Canadian Court Affirms Citizens Still Have An Expectation Of Privacy In Devices Being Repaired By Third Parties

from the smallish-bulwark-against-tyranny dept

A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant’s computer. This info was handed over to the police who obtained a “general warrant” to image the hard drive to scour it for incriminating evidence.

Yes, “general warrants” are still a thing in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days, but there’s still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) “General warrants” are something the government uses when the law doesn’t specifically grant permission for what it would like to do:

A provincial court judge, a judge of a superior court of criminal jurisdiction or a judge as defined in section 552 may issue a warrant in writing authorizing a peace officer to, subject to this section, use any device or investigative technique or procedure or do any thing described in the warrant that would, if not authorized, constitute an unreasonable search or seizure in respect of a person or a person’s property if

(a) the judge is satisfied by information on oath in writing that there are reasonable grounds to believe that an offence against this or any other Act of Parliament has been or will be committed and that information concerning the offence will be obtained through the use of the technique, procedure or device or the doing of the thing;

(b) the judge is satisfied that it is in the best interests of the administration of justice to issue the warrant; and

(c) there is no other provision in this or any other Act of Parliament that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done.

The appellant’s challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn’t deprive the device’s owner of an expectation of privacy.

In our view, the appellant had standing to argue a violation of his section 8 Charter right to be free from unreasonable search. The Crown concedes that the appellant maintained a reasonable expectation of privacy in the data stored on the computer even after delivery of his computer to the repair shop. Privacy is not an all-or-nothing concept. Allowing a technician to have physical access to the computer for the purpose of carrying out repairs does not amount to a waiver of the appellant’s strong expectation of privacy vis-à-vis third parties such as the police. While the appellant’s expectation of privacy was diminished to the extent that he could reasonably expect the repair technician to examine files on the computer in the course of the repairs, this operational reality does not deprive the appellant of standing to bring a claim under section 8 of the Charter.

Standing helps, but ultimately didn’t help the appellant here. The court decides the failure to obtain the proper warrant is indeed a violation, but one not severe enough to trigger suppression of the evidence.

The failure to obtain an ordinary search warrant resulted in, at worst, a technical breach of the appellant’s section 8 Charter rights. There was prior judicial authorization for the search even though it was obtained pursuant to the wrong section of the Criminal Code. A general warrant requires reasonable and probable grounds to believe an offence has been committed, and reasonable and probable grounds to believe the search will reveal evidence of an offence – the same standard a judge would have applied with a traditional search warrant under section 487 of the Code.

The court goes on to note the failure to follow proper procedures when obtaining the warrant (ultimately the wrong sort of warrant) was negligent. It was anything but a “trivial” breach of protocol. Even if the officer’s inexperience resulted in erroneous actions, the violation is severe enough for the court to take note of. But this negligence isn’t enough to overcome the inevitable outcome of the search, in the court’s opinion.

In this case, however, the causal link between the forensic search of the computer’s files and the violation of section 489.1 is very weak. Again, there is no reason to believe that the search of the computer’s files would have unfolded any differently if the officer who seized his computer had complied with section 489.1. On this record, any justice would have authorized the initial police detention of the computer, giving the police three months in which to seek a search warrant. There was no copying of the computer’s hard drive prior to the police obtaining a general warrant, which occurred within that three-month period. While the search of the computer’s files undoubtedly had a very significant impact on the appellant’s privacy interests, the police had sought and obtained judicial authorization prior to conducting the initial search, i.e., the forensic imaging. Although the effects of the breach were not trivial, we would not describe the impact on the appellant’s Charter-protected interest, as being particularly serious…

So, while this didn’t end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government’s concession that this privacy expectation exists. Hopefully, this will help deter violations — erroneous or not — in the future.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Canadian Court Affirms Citizens Still Have An Expectation Of Privacy In Devices Being Repaired By Third Parties”

Subscribe: RSS Leave a comment
Rekrul says:

Better, the opinion contains the government’s concession that this privacy expectation exists. Hopefully, this will help deter violations — erroneous or not — in the future.

