The New Jersey Supreme Court has ruled that people have an expectation to privacy online and that the authorities can’t just demand citizens’ Internet protocol (IP) addresses from their Internet service providers without a grand jury warrant.
The ruling was handed down in the case of a woman who was charged with hacking into her employer’s computer system.
The court threw out the case, but said the police can investigate it again if they go through proper channels.
Here’s what happened: Jersey Diesel had its IP address and mailing address listings in one of its suppliers’ databases altered without permission.
Its owner, Timothy Wilson, suspected one of his employees, Sheila Reed, with whom he had argued the day the changes were made. The police were called, and they used a municipal court subpoena to get Reid’s IP address and other detailed information from Comcast, her Internet service provider.
A grand jury returned an indictment in 2005 charging Reid with second-degree computer theft for hacking into her employer’s computer system from her home PC.
The initial trial court granted Reid’s motion to suppress the evidence on the grounds that the subpoena was improperly issued; after a series of appeals, the case landed in front of the supreme court, which ruled unanimously that Article 1 of New Jersey’s state constitution extends a reasonable expectation of privacy to Internet subscriber information, which can only be obtained from ISPs by serving them with a subpoena from a grand jury or a trial jury, or from the State Commission of Investigation.
The police can go back and get the information again from Comcast, but need a grand jury subpoena to do so.
The Other Side
The New Jersey court’s ruling runs counter to that handed down by the Ninth Circuit Court of Appeals in San Francisco in July 2007 in the case of the U.S. v. Forrester, in which two California men were charged with trying to set up a massive ecstasy lab in an insulated shipping container near Escondido.
In that case, the federal government installed a device at an ISP used by one of the suspects, capturing his to/from e-mail addresses, the IP addresses of Web sites he visited and the total volume of information sent from his account.
The court ruled that getting users’ e-mail and IP addresses without a warrant is the same as reading information on the outside of an envelope sent by regular mail or recording every number a suspect dials, because they only deal with information and not content.
The New Jersey court’s ruling will open the door for a flood of legal actions over the right to sue in a bid to get a final ruling on the issue of online privacy. “That’s a tried and true methodology,” Owen Seitel, founding partner of San Francisco legal firm Idell & Seitel, which has an Internet law practice, told the E-Commerce Times.
However, that may not amount to anything.
For one thing, it may not affect rulings in other jurisdictions because “courts are not beholden to rulings in other states,” Seitel said.
And, if the Patriot Act or national security is invoked, state court rulings will have even less clout because in those cases “the feds will basically say, ‘That’s nice, New Jersey, that you afford this to your citizens, but in this situation federal law will hold primacy, and we’re going to do what we’re going to do,'” Seitel said.
That will also hold true if business interests are affected. “Now, everything is couched in terms of interstate commerce, there’s no such thing as intrastate commerce anymore, so any time a state tries to pass laws that even touch on interstate commerce, the feds will come in,” Seitel said.