Canadian Court Affirms Citizens Still Have An Expectation Of Privacy In Devices Being Repaired By Third Parties
from the smallish-bulwark-against-tyranny dept
A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant's computer. This info was handed over to the police who obtained a "general warrant" to image the hard drive to scour it for incriminating evidence.
Yes, "general warrants" are still a thing in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days, but there's still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) "General warrants" are something the government uses when the law doesn't specifically grant permission for what it would like to do:
A provincial court judge, a judge of a superior court of criminal jurisdiction or a judge as defined in section 552 may issue a warrant in writing authorizing a peace officer to, subject to this section, use any device or investigative technique or procedure or do any thing described in the warrant that would, if not authorized, constitute an unreasonable search or seizure in respect of a person or a person’s property if
(a) the judge is satisfied by information on oath in writing that there are reasonable grounds to believe that an offence against this or any other Act of Parliament has been or will be committed and that information concerning the offence will be obtained through the use of the technique, procedure or device or the doing of the thing;
(b) the judge is satisfied that it is in the best interests of the administration of justice to issue the warrant; and
(c) there is no other provision in this or any other Act of Parliament that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done.
The appellant's challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn't deprive the device's owner of an expectation of privacy.
In our view, the appellant had standing to argue a violation of his section 8 Charter right to be free from unreasonable search. The Crown concedes that the appellant maintained a reasonable expectation of privacy in the data stored on the computer even after delivery of his computer to the repair shop. Privacy is not an all-or-nothing concept. Allowing a technician to have physical access to the computer for the purpose of carrying out repairs does not amount to a waiver of the appellant’s strong expectation of privacy vis-à-vis third parties such as the police. While the appellant’s expectation of privacy was diminished to the extent that he could reasonably expect the repair technician to examine files on the computer in the course of the repairs, this operational reality does not deprive the appellant of standing to bring a claim under section 8 of the Charter.
Standing helps, but ultimately didn't help the appellant here. The court decides the failure to obtain the proper warrant is indeed a violation, but one not severe enough to trigger suppression of the evidence.
The failure to obtain an ordinary search warrant resulted in, at worst, a technical breach of the appellant’s section 8 Charter rights. There was prior judicial authorization for the search even though it was obtained pursuant to the wrong section of the Criminal Code. A general warrant requires reasonable and probable grounds to believe an offence has been committed, and reasonable and probable grounds to believe the search will reveal evidence of an offence – the same standard a judge would have applied with a traditional search warrant under section 487 of the Code.
The court goes on to note the failure to follow proper procedures when obtaining the warrant (ultimately the wrong sort of warrant) was negligent. It was anything but a "trivial" breach of protocol. Even if the officer's inexperience resulted in erroneous actions, the violation is severe enough for the court to take note of. But this negligence isn't enough to overcome the inevitable outcome of the search, in the court's opinion.
In this case, however, the causal link between the forensic search of the computer’s files and the violation of section 489.1 is very weak. Again, there is no reason to believe that the search of the computer’s files would have unfolded any differently if the officer who seized his computer had complied with section 489.1. On this record, any justice would have authorized the initial police detention of the computer, giving the police three months in which to seek a search warrant. There was no copying of the computer’s hard drive prior to the police obtaining a general warrant, which occurred within that three-month period. While the search of the computer’s files undoubtedly had a very significant impact on the appellant’s privacy interests, the police had sought and obtained judicial authorization prior to conducting the initial search, i.e., the forensic imaging. Although the effects of the breach were not trivial, we would not describe the impact on the appellant’s Charter-protected interest, as being particularly serious…
So, while this didn't end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government's concession that this privacy expectation exists. Hopefully, this will help deter violations -- erroneous or not -- in the future.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: canada, general warrant, privacy, repairs, third parties
Reader Comments
Subscribe: RSS
View by: Time | Thread
How is it going to deter anything when the court basically said "You shouldn't have done this, but since you did, we'll allow it."?
Also, I can't help wondering if the outcome would have been the same if he'd bee accused of anything else other than possession of child porn. When CP is involved, it seems there's no legal violation by police that the courts won't turn a blind to.
