PEICA finds no “search” in interviewing a hacker informant

The headline is sensational, but it aptly describes the issue that the Prince Edward Island Court of Appeal recently addressed in R v Molyneaux. The Court held that the police did not conduct a search (governed by section 8 of the Charter) by interviewing an informant about what she saw when she surreptitiously viewed the accused’s phone.

The police charged the accused with child pornography offences. There was a separate dispute about the seizure of images from the accused’s phone, but the Court of Appeal dealt with the informant’s statement alone. The informant attended the police station for an interview, and told the police that she had viewed numerous pornographic pictures of her child when browsing the accused’s phone. The defence argued that the police conducted a search into the phone by conducting this interview. It relied, in part, on cases that have precluded the police from obtaining private information from commercial actors – namely, R. v. Spencer, 2014 SCC 43 and R. v. Orlandis-Habsburgo, 2017 ONCA 649.

The Court rejected the defence argument, explaining:

Society’s conception of the proper relationship between the investigative branches of the state and the individual surely must allow the police to speak to a witness without prior judicial authorization.

I do not believe that the subject matter of the “search” was Molyneaux’s cell phone or the contents thereof. The police were seeking information that might reveal whether or not a crime occurred, and if so, whether or not they should pursue further investigation.  The subject of the search was K.’s memory of what she saw the morning of December 31, 2017.

The Court distinguished Spencer and Orlandis-Habsburgo as matters arising out of the commercial context, in which expectations differ.

R v Molyneaux, 2020 PECA 2 (CanLII).

Ont CA – reasonable expectation of privacy turns on potential for secondary use

The Court of Appeal for Ontario issued a judgement yesterday that highlights the potential for secondary use of collected data as a factor that weighs in favour of privacy protection.

The police swabbed the door handle of a car that was parked in public to test for cocaine residue. The Court found a reasonable expectation of privacy that rendered the search – which was done without judicial authorization – unlawful.

While holding that physical contact with the car was “a factor,” the Court de-emphasized the significance of physical contact with a chattel:

Too narrow a focus on whether there was a trespass to a chattel, and the extent of interference with use of that chattel, could obscure the privacy interests at stake, as here, where the trial judge focused on the fact that the taking of the swabs had no impact on the appellant’s use of the car and was not known to him.

Compare this to the United States Supreme Court finding in United States v Jones, in which a majority held that the trespass committed by police who install a GPS tracking device on a vehicle is the trigger to constitutional privacy protection.

The Court of Appeal for Ontario’s analysis rested more heavily on the potential for using the swab sample for purposes more intrusive than testing for cocaine residue:

These swabs presumably revealed whether the appellant had handled cocaine. I also agree with the observations in Wong, at para. 27, that privacy concerns are heightened because the swabs may also provide DNA samples for analysis by police, even if that is not why they were initially collected, or what they were used for. Patrick concerned police searches of a suspect’s curb-side garbage. Though the police were searching for evidence of drug offences, the potential for collection of DNA was also relevant to the privacy analysis: see para. 30. The court also expressed scepticism of the notion that privacy concerns are diminished because the search was targeted at contraband: see Patrick, at para. 32; see also A.M., at para. 73.

Search methodologies can be so targeted as to become defensible. The Supreme Court of Canada’s Tessling case, for example, suggests that capturing a heat signature emanating from a residence is unobtrusive because it reveals criminal activity in the house – an illegal grow op – and not much else. The majority in Tessling expressly said that a search should not be judged based on “theoretical” secondary uses. In this case, the potential for secondary use was real.

Hat tip to Fred Schumann of Stockwoods.

R. v. Wawrykiewycz, 2020 ONCA 269.

 

Ont CA says bag search unlawful, order $500 in damages

On April 16th, the Court of Appeal for Ontario held that the Toronto Police breached sections 2(b), 8 and 9 of the Charter by enforcing a “condition of entry” to a public park because they were not properly authorized to establish the condition.

The City of Toronto had authorized the police to act as its agents “for the purpose of administering the Trespass to Property Act.” Acting under this authority, the police decided to search bags (and all other things in which weapons could be concealed) possessed by those attending a G20 protest at Allan Gardens. The appellant took issue with the legality of this “condition of entry.” The police restrained him when he refused to comply, searched his bag and confiscated a pair of swim goggles. You can see a video of the altercation here.

