Twitter stream of Osgoode’s Cybercrime and Electronic Evidence Symposium

I attended Osgoode’s Symposium on Technology Crime and Electronic Evidence today. A great program, with dialogue on search and electronic evidence issues from keynote speaker Jennifer Granick of the EFF, Crown counsel Susheel Gupta, computer forensic professional Philip Fodchuck, Crown counsel Michel Fairburn, defence counsel Scott Fenton and defence counsel Alan Gold among others.

I didn’t plan on live blogging but had my computer open and kind of got into it. Here’s the stream, which includes some “nuggets” and cites to case law.

Thanks to the presenters and organizers. Inspiring.

Dan

Case Report – Ont. S.C.J. okays warrantless search of subscriber data

On February 10th, the Ontario Superior Court of Justice dismissed a Charter application that challenged a letter request made by the police to an internet service provider for the name and address of an account holder associated with a specific IP address at a specific point in time.

The Court held that the applicant had no expectation of privacy in the information disclosed, which the police used to obtain a warrant and lay child pornography charges. The Court narrowly construed the personal information collected in the search as one’s name and address (or the name and address of a cohabiting spouse) and held that this information is not “biographical information” that is protected by the Charter. It also relied on the service provider’s contract of service, which expressly permitted the transfer:

In addition, in this case the terms of the contract with the internet provider is one of the factors to be considered in assessing whether the asserted expectation of privacy is reasonable in the totality of the circumstances. That contract includes an agreement that the service provider could disclose any information necessary to satisfy any laws, regulations or other governmental request from any applicable jurisdiction. Further, the agreement contained a provision that by subscribing to the service, one consents to the collection, use and disclosure of personal information as described in the Bell Customer Privacy Policy and the Bell Code of Fair Information Practices. This privacy statement includes a provision that Bell Canada may also provide personal information to law enforcement agencies. Therefore by virtue of the contractual terms on which the internet service was provided an expectation of privacy is not reasonable

Thank you to David Fraser for digging up a copy of the decision!

R. v. Wilson (10 February 2009), 4191/08 (Ont. S.C.J.).

Case Report – Appeal court restores defence struck as a remedy for spoliation

On February 13th the Prince Edward Island Court of Appeal held that a motions judge erred in striking a statement of defence as a sanction for non-production. The Court suggested that such a strong sanction should not be utilized for discovery abuse in the absence of a finding of bad faith or contempt given the difficulties in assessing relative prejudice before trial. It nonetheless sanctioned the defendant by imposing conditions on the use of records subsequently found, by specifying that the trial judge may presume damages and by awarding costs of the motion and appeal to the plaintiff.

Jay v. DHL, 2009 PEICA 2 (CanLII).

Case Report – Arbitrator Simmons rejects challenge to bag search

On January 29th, Arbitrator Gordon Simmons dismissed motion to exclude evidence obtained in a bag check conducted by a municipal employer.

The employer found stolen goods after examining the contents of two bags that were left near a receiving area of a care home. One of the bags was left open and there was signage nearby indicating that personal belongings should not be left unattended. The Union argued the evidence should be excluded because the employer breached section 8 of the Charter.

In the circumstances, Mr. Simmons held that the grievor had abandoned her expectation of privacy. More significantly, he held that the Charter did not apply to the municipality in its management of the grievor’s employment relationship:

Unlike the many reported decisions the instant case does not involve a matter arising out of a criminal activity where the state is the direct actor in the form of police involvement in carrying out the search and seizure. Instead, the issue at hand involves an employment relationship with a collective agreement. While the courts do not appear tot have addressed the set of circumstances directly it would appear the Charter does not apply.

In making this finding, Mr. Simmons relied the Supreme Court of Canada finding in Dunsmuir, where it held that the termination of public sector employees is generally governed by private law.

Ottawa (City) and Ottawa-Carleton Public Employees Union, Local 503 (Nguyen Grievance), [2009], O.L.A.A. No. 37 (Simmons) (QL).

Information Roundup – 15 February 2009

Another Roundup brought to you mostly by Twitter, which remains a wonderful distraction. I’ve also found a few new blogs, including one by Winnipeg privacy lawyer Brian Bowman. I look forward to following Brian’s writings and meeting him in person when we both speak at a Toronto privacy conference this May (details to come).

Here are some recent developments in the domain that you may find noteworthy. They are about monitoring and auditing employee computer use, government e-mail management and consent rules in privacy statutes.