[ link to this | view in chronology ]
Re: And you wish that would?
A court has looked at this quite closely and found only a technical violation. Do you even understand the "inevitable outcome" phrase?
[ link to this | view in chronology ]
Re: Re: And you wish that would?
I don't. If it's inevitable, why not skip the warrant and convict them?
[ link to this | view in chronology ]
Letting bad people walk
It's a failure of the system that protection of the people's rights often mean someone who did something terrible is acquitted, which is the situation that leads to judges giving overreaching investigators and law enforcement a pass.
Rather, the Supreme Court ruled that if a crime is bad enough, catching the criminal at any cost is justified (that is, evidence of such crimes cannot be suppressed), so they've clarified that the legal system serves not the public but corporate and aristocratic interests, especially since they felt possession was severe enough a crime.
Also the problem of making given crimes (or categories of crimes) justification to violate civil rights is that all crimes become related to that crime. Much that all traffic stops are now drug-related to justify asset forfeiture, they'll also be child-porn related to justify unreasonable search.
[ link to this | view in chronology ]
This started my career
A few days later we were being sued by the owner of the PC for snooping around his system. The forensic analysts saved us from that be showing proof that his screen saver was set up to display that at a date before he brought in the system. This event inspired me to pursue a degree in digital forensics which I just completed spring 2018.
[ link to this | view in chronology ]
Re: This started my career
[ link to this | view in chronology ]
Re: Re: This started my career
You did the right thing, NeghVar.
[ link to this | view in chronology ]
Re: This started my career
I know in this rare case, the idiot had a screen saver on and the dumb thing was linked to his CP. So the computer its self, turned him in. So it's completely different fro most cases like this.
After all these cases, you really have to be an IDIOT to bring your computer anywhere that has anything criminal on it to get fixed.
[ link to this | view in chronology ]
Re: Re: This started my career
https://www.techlicious.com/blog/geek-squad-searching-your-computer/
[ link to this | view in chronology ]
Bringing your computer in.
That's the problem. It's almost certain you have criminal evidence on your computer, if you've been using it for long enough. Even computers used exclusively for business. Especially computers used exclusively for business.
[ link to this | view in chronology ]
How the US gets around this...
Looks like we're going to see similar for anyone working on electronics.
[ link to this | view in chronology ]
Re: How the US gets around this...
What exactly is the legal obstacle that you construe people in law are "getting around", and shouldn't?
[ link to this | view in chronology ]
Client--Technician privilege?
It's a problem that goes both ways.
A doctor who treats a teenager for an STI from illegal sex can retain docter-patient privilege in order to inform the adult partner about it. (and vice versa, if the adult has the STI and a teen partner.) Without that, patients are incentivized not to be forthcoming with their doctors and let the infections spread among the population in order to protect themselves.
On the other hand, mandated reporting for incidents of child abuse (or child sexual abuse) also means professionals can't promise to not disclose family problems if they reveal that someone is in imminent danger. The same with people who are immanently suicidal.
But then again, this means that patients aware of mandated reporting laws are disinclined to talk about any danger they are in, if it means they or someone close to them might be threatened by law enforcement.
It's gotten worse since the age of mobile cameras and the rise of awareness of police brutality. In my community, the threat of mandatory reporting is regarded as nothing short of a death threat by patients. Law enforcement is notorious for gunning down crazy people who cannot follow explicit instructions.
As a result our patients often go silent when they are most in need of contact, therapy and treatment, since a triggered mandate either puts the professional at risk of losing their license or the patient of being slain in their tracks (or at very least losing their liberty and being drugged by medical personnel unfamiliar with their case -- a nightmare scenario of its own)
But that's medical issues.
With tech, the problem is that no matter who you are, something can be found in your system that will incriminate you. The question is if it's worth searching your system for whatever it is. Generally if the Department of Justice thinks you are a bad guy, typical policy is to arrest you first and figure out what data of yours will get you the longest prison sentence with the least amount of effort.
Generally, reporting is bad for the tech firm (as no-one wants to go to a tech company that will turn them in for any reason) but, as the Geek Squad thing shows, tempting for the individual technicians.
