fingerprint point at [154]. Their judgment focuses on the circumstances of the present case and recognises that on different facts a person might have a reasonable expectation of privacy [159]. Further, the Court’s jurisdiction is confined to questions of law arising from the facts as they are, not as they might be [161]-[162]. Consistent with this is the circumscribed role that interveners can have [163]. In essence, held the minority, the majority answer a question that was not asked [164]. Of most significance to the difference between the judges is the majority’s inclusion in the subject matter of the privacy question every step leading to the ultimate identification of the suspect notwithstanding that the IP address alone does not go that far [138].


Karakatsanis J delivered the majority judgment of herself and Martin, Kasirer, Jamal and Moreau JJ. For what an IP address does, see [4]. One asks, what were the police really after? An holistic approach must be taken in answering this [34]. The privacy interests are intense [60]-[70]. These outweigh the burden on the police of having to obtain search warrants [86].


Both judgments accepted that the approach is normative (see [120] for what this means). So the question is not determined by whether an individual has a low expectation of privacy (for example because of having a suspicious nature). Instead, the determination is about what expectation of privacy a person should have. The difference is in over what the judges considered was a reasonable expectation of privacy (for the dissenters, in the circumstances of this case [141]-[158], for the majority, generally [44]-[70]).


This was a case about credit card fraud. The minority saw no reasonable expectation of privacy as to IP address in that context. In what context might the minority have held that there was a reasonable expectation of privacy? The significant point here is that here the IP address did not reveal core biographical information [148], while on other facts it might. The important thing about the context seems to be, not the offence being investigated but the extent to which core biographical information is revealed.


The majority's teleological approach to the issue - addressing the purpose of the search - is consistent with the development of the common law in the interests of the community, whereas the minority's narrower perspective is a case law application of legislation to the facts of the instant case. The distinction between common law and case law (not a universally recognised distinction, but useful nevertheless) is illustrated here.