Ch. 8: Computer Searches and Privacy
ITSS Legal Issues Working Group 11/8/96

Chapter 8
Computer Searches & Privacy

A. Why would the government search or monitor computers?
B. New technology and privacy laws: general comments
C. Computer searches and monitoring in an internal management context
D. Computer searches and monitoring in a regulatory inspection context
E. Computer searches and monitoring in a criminal investigation context
F. Remedies
G. The law applied to various fact scenarios
H. Conclusion

There are a number of reasons why a government department may want to examine what information is held on computers or is exchanged to and from computers. In this chapter, we discuss the various reasons why government departments may want to undertake computer searches and the legal issues that arise in this context, which relate primarily to individual privacy rights.

A note about the vocabulary relating to computer searches

This chapter frequently uses the phrase “computer searches.” It is important to note that there are a number of words available to describe different kinds of computer “searches.” In some contexts, the choice of words is very important. For some statutes, such as the Criminal Code, search and seizure have well-defined, reasonably narrow definitions. However, in the broadest sense, the phrase “computer searches” in this Chapter is used to include the following:

· logging, monitoring or auditing activity on a computer system;
· intercepting private communications or intercepting computer functions (in some contexts, it is essential to know whether the communications were private, were between individuals, and were intercepted at the time of transmission, rather than retrieved from a stored file after the messages were transmitted. For example, intercepting e-mail messages while they are being exchanged invokes different legal issues than examining e-mail messages that are stored on a computer after transmittal);
· inspecting computers or information holdings for compliance with regulatory provisions;
· searching computers for information held on computer disks or tapes that can be used for evidence; and
· seizure of evidence, and in particular, things (such as computers, computer disks and diskettes, rather than the information held on the computer disks).

In this Chapter, we use the phrase ‘search or monitor’ to capture the above possibilities, except that, for the purposes of the Criminal Code and the Crown Liability and Proceedings Act, there is a very important distinction to make between searching a computer and intercepting a private communication. This is discussed later in the Chapter when we discuss searches in a criminal law context.

Although granting access privileges or disclosing large amounts of information is not the same thing as conducting a search or monitoring computer activity, broad access privileges and disclosures can make it possible for a person to conduct a search, depending on the scope of their access privileges. For this reason, institutions should be careful about who is granted broad access privileges or who receives large disclosures of information: the ‘need to know’ principle should always be observed.

What kinds of searches are technically possible?

It is technically possible to search or monitor a computer hard drive, diskette, CD ROM or magnetic tape for electronic data. Some of these searches can be done from a remote location.
It is also technically possible to monitor from a remote location:

· when an employee logs on and off,
· what software the employee uses, and for how long,
· what e-mail the employee sends and receives, and who it is to or from,
· what electronic discussion groups the employee reads or contributes to,
· what games he plays on the computer, and for how long,
· the employee’s computer screen, as the employee is actually working, from the supervisor’s or a technician’s desk.

Other information may only be available by searching a specific individual’s computer, disk or diskettes, where there is no network connection that permits remote searching or monitoring.

A. Why would the government search or monitor computers?

In this chapter, we will focus on three broad contexts in which computer searching occurs: internal management searches and monitoring, regulatory inspections and criminal investigations. It is important to stress that these three contexts do not necessarily correspond to three separate laws concerning search and monitoring powers; they are merely intended to describe different fact situations in which searches or monitoring might occur. The basic law that applies to government searches and monitoring is set out in section 8 of the Charter of Rights and Freedoms and the Criminal Code which protects individuals from unreasonable search and seizure.

There is a spectrum of search and monitoring activities that may take place, and what is reasonable in one set of circumstances may not be reasonable in another set of circumstances. Searching or monitoring can be done at random, can be directed by security or audit policy, can be in response to a system malfunction or testing of a new security feature, or can be based upon allegations or suspicions of specific misuse.
Searching or monitoring is technically possible with or without an employee’s or citizen’s knowledge or consent, although there are important legal considerations if it is done without knowledge or consent. A single investigation can result in a variety of actions: internal management remedies such as using new security features, changing access privileges, increasing awareness of security issues, or can result in disciplinary, civil or criminal actions against specific individuals. When a specific computer search or monitoring activity is undertaken, the results of that action can be difficult to predict, and it is often difficult to know precisely when one moves from one context to another (e.g., from routine security audit to investigation of criminal activity).

