ABCA says no reasonable expectation of privacy in IP addresses

On June 13th, a majority of the Court of Appeal of Alberta held that an IP address alone is not subject to a reasonable expectation of privacy such that it is protected by section 8 of the Charter.

The police had identified a series of fraudulent online transactions and asked a credit card processor for the matching IP addresses. The processor provided the police with two IP addresses, and the police then obtained a production order to require Telus to identify the two Telus subscribers. Unlike in the leading Supreme Court of Canada case R v Spencer, the police sought prior judicial authorization to identify the subscribers. Did they do wrong, however, by obtaining the IP addresses first?

The majority said “no,” and relied on the protection granted by Spencer in finding that there was no reasonable expectation of privacy in the IP addresses alone.

In Spencer, police obtained, without judicial authorization, the IP address and its subscriber data. Thus, without a court order, the police believed the following: Matthew Spencer was using the internet to download child pornography at a specifically named address. By contrast, the police here obtained, without judicial authorization, only IP addresses. Based on this abstract information, police believed a person who committed fraud used the IP addresses. They did not know who. They only knew the IP addresses belonged to TELUS and they ascertained this information through a publicly available internet lookup site. To get the name and address of the subscriber, they lawfully served TELUS with a production order. Thus, without a court order, they believed only this: an unknown person using a known IP address was committing fraud from an unknown address.

An IP address does not tell police where the IP address is being used or, for that matter, who is using it. Nor is there a publicly available resource from which the police can learn this or other subscriber data. To get the core biographical information such as an address, name, and phone number of the user, the police must obtain and serve a production order on the ISP in accordance with Spencer. That is what the police did here.

The dissenting judge held that, notwithstanding Spencer, IP addresses have investigative value as “digital breadcrumbs” and could be used to discover the identity of an unknown internet user. She held that – from a normative perspective – the Charter ought to apply to the police process of gathering electronic evidence right from the beginning.

R v Bykovets, 2022 ABCA 208 (CanLII).

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

  • A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
  • Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

ABCA decision on defending allegations about privileged communication

On April 12th, the Court of Appeal of Alberta held that a defendant waived solicitor-client privilege by affirmatively pleading that its counsel had no instructions to agree to a time extension for filing a prospectus.

The defendant faced a lawsuit that alleged its counsel gave a time extension and had the actual authority to do so. The majority judges explained that a party faced with such an allegation about a privileged communication can make a bald denial and safely rest on its privilege. The defendant went further, thereby putting its privileged communications in issue.

PetroFrontier Corp v Macquarie Capital Markets Canada Ltd, 2022 ABCA 136 (CanLII).

IPC upholds university vaccination policy

On April 5th, the Information and Privacy Commissioner/Ontario affirmed a University of Guelph requirement that students in residence for the 2021/2022 academic year be fully vaccinated.

The IPC has jurisdiction to consider whether a public body’s collection of personal information is “necessary” to a lawfully authorized activity based on the Freedom of Information and Protection of Personal Privacy Act. The necessity test has been endorsed by the Court of Appeal for Ontario as strict. Where personal information would merely be helpful to the activity, it is not “necessary” within the meaning of FIPPA. Similarly, where the purpose can be accomplished another way, a public body is obliged to chose the other route.

The IPC’s affirmation of the University’s policy (and its collection of personal information) rested heavily on a letter the University had received from the Wellington-Dufferin-Guelph Health Unit in July 2021. It said:

I am writing to recommend in the strongest possible terms that the University of Guelph require a full (two-dose) course of COVID-19 vaccines for all students living in residence during the 2021-22 school year. Additionally, the University should continue to recommend strongly that all other students, faculty and staff receive both doses of the vaccine.

Students beginning or returning to their studies this fall are looking forward to a safe and relational post-secondary experience. Adding this significant layer of protection will help create a more normal fall on campus. Strong vaccination rates across the University are an important part of student physical and mental well-being, and should contribute peace of mind to all Gryphons.

The IPC affirmation is significant not only because it supports a vaccine mandate based on the strict FIPPA necessity standard, but also because of its adoption of this letter and its reasoning. While mandates must certainly be based on science that establishes that vaccination reduces the risk of exposure, the privacy commissioners, labour arbitrators and judges who will continue to be called upon to evaluate mandates must recognize that they are also based on a need for stability and mental well-being.

