Browsing History – Does Knowledge of Site Administrators’ Access Give Consent to Disclosure to Law Enforcement?

A recent US decision held that a person’s browsing history on web dating sites – not just his profiles, which were clearly intended for public use – could be disclosed to police because the person had authorized the administrators of the sites to know what he was looking at. The case, People v Holmes, involved a high-profile defendant in a criminal case (the person who shot up the Colorado movie theatre – allegedly), but these cases should not turn on whether the person claiming a privacy right is sympathetic.

The key for the court is contained in this passage:

[T]he defendant voluntarily conveyed and exposed identification and billing information to two large social networking services. Furthermore, he voluntarily exposed his IP address to the administrators of both networks. Through his IP address, the website administrators were able to collect his log data, including log in times and the duration of sessions. There is no basis in the record to conclude that the defendant did not know that the websites would collect, monitor, transfer, and manipulate his log data.

In view of this reasoning, does anyone have any expectation of privacy in any browsing one does through a web service? Is this right? Would the same decision be made under Canadian privacy or criminal law?


  1. David Collier-Brown

    Was the access consciously granted by the defendant? There’s quite a continuum of access permissions in this seemingly simple example!

    If you have anything at all on a computer system, it is accessible to the system administrator, whose name might be Edward Snowden (;-))

    If it’s a very high-security system, to the system administrator and the security administrator acting in concert (on a class B2 trusted system).

    If the computer stores your data in a database, it’s accessible to the database administrator. I once had access to masses of sensitive health information, as I had a DBA-type login on the database. (As it happens, I had agreed in writing not to look at it. This was the only time I ever had seen customer privacy mentioned in any of my consulting contracts.)

    If you clicked an accept button on a contract you didn’t have the opportunity to negotiate, you may have agreed to something you wouldn’t normally permit.

    Indeed, if you clicked on any form during setup, you may find it contains contract language you wouldn’t believe about what is going to be accessible. One of my directors intentionally included a clause granting him the customer’s first-born child unless they identified him as Rumpelstiltskin. No one even commented on it.

    If you clicked on an accept button for a contract, it may have been unilaterally and silently changed since you did so.

    If you didn’t click on an accept button for a contract, you may not have even had the chance to know what access the supplier has to your data.

    Knowing if one can assume consent to access is factually difficult. It’s arguably difficult for any court, unless the legislation and case law are very detailed about the contracts that are agreed to by or imposed upon the defendant.

    [And yes, I wonder too how this will play out in Canada]