How is it going to deter anything when the court basically said "You shouldn’t have done this, but since you did, we’ll allow it."?

Also, I can’t help wondering if the outcome would have been the same if he’d bee accused of anything else other than possession of child porn. When CP is involved, it seems there’s no legal violation by police that the courts won’t turn a blind to.

Uriel-238 (profile) says:

Re: Letting bad people walk

It’s a failure of the system that protection of the people’s rights often mean someone who did something terrible is acquitted, which is the situation that leads to judges giving overreaching investigators and law enforcement a pass.

Rather, the Supreme Court ruled that if a crime is bad enough, catching the criminal at any cost is justified (that is, evidence of such crimes cannot be suppressed), so they’ve clarified that the legal system serves not the public but corporate and aristocratic interests, especially since they felt possession was severe enough a crime.

Also the problem of making given crimes (or categories of crimes) justification to violate civil rights is that all crimes become related to that crime. Much that all traffic stops are now drug-related to justify asset forfeiture, they’ll also be child-porn related to justify unreasonable search.

NeghVar (profile) says:

This started my career

Back in 2008, I worked at a PC repair shop. A person brought a system in for malware removal. We took it in an began our scans. Shortly into the scan, his screen saver activated and it was a slide show of child porn. I turned off the monitor and told the other techs to not touch the system since it was now a crime scene. I told my boss. He called the police. They arrived and asked me every single thing I did to the system from the moment I plugged it in, to spotting the child porn.
A few days later we were being sued by the owner of the PC for snooping around his system. The forensic analysts saved us from that be showing proof that his screen saver was set up to display that at a date before he brought in the system. This event inspired me to pursue a degree in digital forensics which I just completed spring 2018.

Anonymous Coward says:

Re: This started my career

Why do so many who are fixing PC’s go snooping all over the persons Hard Drive? Really snooping at all of the users Data. Maybe the person wanted to see if there’s any nudes of his girlfriend or wife, or looking for banking Data, etc. A completely wrong thing to do, but so many computer repair places do this!!! Some people are even getting paid by the police to go snooping on people’s computers. That’s a known fact!!!

I know in this rare case, the idiot had a screen saver on and the dumb thing was linked to his CP. So the computer its self, turned him in. So it’s completely different fro most cases like this.

After all these cases, you really have to be an IDIOT to bring your computer anywhere that has anything criminal on it to get fixed.

Bamboo Harvester (profile) says:

How the US gets around this...

It’s called Mandated Reporting. Teachers, social workers, just about anyone that gets a check from the government (which means a pension as well, in many cases) is REQUIRED to report ANY form of abuse they witness. Penalties for not doing so range from being fired to being charged as an Accessory.

Looks like we’re going to see similar for anyone working on electronics.

Uriel-238 (profile) says:

Re: Re: Client--Technician privilege?

It’s a problem that goes both ways.

A doctor who treats a teenager for an STI from illegal sex can retain docter-patient privilege in order to inform the adult partner about it. (and vice versa, if the adult has the STI and a teen partner.) Without that, patients are incentivized not to be forthcoming with their doctors and let the infections spread among the population in order to protect themselves.

On the other hand, mandated reporting for incidents of child abuse (or child sexual abuse) also means professionals can’t promise to not disclose family problems if they reveal that someone is in imminent danger. The same with people who are immanently suicidal.

But then again, this means that patients aware of mandated reporting laws are disinclined to talk about any danger they are in, if it means they or someone close to them might be threatened by law enforcement.

It’s gotten worse since the age of mobile cameras and the rise of awareness of police brutality. In my community, the threat of mandatory reporting is regarded as nothing short of a death threat by patients. Law enforcement is notorious for gunning down crazy people who cannot follow explicit instructions.

As a result our patients often go silent when they are most in need of contact, therapy and treatment, since a triggered mandate either puts the professional at risk of losing their license or the patient of being slain in their tracks (or at very least losing their liberty and being drugged by medical personnel unfamiliar with their case — a nightmare scenario of its own)

But that’s medical issues.