Internal management searches and monitoring

First, all departments have a variety of internal management needs that result in disclosures of information to security or information technology professionals and managers through broad computer access privileges, computer logs, searches or monitoring. Among the internal management needs are:

· systems-related computer searches or monitoring needed for adding new features to, diagnosing problems with or repairing a computer system;
· security-related computer searches or monitoring needed for auditing the system’s security features, checking for viruses, looking for unauthorized disclosures of information or uses of the computer system; and
· work-related computer searches or monitoring needed for finding files (which may be misplaced, or which were filed by employees who are no longer with the organization or are otherwise unable to help locate the file); measuring the organization’s performance against set service standards; measuring the time and resources to complete certain tasks; monitoring the accuracy of employee advice to the public or investigating complaints with regard to an employee’s performance or conduct.

Regulatory inspections

Many departments are responsible for inspections to ensure compliance with regulatory requirements. These inspections can involve searching for information on or monitoring activity passing through computers. Departments will need to know the nature and limits of their powers to inspect computers in fulfilling their regulatory mandates.

Criminal investigations

If departments suspect that a person outside of government has been trying to gain unauthorized access to their information holdings, they will need to know the extent of their own powers and the range of police powers to intercept communications and search computers for information about the external party. In addition, all departments may hold information which is relevant to the conduct of police investigations. They should know about the powers of the police to search their information holdings and monitor their computer systems.

B. New technology and privacy laws: general comments

It is ironic that one of the main reasons we want to secure information is to protect personal information from being disclosed to persons who have no need to know the information, and to protect personal privacy generally. However, the technical reality is that securing electronic information (in part to limit the disclosure of personal information) requires collecting even more personal information through computer searches and monitoring. If we want to use electronic information, we have to accept that protecting privacy requires invading privacy, to some extent.

The issues the federal government faces with regard to computer searches and monitoring are very similar to those faced by the private sector. However, the private sector does not have to comply with the Charter of Rights and Freedoms and, except in Quebec, does not have to comply with legislation governing the handling of personal information.
For the government, the rules concerning computer searches and monitoring are provided by the Charter of Rights and Freedoms, the Privacy Act, Criminal Code and Crown Liability and Proceedings Act, although there are a number of issues to which these laws do not give clear answers.

Because of its constitutional nature, section 8 of the Charter of Rights and Freedoms is the most important privacy limit on government computer searches. Section 8 protects everyone from unreasonable searches and seizure. This provision only prohibits searches where there is a “reasonable expectation of privacy.” Whether there is a reasonable expectation of privacy depends on the context of the search. In Hunter v. Southam Inc., 1984 2 S.C.R. 145, the Supreme Court of Canada stated that the right to privacy in s. 8 of the Charter, as in the Fourth Amendment in the United States, protects people not places. In other words, the right to privacy is a personal, rather than a property right.

Further, if a court finds that a search was unreasonable, it is unlikely that it will be possible to justify the unreasonable search as being a reasonable limit prescribed by law under section 1 of the Charter.1

The Supreme Court of Canada has adopted a cautious approach in considering the effect of technology on the powers of search and seizure. The Court has suggested that the scope and requirements of s. 8 of the Charter will evolve to ensure protection in the face of developing technologies:

What the Court said in Duarte must be held to embrace all existing means by which the agencies of the state can electronically intrude on the privacy of the individual, and any means which technology places at the disposal of law enforcement authorities in the future. In his prophetic dissent in Olmstead v. United States, 277 U.S. 438 (1928), Brandeis J. foresaw that the progress of science in furnishing government with the means of “espionage” could not be expected to stop with wiretapping. One may speculate, however, that even Brandeis J. could not have envisaged the vertiginous pace at which eavesdropping technology would develop in the latter half of this century. But in concluding, at p. 472, that clauses that guarantee to the individual protection against specific abuses of power must have a capacity of adaptation to a changing world, Brandeis J.’s words have lost none of their relevance. They find an echo in the pronouncement of Dickson C.J. observed in Hunter v. Southam Inc., [1984] 2 S.C.R. 145, at p.155, that constitutional provisions aimed at protecting individual rights and liberties must be interpreted as providing a continuing framework for the legitimate exercise of government power. These observations remind one that the broad and general right to be secure from unreasonable search and seizure guaranteed by s.8 is meant to keep pace with technological development, and, accordingly, to ensure that we are ever protected against unauthorized intrusions upon our privacy by the agents of the state, whatever technical form the means of invasion may take.2

In addition to the Charter, other important rules concerning government computer searches and monitoring are found in the Privacy Act, the Crown Liability and Proceedings Act and the Criminal Code. These are discussed in some detail later in this Chapter.

Below, we consider how the various privacy laws may apply to computer searches and monitoring in three different contexts: internal management, regulatory and criminal.

