Ontario Court Wrong About IP Addresses, Too 258
Frequent Slashdot contributor Bennett Haselton comments on a breaking news story out of the Canadian courts:
"An Ontario Superior Court Justice has ruled that Canadian police can obtain the identities of Internet users without a warrant, writing that there is 'no reasonable expectation of privacy' for a user's online identity, and drawing the analogy that 'One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state.' But why in the world is it valid to compare an IP address with a street address in the phone book?"
Read on for Bennett's analysis.
Last October I wrote about a the Virginia Supreme court's ruling that forged IP addresses in spam headers were constitutionally protected, because they were necessary to protect anonymous speech. I said that misconstrued facts about IP addresses for two main reasons: (a) there are protocols for secure anonymous speech on the Internet, so it's not true that forged IP addresses are "necessary"; (b) forging your IP in mail headers doesn't actually hide the sender's real IP anyway. Now an Ontario Superior Court Justice has ruled that IP addresses are no more private than "[o]ne's name and address or the name and address of your spouse", suggesting another instance where a court may not have realized the implications of how IP addresses work.
In the current case, Canadian police had determined the IP address of a user allegedly accessing child pornography, and faxed the ISP a request for the user's identifying information, which the ISP provided, without a warrant. The defendant had argued that the evidence should be in admissible because the police should have been required to obtain a warrant first, but Justice Lynne Leitch rejected that argument, drawing an analogy to the public listings in a phone book and writing, "One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state."
Even if the court had ruled that the evidence were inadmissible, that doesn't mean the police couldn't have caught this defendant if they'd followed the warrant procedure from the beginning — if the police had evidence that the user was accessing child pornography, presumably they could have gotten a warrant if they'd asked for one. So excluding this evidence probably would have only set a precedent that defendants would occasionally get off because of procedural screw-ups (similar to police forgetting to read a defendant his Miranda rights), not that huge numbers of child pornographers would have now been able to evade police, because the police could usually get a warrant in cases where they had evidence against them. What is troubling is the analogy that the court drew between IP addresses and "one's name and address".
Unlike the statements made by the Virginia Supreme Court, this may not be a case of getting technical facts wrong about IP addresses, but logical errors in the analogy, namely: (a) concluding that two things are similar when they are perceived differently, when perceptions are what the case is about, and (b) not following the premise through to its logical conclusion, which would be absurd, showing the premise is wrong in the first place.
Consider that the court drew the analogy to name and address information that can be found in the phone book, and wrote, "One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state." But then why would one draw any link between that, and information about the user's identity behind their IP address? The only similarity is that both pieces of information are "information about someone". But if you're trying to determine whether a user has a "reasonable expectation of privacy" for their identity online, the whole point is that it's not like a street address in the phone book — users do expect that their identity cannot be discovered by someone who knows their IP address, at least not without subpoenaing their ISP. When asking whether users have a "reasonable expectation of privacy" for a given type of information, if you parse that sentence literally, there are only two questions: (1) Do users have an expectation of privacy for that information, and (2) Is it reasonable? To determine if users have an expectation of privacy for something, you just ask them: Do you? You don't need to draw analogies to anything else — either users expect privacy (because of the analogies or the reasoning going on their own heads) or they don't. The remaining question is whether their expectation is reasonable, and it seems absurd to say that a user's expectation of privacy for their identity online (at least until a court issues a warrant) is "unreasonable".
Suppose a security company were to discover an exploit in Internet Explorer that could reveal your real name (as entered in your personal computer's Control Panel settings at setup time) to any Web site that you visited. This would be big news and would warrant Microsoft issuing a critical patch to fix the problem — because users expect that this information should not be available to a remote Web site, even though the Web site that they're visiting can of course see their IP address. And most would agree that this is a "reasonable" expectation.
On the other hand, try following the judges' ruling through to the end — if information about the user's real identity behind their IP address is not considered private, than what is? Justice Leitch stated that an address in the phone book and an IP address are both "biographical information" and hence that the analogy was proper. But by the same logic, virtually any fact that a company has on file about you would constitute "biographical information" just by virtue of the tautology that it's a fact about you, and so this would become meaningless as a standard by which to determine what facts should be kept secret from police without a warrant.
