no privacy right in identity linked to ip address

The Ontario Court of Appeal released its decision in R v. Ward earlier today. The case involved the conviction of a worthless low-life pedophile by the name of David Ward.

The police were able to find him due, in part, by tracking down his IP address and asking his ISP to provide the identity of the customer using the IP address at the time. His ISP did so voluntarily, even though the police did not have a search warrant. The appeal focused on whether or not he had been subject to unreasonable search and seizure, in violation of the the Charter of Rights, and whether or not he had a reasonable expectation of privacy.

The Court of Appeal’s decision concluded that the disclosure of this information by the ISP to the police did not violate his Charter  rights nor was there, nor should there have been, a reasonable expectation of privacy.

While my personal sentiments in respect of Mr. Ward would be that I could care less if he rotted in a jail cell for the rest of his days, the ends, as they say, do not always justify the means. And if the law is to be applied equally to everyone, I do believe there are some rather disconcerting implications regarding the conclusions in this case, notwithstanding the court’s attempt to put a ring fence around its application.

No time for the detailed analysis right now but it will be forthcoming. In the meantime, I encourage you to read the case – what do you think?

the gizmodo/jason chen/search warrant debacle

There have been many views expressed on both the propriety of Gizmodo breaking the story on the next-gen iPhone as well as the subsequent search warrant executed by the police against Jason Chen, the Gizmodo reporter that broke the story. Needless to say, each side has its supporters. A good summary with links to contrasting views can be found on GigaOm.

I won’t rehash all the arguments either for or against the execution of the warrant or its validity – you can check out the link above for all of that. The only thing I did want to point out was the possibility that a previous, somewhat similar case, may perhaps have prompted the criminal investigation leading to the search warrant. O’Grady v. The Superior Court of Santa Clara County (pdf) was a case in 2006 that also involved Apple. Apple was seeking civil subpoenas to certain websites that published information that it claimed to be trade secrets, in order to discover the source of the disclosures. The publishers moved for a protective order, which was denied at trial. However, the protective order was granted on appeal.

Though there were various bases on which the court found in favour of the websites, the one that seems relevant to the Chen search warrant relates to the California reporter’s shield – the same California legislation cited by the chief operating officer of Gizmodo as making the search illegal. In short, the appeal court in O’Grady found that “any subpoenas seeking unpublished information from petitioners would be unenforceable through contempt proceedings in light of the California reporter’s shield (Cal. Const., art. I, § 2, subd (b); Evid. Code, § 1070)”.

More importantly, the appeal court had this to say about what was alleged by Apple to be criminal activity and reviewing the lower courts findings on same:

The court found petitioners’ assertion of a constitutional privilege “overstated” because “[r]eporters and their sources do not have a license to violate criminal laws such as Penal Code [section] 499c [(§ 499c)].” 8 The court assumed petitioners to be journalists, but wrote that “this is not the equivalent of a free pass” and that they could still be compelled to reveal information relating to a crime. The court repeatedly alluded to the supposed presence of criminal or larcenous conduct. The court also faulted petitioners for failing to establish “what public interest was served” by the publications in question. While acknowledging evidence that thousands of people were interested in the information in question, the court opined that “an interested public is not the same as the public interest.” The court implied that the publications in question were not “ ‘protected speech.’”

Though the appeal court didn’t dwell much further on the relevance of the alleged criminal acts to the California reporter’s shield in the body of the decision, the foonote to the excerpt above is rather informative:

8 Section 499c criminalizes the misappropriation or attempted misappropriation of trade secrets under specified circumstances. Although Apple alluded to this statute in its memorandum below, and does so again before us, it has never demonstrated that the facts here could establish a criminal theft of trade secrets. That offense requires proof of, among other things, “intent to deprive or withhold the control of [the] trade secret from its owner, or . . . to appropriate [the] trade secret to [the defendant’s] own use or to the use of another . . . .” (§ 499c, subd. (b).) Since Apple has never argued the point, no occasion is presented to consider whether the inferred circumstances of the disclosure here could be found to constitute a crime. For present purposes we are concerned only with an allegedly tortious disclosure of a trade secret presumably by an Apple employee.”

