The New Jersey Supreme Court ruled this week that, under the New Jersey Constitution, citizens have an expectation of privacy in subscriber data provided to Internet Service Providers (“ISP”). State v. Reid, ___ A.2d __, 2008 WL 1774969 (N.J. Sup. Ct. 4/21/08). The case is significant because it departs from federal constitutional standards, and because it squarely holds that the right to privacy extends to subscriber data in the possession of an ISP.
Shirley Reid was an employee of Jersey Diesel. On the same day that she had an argument with the owner of the company, someone visited the website of one of Jersey Diesel’s suppliers and altered certain data, including the passwords assigned to Jersey Diesel and its shipping address. Jersey Diesel learned of the changes through the supplier, who provided Jersey Diesel with the IP address of the alleged offender (automatically obtained by supplier’s system). The IP address, which was registered to Comcast, was given by Jersey Diesel to local police, who then subpoenaed Comcast for the identity of the individual associated with the particular IP address, who turned out to be Ms. Reid. After she was indicted following Comcast’s disclosure of her identity, Ms. Reid moved to suppress the evidence disclosed by Comcast on the grounds that the subpoena was technically defective. Ms. Reid argued that, absent a valid subpoena, she had an expectation of privacy that barred Comcast’s disclosure of her identity.
The court agreed. In language nearly identical to the Fourth Amendment of the U.S. Constitution, the New Jersey Constitution protects “the right of the people to be secure…against unreasonable searches and seizures.” But whereas courts interpreting the Fourth Amendment have held there is no expectation of privacy in information exposed to third-party providers, such as ISPs, telephone companies and banks, New Jersey courts in prior cases have broadly construed the parallel New Jersey Constitutional provision to extend privacy protection to information in the hands of certain third-party providers. Noting that “[u]sers make disclosures to ISPs for the limited goal of using that technology and not to promote the release of personal information to others,” the New Jersey Supreme Court in Reid expressly extended these holdings to protection of subscriber data provided to ISPs. Cautioning that the reasonableness of the privacy interest may change as technology evolves (as, for example, if someday software allowed individuals to type IP addresses into a reverse directory and obtain the name of the user). “Internet users today enjoy relatively complete IP address anonymity when surfing the Web. Given the current state of technology, the…IP addresses cannot be matched to an individual user without the help of an ISP,” and therefore, according to the court, users today have a reasonable expectation of privacy.
It should be pointed out that the state was not left without a practical remedy: the court noted that the information could properly be obtained through a grand jury subpoena.
Many state constitutions, by their terms or as interpreted, provide broader protections than the U.S. Constitution. In the civil context, New Jersey courts have been leaders in crafting standards that attempt to balance the need for disclosure of identifying data and the First Amendment right to anonymous speech. It will be interesting to see if other states follow New Jersey's lead in the recognition of a privacy right in data possessed by third parties. Finally, although this ruling comes within the context of a criminal case, it will likely present additional challenges for corporations pursuing civil remedies and seeking to pierce the anonymity of individuals responsible for defamation and other speech torts on the Internet.