The Court of Appeal decision turned on text of the grant of authorization, which the Court held was too narrow given the Trespass to Property Act only provides property owners and occupiers with “a suite of enforcement powers” and not a power to create restrictions on access to property. It said, “The jurisprudence consistently takes a rigorous approach when interpreting the sources of legal authority relied upon by government to encroach upon the liberty of the subject.”

The Court ordered the police to pay $500 in damages. It said the appellant (who drew attention to his fate during the altercation and afterwards) did not establish any reputational or other personal loss. The Court also noted that the police acted in good faith with a view to the safety of the public.

Stewart v Toronto (Police Services Board), 2020 ONCA 255 (CanLII).

NSCA says no expectation of privacy in address information

On January 28th the Nova Scotia Court of Appeal dismissed a privacy breach allegation that was based on a municipality’s admitted disclosure of address information to a related service commission so the service commission could bill for certain statutorily mandated charges. The Court held there was no reasonable expectation of privacy in the information disclosed, reasoning as follows:

Mr. Banfield’s information was not confidential, secret or anonymous. Neither did it offer a glimpse into Mr. Banfield’s intimate, personal or sensitive activities. Nor did it involve the investigation of a potential offence. Rather, it enabled a regulated public utility to invoice Mr. Banfield with rates approved under statutory authority for a legally authorized service that, in fact, Mr. Banfield received.  

Banfield v. Nova Scotia (Utility and Review Board), 2020 NSCA 6 (CanLII).

Jones, Marakah and corporate information systems

There has been significant discussion of the Supreme Court of Canada’s decisions in R v Jones and R v Marakah – cases in which the Court recognized a reasonable expectation of privacy in text messages that police obtained from others. In Jones, the police obtained messages from a telecom company and in Marakah the police obtained messages from a recipient’s phone.

At their broadest, Jones and Marakah are clearer than ever recognition that the Charter protects digital communications although digital communications are not easily controlled or kept secret. Justice Cote said it well in Jones:

Here, as in Spencer and TELUS, the only way to retain control over the subject matter of the search vis-à-vis the service provider was to make no use of its services at all. That choice is not a meaningful one. Focusing on the fact that Mr. Jones relinquished direct control vis-à-vis the service provider is accordingly difficult to reconcile with a purposive approach to s. 8. Canadians are not required to become digital recluses in order to maintain some semblance of privacy in their lives.

 

Recognizing this particular, highly-normative basis for Jones and Marakah is essential to properly understanding what these cases might mean for rights and entitlements of organizations that hold the digital information of others – including employers who hold the digital information of their employees. In contrast to the above statement, the Supreme Court of Canada has already recognized that employees have a meaningful choice as to whether they use a work system for their private dealings . In R v Cole, Justice Fish said the following about employee Cole’s choice:

In this case, the operational realities of Mr. Cole’s workplace weigh both for and against the existence of a reasonable expectation of privacy.  For, because written policy and actual practice permitted Mr. Cole to use his work-issued laptop for personal purposes.  Against, because both policy and technological reality deprived him of exclusive control over — and access to — the personal information he chose to record on it.

Jones and Marakah do not detract from this statement and, if anything, invite the law to develop in a way that gives even greater emphasis to employee choice and its impact on privacy and corporate data security. Corporate data security is all about choosing the right medium – the right tool – for the purpose. Our right as citizens to text without state interference is quite a different thing.

R. v. Jones, 2017 SCC 60 (CanLII).

R. v. Marakah, 2017 SCC 59 (CanLII).

Ont CA majority says no Charter right to text in private

In a case that speaks to the bounds of digital privacy, the Court of Appeal for Ontario recently held that a text message sender has no reasonable expectation of privacy in text messages stored on a recipient’s phone.

Text messaging is a unique form of communication. To text certainly invites the feeling of engaging in a private conversation, but a sender’s texts are received by another person who typically has no duty of confidence and who has exclusive control of the “inbox” in which the texts are invariably left to reside. Like digital messages of all kinds, once sent, a text message is beyond control.

The question for courts in these matters is a normative one – what ought to be treated as private in our society? – so the loss of control over information does not necessarily invalidate a Charter-based privacy claim. Nonetheless, there’s a real practical consequence to the loss of control that Courts must reckon with. If they do not, we risk unduly restricting the free flow of information and free expression. Privacy is always a matter of striking an appropriate balance.