The basic law with respect to government searches or monitoring is set out by the Supreme Court of Canada in R. v. Borden, 1994 3 S.C.R. 145 at 165 (cited with approval in B.C. Securities Comm. v. Branch, unreported judgment of the S.C.C. dated April 13, 1995). In the absence of prior judicial authorization, a search or seizure will be unreasonable unless it is authorized by law, the law itself is reasonable and the manner in which the search is carried out is reasonable.
The objective of the search or monitoring is a key factor in determining whether there is compliance with s. 8.3 Searches of hard drives and monitoring of computer use could be conducted as a means of allowing employers to regulate the work place; alternatively, searches or monitoring could be aimed at securing criminal convictions.

It remains to be seen whether lawful authorization will be found in common law sources as well as statutory or regulatory law sources, and what degree of specificity the courts will require the lawful authorization to have. In addition, an argument that could be anticipated in the future is that the Supreme Court was addressing its mind only to a regulatory and criminal context involving government search of third party computers when it made these comments, and might take a different view of government searches of its own computers.

Some form of lawful authorization for government to search or monitor computers is likely to be required in all contexts. This chapter proceeds on the assumption that such lawful authorization can be found, based on considerations described later in this Chapter.

Regardless of how a search or monitoring is authorized, the manner in which the search or monitoring is conducted must be reasonable, no matter what the factual circumstances are. Therefore, we offer the following suggestions for how to ensure that searches and monitoring are reasonable.

Steps to ensure the search or monitoring is reasonable: get a policy, give notice and obtain consent where possible

Get a policy

When a government institution decides to undertake a search or monitor computer activity for an internal management purpose, there are a number of steps it can take to ensure that the search is considered reasonable. The most basic step is to develop a policy and guidelines for its officers who will be authorized to conduct such searches or monitoring.
The Government Security Policy calls on departments to develop policies for monitoring computer security. The Security Policy requires departments to develop policies and procedures for assigning and revoking computer access privileges (Ch. 2-3, p. 9), for hardware security (Ch. 2-3, p. 14), and for software security (Ch. 2-3, p. 17). Part of the software security procedure should be “audit controls and surveillance.” Departments should develop policies and procedures for dealing with the public and the electronic communication of personal information (Ch. 2-3, p. 19) and for ensuring network security (Ch. 2-3, p. 20). Part of the network security procedure should be “monitoring network operating for security irregularities.”

While calling upon departments to ensure computer security, the Security Policy provides a discussion of privacy and Charter issues and indicates that appropriate limits on the monitoring are to be observed. One of the basic principles set out in the Security Policy is ‘need to know’: information should not be disclosed to persons who do not need it for their jobs.

Chapter 2-1 of the Security Policy includes a section on “Inspections and Investigations” with specific references to the requirements of the Charter of Rights and Freedoms. The policy requires departments to establish policies and procedures for dealing with possible breaches of security. The Security Policy also states (Ch. 2-1, pp. 50-51):

Departments conducting security inspections and investigations must have policies that establish the conditions under which these will be carried out. Security inspection policies and procedures must be clear, unequivocal and comprehensive; reasonable in the circumstances; and brought to the attention of employees before being implemented. They must also conform with the collective bargaining regime or any collective agreement.

Informing employees of inspections and investigation policies and procedures before they are implemented means giving reasonable notice to existing employees and advice on application or commencement for new employees. Where appropriate, the consent of the affected individuals should be obtained.

There is a need for prudence where inspections begin to merge with criminal investigations. That is, inspections are to be confined to the conditions set out in departmental policies; they are not to be deliberately used to by-pass the procedural requirements of the criminal law. In particular, inspections should not be used as a pretext for carrying out a search for or to gather evidence of criminal wrong-doing without reasonable grounds. ...

Employees should also be informed of the reasons for inspection and investigation policies and procedures ... Departmental inspection and investigation policies should be reviewed by departmental legal services before implementation.

It is difficult to over-emphasize the importance of developing a policy. Departments have an opportunity to influence what are reasonable expectations of privacy by publishing their policies. Their policies can help clarify and define what constitutes “unauthorized use” and a “colour of right” for the purposes of Criminal Code offences relating to misuse of their computers. Government policy requires departments to develop such policies. Policies concerning who has access to computer systems and databanks and authorized purposes for using such access are virtually essential for there to be audits to ensure that there is compliance with these authorized uses. The spirit of the Privacy Act is that departments should inform the public how the department collects and discloses personal information.
To the extent the government may be liable for negligent disclosure of information, defamation, intellectual property infringement, dissemination of inaccurate information, etc., a policy (and adhering to the policy) will help establish that the government exercised a reasonable standard of care and was diligent in preventing illegal dissemination of information on its computer systems.