Monitoring and auditing employee computer use

On June 8th I’ll be speaking at the OBA’s Hot Issues in Privacy Law seminar and have promised a paper on monitoring and auditing employee computer use. My yet-to-be proven thesis is that we Canadians are moving from period in which a blunt employer-friendly rule prevailed – one relying on systems owner rights – to a period in which Courts and labour arbitrators will impose a balancing rule. There’s early indication in Canadian case law that supports this thesis – the Daniel Potter case on privilege waiver and the University of British Columbia spyware case, for example. There’s not much recent Canadian case law though, so I’m planning on reviewing American case law, including the much-discussed Quon v. Arch Wireless case.

Quon made the news a few weeks back, when on January 27th the United States Court of Appeals for the Ninth Circuit denied a petition for rehearing en banc. The Court thereby endorsed its previous finding that a California police department violated an officer’s Fourth Amendment rights by auditing his text messages to determine why he and others were consistently exceeding monthly character limits.

While I make no comment on American law, I do think the facts in Quon illustrate why having a standard computer use policy is not necessarily enough to immunize employers from employee challenges now that most permit or condone some degree of personal use. This shift is likely to pressure Canadian courts and labour arbitrators to go behind broad “no expectation of privacy” statements in policy, leaving employers who tolerate personal use with a choice: (a) fight against an expectation of privacy by clearly and consistently communicating the details of a routine monitoring and periodic audit program through multiple means or (b) reckon with an expectation of privacy and implement controls to ensure that all searches are likely to withstand a reasonableness challenge.

Thank you to the Proskauer Rose privacy law group for their excellent coverage of Quan. For more on this topic, law student and blawgger Omar Ha-Redeye posted a related piece at Slaw just today and I wrote a paper in 2007 on the the basics of employee surveillance law. These rough ideas to be developed and more to come.

Government e-mail management

Employers are not the only ones who face challenges associated with e-mail management and communication systems that are used for mixed purposes. The Executive Office of the (United States) President’s challenges are detailed nicely by Joan Indiana Rigdon in an article published in this month’s DC Bar magazine. She outlines how legitimate attempts at segregating personal and political e-mails from official e-mails have led to widespread abuse of presidential record keeping legislation. Very interesting, and hints at the challenge of enforcing single purpose communication systems in organizations.

Consent rules in privacy statutes

And finally, knowledge management consultant Peter West sent me a link to this January 2009 paper by the Center for Democracy & Technology. (Thank you!) It contains the Center’s policy position on personal health information protection. Notably, the Center has changed its position on the role of informed consent, reasoning that an over-reliance on consent can harm privacy protection. It explains:

The ability of individuals to exercise control over their personal health inforamtion is one important element of privacy protection, and a comprehensive privacy and security framework should set out circumstances where patient consent or authorization must be obtained. However, consent is not a panacea. As appealing as it may seem in concept, in practice over-reliance on consent puts the burden for data privacy on csonumers and provides very weak protection for personal health information in a digital envrionment.

In isolation, without other legal limits, mandating consent is more likely to lead to overbroad information-sharing than to the protection of patietn privacy. Over-reliance on consent can confer disproportaionate bargaining power on providers and othes seeking approval for disclosure. This is especially true if patients are offered all-or-nothing disclosure options in circumstances in which they are unlikely to withold consent, or even to understand the choices they are making. In particular, when patients are seeking care or applying for insurance, they often authorize disclosures without a full appreciation of the scope of their consent and with an inadequate understanding of how their privacy is being protected.

This rings true.

One of the challenges with our commercial privacy legislation, PIPEDA, is that it features a very absolute (though contextual) consent rule. Organizations faced with PIPEDA compliance can get distracted by the consent rule and equate achieving compliance with obtaining consent. I have been coaching to this misunderstanding recently by using a concept I call the “three pillars of privacy protection” – informed consent, reasonable and proportional use and reasonable safeguards. If I had to explain what informational privacy legislation does in 10 second or less I’d describe the three pillars. I see this idea reflected in the Center’s paper, and am happy for it.

On a personal note, I just got back from a very short surf trip to Halifax. As a Torontonian, I’m allowed to say that it’s the best city in Canada – hands down. Here are a couple of pics from the first of two good but cold surf sessions, both of my good buddy Alex. Getting in the water has made me feel human again!

See ya!

Dan

Case Report – Court puts off spoliation claim until trial

On February 13th, Mr. Justice Peter Lawers of the Ontario Superior Court of Justice rejected a motion to dismiss a personal injury claim based on the defendant’s allegation of spoliation. The idea that spoliation claims should generally be settled at trial is not remarkable, but the Court did reject the defendant’s argument that spoliation claims relating to records of loss of earnings should be treated differently:

I am also alive to the real concern of the defendants, expressed on the issue of prejudice by Mr. Forget; in a case involving loss of income, the defendant should not be forced to gamble that the jury will appropriately punish the plaintiff for his failure to keep proper records when a loss of income case is normally based thereon.

