April 2008
Buggy Voting Systems in New Jersey (4 April 2008
An Outage from Managing P2P Traffic? (6 April 2008
Ships Impounded in Cable Cut (8 April 2008
Comcast Outage: Not P2P-Related (18 April 2008
PayPal is Wrong About Unsafe Browsers (19 April 2008
New Jersey Supreme Court Protects Internet Users' Privacy (22 April 2008
The Fate of Old Hardcopy Journals (27 April 2008

New Jersey Supreme Court Protects Internet Users' Privacy

22 April 2008

In an interesting ruling, the New Jersey Supreme Court ruled that Internet users have a "reasonable expectation of privacy in their identities while accessing Internet websites". [The quote is from the opinion's syllabus, not from the actual binding opinion itself.] What makes this especially interesting is that New Jersey law protects personal privacy much more than the equivalent Federal provisions.

In this case, someone used a corporation's login and password to a supplier's site to change the corporation's address, and then change the password to lock the corporation out of its own account. The supplier provided the IP address that made this change; the police got a municipal court subpoena to the ISP for the subscriber's identity, and she was arrested and charged in short order. However, NJ law does not permit the police to obtain subpoenas for such things, especially when they cite non-existent cases (see the opinion for details). Only a grand jury subpoena will suffice. The real issue, though, is whether the woman had a privacy interest in her identity, given that her IP address was of course known to any site she contacted.

Both the Federal and New Jersey governments are constrained by their respective constitutions. The Federal provision, in the Fourth Amendment, reads

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The New Jersey text is almost identical:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no warrant shall issue except upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the papers and things to be seized.
However, the interpretations are very different.

The Federal interpretation is given in Smith v. Maryland, 442 U.S. 735 (1979). In it (and quoting myself),the Supreme Court ruled that phone numbers were voluntarily given to a third party — the phone company — and that the caller thus had no legitimate expectation of privacy. It noted that

Petitioner concedes that if he had placed his calls through an operator, he could claim no legitimate expectation of privacy. We are not inclined to hold that a different constitutional result is required because the telephone company has decided to automate.

New Jersey feels otherwise. Its Supreme Court has ruled that the New Jersey constitution "affords our citizens greater protection against unreasonable searches and seizures". In Doe v. Poritz, 142 N.J. 1 (1995), the court noted "a constitutional right of privacy … including the disclosure of confidential or personal information". Accordingly, in a case very similar to Smith (State v. Hunt, 91 NJ 338 (1982), not online in any free source I can find), the New Jersey court held that

Under New Jersey law, a telephone subscriber has a reasonable expectation that the calls he makes will be utilized only for the accounting functions of the telephone company and that he cannot anticipate that his personal life, as disclosed by the calls he makes and receives, will be disclosed to outsiders without legal process.
because "he is entitled to assume that the numbers he dials in the privacy of his home will be recorded solely for the telephone company's business purposes." This is an important distinction: people give the phone company — or ISP — a phone number or an IP address for a specific purpose. It is not a general grant, nor are the resulting records the property of the communications carrier with regard to future legal processes. The caller has a privacy interest in them, not the carrier. This is very much in accord with one element of the Code of Fair Information Practices: "There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent."

I applaud this ruling by the New Jersey court.