This line of argument raises two larger issues. First, this will have already provoked the ire of people with legally training, who are asking, "Who are you to disagree with a Superior Court Justice? Did you go to law school? Did you clerk with a judge?" The proper response to this is: If you're invoking your credentials to support a statement, then if I were to randomly poll 10 people with the same credentials, would at least 8 of them agree with you? If the answer to that question is No, then there's no point in bringing up credentials, because there is no strong majority of people with those credentials who agree on any particular to answer to that question, so it cannot be true that a strong majority agree on the "correct" answer to the question. The story about this case quotes Professor James Stribopoulos at the Osgoode Hall Law School in Toronto, as disagreeing with the judges' conclusion, for example: "It is not just your name, it is your whole Internet surfing history. Up until now, there was privacy. An IP address is not your name, it is a 10-digit number. A lot more people would be apprehensive if they knew their name was being left everywhere they went." If credentialed users are randomly divided on what the answer is, then that cannot be used as a guide to what the rest of us laypeople should think, because how do we know which group to side with? We have to rely on generic reasoning — looking for logical mis-steps in a judge's argument, or looking for premises that would be absurd if they were carried to their logical conclusion. If you're going to tell me that my reasoning is wrong, then mentioning a degree in mathematics or the hard sciences is just as relevant, if not more so, than mentioning a law degree — but in either case the logical argument should be evaluated on its merits, regardless of a person's "credentials". People who do well on those Martin Gardner brainteasers should be encouraged to take part in these debates.
Second, there is the question of whether such logical errors (if you accept the premise that the court made a logical error in drawing an analogy between IP addresses and street addresses in the phone book) could be avoided if the courts took a different approach to answering these questions. In the October article about the Virginia Supreme Court's ruling on IP addresses, I suggested that a judge could have avoided the technical mis-statement in the ruling if they had just convened some Internet technology experts in their courtroom and said, "Here's my reasoning so far. Is any part of it wrong on the technical facts? I'm not promising to change my mind in response to anyone's objections. But just tell me if you think some part of it is wrong." A large number of people e-mailed me objections that all boiled down to, "That's not how judges do things", or suggesting that I didn't know that because I'd ventured outside my own area of expertise.
Hello! I know that's not how judges do things, that was my point: that they might avoid certain types of errors if they did try it. On the other hand, just because a particular practice by a judge might have avoided one type of error, that doesn't mean it's a good idea. If the judge had tested their theory about IP addresses and street addresses by posting it on a message board somewhere and asking for feedback, that might have helped to avoid the particular mis-statements that they made about IP addresses in that case, but would that be a good idea generally? Almost certainly not — because users responding to the judge's request for help would not be under oath, so they'd be free to try and confuse the issue with lies to support whatever outcome they wanted for the case. That would be bad enough if it were a one-time case where a judge solicited feedback for their reasoning on a message board. If it became a regular practice by judges, and people knew in advance that judges were likely to solicit public feedback on their arguments before making their rulings official, then all parties with an agenda would have misinformation campaigns gearing up in advance to fool judges whenever possible.
That's why I suggested that you'd have the best of both worlds if the judges presented their argument first to experts in court, who were testifying under oath. This would present a opportunity for experts to spot any factual errors or what they consider to be logical mis-steps that the judge can then take into consideration. At the same time, because the experts are testifying under oath, they can't lie outright to try and trick the judge into basing their ruling on wrong information. (Of course, this depends on the court system's willingness to prosecute experts and other witnesses if they lie under oath. If the courts don't bother, then there's not much point in swearing in the experts before they testify anyway.)
So: an interesting counterargument would be: What is an example of a problem (a situation where a judge could be led to the wrong conclusion, or where a third party would have new incentives to spread false information) that would be created by judges running their opinions past experts who are assembled in their courtroom, that does not already exist under the current system? I can't immediately think of any, but some more imaginative people might be able to. I don't think it would be valid to say, for example, that this creates an incentive for biased experts to try and mislead the judge without technically lying — because biased experts in court already try and mislead the judge anyway, even without a "final round" where the judge asks what they think. But that's the form that an interesting argument would take. Not "I went to law school and that's not how we do stuff."
Meanwhile, regular users can use Tor and similar programs if they want their anonymity to be securely protected online. Tor can securely protect your identity from anyone, with or without a warrant. At least 8 out of 10 computer experts would agree; otherwise I wouldn't say that.
tl; dr (Score:3, Interesting)
Better analogy: Receipt number (Score:5, Interesting)
A better analogy is: If police find a repair receipt with an order number, can the police go to the shop and ask for the name of the customer?
A receipt number is neither public nor private, it is merely obscure. Can a business owner not voluntarily give information to the police? If the business has a privacy contract with the customer, a violation is a contract law issue between the customer and the business, and not a constitutional issue.
If the business won't voluntarily provide the information, the police can use a search warrant to search the business. But that is a situation between the business and the police, not the customer. And if the business voluntarily gives the information the police haven't conducted a search.
Isn't it based on commuity expectations? (Score:3, Interesting)
It strikes me that "reasonable expectation" would mean, "reasonable by those in the community in question".
Was this judge a regular Internet user? If not, is his opinion about what's a "reasonable expectation" relevant, or should he poll, for example, 1000 high-school and college kids regarding whether or not they expect their IP#'s to be tied back to them as people?
C A N A D A -- is different from the US ! (Score:4, Interesting)
Canadian Courts and police operate differently from the US. The individuals are generally more professional and competant, and less ambitious for higher office.
A Canadian court might will find (and even presume) police are acting reasonably, so evidence is admissible.