Mr. Stephenson notes the irony in that position, since the plaintiff objected to the defendants’ jury notice on the basis that, as noted in the endorsement of Ferguson J., dated December 20, 2007:

That evidence would unfairly influence the verdict if trial were by jury. He relied on the evidence indicating the failure of the plaintiff to keep proper records that is potentially adversely affecting a jury’s assessment of his credibility or reliability – he used the term “trustworthiness.”

In upholding the jury notice, Ferguson J. held that:

The evidence of the plaintiff’s bookkeeping practices is directly relevant to his claim for damages and any affect of that evidence on his credibility and reliability is clearly a relevant factor which the jury may consider.

I agree.

Also notable is the ambiguity in the claim, which seems to be more about bad record keeping than spoliation itself: “The heart of the problem from the viewpoint of the defendants is the lack of documents relating to Mr. Carleton’s income.” If there is no duty to keep records, there can be no valid spoliation claim when records are not available for production. This seems to be a simple case where bad business record keeping may prevent a plaintiff from meeting its burden of proving loss.

Carleton v. Beaverton Hotel, 2009 CanLII 4245 (CanLII).

Case Report – Information Commissioner can impose confidentiality screen on joint legal retainer

In a judgement dated October 5th of last year, the Federal Court held that the Information Commissioner of Canada acted lawfully in making a confidentiality order that prohibited Crown counsel from sharing information with the Crown that it gained while jointly representing individual Crown servants.

The Crown servants were compelled to give evidence before the Deputy Commissioner in the course of his investigation into an Access to Information Act complaint. Department of Justice counsel accompanied the witnesses and acted as their counsel. In order to preserve the integrity of his investigation, the Deputy Commissioner prohibited the witnesses from disclosing the questions asked, answers given and exhibits used in the examination and prohibited counsel from disclosing the same. The Crown applied for judicial review of the orders, arguing that they interfered with its solicitor-client relationship with Crown counsel.

The Court held that the Information Commissioner has an implicit power to make confidentiality orders and that the potential for a conflict of interest given the witnesses were not high-ranking officials made the Deputy Commissioner’s orders reasonable and necessary in the circumstances. It said:

Counsel for the applicant countered that there is absolutely no factual or evidentiary foundation for the proposition that such a conflict of interest exists or is even likely to come up in the present circumstances, and that the decision and orders are therefore founded on speculation and unsubstantiated assumptions. The only reason that the individuals were subpoenaed by the Deputy Commissioner was on account of their activities on behalf of the Crown. Since they were not examined in their personal capacity but rather in their professional capacity as Crown servants and employees, there can be no conflict of interest in this proceeding between the individuals and the Crown, according to the applicant’s argument.

I must confess that I am somewhat troubled by this automatic and necessary assimilation of the Crown’s and the employees’ interests. As a general rule, I am prepared to concede that it is unlikely the employees’ views with respect to the disclosure of a document will differ from those of the senior management of the Department involved. But the possibility cannot be ruled out entirely, especially when the employees subpoenaed by the Commissioner are not in the higher ranks of the Department but rather at the lower level. Similarly, I can easily envisage situations where there is no conflict at the outset but conflict develops as the questioning proceeds and the investigation unfolds. It is in those kinds of circumstances that employees must have the assurance that they will remain in control of the disclosure of their testimonies notwithstanding the fact that their counsel play a dual role.

I agree with the respondent that the investigatory process would simply be unworkable and profoundly undermined if the Attorney General had a de facto right to attend all hearings simply by providing a counsel to the witnesses compelled to give evidence.

The Court also rejected an argument that the confidentiality orders unjustifiably violated section 2(b) of the Charter.

Canada (Attorney General) v. Canada (Information Commissioner) (F.C.), [2008] F.C.J. No. 1235 (F.C.) (QL).

Case Report – Ont. C.A. considers pre-trial publicity, jury contamination and the internet’s long memory

On January 26th, a 3-2 majority of the Ontario Court of Appeal held that the mandatory ban on publication of bail proceedings when requested by an accused violates the Charter-protected right to freedom of the press and is not saved by section 1. The majority read down the Criminal Code ban so that it applies only to charges that may be tried by a jury.

All members of the panel agreed that the mandatory ban breached freedom of the press. They also agreed on the purpose of the ban: to ensure a fair trial by promoting expeditious bail hearings, avoiding unnecessary detention and allowing accused to retain scarce resources to defend their cases. The panel members differed, however, on how to apply the Charter‘s saving provision, section 1.

