On appeal from the Superior Court, Appellate Division, whose opinion is reported at 389 N.J. Super. 563 (2007).
(This syllabus is not part of the opinion of the Court. It has been prepared by the Office of the Clerk for the convenience of the reader. It has been neither reviewed nor approved by the Supreme Court. Please note that, in the interests of brevity, portions of any opinion may not have been summarized).
This case involves multi-digit numbers called IP addresses that Internet Service Providers (ISPs) assign to subscribers for use in accessing Internet websites. Websites may collect the numbers, but with the technology available today only the ISP that assigned the address can translate it into the name of an actual user. In this context, the Court considers whether Internet subscribers have a reasonable expectation of privacy in their identities while accessing Internet websites.
On August 27, 2004, Jersey Diesel's owner, Timothy Wilson, was informed by a supplier that Jersey Diesel's shipping address and password had been changed on the supplier's website. Specifically, the supplier's information technology specialist determined that on August 24, 2004, someone had accessed the website, used Jersey Diesel's username and password to sign on, changed Jersey Diesel's address to a non-existent address, and changed the password. The supplier's website captured the user's IP address, which was registered to Comcast. Although Wilson contacted Comcast and requested the subscriber information for the IP address so that he could identify the person who made the unauthorized changes, Comcast declined to respond without a subpoena.
Wilson reported the incident to the Lower Township Police Department and suggested that Shirley Reid, an employee who had been on disability leave, could have made the changes. Reid had returned to work on the morning of August 24, argued with Wilson, and left. According to Wilson, Reid was the only employee who knew the company's computer password and ID.
On September 7, 2004, a subpoena duces tecum issued by the Lower Township Municipal Court was served on Comcast. The subpoena sought all information pertaining to the IP address identified by the supplier for the appropriate time period on August 24th. The subpoena was captioned "Timothy C. Wilson, Plaintiff, v. Shirley Reed [sic], Defendant," although no such case was pending. On September 16, 2004, Comcast responded and identified Reid as the subscriber of the IP address. Comcast also provided Reid's address, telephone number, type of service provided, IP assignment, account number, e-mail address, and method of payment.
On February 22, 2005, the Cape May County Grand Jury returned an indictment charging Reid with second-degree computer theft. Reid moved to suppress the evidence. The trial court granted the motion. The court identified various flaws in the subpoena and noted that the procedure followed by the police was unauthorized. The court also concluded that Reid had an expectation of privacy in her Internet subscriber information on file with Comcast, therefore the subpoena violated Reid's right to be free from unreasonable searches and seizures.
In a published opinion, the Appellate Division affirmed. 389 N.J. Super. 563 (2007). The panel found the subpoena invalid because it was not issued in connection with any judicial proceeding, was returnable the same day it was issued, and involved an indictable offense outside the jurisdiction of the Municipal Court. The panel also concluded that Reid had a protected privacy interest under the State Constitution in the information provided by Comcast and, as a result, the method used by the police to obtain the information warranted suppression.
HELD: Pursuant to Article I, Paragraph 7, of the New Jersey Constitution, the Court holds that citizens have a reasonable expectation of privacy in the subscriber information they provide to Internet service providers. Accordingly, the motion to suppress by defendant Reid was properly granted because the police used a deficient municipal subpoena. Law enforcement officials can obtain subscriber information by serving a grand jury subpoena on an Internet service provider without notice to the subscriber. The State may seek to reacquire the information with a proper grand jury subpoena because records of the information existed independently of the faulty process used by the police, and the conduct of the police did not affect the information.
1. Both the Fourth Amendment to the United States Constitution and Article I, Paragraph 7, of the New Jersey Constitution protect the right of the people to be secure against unreasonable searches and seizures. Federal case law interpreting the Fourth Amendment has found no expectation of privacy in Internet subscriber information. On multiple occasions, however, this Court has held that the New Jersey Constitution affords greater protection than the Fourth Amendment. In State v. Hunt, 91 N.J. 338 (1982), this Court concluded that telephone toll billing records are protected and explained that citizens are entitled to assume that the numbers they dial in the privacy of their home will be recorded solely for the telephone company's business purposes. Similarly, in State v. McAllister, 184 N.J. 17 (2005), the Court held that the New Jersey Constitution provides bank account holders a reasonable expectation of privacy in their bank records. (Pp. 12-15).
2. It is well-settled under New Jersey law that disclosure to a third-party provider, as an essential step to obtaining service altogether, does not upend the privacy interest at stake. In order to access the Web, individuals must obtain an IP address from an ISP. Users make disclosures to ISPs for the limited goal of using the technology and not to promote the release of personal information to others. IP address information can be used to track a person's Internet usage, revealing intimate details about his or her personal affairs. Because current technology renders the user's identity anonymous to all except the ISP, users have reason to expect that their actions are confidential when they surf the Web from the privacy of their homes. Therefore, the Court holds that Article I, Paragraph 7, of the New Jersey Constitution protects an individual's privacy interest in the subscriber information that he or she provides to an ISP. (Pp. 15-21).
3. In State v. McAllister, the Court concluded that the constitutional protection against improper government intrusion is satisfied by the issuance of a grand jury subpoena providing that the bank records bear some possible relationship to the grand jury investigation. The Court adopts the same standard for the records at issue in this matter. As in McAllister, the Court also declines to adopt a requirement that notice be provided to account holders whose information is subpoenaed. Unscrupulous individuals aware of subpoenas could delete or damage files on their home computers and thereby effectively shield them from legitimate investigations. (Pp. 21-25).
