BCCA affirms its position on text message privacy

On April 11th, the Court of Appeal for British Columbia held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform.

The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned:

While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. I will discuss this further below. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. In my view, the analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent.

In then end, the Court found a breach of section 8 but held the evidence was admissible after conducting its section 24(2) analysis.

The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article.

R v Craig, 2016 BCCA 154 (CanLII).

 

 

USB key treated as a private receptacle by labour tribunal – but why?

On March 29th the Grievance Settlement Board (Ontario) held that a government employer did not breach its collective agreement or the Charter by examining a USB key that it found in the workplace.

They key belonged to an employee who used it to store over 1000 files, some of which were work-related and allegedly confidential and sensitive. Remarkably, the employee also stored sensitive personal information on the key, including passport applications for his two children and a list of his login credentials and passwords. The key was not password protected and not marked in any way that would identify it as belonging to the employee.

The employee lost the key in the workplace. The employer found it. An HR employee inserted they key in her computer to read its contents. She identified the key as possibly belonging to the employee. She gave the key to the employee’s manager, who inserted it in his computer on several occasions. The manager identified that the key contained confidential and sensitive information belonging to the employer. The manager then ordered a forensic investigation. The investigation led to the discovery of a draft of an e-mail that disparaged the manager and had earlier been distributed from an anonymous e-mail account.

The GSB held that the employee had a reasonable expectation of privacy – one so limited as not to be as “pronounced” as the expectation recognized in R v Cole. The GSB also held, however, that the employer acted with lawful authority and reasonably. The reasonableness analysis contains some helpful statements for employers, most notably the following statement on the examination of “mixed-use receptacles” (my words):

The Association argues that the search conducted by Mr. Tee was “speculative” and constituted “rummaging around” on the USB key. It asserts that if Mr. Tee had been interested in finding files which might contain government data, he would have or should have searched directories which appeared to be work related, such as EPS, TPAS or CR. I do not find this a persuasive argument. As noted in R. v. Vu, in discussing whether search warrants issued in relation to computers should set out detailed conditions under which the search might be carried out, such an approach does not reflect the reality of computers: see paras. 57 and 58. Given the ease with which files can be misfiled or hidden on a computer, it is difficult to predict where a file relevant to an inquiry will be found. It may be filed within a directory bearing a related name, but if the intention is in fact to hide the file it is unlikely that it will be. Further, the type of file, as identified by the filename extension, is not a guarantee of contents. A photograph, for example can be embedded in a Word document. Provided that the Employer had reasonable cause to view the contents of the USB key in the first place (as I have found there was in this case), an employee who uses the same key for both personal and work related purposes creates and thereby assumes the risk that some of their personal documents may be viewed in the course of an otherwise legitimate search by the employer for work related files or documents.

I learned about this case shortly before it was decided and remarked that it was quite bizarre. I couldn’t fathom why anyone would be so utterly irresponsible to store such sensitive information on a USB key. This is one reason why I’m critical of this decision, which treats this employee’s careless information handling practice as something worthy of protection. The other reason I’m critical of  this decision is that it suggests the expectation of privacy recognized in Cole is higher than contemplated by the Supreme Court of Canada – which remarked that Richard Cole’s expectation of privacy was not “entirely eliminated” by the operational realities of the workplace. Not all of our dealings with information demand privacy protection, and in my view we need to make the reasonable expectation of privacy threshold a real, meaningful threshold so management can exercise its rights without unwarranted scrutiny and litigation.

I also should say that it’s very bad to stick USB keys found lying around (even in the workplace) into work computers (or home computers), at least without being very careful about the malware risk. That’s another reason why USB keys are evil.

Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v Ontario (Government and Consumer Services), 2016 CanLII 17002 (ON GSB).

SCC says the voluntary identification of an anonymous internet user is unlawful

Last Friday’s Supreme Court of Canada’s decision in R v Spencer renders it unlawful for a telecommunications service provider (or any other commercial actor) to voluntarily identify an anonymous internet user to help the police investigate crime.