The majority, in judgement written by Madam Justice Feldman, held that the ban was over-broad in its application to charges that may not be tried by a jury. While finding that judges are “professional decision-makers” immune to the influence of pre-trial publication, the majority was not willing to invalidate the legislation as it applied against juries given the conflicting social science evidence on the impact of pre-trial publication on jury decisions. It held that the legislature is entitled to act upon a “reasoned apprehension of harm” in enacting laws based on such disputed domains.

The minority, in a judgement written by Mr. Justice Rosenberg, held that the conflicting evidence was a basis for striking down the ban in whole (with a 12 month suspension). The minority held that the salutary effects of the ban did not outweigh its deleterious effects because the causal connection between pre-trial publicity and jury contamination is weak and speculative.

Both the majority and minority made comments on the internet and the concept of practical obscurity. The majority said:

It is also, in my view, no longer appropriate or realistic to rely on jurors’ faded memories of any pre-trial publicity by the time of the trial as the basis for confidence that they will not remember what they read or heard. Once something has been published, any juror need only “Google” the accused on the Internet to retrieve and review the entire story.

The minority made a similar note:

On the one hand, the salutory effect of any publication ban is undermined by the ease with which the ban can be circumvented. On the other hand, because of the nature of the Internet, information first published at the time of the bail hearing is always accessible, right up to the time of the trial. In other words, the court cannot always simply rely upon the fact that time will have passed from when the information was first published and that this passage of time will lessen any prejudicial effects of the information.

On the whole, perhaps all that can be said about the efficacy of publication bans in the era of mass communication and the Internet is that the salutory and deleterious effects are uncertain.

The concept of practical obscurity is one favoring the maintenance of an individual’s privacy interest despite the disclosure of information because the information can be hard to find or recall.

For more detailed commentary, see the Court’s summary here.

Toronto Star Newspapers v. Canada, 2009 ONCA 59.

Workplace privacy panel notes and case citations attached

I greatly enjoyed sitting on a panel with Professor Avner Levin on workplace privacy today!

Dr. Levin and other members of the Ryerson University Privacy and Cyber Crime Institute at the Ted Rogers School of Management have recently published a leading study on the perceptions of risk of young Canadians engaged in online socializing and how their behaviors meet with the use of online social networks by business for commercial and human resources purposes. Dr. Levin’s work raises some important and difficult questions about whether the law should cause companies who provide social networking platforms that are used predominantly by youth to take greater responsibility for user privacy (and other content-related disputes). I commend it to you.

I did promise to provide a copy of my preparatory notes (most of which we did not touch on) as well as coordinates for some of the cases that came up in discussion. Here are the notes and the cases:

The Johnson v. Bell decision on PIPEDA application and “personal e-mails”
Hooper v. College of Nurses of Ontario on PHIPA application
The Colwell constructive dismissal for privacy breach case
The Cheskes adoption disclosure decision, in which the Ontario Superior Court of Justice said that consensual disclosure is a principle of fundamental justice
The Murphy v. Perger case on the expectation of privacy in information disclosed to Facebook friends
The British Columbia IPC University of British Columbia decision on investigations into employee computer misuse
The Imperial Oil drug testing judicial review

Take care!

Dan

Case Report – Challenge to “lawful access” exemption in privacy legislation dismissed

On January 26th, the Saskatchewan Provincial Court dismissed a Charter challenge to a provision in the Saskatchewan Freedom of Information and Protection of Privacy Act that allows the Saskatchewan government and its agencies to answer law enforcement requests for personal information without obtaining individual consent.

The police identified an IP address of a computer used to share child pornography on the internet and made a warantless request for subscriber records to SaskTel in order to identify the accused as being associated with the computer. SaskTel provided the information without consent based on the exemption in section 29(2)(g) of Saskatchewan FIPPA, a relatively characteristic “lawful access” provision – i.e. one that allows an entity bound by privacy legislation to answer law enforcement requests for personal information. The accused claimed that this permissive provision allowed the police to conduct a search in violation of two Charter rights: (1) the section 7 right not to be deprived of liberty except in accordance with the principles of fundamental justice (on the basis of the provision’s overbreadth and vagueness); and (2) the section 8 right to be free from unreasonable search and seizure.

The Court dismissed both claims with little reasoning. It quoted extensively from the Crown’s factum and held that the accused person’s position was inconsistent with the Supreme Court of Canada’s judgement in R. v. Plant and the Saskatchewan Court of Appeal’s judgement in R. v. Cheung. The Court’s decision will lack authority because the Court did not fully engage in the issues, but it does show that the “lawful access” issue is very live.

R. v. Trapp, 2009 SKPC 5.