Exactly how is a Reverse IP lookup is different from using a Criss-Cross telephone directory?
Chill!
Re:Justice is blind (Score:5, Interesting)
Justice is blind, and even more so when technological cases are heard in an anglo-saxon setting, where customary law (precedents) is king.
I think you're mixing a number of references, there. Justice is blind is a reference to the notion that justice ought to be objective, a concept going back to (at least) the Babylons. I don't think objective (versus subjective) reasoning in any takes away from "justice", which seems to be what you are implying.
"Customary law (precedents)" is presumably a reference to stare decisis [wikipedia.org], a concept of binding precedents which dates back to the Normans invading Britain around the 1100's I believe. Stare decisis generally occurs only when a "higher" Court (i.e. an appellate level Court) makes a decision. The lower Courts are bound to the decision of higher Courts, subject to law and fact that distinguishes the case at hand from the case of the higher Court. Courts of the same level are generally not bound (though it is generally considered polite not to change the law the same Court had previously made - case made law is in principle, after all, not creating law, but illuminating an already-existing truth).
In terms of facts, though, appellate Courts generally defer to the Court of first instance (i.e. the trier of fact, or trial court), because the judge at the first instance will have heard the facts from experts first-hand. However, there is generally a discretion in appellate Courts to overturn rulings of the Court of first instance on the basis that the trier of fact made errors that were incorrect, unreasonable or patently unreasonable (depending on the nature of the appeal and the Court in question).
In the Ontario case in question, I haven't read the reasons of Justice Leitch, but if she took "judicial notice" of the analogy between an IP and an address (i.e. no experts were called), a higher Court may alter that. However, if an expert posited that analogy, then it is very unlikely that the decision will be overturned by a higher Court (i.e. the Ontario Court of Appeal). In both scenarios, it's possible that subsequent decisions would be made on different facts, and this wayward analogy would be debunked.
Mod parent up!!! (Score:5, Interesting)
This guy has it right, along with the reverse lookup comment for a phone number there was no violation of criminal law or established procedures for enforcement with what was done. Now, the ISP may have violated their privacy agreement, but privacy agreements usually contain verbiage that denies privacy if you are suspected of a crime, depending on the nature of information being divulged.
Data that was traveling over the wire to and from the IP address was not obtained and would require a warrant to view, but simple subscriber information will-9 times out of 10-be given to law enforcement upon request. Now, if that information was somehow "unlisted at the user's request", like an unlisted phone number, then a warrant would be needed to obtain the information. I do not know of an ISP that provides "unlisted" Internet service.
Re:Is it valid to compare an IP to address book? (Score:3, Interesting)
I recognize your point that an IP address is not always fixed to one user or machine, but I think the analogy works for this situation. If the police found a phone number logged on a caller ID near the scene of a crime, I would expect them to request the owner's name from the phone company. The same goes for an IP address discovered. I would expect them to follow the evidence. Now if the police attempted to prosecute using this IP evidence, then all of your other arguments apply.
The question before the judge was "can we solicit this information without a warrant" not "does this evidence support our case". From the summary it appears that the police used this evidence, to request other warrants, to collect information from the suspect's computer. This is raises much tougher legal issues that I do not feel qualified to debate.
Re:Is it valid to compare an IP to address book? (Score:3, Interesting)
Yes, but not to provide a way to look up a number and find the owner (reverse lookup). This is a relatively recent innovation and one that I doubt people considered twenty years ago when allowing their numbers to be listed. In other words, twenty years ago, people had a reasonable expecation that their number would not give away their identity even if they were listed in the phone book
Re:Public Information? (Score:1, Interesting)
How does this make it public information that can be published?
The court's decision does not state that it's public information that can be published, just that the police can request it without a warrant -- the same way they would contact your credit card company to find out what name is assigned to a credit card number they've encountered in their investigation.
Your analogy is spot on. It just doesn't lead to the conclusion you thought it did.
A fundamental misperception about warrants (Score:3, Interesting)
If the witness proves uncooperative, then the police need a warrant (which only permits them to search whether the subject wants to submit or not). There are very few situations where the police need to get a warrant even though someone wants to tell them something. But that's not what happened here. The police asked the ISP to tell them which subscriber had IP 127.0.0.1, and the ISP chose to disclose the information. Perhaps the response from the ISP should have been "I'm sorry, I need to see a warrant" -- but that doesn't mean it gets excluded from the trial. Sometimes it does, sometimes it doesn't.
There is also Supreme Court precedent (which I sadly could not locate) which says that "envelope information" can be obtained from a service provider without a warrant, but the content of any message requires a warrant to obtain from the provider. Envelope information is date, time, from whom, and to where. In this case, the IP address is more properly classified as "envelope data". The Supreme Court said that there is a reasonable expectation of privacy in the communication itself, but that one must necessarily disclose that you are making the communication to the provider, so that the provider can connect you. (I personally disagree with this analysis, but it is controlling law.)