A computer policy should address the following issues:

· whether office computers can be used for private purposes; and
· who within the organization has access privileges to which databanks and computer activity and for what purposes (the policy should expressly refer to the ‘need to know’ principle set out in the Security Policy and no more information than is necessary for the purpose should be collected).

A computer search or monitoring policy should address the following issues:

· whether there will be an audit trail of how persons use their access privileges;
· the purposes for conducting any searches or monitoring;
· who may conduct the searches or monitoring;
· what may be searched (e.g., diskettes, hard drives) or monitored (will live monitoring be authorized?);4
· the time and manner in which searches or monitoring may take place;
· specific restrictions on the use that can be made of information garnered from a search or monitoring activity;
· where any information collected will be stored and what rights of access there will be to that information (complying with the Privacy Act);
· whether there will be an audit trail of the search and monitoring activity itself;
· what an official should do if he or she suspects evidence of a criminal, regulatory or disciplinary offence has been detected and how the institution will respond to such evidence (give guidelines on when to call the police and make it clear who will make the decision whether or not to pursue criminal or regulatory prosecutions, or to take disciplinary measures, and how this decision-making will proceed); and
· whether a seizure can be effected and if so, what may be seized.

The policy should explicitly specify that the power to search and monitor is not a power to venture into private information that employees may have on their computers unless the bona fide purpose of the search requires or clearly justifies that this be done. Legal advice should be sought before searching an employee’s non-work-related information.

Give effective notice

It is strongly advised that some type of notice be provided explaining any search or monitoring procedures that will be followed and any monitoring that will take place. The value of a policy can be limited if the persons affected by the policy do not have effective notice of the terms of the policy (including the institution’s search and monitoring practices).

There are varying degrees of notice that may be provided. At a minimum, a general notice alerting employees to the possibility of monitoring or sweeps could be provided to all current employees and to any new employees when they enter the employ of the government. Similar notice should then be circulated periodically and perhaps made available to all employees at all times on computer networks. In addition, the autoexec.bat file of each computer could be set to provide notice each time an employee logs in to their computer. This could include a requirement that the employee acknowledge the message by typing OK or hitting a particular button. Finally, a message could be circulated each time a sweep is going to take place.

It should be noted that where compliance is the objective of an internal management search or monitoring, providing notice of the possibility of computer searches or monitoring is actually likely to serve that objective. It may be argued that providing notice of computer searches and monitoring will tip-off individuals who may then remove from their computers materials that are there contrary to the security policies.
However, if compliance is the objective, rather than identification of offenders, the removal of such material will not frustrate the purpose of the inspections but will help to achieve that purpose.

The notice of computer searches should extend not only to employees, but also to citizens whose personal information may be accessible through a search. The Privacy Act requires that government institutions inform citizens of the personal information they collect about them and how that information is used (a general notice that searches occur and how that search information is used should suffice). Such notices should appear in the government directory of information holdings and uses, InfoSource. In providing this notice, it may be appropriate to include a copy of the institution’s computer policies.

Obtain consent where possible

It will be apparent that the more complete and effective the notice, the more likely it is that an argument will succeed that the employees have impliedly consented to the monitoring or inspections. Computer searches or monitoring undertaken pursuant to a valid informed consent will not be found contrary to s. 8 of the Charter. Accordingly, it is recommended that full and complete notice be provided to employees before implementing a new policy and periodically thereafter. This will encourage compliance and will help insulate the monitoring practices or inspections from a s. 8 challenge.

Alternatively, if practical, each employee could be required to sign an express consent allowing monitoring or periodic checks. Even then, periodic reminders would be advisable.

C. Computer searches and monitoring in an internal management context

This discussion considers the legal issues at play when the government conducts computer searches or monitors computer use for systems-related, security-related or work-related purposes (i.e., internal management context) and not for the purposes of undertaking regulatory inspections or criminal investigations.
When a government searches or monitors computers for internal management purposes, it will usually be collecting information about the activities of its employees, either as an incidental result of the search or monitoring or as an express purpose of that action. It may also be collecting information about citizens who communicate with the government or about whom the government has collected information for other purposes.