It would seem clear that the court took pains to distinguish between a tortious disclosure of a trade secret, versus a criminal misappropriation of a trade secret. And although the court does not make any findings as to what might have happened if there were a basis to claim of criminal wrongdoing, the implication of the note above is that the findings on appeal may well have been different, if only apple had presented any facts to establish a crime. (All that being said, the EFF has expressed the opinion that both the California shield law as well as the federal Privacy Protection Act would make such a search illegal, even if a crime were committed)

So here Apple is, facing a similar situation as in O’Grady, and knowing that it will likely have either very limited or no ability to successfully obtain civil subpoenas given the finding in O’Grady, but with a little crack in the door suggesting that if criminal misconduct could be successfully demonstrated, it may have some chance of success. That seems better than nothing.

Given the above, it seems logical that Apple would want to request the DA to commence a criminal investigation (though to be clear, reports indicate that the DA has declined to indicate who instigated the investigation), either for plain theft or for theft of trade secrets, in order to enable it to seek some sort of remedy for the leaked information, though I’ll admit that if the above is correct its not clear to me exactly what remedy Apple would be seeking – in contrast to O’Grady, the identity of the Apple rep who lost the phone (and all the gory details) is already public. Perhaps the identity of the person who picked it up (which doesn’t appear to be public)? Though I’m not sure what that gets Apple, other than perhaps fiery retribution against the fellow and disgorgement of his ill-gotten gains (the $5,000 that Gizmodo paid him for the phone). Will be interesting to see how it plays out.

norwich orders, part ii (an editorial of sorts)

<rant>

I was a bit surprised to find this article that covered the court orders that had required Google to disclose information on some Gmail users and the subsequent orders in Canada against certain Canadian ISPs, which was the subject of a previous post. The long and short of it is that the author considers Norwich orders to be some sort of grave, grave intrusion on privacy rights and personal liberty. Hence, this dire warning at the end of the article:

No matter how many precautions we take to remain private or cloak our identity, the authorities and other potential litigants usually have little difficulty obtaining this content. And they do it not by nefarious mean like hacking, but through our very own court system.

Internet users everywhere would do well to take heed. Your emails — and maybe even your Google searches — could be one subpoena away from the prying eyes of federal authorities, not to mention private litigants.

Why am I surprised? Because it seems to lack the most basic understanding of the legal system. I won’t get into all the details of the workings of Norwich orders – the original article by Omar Ha-Redeye that I had previously mentioned does a very good job at that, and I would certainly commend it to the author of this article so he may perhaps gain some insight.

The fact of the matter is that no, your privacy rights and right to anonymity have not suddenly disappeared altogether. However, as with all rights there are limitations. Thus, while U.S. citizens have the right to bear arms, they do not have the right to shoot people. If someone were to do that, they should reasonably expect their gun (and likely their liberty) to be taken away. Similarly, if someone uses their right to anonymity in an attempt to commit a crime or harm someone else, they should reasonably expect that right of anonymity to be taken away – at least to the extent it relates to the crime.

Remarkably, the author seems to suggest that the use of “subpoenas” (presumably he meant to refer to the Norwich orders) are almost the equivalent of, say, parking tickets, that the authorities or litigants can simply write up  if and when they choose to stomp on someone’s personal liberties for no good reason. What an unfortunate misperception of the legal system. The very reason why someone must go to the courts to obtain such as order is to ensure that the interests of the parties involved are balanced and safeguarded. If someone seeking the order does not have a reasonable and valid basis for doing so, it is likely that the order would not issue.

Regarding process, he cites Eric Goldman:

“People need to know that very little information that they give or make available to third parties [like Google] is unavailable to the government or private litigants,” says Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law. “I think most people are surprised at how relatively easy it is for the government and private litigants to obtain ‘their’ information.”

I can’t speak to the process in the U.S. or what Mr. Goldman considers to be “relatively easy”. What I can say is that in Canada there is reasonable due process and consideration before such orders are issued. Just to cite one part of Mr. Redeye’s article:

A Norwich order is a pre-action discovery mechanism that is described by Spence J. in Isofoton S.A. v. The Toronto-Dominion Bank,

Requests for Norwich relief are largely unfamiliar to Canadian courts.  A Norwich order essentially compels a third party to provide the applicant with information where the applicant believes it has been wronged and needs the third party’s assistance to determine the circumstances of the wrongdoing and allow the applicant to pursue its legal remedies.