We thought we were though the pandemic, and are now in Wave Six. Will there be a Wave Seven? And although the province is trying to give us the stability we all crave by committing to laissez faire policy, why should our public bodies be precluded from adopting stable, medium-term policy that prioritizes safety?

University of Guelph (Re), 2022 CanLII 25559 (ON IPC).

GSB addresses use of surveillance footage

In a decision first released last September, the Grievance Settlement Board partly upheld a grievance that challenged the use of video surveillance footage in Ontario correctional facilities.

It has become standard to establish the purpose of workplace video surveillance as supportive of safety and security and to proscribe the use of surveillance technology as a replacement for supervision. In principle this distinction makes sense, though in practice it is unclear and has led to disputes.

In this case, the GSB affirmed the employer’s use of video footage to address misconduct discovered incidentally during a legitimate surveillance footage review that was occasioned by a security incident. Vice-Chair Anderson said:

The evidence as to why the surveillance camera was placed in the central control module was scant.  The ISPPM indicates “audio and video technology are tools to enhance safety and security”.  Sgt Essery’s evidence suggests that was the purpose for the camera in the central control module. It is clear the duties of the officers in the control module are reasonably necessary to the safety and security of inmates, staff and property in the building.  I infer the ability, if necessary, to observe central control module officers in the performance of those duties has a safety and security function.  The camera is also used to observe the hallway next to the central control module through which inmates pass, in particular when they are being escorted to or from the segregation units.  There is no dispute that this has a safety and security function.  There is no evidence that the camera was placed in the central control module for any other purposes.  I conclude its placement was done in good faith for purposes permitted by Appendix COR10.

The GSB also recognized that the employer could justify the use surveillance video to spot check compliance with a procedure because the spot check and procedure were both to uphold safety and security – the primary purpose of video surveillance. In the circumstances, however, the GSB held that the employer had not proven a sufficient need for such spot checks.

The practical lesson for employers is to be wary of vague and unbounded promises to refrain from using video surveillance. The matter is one of nuance.

Ontario Public Service Employees Union (Union) v Ontario (Solicitor General), 2021 CanLII 95740 (ON GSB).

Where’s that workplace surveillance bill? More thoughts pending its release

It’s Friday at 4:20pm and I don’t see an Ontario workplace surveillance bill yet, so here are a couple more thoughts – one positive, one negative and one neutral.

Positive – Organizations ought to employ “information technology asset management” – a process for governing their network hardware and software. Those organizations with strong asset management practices will have little difficulty identifying how employees are “monitored.” For those who are weak asset managers, the new bill is an invitation to improvement and rooting out unmanaged applications.

Negative – As I said yesterday, the devil will be in the detail, and the scope of the “monitoring” that is regulated will be key. Monitoring must be defined in a way that does not affect non-routine processes – i.e., audits and investigations. Those raise a different kind of privacy concern, and a notification requirement shouldn’t frustrate an organization’s ability to investigate.

Neutral – Organizations typically keep security controls confidential to protect against behavior we call “threat shifting” – the shifting of tactics to circumvent existing, known controls. I’m doubtful the type of disclosure the bill will require will create a security risk, but it’s an issue to consider when we see the text.

Bring on the bill!

Ontario electronic monitoring bill coming

We’re getting numerous questions today about Ontario’s move to implement a electronic monitoring legislation.

We have no bill yet, but the announcement says:

The policy would need to contain information on whether the employer electronically monitors its workers, and if so, a description of how and in what circumstances the employer does this. In addition, the employer would need to disclose the purpose of collecting information through electronic monitoring.

The devil is in the detail, but this seems painless enough. There is nothing to indicate the Bill will impose a limit on monitoring, which is permitted by law and entirely unregulated in Ontario right now. Notice is a good practice, employed by many already, and can help cleanse networks of personal data that does get lost and stolen and that can complicate investigations and audits.

It will be important to see how monitoring is defined, and whether it is confined to endpoint monitoring or is likely to capture all the various means by which network data is captured and analyzed. There is a trend towards endpoint monitoring by the way, now arguably a network security best practice.

Let’s hope we get a bill that’s as benign as it has first appeared.

UKSC recognizes the frailty of collective judgement and protects the privacy of investigative subjects

Earlier this week. the Supreme Court of the United Kingdom held that, as a “legitimate starting point,” persons under investigation by law enforcement have a reasonable expectation of privacy in the fact they are suspected of a crime and any expressed basis for that suspicion.