The Court issued its balance-striking judgement about text messaging on July 8th. Justice MacPherson wrote for the majority that denied privacy protection, and held that control was of “central importance” in the context. He wrote:

The facts of this case demonstrate that, unlike in Spencer and Cole, the ability to control access to the information is of central importance to the assessment of the privacy claim. We are not talking about the appellant’s privacy interest in the contents of his own phone, or even the contents of a phone belonging to someone else, but which he occasionally used. We are also not dealing with deeply personal, intimate details going to the appellant’s biographical core. Here, we are talking about text messages on someone else’s phone that reveal no more than what the messages contained – discussions regarding the trafficking of firearms.

This is far from being a question of whether the appellant had “exclusive control” over the content. He had no ability to regulate access and no control over what Winchester (or anyone) did with the contents of Winchester’s phone. The appellant’s request to Winchester that he delete the messages is some indication of his awareness of this fact. Further, his choice over his method of communication created a permanent record over which Winchester exercised control.

It has never been the case that privacy rights are absolute. Not everything we wish to keep confidential is protected under s. 8 of the Charter. In my view, the manner in which one elects to communicate must affect the degree of privacy protection one can reasonably expect.

Justice Laforme dissented – clearly differing from the majority on the importance of control, citing numerous cases in which the loss of control has not precluded the recognition of a Charter-protected privacy interest, stressing that privacy is a normative concept and in general ascribing great value to texting in private.

While the debate between majority and minority about the significance of control and standing to raise section 8 of the Charter is important, the majority and minority do not differ by much in principle. Where they clearly do differ is on the value they ascribe to text messaging. To start with the minority, Justice Laforme says texting is the “modern version of a conversation,” and is nearly romantic about it: “In my view, these private communications are an increasingly central element of the private sphere that must be protected under s. 8.”  Justice MacPherson, in contrast, has no interest in constitutionalizing texting. In a humorous and effective appeal to authority, he links to the Ontario health and physical education curriculum, under which we teach 12-year-olds across the province, “If you do not want someone else to know about something, you should not write about it or post it.” This, of course, dovetails with Justice MacPherson’s important point about electing how to communicate. To people older than 12, we typically say something like, “You want privacy, pick up the phone.”

R. v. Marakah, 2016 ONCA 542 (CanLII).

BCCA affirms its position on text message privacy

On April 11th, the Court of Appeal for British Columbia held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform.

The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned:

While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. I will discuss this further below. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. In my view, the analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent.

In then end, the Court found a breach of section 8 but held the evidence was admissible after conducting its section 24(2) analysis.

The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article.

R v Craig, 2016 BCCA 154 (CanLII).

 

 

USB key treated as a private receptacle by labour tribunal – but why?

On March 29th the Grievance Settlement Board (Ontario) held that a government employer did not breach its collective agreement or the Charter by examining a USB key that it found in the workplace.

They key belonged to an employee who used it to store over 1000 files, some of which were work-related and allegedly confidential and sensitive. Remarkably, the employee also stored sensitive personal information on the key, including passport applications for his two children and a list of his login credentials and passwords. The key was not password protected and not marked in any way that would identify it as belonging to the employee.

The employee lost the key in the workplace. The employer found it. An HR employee inserted they key in her computer to read its contents. She identified the key as possibly belonging to the employee. She gave the key to the employee’s manager, who inserted it in his computer on several occasions. The manager identified that the key contained confidential and sensitive information belonging to the employer. The manager then ordered a forensic investigation. The investigation led to the discovery of a draft of an e-mail that disparaged the manager and had earlier been distributed from an anonymous e-mail account.

The GSB held that the employee had a reasonable expectation of privacy – one so limited as not to be as “pronounced” as the expectation recognized in R v Cole. The GSB also held, however, that the employer acted with lawful authority and reasonably. The reasonableness analysis contains some helpful statements for employers, most notably the following statement on the examination of “mixed-use receptacles” (my words):