Spencer is about the means by which police have investigated the trading of child pornography on the internet – i.e., by identifying objectionable online activity that is associated with an IP address and by asking the service provider who assigned the IP address for “subscriber information” that identifies the holder of the account to which the IP address was assigned. This legality of this means of investigation – enabled by service provider cooperation – has been heavily litigated; in 2012, the Court of Appeal for Ontario held that the police do not breach section 8 of the Charter by obtaining the identity of an anonymous internet user without judicial authorization because such a user has no reasonable expectation of privacy.

The Supreme Court of Canada has now unanimously reached the opposite conclusion. The Court stayed true to the case law that establishes that the protection afforded by section 8 of the Charter should not be debased by framing the activity that the proponent seeks to protect as criminal and therefore unworthy of protection. Although the police may have an entirely legitimate interest in pursuing criminal activity that we all can observe on the open internet, the issue according to the Court was (more neutrally) whether “people generally” have a right to use the internet anonymously.

The Court said “yes” and, in doing so, offered some principled support for online anonymity. It also said that the service provider’s contractual terms and the provision of the Personal Information Protection and Electronic Documents Act that allows for voluntary disclosures to law enforcement were both too ambiguous to weigh against a reasonable expectation of privacy finding.

The Court then held that police requests for subscriber information are not reasonable because they are not  “authorized by law.” Notably, the Court did not consider whether the search was authorized by the common law nor did it consider the interplay between section 8 of the Charter and the common law constraint on police action, which a majority of Court said is less constraining than section 8 in R v Kang-Brown (see para 56). To the contrary, the Court’s decision in Spencer appears to be heavily driven by the proposition that the police only have the power to ask questions “relating to matters that are not subject to a reasonable expectation of privacy.”

Spencer is a very significant decision on the reasonable expectation of privacy concept, internet anonymity and police powers.

R v Spencer, 2014 SCC 43 (CanLII).

No reasonable expectation of privacy in bad breath

On January 7th, the Ontario Superior Court of Justice overturned a trial decision that had recognized a Charter-protected expectation of privacy in the odour emanating from one’s breath. A doctor who had treated the accused following a motor vehicle accident told a police officer that the accused’s breath smelled of alcohol, following which the police obtained an warrant to seize a blood sample. The Court also noted that the doctor was not acting as a state agent in making his observation and reporting to the police.

R v Maureen Daly, 2014 ONSC 115 (CanLII).

SCC addresses the line between hunch and suspicion

The Supreme Court of Canada issued two decisions today that attempt to define the “reasonable suspicion” standard – a relaxed standard that allows for searches in the absence of prior judicial authorization in certain investigative contexts, including sniffer dog searches and school searches, for example.

The more principled of the two decisions is R v Chehil, which involves a sniffer dog search at an airport that the police conducted after determining that the accused fit the profile of a drug carrier: (1) he was traveling on a one-way plane ticket; (2) his flight originated in Vancouver; (3) he was traveling alone; (4) he purchased his ticket with cash; (5) his ticket was the last one purchased before the flight departed; (6) he checked one piece of luggage; (7) his flight was overnight; (8) his flight took place mid- to late-week; and (9) he flew on a WestJet flight. These factors, based on their training and experience, led the police to form a suspicion that the Court unanimously held was reasonable.

Justice Karakatsanis wrote the decision in Chehil. She held that the existence of a reasonable suspicion must be assessed against the totality of the circumstances. The police must assess all the objective factors that weigh for and against the possibility of criminal behavior and may have a reasonable suspicion even if the factors (each on their own or together) could support an innocent explanation.

Though the ratio of Chehil is therefore permissive, Justice Karakatsanis does state that the police must be subject to “rigorous judicial scrutiny”:

The constellation of facts must be based in the evidence, tied to the individual, and capable of supporting a logical inference of criminal behaviour. If the link between the constellation and criminality cannot be established by way of a logical inference, the Crown must lead evidence to connect the circumstances to criminality. This evidence may be empirical or statistical, or it may be based upon the investigating officer’s training and experience.

Evidence of police training and experience was a prominent feature of the dialogue in R v MacKenzie, a case in which the Court split five to four in affirming a police search.

MacKenzie is about a sniffer dog search that the police executed after conducting a highway traffic stop. The factors at issue were about guilty appearance and demeanor and more equivocal than in Chehil: the accused slowed down and pulled over upon sight of the police; he was nervous when confronted, he was sweating (on a warm day); he was breathing rapidly; he had pinkish eyes; he was driving west to east; he corrected an initial response given about travel dates. The police evidence about the probity of the factors was also more qualified; the police testified that the factors were associated with drug carrying, but not strongly.

