No Reasonable Expectation of Privacy in IP Address
In controversial ruling, Alberta court distinguishes Spencer, holds police do not require warrant for IP address
In R. v. Bykovets, Justice L. Bernette Ho of the Alberta Court of Queens Bench presided over an application by the defence in a criminal case for exclusion of evidence, specifically two IP addresses which were alleged to have been used in fraudulent transactions. The accused was charged with 33 counts relating to use and possession of third parties’ credit cards (and also firearms). As part of the investigation, a police officer requested that an ISP (Moneris) send “purchaser information” regarding several suspicious online purchases, and the ISP responded by providing the IP addresses for the purchases which were shown in their logs. No warrant was obtained. The accused brought an application for a declaration that his s. 8 rights under the Charter had been breached. An uncontested defence expert report indicated that an IP address could be used to track individual users, even without access to the subscriber information linked to that IP address which was held by an ISP. The Crown conceded that this was the ultimate investigational goal of the approach to the ISP.
Justice Ho began by speaking to the developing jurisprudence on point:
The question of where to draw the line between an individual’s privacy interests and concerns about safety, security, and suppression of crime is difficult to answer in this digital age, where computers and electronic devices play a significant role in people’s work and personal lives. The Court must continue to strive to understand how technology is being used by authorities and citizens in considering evolving societal expectations regarding privacy.
Here the accused argued that the court should take a broad view of what the “subject matter of the search” was for the purposes of the s. 8 analysis, and hold that what was being sought by the police was the ability to identify a person from the IP addresses that had been provided. The defence noted that, as per the Supreme Court’s decision in R. v. Marakah, the question should be determined “functionally.” His argument drew analogies to case law where accused persons had been found to have a reasonable expectation of privacy in international mobile subscriber identity (“IMSI”) and international mobile equipment identity (“IMEI”) numbers obtained through the use of a mobile device identifier (“MDI”). However, Justice Ho distinguished these cases and held that the “subject matter of the search” did not functionally include the identity of the user, stating:
 In this case, however, the evidence establishes that the nature of the information obtained, or what may be inferred from the information, provides less information, and less personal information, about a particular individual. [The defence expert’s] evidence was that even without having access to ISP-held subscriber information, one may still take steps to determine the identity of an individual accessing the internet. [The defence expert] clarified that this is predicated on the assumption that the “individual seeking to learn the identity of a particular internet user, is able to access the information logged by the third party company’s website”. He also indicated that one could “attempt to determine the identity of an individual using their service by examining the internet activity of that user on their site”. He does not state that identity may be ascertained with certainty. Therefore, there are important limitations in [the defence expert’s] evidence regarding the extent to which an IP address may be used to reveal an individual’s identity. I find that the nature, quantity and quality of personal information gleaned from an IP address is limited.
 I also note that while the Primary Investigator agreed that an IP address is a valuable investigative tool, she testified that you still need to know where to look and who to ask to track someone by their IP address alone. Thus, the Primary Investigator and [the defence expert] are aligned in their view that there are limitations to the extent an IP address alone may be used to identify a particular individual. Based on this, I conclude there is a significant difference between the nature of the information or what may be inferred when the police obtain an IP address.
 In the end, I must define the subject matter of the search functionally and consider the question, “what are the police really after?” I conclude that the subject matter of the search was, as the Primary Investigator testified, the IP addresses which she sought for the purpose of being able to further the investigation. She knew that with the IP addresses, she would be able to take the next investigative step which was to access an open source, described by Mr. Musters as an “IP lookup website”, to find out which ISP had control over those IP addresses. But the IP addresses, on their own, did not provide a link to, or provide any other information about, a street address or a person. The IP addresses were used by the CPS to subsequently seek subscriber information from the ISP, which was done by obtaining judicial pre-authorization.
As both of the IP addresses were ultimately linked to the accused’s home address, the court accepted that he had an interest in them and assumed for analytical purposes that he had a subjective expectation of privacy in them. In determining whether the expectation of privacy was reasonable, Justice Ho held that, first, the location of the search (not being the accused’s home, but rather the IP office) was a neutral factor. In perhaps the most interesting finding, she did not consider the IP addresses to be “private” in nature:
Although the police might be able to use an IP address to take steps to determine the identity of an individual accessing the internet, the police would first need to know what third-party website to access, and then gain access to such third-party website in order to attempt to identify a specific user. Therefore, as a collection of numbers, an IP address does not disclose the “biographical core of personal information”, nor does it communicate information about a particular claimant without more: Plant at 293. An IP address does not, in itself, reveal intimate details of a claimant’s lifestyle.
Justice Ho held, based on the expert evidence, that users do not necessarily have control over their IP addresses because these can be changed “at will” by the ISPs. They are not typically accessible to the public, and were not in public view or abandoned. This was “a factor for consideration.”
In the end, Justice Ho ruled that there was no reasonable expectation of privacy in an IP address. Her analysis is worth setting out here:
 …In reaching this conclusion, I am heavily influenced by the analysis regarding the subject matter of the search. In my view, an IP address in itself does not reveal information about a subscriber that should be protected in a free and democratic society. While I acknowledge that the police might be able to obtain information about a user’s identity, there are significant limitations on this. Obtaining an IP address is an important investigative step for police, but privacy interests are not triggered by mere police investigation. The Courts must continually ask the question, “what are the police really after?”, including where electronic devices, technology and digital information are concerned. There must continue to be a balancing of interests in determining the scope of section 8 of the Charter.
 Based on Spencer, police must seek judicial authorization prior to requesting subscriber information from an ISP. The Court in Spencer was particularly concerned about linking internet activity to a particular user, which cannot easily be done with an IP address alone. While Mr. Musters’ evidence indicated that one could take steps to ascertain an individual’s identity with an IP address, this position was predicated on the assumption that an investigator could gain access to a third-party website. I question why an investigator would do that when they are able to access a public resource listing IP addresses to identify an ISP. The investigator can then seek judicial authorization before obtaining specific subscriber information from that ISP.
 In my view, the balance that is achieved by the ruling in Spencer remains appropriate. I see little to be gained from a normative perspective, requiring the police to seek judicial authorization earlier in the investigation process, particularly since an IP address may not reveal much information to police at all. Fundamentally, defence counsel asks me to find a reasonable expectation of privacy in any IP address used by an individual, not just his or her own. But accepting defence counsel’s position could lead to a strange result in different contexts.
 Consider, for example, a scenario where an individual uses a public computer to engage in a fraudulent online transaction. Does that individual have a reasonable expectation of privacy in an IP address in those circumstances? In such a case, the IP address alone would reveal even less from a personal information perspective, and would presumably be less helpful from an investigatory perspective. I conclude that finding a reasonable expectation of privacy in an IP address would not advance the protection of privacy interests expected in a free and democratic society.