The 5 elements identified in this case for granting such an order include:

(i) Whether the applicant has provided evidence sufficient to raise a valid, bona fide or reasonable claim;
(ii) Whether the applicant has established a relationship with the third party from whom the information is sought such that it establishes that the third party is somehow involved in the acts complained of;
(iii) Whether the third party is the only practicable source of the information available;
(iv) Whether the third party can be indemnified for costs to which the third party may be exposed because of the disclosure, some [authorities] refer to the associated expenses of complying with the orders, while others speak of damages; and
(v) Whether the interests of justice favour the obtaining of disclosure.
[emphasis added]

The privacy interests of the alleged wrongdoer were overcome by the last element, the interests of justice, because of the applicant’s equitable right to information.  Spence J. pointed to Alberta v. Leahy and Bankers Trust Orders (from Bankers Trust Co. v. Shapira) indicating that court orders can override confidential information, even for financial records, and Glaxo-Wellcome PLC v. M.N.R. that the privacy interests of alleged wrongdoers is somewhat diminished.

Perhaps its just me, but this doesn’t sound particularly easy.

Of course, as with most things, the legal system is certainly not perfect, and there may well be instances where abuses might occur, or wrong decisions might be made by the courts where the scales of justice tip a bit. But to point at the sky and say it’s falling because of this case seems to me to be somewhat premature, to say the least.

Or at very least, as far as privacy concerns go, consider focusing more on things like the NSA and TIA than the courts.

</rant>

the internet: how not to learn to commit crimes

A story in the the Daily Record. The phrase “the thing speaks for itself” (which is one of those handy latin phrases I learned in law school but almost never use, except of course in blog posts – res ipsa loquitur, for you latinphiles out there…) seems to be appropriate for this:

At exactly 5:45:34 on April 18, 2004 a computer taken from the office of the attorney of Melanie McGuire, did a search on the words “How To Commit Murder.”

That same day searches on Google and MSN search engines, were conducted on such topics as `instant poisons,` `undetectable poisons,’ ‘fatal digoxin doses,’ and gun laws in New Jersey and Pennsylvania.

Ten days later, according to allegations by the state of New Jersey, McGuire murdered her husband, William T. McGuire, at their Woodbridge apartment, using a gun obtained in Pennsylvania, one day after obtaining a prescription for a sedative known as the “date rape” drug.

As a married man, it also makes me wonder what exactly is it about divorce that is really so bad that people resort to the apparently more preferable alternative of brutally murdering their spouses (as I delicately knock on wood…).

Via Slashdot.

A Really, Really, Really Good Reason to use Spybot

Story from the Norwich Bulletin. The nub:

NORWICH — State Prosecutor David Smith said he wondered why Julie Amero didn’t just pull the plug on her classroom computer.The six-person jury Friday may have been wondering the same thing when they convicted Amero, 40, of Windham of four counts of risk of injury to a minor, or impairing the morals of a child. It took them less than two hours to decide the verdict. She faces a sentence of up to 40 years in prison.

Oct. 19, 2004, while substituting for a seventh-grade language class at Kelly Middle School, Amero claimed she could not control the graphic images appearing in an endless cycle on her computer.

“The pop-ups never went away,” Amero testified. “They were continuous.”

This all sounds somewhat incredible to me, to be honest. Not just the fact that she was convicted, and convicted so quickly, but also the maximum punishment of 40 years. Seems a bit high when one hears of killers being convicted of manslaughter and getting maybe 2-3 years.

Jail as a Retirement Option

Somewhat frightening (or perhaps sad) article on someone who basically chose to go to jail to support himself. The nub:

On May 1, Mr. Bowers — or, as he is known to the Ohio Department of Rehabilitation and Correction, prisoner A535976 — handed a teller a stickup note, got four $20 bills and then handed them over to a security guard, telling the guard that it was his day to be a hero, according to accounts by The Columbus Dispatch and The Associated Press.

At his trial in October, he explained to the judge that he was about to turn 63 and had lost his job making deliveries for a drug wholesaler. He said that with only minimum-wage jobs available, he preferred to draw a three-year sentence, which would get him to age 66, when, he said, he could live off of Social Security. And that is what he got.

Killer E-mails

Just one more before my “lunch” ends…. still trying to catch up. Anyway, a recent article highlights a real low point in spam. This is even worse than the Nigerian scams (which actually resulted in several real-word deaths). Anyway, the jist of it is as follows:

The emails claim that the recipient has been stalked by a hired assassin for 10 days, but that the hitman is prepared to drop the contract if he is paid a total of $80,000. Upon receiving an initial advance payment of $20,000 the hitman claims that he will produce taped evidence of the contract to kill the reader of the email.

Frightening. Even it is spam. Of course, this is nothing more than old-fashioned extortion, gone high tech. That being said, for me, it seems to have crossed a line that most cyber-criminals had not yet crossed until know – actually threatening physical harm to get paid.