The majority and minority in MacKenzie differ on how much weight to give a police opinion that is based on training and experience. Both accept that police opinions based on training and experience should be considered in assessing the probity of the factors. Justice Moldaver (for the majority) says that deference is not “necessarily owed to a police officer’s view of the circumstances” but that that police should be “allowed to carry out their duties without undue skepticism.” Justice LeBel (for the minority) says quite clearly that the police are owed no deference.

R v Chehil, 2013 SCC 49 (CanLII).

R v MacKenzie, 2013 SCC 50 (CanLII).

Voluntary bank disclosure to police lawful

On August 7th, Justice Fuerst of the Ontario Superior Court of Justice held that the police did not breach an individual’s reasonable expectation of privacy by receiving information from two banks and using the information to obtain restraint orders.

The judgement is notable for the Court’s recognition of the banks’ legitimate interest in providing voluntary assistance to the police. Justice Fuerst said:

The bank was directly implicated in allegations of money-laundering. It had a legitimate interest in preventing the criminal misuse of its services, particularly in circumstances where accounts associated to the applicant were alleged to be offence-related property subject to forfeiture.

Disclosing personal information to the police (within certain parameters) is permitted by section sections 7(3)(c.1) and 7(3)(d) of the Personal Information Protection and Electronic Documents Act, which Justice Fuerst noted in her reasonable expectation of privacy analysis. Section 7(3)(d) authorizes disclosures initiated by commercial organizations. Notably, Justice Fuerst held that section 7(3)(d) allows for some two-way dialogue between the disclosing organization and the police: “It is unreasonable to interpret s. 7(3)(d) so narrowly that police officers to whom information is given by organizations like banks about possible criminal activity can do no more than passively receive it and are prevented from asking for specifics or details necessary to take steps in response.”

R v Kenneth James, 2013 ONSC 5085 (CanLII).

Government’s collection of census information does not breach Charter

On May 2nd, the Court of Appeal for Saskatchewan held that the federal government does not breach section 8 of the Charter by collecting census information under threat of prosecution.

The Court held that the collection does not interfere with a reasonable expectation of privacy given the context in which the (admittedly sensitive) information is collected – a context that includes statutory assurances of limited use and confidentiality. It explained:

Thus , the question is not whether Ms. Finley had an expectation of privacy or even a reasonable expectation of privacy in dictionary terms. The question must be linked to the overall context of the case. In this case, the question must be cast in these terms: whether a reasonable person would expect to have privacy in the information requested by the 2006 Long Form Census, which the government wishes to collect exclusively for statistical purposes to aid it in implementing sound and effective public policy, with no criminal or quasi – criminal repercussions flowing from the disclosure of such information, and with the specific information collected being ultimately generalized and “delinked” from the individuals being required to so disclose. The trial judge answered this critical question negatively and the summary conviction appeal court judge found no error of law, mixed fact and law or fact in her conclusion.

The Court did not address an argument by the Crown that section 8 is not engaged by merely asking someone to provide information, an argument rejected in each of the two lower court decisions that led to the appeal.

R v Finlay, 2013 SKCA 47.

Child porn files seized from work computer admissible

On March 6th, the British Columbia Court of Appeal held that an accused’s section 8 Charter rights were violated when his work computer was seized by the police without a warrant but allowed the admission of evidence from the computer because it would not bring the administration of justice into disrepute.

The case illustrates that the standard for finding an objective reasonable expectation of privacy on a work computer following the Supreme Court of Canada’s decision in R v Cole is very low. While the record in Cole weighed particularly in favor of  an expectation of privacy finding, in this more recent case, the were no special facts. The employee (a school principal), for example, only used his work computer for browsing the internet. The Court nonetheless recognized a Charter-protected privacy interest.

Unfortunately, as in Cole, the record in this case did not appear to support any discussion of whether the computer was networked or the impact of the employer’s control over its network.

For an essay on what Cole means for employers, click here.

R v McNeice, 2013 BCCA 98 (CanLII).