The Association argues that the search conducted by Mr. Tee was “speculative” and constituted “rummaging around” on the USB key. It asserts that if Mr. Tee had been interested in finding files which might contain government data, he would have or should have searched directories which appeared to be work related, such as EPS, TPAS or CR. I do not find this a persuasive argument. As noted in R. v. Vu, in discussing whether search warrants issued in relation to computers should set out detailed conditions under which the search might be carried out, such an approach does not reflect the reality of computers: see paras. 57 and 58. Given the ease with which files can be misfiled or hidden on a computer, it is difficult to predict where a file relevant to an inquiry will be found. It may be filed within a directory bearing a related name, but if the intention is in fact to hide the file it is unlikely that it will be. Further, the type of file, as identified by the filename extension, is not a guarantee of contents. A photograph, for example can be embedded in a Word document. Provided that the Employer had reasonable cause to view the contents of the USB key in the first place (as I have found there was in this case), an employee who uses the same key for both personal and work related purposes creates and thereby assumes the risk that some of their personal documents may be viewed in the course of an otherwise legitimate search by the employer for work related files or documents.

I learned about this case shortly before it was decided and remarked that it was quite bizarre. I couldn’t fathom why anyone would be so utterly irresponsible to store such sensitive information on a USB key. This is one reason why I’m critical of this decision, which treats this employee’s careless information handling practice as something worthy of protection. The other reason I’m critical of  this decision is that it suggests the expectation of privacy recognized in Cole is higher than contemplated by the Supreme Court of Canada – which remarked that Richard Cole’s expectation of privacy was not “entirely eliminated” by the operational realities of the workplace. Not all of our dealings with information demand privacy protection, and in my view we need to make the reasonable expectation of privacy threshold a real, meaningful threshold so management can exercise its rights without unwarranted scrutiny and litigation.

I also should say that it’s very bad to stick USB keys found lying around (even in the workplace) into work computers (or home computers), at least without being very careful about the malware risk. That’s another reason why USB keys are evil.

Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v Ontario (Government and Consumer Services), 2016 CanLII 17002 (ON GSB).

SCC says the voluntary identification of an anonymous internet user is unlawful

Last Friday’s Supreme Court of Canada’s decision in R v Spencer renders it unlawful for a telecommunications service provider (or any other commercial actor) to voluntarily identify an anonymous internet user to help the police investigate crime.

Spencer is about the means by which police have investigated the trading of child pornography on the internet – i.e., by identifying objectionable online activity that is associated with an IP address and by asking the service provider who assigned the IP address for “subscriber information” that identifies the holder of the account to which the IP address was assigned. This legality of this means of investigation – enabled by service provider cooperation – has been heavily litigated; in 2012, the Court of Appeal for Ontario held that the police do not breach section 8 of the Charter by obtaining the identity of an anonymous internet user without judicial authorization because such a user has no reasonable expectation of privacy.

The Supreme Court of Canada has now unanimously reached the opposite conclusion. The Court stayed true to the case law that establishes that the protection afforded by section 8 of the Charter should not be debased by framing the activity that the proponent seeks to protect as criminal and therefore unworthy of protection. Although the police may have an entirely legitimate interest in pursuing criminal activity that we all can observe on the open internet, the issue according to the Court was (more neutrally) whether “people generally” have a right to use the internet anonymously.

The Court said “yes” and, in doing so, offered some principled support for online anonymity. It also said that the service provider’s contractual terms and the provision of the Personal Information Protection and Electronic Documents Act that allows for voluntary disclosures to law enforcement were both too ambiguous to weigh against a reasonable expectation of privacy finding.

The Court then held that police requests for subscriber information are not reasonable because they are not  “authorized by law.” Notably, the Court did not consider whether the search was authorized by the common law nor did it consider the interplay between section 8 of the Charter and the common law constraint on police action, which a majority of Court said is less constraining than section 8 in R v Kang-Brown (see para 56). To the contrary, the Court’s decision in Spencer appears to be heavily driven by the proposition that the police only have the power to ask questions “relating to matters that are not subject to a reasonable expectation of privacy.”

Spencer is a very significant decision on the reasonable expectation of privacy concept, internet anonymity and police powers.

R v Spencer, 2014 SCC 43 (CanLII).

No reasonable expectation of privacy in bad breath

On January 7th, the Ontario Superior Court of Justice overturned a trial decision that had recognized a Charter-protected expectation of privacy in the odour emanating from one’s breath. A doctor who had treated the accused following a motor vehicle accident told a police officer that the accused’s breath smelled of alcohol, following which the police obtained an warrant to seize a blood sample. The Court also noted that the doctor was not acting as a state agent in making his observation and reporting to the police.

R v Maureen Daly, 2014 ONSC 115 (CanLII).