With tech, the problem is that no matter who you are, something can be found in your system that will incriminate you. The question is if it’s worth searching your system for whatever it is. Generally if the Department of Justice thinks you are a bad guy, typical policy is to arrest you first and figure out what data of yours will get you the longest prison sentence with the least amount of effort.

Generally, reporting is bad for the tech firm (as no-one wants to go to a tech company that will turn them in for any reason) but, as the Geek Squad thing shows, tempting for the individual technicians.

Mandated reporting and privacy protections would create a standard about what kinds of evident data warrants law-enforcement intervention, and what doesn’t. (Lolicon — that is drawn cartoon depictions of pre-teen sex popular in Japan — is criminal in Canada and much of the US. Should lolicon be reported?)

But I doubt we could get a consistent group to agree on what those standards should be, especially since there are big personal incentives for convictions. Essentially (I think) one shouldn’t send private drives to data recovery services if they’re going to report you for any reason. Police in the United States cannot be trusted to investigate or respond to crime.

Bruce C. says:

Re: Re: Re: Client--Technician privilege?

If every “criminal” knew how to replace their own hard drives and reinstall the OS, they wouldn’t have this problem…

In the real world, people don’t know enough to maintain their own computers and it’s impossible for them to “remove the evidence” before taking it into the shop if the drive is already broken.

On the third hand, there aren’t that many crimes (yet) that require mandatory reporting, and a computer tech isn’t likely to recognize many types crimes hidden in people’s data.

I strongly suspect most techs don’t poke around trying to discover CP, they poke around trying to discover porn in general for their own amusement, or see preview thumbnails while doing normal reviews of file and directory structure after a data recovery from a drive failure.

Anonymous Coward says:

Re: Re: How the US gets around this...

Of course, it’s been talked about in the past. Why would you just go snooping through a person’s personal files otherwise? No need to do that to fix a computer. I’ve fixed many computers and never once saw a need to go through personal files on the HDD. Even if you back up the HDD, you’re not looking through the files. No need to look through files fixing device drivers either.

Really how does looking through pictures fix anything? it doesn’t, it’s snooping. The perfect people for the police to pay to snoop through the systems of people’s computers they’re fixing.

Uriel-238 (profile) says:

Re: Re: In-house tech pools

In large companies that have their own tech-pool to recover data for them, it’s probably a really bad idea to report any kind of data that might serve as biographical leverage, whether child porn or slush fund accounts.

If it’s from upper management, no-one will go to jail, but you’ll never work again in the same field.

Now Geek Squad is known to report data to law enforcement for any reason as a means of personal revenue enhancement (the police pay them as informants). But generally, that means I’d avoid going to Geek Squad for data recovery, given they are actively looking for something to bust me for.

Generally, I want data recovery from a company that will respect my privacy, since even if I think I have nothing to hide we know that they’ll make excuses to ruin my life just because I have opinions that are perpendicular to theirs.

Anonymous Coward says:

ONE DAY after "Stone" defended Techdirt from charge that want

those downloading child pornography to escape justice, HERE’S THIS exactly proving the charge.

Your "quote and contradict" method isn’t going to make the charge go away, kids, so long as keep running such items as though it’s an outrage by police against all civil procedure.

Ninja (profile) says:

Re: ONE DAY after "Stone" defended Techdirt from charge that want

Yep, because the criminal is a despicable person (a pedo in this case) let’s just throw all due process and constitutional rights out of the window. Don’t be surprised when they do it with you ok?

If a serious criminal went free because law enforcement couldn’t bother to follow the law then the fault lais not with reporters pointing out the error but rather with law enforcement who didn’t do it right. We should be demanding explanation from law enforcement when said criminal acts again because it’s THEIR fault he/she is not in jail.

Stop blaming your own goddamn rights for law enforcement mistakes.

Anonymous Coward says:

Re: ONE DAY after "Stone" defended Techdirt from charge that want

I have read this comment three times, and I still don’t understand what you’re trying to say.

If you decide to try again, could you perhaps comment with an eye towards making sure that people can understand what you’re referring to?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...