Mandated reporting and privacy protections would create a standard about what kinds of evident data warrants law-enforcement intervention, and what doesn't. (Lolicon -- that is drawn cartoon depictions of pre-teen sex popular in Japan -- is criminal in Canada and much of the US. Should lolicon be reported?)
But I doubt we could get a consistent group to agree on what those standards should be, especially since there are big personal incentives for convictions. Essentially (I think) one shouldn't send private drives to data recovery services if they're going to report you for any reason. Police in the United States cannot be trusted to investigate or respond to crime.
[ link to this | view in chronology ]
Re: Client--Technician privilege?
In the real world, people don't know enough to maintain their own computers and it's impossible for them to "remove the evidence" before taking it into the shop if the drive is already broken.
On the third hand, there aren't that many crimes (yet) that require mandatory reporting, and a computer tech isn't likely to recognize many types crimes hidden in people's data.
I strongly suspect most techs don't poke around trying to discover CP, they poke around trying to discover porn in general for their own amusement, or see preview thumbnails while doing normal reviews of file and directory structure after a data recovery from a drive failure.
[ link to this | view in chronology ]
Replacing hard drives
With the rise of cheap external drives replacing data drives (including porn stashes) should be much less of a problem. Granted, when I've done tech support work, it was often for technophobes who couldn't understand system components.
[ link to this | view in chronology ]
Re: How the US gets around this...
[ link to this | view in chronology ]
Re: Re: How the US gets around this...
Really how does looking through pictures fix anything? it doesn't, it's snooping. The perfect people for the police to pay to snoop through the systems of people's computers they're fixing.
[ link to this | view in chronology ]
Re: Re: Re: How the US gets around this...
[ link to this | view in chronology ]
Paying people to snoop.
I think people naturally snoop.
I don't think people naturally turn their snooped findings to law enforcement, since doing so means admitting you were snooping.
Hence the cash incentives.
See something? Say something!
Don't see anything? Look harder!
[ link to this | view in chronology ]
Re: How the US gets around this...
[ link to this | view in chronology ]
In-house tech pools
In large companies that have their own tech-pool to recover data for them, it's probably a really bad idea to report any kind of data that might serve as biographical leverage, whether child porn or slush fund accounts.
If it's from upper management, no-one will go to jail, but you'll never work again in the same field.
Now Geek Squad is known to report data to law enforcement for any reason as a means of personal revenue enhancement (the police pay them as informants). But generally, that means I'd avoid going to Geek Squad for data recovery, given they are actively looking for something to bust me for.
Generally, I want data recovery from a company that will respect my privacy, since even if I think I have nothing to hide we know that they'll make excuses to ruin my life just because I have opinions that are perpendicular to theirs.
[ link to this | view in chronology ]
ONE DAY after "Stone" defended Techdirt from charge that want
those downloading child pornography to escape justice, HERE'S THIS exactly proving the charge.
Your "quote and contradict" method isn't going to make the charge go away, kids, so long as keep running such items as though it's an outrage by police against all civil procedure.
[ link to this | view in chronology ]
Re: ONE DAY after "Stone" defended Techdirt from charge that want
If a serious criminal went free because law enforcement couldn't bother to follow the law then the fault lais not with reporters pointing out the error but rather with law enforcement who didn't do it right. We should be demanding explanation from law enforcement when said criminal acts again because it's THEIR fault he/she is not in jail.
Stop blaming your own goddamn rights for law enforcement mistakes.
[ link to this | view in chronology ]
Re: ONE DAY after "Stone" defended Techdirt from charge that want
If you decide to try again, could you perhaps comment with an eye towards making sure that people can understand what you're referring to?
[ link to this | view in chronology ]
Re: Re: ONE DAY after "Stone" defended Techdirt from charge that want
[ link to this | view in chronology ]
Re: Spam marketing in comments
[ link to this | view in chronology ]
Re: BG/SBLC FOR LEASE AND SALE WITH MONETIZING
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Add 'inevitable discovery' to that list, where police can demand a device be unlocked because obviously they know what's on it, and therefore forcing the accused to provide potentially incriminating evidence isn't actually forcing them to provide potentially incriminating evidence that can be used against them.
[ link to this | view in chronology ]