The Court affirmed an award of privacy tort damages made to a former CEO of a publicly traded company who United Kingdom authorities suspected of various financial crimes. He successfully sued Bloomberg, who had published an article with details about the investigation after Bloomberg had been leaked a copy of a letter of request that the authorities had sent to another state in furtherance of their investigation.

To sue for misuse of information in the UK one must first establish that they have a reasonable expectation of privacy in the relevant information. As in our Charter jurisprudence, the test is contextual and requires an examination of all the circumstances.

The Court said this does not preclude recognition that certain classes of information are, as a starting point, private enough to warrant protection. It held there is growing recognition of the harms faced by those suspected (but not yet charged) of crimes and made its protective finding, pointing out that some circumstances will weigh against an expectation of privacy. An arrest that follows public rioting, the Court said, would not (ordinarily) attract an expectation of privacy.

The Court said the rationale for its starting point is the potential for damage to reputation, which it tied to the right of privacy as follows:

Fifth, the rationale for such a starting point is that publication of such information ordinarily causes damage to the person’s reputation together with harm to multiple aspects of the person’s physical and social identity such as the right to personal development, and the right to establish and develop relationships with other human beings and the outside world all of which are protected by article 8 of the ECHR: see Niemietz v Germany (Application No 13710/88) (1992) 16 EHRR 97, para 29. The harm and damage can on occasions be irremediable and profound.

Despite linking the right of privacy to the protection of reputation, the Court nonetheless held that defamation law’s recognition that the ordinary reasonable reader is capable of distinguishing suspicion from guilt is irrelevant to the resolution of a privacy claim. Rather, it took notice of the profound impact that the publication of suspicions can have on individuals despite the criminal justice system’s presumption of innocence.

The presumption of innocence is a legal presumption applicable to criminal trials. In that context the presumption weighs heavily in the directions that a jury is given or in the self-directions that a judge sitting alone applies. However, the context here is different. In this context the question is how others, including a person’s inner circle, their business or professional associates and the general public, will react to the publication of information that that person is under criminal investigation. All the material which we have set out between paras 80-99 above now admits to only one answer, consistent with judicial experience, namely that the person’s reputation will ordinarily be adversely affected causing prejudice to personal enjoyment of the right to respect for private life such as the right to establish and develop relationships with other human beings. Accordingly, we reject the submission that a general rule or starting point is unsound because it significantly overstates the capacity of publication of the information to cause reputational and other damage to the claimant given the public’s ability and propensity to observe the presumption of innocence.

The Court did not mention the internet or the so-called “cancel culture” phenomenon, though its judgement is responsive to a very similar concern. It understands that we may shun those who are the subject of criminal suspicion while offering them a measure of protection from these “unfair” harms.

Bloomberg LP (Appellant) v ZXC (Respondent), [2022] UKSC 5.

The perils of e-mail attachments and privilege claims

The Court of Appeal for Saskatchewan issued a freedom of information judgement last week that illustrates a good practice point for FOI practitioners: claim privilege over privileged e-mails and their attachments together.

“Record 1” was an e-mail sent to Ministry legal counsel for the purposes of obtaining legal advice about its attachments. Though part of the privileged communication, the Ministry indexed the attachments as “Record 2” and “Record 3.” It claimed that the attachments were privileged, and also exempt pursuant to the Saskatchewan exemption for “information obtained in confidence from other governments.”

By making its exemption claims in this way, the Ministry revealed that it sought legal advice on communications (and information) it received from other governments. Is it any surprise, then, that the Court affirmed a finding that the attachments were not protected by solicitor-client privilege?

While viewing the Court’s finding is understandable, I don’t agree that it is correct. The attachments to (privileged) Record 1 are clearly part of a privileged communication. As part of that communication (and not necessarily on their own), the attachments are privileged. The Ministry ought to have better protected its privilege by indexing Record 1 in its entirety and, if Records 2 and 3 were responsive on their own, indexing each separately.

Saskatchewan (Ministry of Health) v West, 2022 SKCA 18 (CanLII).

A call to modernize public sector privacy statutes without inviting litigation

The wave of public sector reform is coming, so it’s time to start thinking and talking about they best way achieve strong privacy protection in the Ontario public sector. I had the honour of participating the University of Toronto’s Privacy Day celebration yesterday, including by sitting on a panel and giving the short prepared remark below. I’m all for privacy protection and modernization, but the implementation of administrative monetary penalties in the Ontario public sector (like now in Quebec) would fundamentally change the relationship between the Ontario public sector and its regulator and not serve the public or education sectors well.