No Reasonable Expectation of Privacy in an IP Address
In a split decision, Alberta Court of Appeal finds that police do not have to seek judicial authorization to obtain IP addresses in order to further an investigation
In R. v. Bykovets, police were investigating a fraud in which the fraudsters had purchased online liquor gift cards using stolen credit card information. The payments had been processed through a third party service, and when an investigating officer requested information about the purchasers from the third party, that company sent the officer two IP addresses. Using public sources the police were able to determine that the IP addresses were registered to TELUS, and obtained a production order requiring TELUS to provide subscriber information. The information produced by TELUS linked the IP addresses to the appellant and his father, at their home addresses. The police obtained search warrants for the two residences and eventually seized evidence linking the appellant to the fraud. At trial the appellant had argued that s. 8 of the Charter had been breached because the police officer had not obtained judicial authorization before obtaining the IP addresses initially. The trial judge had not acceded to this argument, holding that the appellant did not have a reasonable expectation of privacy in the IP addresses.
This latter question was the main issue confronted by the Court of Appeal: does the target of a police investigation have a reasonable expectation of privacy in an IP address used by them, such that s. 8 of the Charter is engaged and police are required to obtain judicial authorization before obtaining the IP address? Interestingly, this question produced a split decision from the Court of Appeal. Both the majority and dissenting judgments agreed that the analytical starting point was the Supreme Court of Canada’s 2014 decision in R. v. Spencer, in which the Court held that people have a reasonable expectation of privacy in their subscriber information that is attached to IP addresses which have been assigned to them, because this data can reveal to the police “core biographical information.” The disagreement in this case turned on differing views on what the police “were actually trying to obtain” in seeking the IP addresses. Writing in dissent, Justice Veldhuis accepted the appellant’s broader argument that the privacy invasion here was analogous to the one dealt with in Spencer:
 …Police officers asking third parties for IP addresses associated with particular internet activity is, in essence, no different from police asking Internet Service Providers (ISPs) to provide the subscriber information associated with a particular IP address. Both investigative techniques are aimed at gathering information to ascertain the identity of an internet user and allow the police to gather further information to draw inferences about the intimate details of the lifestyle and personal choices of the internet user.
 The trial judge distinguished this case from R v Jennings, 2018 ABQB 296, and in my view, it was an error to do so. In Jennings, the police deployed a mobile device identifier (MDI) on numerous occasions which gathered third-party cellular phone information numbers (IMEI and IMSI). The Crown alleged, much like it does here, that IMEI and IMSI are just numbers and do not constitute or contain intimate details, core biographical information or reveal personal choices. However, the trial judge accepted the defence position that had the numbers been linked to Jennings, the police would be able to use that information in repeated applications of the MDI to build a profile that would reveal patterns of communication, contacts, and other biographical data about Jennings.
 The trial judge in Jennings recognized, at paragraph 37, the quintessential problem with the Crown’s position and applying a narrow scope to characterizing information that acts as a trace associated with a particular individual’s electronic activities: at what point in the iterative process of police gathering electronic information do they need to seek a warrant to ensure that there is a warrant at the point the numbers are associated with a particular person? She held that the point is at the beginning, and I agree.
However, the majority judges held that this view stretched the Spencer analysis too far:
 In Spencer, police obtained, without judicial authorization, the IP address and its subscriber data. Thus, without a court order, the police believed the following: Matthew Spencer was using the internet to download child pornography at a specifically named address. By contrast, the police here obtained, without judicial authorization, only IP addresses. Based on this abstract information, police believed a person who committed fraud used the IP addresses. They did not know who. They only knew the IP addresses belonged to TELUS and they ascertained this information through a publicly available internet lookup site. To get the name and address of the subscriber, they lawfully served TELUS with a production order. Thus, without a court order, they believed only this: an unknown person using a known IP address was committing fraud from an unknown address.
 We also note the difference in mobile phone searches. In situations involving mobile phone data, there is clearly a reasonable expectation of privacy in international mobile subscriber identity (“IMSI”) and international mobile equipment identity (“IMEI”) numbers that the police obtained with a mobile device identifier (“MDI”) or cellular-site simulator (“CSS”). In those cases, the subject or identity of the target is generally known when the MDI or CSS technology is used. More importantly, in those situations, over time the police can glean “significant personal information” from the IMSI and IMEI numbers such as drawing inferences about a target’s cell usage and web browsing.
 The appellant has analogized an IP address to a house address. In our view, the analogy is not appropriate.
 An IP address does not tell police where the IP address is being used or, for that matter, who is using it. Nor is there a publicly available resource from which the police can learn this or other subscriber data. To get the core biographical information such as an address, name, and phone number of the user, the police must obtain and serve a production order on the ISP in accordance with Spencer. That is what the police did here.
 An IP address is an abstract number that reveals none of the core biographical information the issuer of that IP address attaches to it. Standing alone, it reveals nothing. An IP address does not reveal intimate details of a person’s lifestyle nor does it, without more, disclose core biographical information, nor communicate confidential information. An IP address can tell the police something about a person only if they get subscriber information. But the police can only get subscriber information if they comply with Spencer and obtain a production order.
The trial judge had correctly found that the IP addresses, by themselves, revealed no private information, and therefore no reasonable expectation of privacy had arisen.
While at the time of writing there was no indication of a defence appeal to the Supreme Court of Canada, one is available because of a dissent on a point of law at the Court of Appeal. It will be interesting to see if the Supreme Court wishes to examine this issue, given that (as revealed in the decision) there seems to be some division of opinion on whether an IP address attracts a reasonable expectation of privacy.