4. Here, the subscriber information was suppressed because the police department used a defective municipal subpoena. Evidence discovered, directly or indirectly, as a result of a constitutional violation must be suppressed. However, unlike a confession coerced from a defendant in violation of that individuals constitutional rights, Comcast's records existed independently of the faulty process the police followed. Moreover, evidence of Reid's knowledge of the company's password, her argument with Wilson, as well as the supplier's information about the IP address used to access its website remains untainted by the results of the defective municipal subpoena. Because the subscriber information attached to that particular IP address bore some possible relationship to the investigation underway, the State may attempt to reacquire Comcast's records with a proper grand jury subpoena limited to seeking subscriber information for the IP address in question. (Pp. 25-29).
5. The trial court properly suppressed the subscriber information obtained, and the State may not proceed with the pending indictment absent proof that the indictment has a sufficient basis without relying on the suppressed evidence. Alternatively, the State may move to dismiss the pending indictment, re-serve a proper grand jury subpoena on Comcast, and seek a new indictment. (P. 29).
The judgment of the Appellate Division is MODIFIED and AFFIRMED and the matter is REMANDED to the Law Division for further proceedings consistent with this opinion.
JUSTICES LONG, LaVECCHIA, ALBIN, WALLACE, RIVERA-SOTO and HOENS join in CHIEF JUSTICE RABNER's opinion.
The opinion of the court was delivered by: Chief Justice Rabner
Modern technology has raised a number of questions that are intertwined in this case: To what extent can private individuals "surf" the "Web" anonymously? Do Internet subscribers have a reasonable expectation of privacy in their identity while accessing Internet websites? And under what circumstances may the State learn the actual identity of Internet users?
In this case, defendant Shirley Reid allegedly logged onto an Internet website from her home computer. The site belonged to a company that supplied material to her employer's business. While on the supplier's website, Reid allegedly changed her employer's password and shipping address to a non-existent address.
Whenever an individual logs onto an Internet website, that user's identity is revealed only in the form of a unique multi-digit number (an "IP address") assigned by the user's Internet Service Provider ("ISP"). A website may collect that number, but only a service provider can translate it into the name of an actual user or subscriber.
Here, the supplier's website captured a 10-digit IP address, and the supplier told Reid's employer what had occurred. The employer, in turn, reported the IP address to local authorities. They issued a deficient municipal subpoena to Comcast, the service provider, and Comcast revealed that the IP address was assigned to Shirley Reid.
Reid is now under indictment for second-degree computer theft. She successfully moved to suppress the subscriber information obtained via the municipal subpoena.
We now hold that citizens have a reasonable expectation of privacy, protected by Article I, Paragraph 7, of the New Jersey Constitution, in the subscriber information they provide to Internet service providers -- just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies. Law enforcement officials can satisfy that constitutional protection and obtain subscriber information by serving a grand jury subpoena on an ISP without notice to the subscriber.
Because the police used a deficient municipal subpoena to obtain protected subscriber information in this case, defendant's motion to suppress was properly granted. However, records of the protected subscriber information existed independently of the faulty process the police used, and the conduct of the police did not affect that information. As a result, the State may seek to reacquire the subscriber information with a proper grand jury subpoena.
Some background information about computers and the Internet may assist in evaluating the issues presented. The Internet is a global network of computers that allows for the "sharing" or "networking" of information to and from remote locations. See Harry Newton, Newton's Telecom Dictionary 502 (23rd ed. 2007). Users of the Internet can send electronic mail, share files, and explore or "surf" the World Wide Web ("Web"), a graphical computer-based information network. Id. at 502-03. While surfing the Web, a user can visit and interact with sites maintained by businesses, educational institutions, governments, and individuals, which cover almost every conceivable topic.
An individual customer must select an Internet Service Provider like Comcast, AOL, or Verizon, in order to connect to the Internet. See, e.g., id. at 107. To sign up for service, a customer must disclose personal information including one's name, billing information, phone number, and home address.
To interact with other computers also attached to the Internet, a computer must be assigned an Internet Protocol address, or IP address. Id. at 342. An IP address is a string of up to twelve numbers separated by dots -- for example, 22.214.171.124. Ibid. In certain situations, a computer is assigned a permanent IP address, called a static IP address. Ibid. Most often, when an individual connects to the Internet, his or her Internet Service Provider dynamically assigns an IP address to the computer, which can change every time the user accesses the Internet. Ibid. In other words, the "dynamic" IP address assigned to the computer can be different for each Internet session. Ibid.
The American Registry for Internet Numbers (ARIN) is in charge of assigning IP addresses within North America. See http://www.arin.net/index.shtml. Anyone acquiring an IP address must register and provide ARIN certain contact information, which ARIN makes publicly available. Ibid. However, most Internet users do not obtain IP addresses directly from ARIN; they instead "lease" an IP address from a service provider like Comcast, which is the actual, named registrant. See RIR Comparative Policy Overview (2008), http://www.nro.net/documents/nro47.html (last visited April 16, 2008) (linked to ARIN website).
When an Internet user surfs the Web, sends e-mail, or shares a file, any site the user connects to can collect certain information, including the user's IP address. See Newton, supra, at 506. However, the sites ordinarily cannot identify the name of an individual user. Only the ISP can match the name of the customer to a dynamic IP address.
Recently, IP Address Locator Websites have become available to the general public.*fn1 Such websites operate similarly to a reverse phone directory: they permit a person to type in an IP address and obtain the name and location of the registrant for that address. Once again, because most Internet users access the Internet via third-party service providers like AOL, Comcast, Yahoo, and others, Address Locator Websites typically reveal ...