In the case, New Jersey v. Reid, the New Jersey Supreme Court ruled that Internet service providers can't disclose a subscriber's IP address to the police without a grand jury subpoena. While the ruling dealt with a criminal matter, the opinion's broad language suggests that the court is willing to ponder privacy rights in online data in other contexts.
"We now hold that citizens have a reasonable expectation of privacy ... in the subscriber information they provide to internet service providers--just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies," the court stated in its unanimous decision.
With the case, the New Jersey Supreme Court joined European authorities in holding that IP addresses are private.
The ruling seems to signal that the court is concerned about privacy erosion in a society where data is increasingly stored digitally. Lee Tien, a lawyer with the digital rights group Electronic Frontier Foundation, called the holding a "harbinger of a trend" toward protecting online privacy. That organization, along with the ACLU, Electronic Privacy Information Center and others, filed a friend of the court brief in the case.
The New Jersey court specifically examined not just IP addresses, but also the clickstream data associated with particular addresses, and appeared to find an expectation of privacy in that data as well. "With a complete listing of IP addresses, one can track a person's Internet usage," the opinion reads. The court then quoted a law review article by privacy expert Daniel Solove for the proposition that clickstream data can allow the government to learn "the names of stores at which a person shops, the political organizations a person finds interesting, a person's ... fantasies, her health concerns, and so on."
The court went on to hold that users only disclose information to Internet service providers for the limited purpose of being able to access the Web "and not to promote the release of personal information to others."
"Under our precedents, users are entitled to expect confidentiality under these circumstances," the court wrote.
The case stemmed from charges that Shirley Reid logged on to her computer from her home in New Jersey and changed the shipping address and password of her boss's company after an argument with him. Her boss knew that the changes originated from a specific IP address, which was registered to Comcast. The authorities served Comcast with a subpoena to discover the identity of the subscriber associated with that IP address, but the New Jersey court held the subpoena was insufficient because it was issued by a municipal court and not a grand jury.
Despite the broad language in the ruling, some behavioral targeting companies say the ruling won't affect them. At NebuAd, a startup that targets consumers based on data provided by Internet service providers, CEO Bob Dykes takes the position that the case only prohibits networks from disclosing the identities of subscribers. "We don't have personally identifiable information, so it really isn't relevant to our business practice," he said.
But some observers say that companies can figure out identity from detailed clickstream information--especially if users type their own names or addresses into search engines' query boxes and that information is captured and retained in the clickstream data. What's more, the holding discussed clickstream data and the various ways it could be used to compromise privacy.
Dykes said his company considered that portion of the ruling "dicta," meaning that it doesn't set a precedent.