 

 

Ontario CA on computer searches – broad access and targeted searches endorsed

Yesterday the Ontario Court of Appeal issued a judgment in which it held the police violated section 8 of the Charter by proceeding with a lawfully authorized search of a personal computer after finding evidence of a crime that was not within the scope of authorization.

The police were granted a warrant that permitted the search of a computer to find evidence of fraud. In the course of searching the computer for such evidence, they found images believed to be of child pornography. After seeking legal advice, the police continued and found videos believed to be of child pornography.

The accused brought a Charter application. One issue was whether the broad authorization to search the computer (without date or file type limitations) was reasonable. Another was whether, having found the images, the police should have stopped to obtain a second warrant.

On the scope of the warrant, Justice Blair accepted arguments by the Crown about the need for a forgiving rule because of the challenges in conducting a computer search. He said that “the language used to authorize computer searches may need to be relatively broad in order to cope with the practical realities of an ever-changing and developing age of technology” and held the warrant at issue was reasonable on its face because it precisely defined the kind of evidence to be sought (i.e., evidence of fraud).

Significantly, Justice Blair suggested that the need to authorize access in broad terms justifies the imposition of a duty to search with care. The following are the most relevant passages:

Thus, authorizing a search of the contents of a computer is not unlike authorizing a search of another “place” or of a more expansive search of the same “place.” There seems to me to be no reason in principle why the state should be any more entitled to roam around through the contents of a person’s computer in an indiscriminate fashion than it would be to do so in a person’s home without further authorization.

The police have available to them the necessary software, technology and expertise to enable them to tailor their searches in a fashion that will generate the information they seek, if it exists, while at the same time minimizing the intrusion on the computer user’s privacy rights in other information stored on the computer. Sergeant Rumnyak testified that the EnCase software used in this case permits the police to view all data and all files contained on the computer but that the police do not normally look at all files in the course of an investigation; they focus on those they think will generate the evidence they are looking for. That is as it should be.

Consistent with this protective view, Justice Blair held that the police may seize incriminating evidence that is beyond the scope of a warrant if it is found, but must stop and obtain a warrant before continuing search for additional incriminating evidence. He therefore held that the police violated section 8 by failing to stop upon finding the accused’s incriminating pictures. According to Justice Blair, they should have sought a warrant.

On first read, it seems like the suggested duty to conduct a targeted search (my words) creates a good basis for scrutinizing computer searches and is likely to put significant pressure on law enforcement to undertake a logical, minimally intrusive search. I’m also curious whether the search process is as tidy as the summary of evidence above makes it seem.

R. v. Jones, 2011 ONCA 632.

Question of Remedy for Privilege Breach Back to Securities Commission in Knowledge House Affair

On Thursday, the Nova Scotia Court of Appeal issued a judgement about the Knowledge House affair, which has become as notable for the handling of an e-mail server containing solicitor-client communications as for the securities law issues at its heart.

In 2005, Justice Scanlan issued a scathing judgement in which he rejected an argument that certain individuals had waived privilege by sending communications over a company-owned server. In the result, he ordered removal of counsel who had seized the server and reviewed e-mails in prosecuting a civil claim on behalf of National Bank Financial Limited.

The Nova Scotia Securities Commission obtained privileged communications from NBFL and allegedly reviewed them in aide of its investigation. The Court of Appeal dealt with the affected persons’ quest for a remedy against the Commission in 2006. Justice Cromwell (as he then was) held that the affected persons’ application for certiorari was premature, but said the Commission should take “serious and immediate steps” to do right. The Commission did not respond to the Court’s suggestion by initiating proceedings to resolve the privilege issue. Instead, it issued formal allegations. The affected persons then moved before the Commission for a remedy. In June 2010, after numerous intervening proceedings, the Commission held that the privilege breach issue should not be bifucated and dealt with in advance of the merits of the Commission’s allegations.

Thursday’s decision is strictly procedural. Though it recognized that the hanging investigation and privilege question has been “stressful and costly” for the affected persons, the Court held that the delay in hearing the request to remedy the privilege breach was understandable and that the request for a remedy could be dealt with by way of a voire dire at the commencement of the hearing of the Commission’s allegations. It upheld the Commission’s decision.

Wadden v. Nova Scotia (Attorney General), 2011 NSCA 55.