InfoSecBulletin Cybersecurity for mankind
The Canadian Supreme Court ruled that police must have a warrant before asking for the internet protocol address of Canadians. The Supreme Court ruled 5-4 that Canadians have privacy rights protected by the Charter when police ask for information about their online activities.
“Personal privacy is vital to individual dignity, autonomy, and personal growth. Its protection is a basic prerequisite to the flourishing of a free and healthy democracy,” the majority ruling read.
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed
ALERT
Thousands of IP addresses compromised nationwide: CIRT warn
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks
Critical RCE Flaw Patched in Roundcube Webmail
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
“The Internet requires that users reveal subscriber information to their ISP to participate in this new public square, and Canadians are not required to become digital recluses in order to maintain some semblance of privacy in their lives.”
The issue was a 2017 investigation by the Calgary police into fraudulent online purchases from a liquor store.
Police went to the liquor store’s payment processing company, Moneris, and requested internet protocol (IP) addresses related to the purchases. They did not get a warrant.
Moneris handed over two IP addresses used for the transactions, which the police used to obtain a court order requiring an internet service provider to turn over the names and addresses associated with the IP addresses.
The email you need for the day’s top news stories from Canada and around the world.
That led to a search of Andrei Bykovets’ residence, and to Bykovet’s arrest on charges of possessing other peoples’ credit cards and identification documents. Bykovet challenged the cops’ right to obtain his IP address from Moneris, arguing it violated his Charter rights against unreasonable search and seizure.
Both the trial judge and the Alberta Court of Appeal ruled that Canadians had no reasonable expectation of privacy for their IP address. The Supreme Court disagreed.
“Activity associated with the IP addresses can be correlated with other online activity associated with that address available to the state. An IP address can also set the state on a trail of Internet activity that leads directly to a user’s identity,” the decision read.
“Access to IP addresses without judicial pre-authorization poses intense privacy risks.”
Police agencies used to routinely request what they called “basic subscriber information” from telecommunications companies – information such as names, IP addresses, physical addresses and telephone numbers.
But the Supreme Court ruling does not stop police from accessing IP addresses – just requires them to get a court order first, a process that law enforcement agencies have said takes time particularly for urgent cases.
The BC Civil Liberties Association, which intervened in the case, welcomed the court’s majority decision Friday and said it was “heartened” by the court’s recognition that privacy has become “ever more important” in the digital age.
“The reality today is that in order to engage in society to any degree, we really have to be able to go online. And so if the police have easy access to all of our online activity, which website we’re going to, who we’re talking to online, that creates a huge chilling effect on people’s behaviour,” Vibert Jack, the BCCLA’s director of litigation, told Global in an interview.
“Privacy rights are obviously implicated, but our freedom of expression, freedom of association, those rights would all be curtailed if we know the police could be watching us while we’re online.”
While the Supreme Court decision notes that the determining a reasonable expectation of privacy under the Charter is an “exercise in balance,” it also noted that the internet has vastly expanded the amount of personal information
“The intensely private nature of the information an IP address may betray strongly suggests that the public’s interest in being left alone should prevail over the government’s interest in advancing its law enforcement goals,” the decision read.
Police used to regularly ask telecommunications companies for “basic subscriber information,” which includes names, IP addresses, physical addresses, and telephone numbers.
The Supreme Court ruling doesn’t prevent police from accessing IP addresses. It just requires them to get a court order first, which law enforcement agencies have said takes time, especially for urgent cases.
The BC Civil Liberties Association, which participated in the case, is pleased with the court’s decision. They are encouraged by the court’s acknowledgment that privacy is increasingly crucial in the digital era.
“The reality today is that in order to engage in society to any degree, we really have to be able to go online. And so if the police have easy access to all of our online activity, which website we’re going to, who we’re talking to online, that creates a huge chilling effect on people’s behaviour,” Vibert Jack, the BCCLA’s director of litigation, told Global in an interview.
“Privacy rights are obviously implicated, but our freedom of expression, freedom of association, those rights would all be curtailed if we know the police could be watching us while we’re online.”
While the Supreme Court decision notes that the determining a reasonable expectation of privacy under the Charter is an “exercise in balance,” it also noted that the internet has vastly expanded the amount of personal information
“The intensely private nature of the information an IP address may betray strongly suggests that the public’s interest in being left alone should prevail over the government’s interest in advancing its law enforcement goals,” the decision read.