Employee privacy rights

It is well accepted that the Charter applies to the government in its role as an employer. This is clear from a number of cases interpreting s. 32 of the Charter. The statements of La Forest J. in Douglas/Kwantlen Faculty Assn. v. Douglas College, [1990] 3 S.C.R. 570 at pp. 584 - 585 are to the point:

Briefly stated, [the college] is simply part of the apparatus of government both in form and in fact. In carrying out its functions, therefore, the college is performing acts of government, and I see no reason why this should not include its action in dealing with persons it employs in performing these functions. ... Accordingly, the actions of the college in the negotiation and administration of the collective agreement between the college and the association are those of the government for the purposes of s. 32 of the Charter. The Charter, therefore, applies to these activities.5

It also appears well accepted that, even though an individual does not normally have a proprietary interest in their office, there is a reasonable expectation of privacy in one’s office. In Thomson Newspapers Ltd. v. Canada La Forest J. explained that:

People who work in offices ... think of their offices as personal spaces in a manner somewhat akin to the way in which they view their homes, and act accordingly. In part this reflects an understandable need to humanize an environment in which people spend a good deal of their waking hours. It may in part reflect the simple reality that human life is not divisible into mutually exclusive compartments of professional and personal which correspond with the office and home. Indeed an office may actually be more private than the home in so far as one’s relations with family are concerned. Whatever the reason, one is likely to find personal letters, private telephone and address directories, and many other indicators of the personal life of its occupants. The requirement to submit to a search of business premises by agents of the state can therefore amount to a requirement to reveal aspects of one’s personal life to the chilling glare of official inspection. It seriously invades the right to be secure against unreasonable search and seizure.6

A similar conclusion was reached after a thorough discussion in R. v. Rao, a case involving a warrantless search of an office for narcotics.7 (It should be noted that there is no Canadian case law considering reasonable expectation of privacy in open office environments.)

There is no Canadian case law specifically on whether an employee has a reasonable expectation of privacy in the computer he or she uses. However, there is U.S. and some Canadian case law with regard to an employee’s reasonable expectation of privacy in his office, desk and other work tools.

In CUPW v. Canada Post,8 a trial court ruled that Canada Post could unilaterally impose rules and search employee lockers and items carried into and out of post office premises without a warrant. The reason for the court’s decision was that there were problems in the Calgary mail processing plant and in the Canadian mail system as a whole that required immediate action from management. It should be noted that this case carries relatively little precedential value because it was a lower court trial decision of a preliminary motion made in the early days of Charter interpretation, without the benefit of more recent Supreme Court pronouncements on the issue.

In O’Connor v. Ortega,9 the U.S. Supreme Court stated that in determining the appropriate standard for a search conducted by a public employer in areas in which an employee has a reasonable expectation of privacy, what is a reasonable search depends upon balancing the employee’s legitimate expectation of privacy against the government’s need for supervision, control, and the efficient operation of the workplace. The court stated that employers did not need a warrant to enter an employee’s office for legitimate work-related reasons wholly unrelated to illegal conduct, or for an investigation of work-related employee misconduct. Because this is an American decision considering a differently worded constitutional search and seizure provision, in which the Supreme Court was divided in conclusion, the precedential value of this decision is also open to question.

The case law shows that employees may have a reasonable expectation of privacy, but that those reasonable expectations must take into account the legitimate purposes of the employer. The cases offer no specific guidance on whether a person may have a reasonable expectation of privacy in the computer in their office.

Numerous analogies can be drawn to show the relative degree of privacy people expect for their computer files and computer use. The list of possible analogies includes: the office, the desk in the office, an individual’s briefcase, telephone conversations on office telephones, and even business records. Rather than comparing and distinguishing the many analogies, it may be more useful to acknowledge that people do commonly store private information on office hard drives (e.g., letters, phone numbers, and even personal journals). If it is reasonable to expect privacy in such situations, this will attract the protection of s. 8 of the Charter.10 The fact that information seized from a computer may be reproduced with relative ease or accessed from a remote location increases the threat to the privacy interest at stake.11 In addition, the tremendous breadth of information that may be obtained through computer monitoring further raises the import of the privacy interest in question. It is probable, therefore, that a court may find that employees have a reasonable expectation of privacy in their office computers, depending on the facts.

There is no statutory definition of what constitutes reasonable search and seizure: what is reasonable will always depend on the facts. What is reasonable in one circumstance may not be reasonable in another circumstance.

Public privacy rights in the context of government searching its own computers

It would appear that one of the basic principles upon which section 8 of the Charter and the Criminal Code search warrant provisions are based is that persons have a right to refuse to disclose information or to submit to searches. When the government searches its own computers for internal management purposes, it will inevitably search or capture information provided to the government (perhaps as a requirement of law) by members of the public.

It is unlikely that section 8 of the Charter will provide rights to citizens that will limit the government’s ability to search its own computers for internal management purposes. The collection of information by government institutions from citizens is generally authorized, either expressly or implicitly, by an Act of Parliament. In the circumstances, the collection of the information will have already been found to be reasonable (if the collection of the information in question is not reasonable, then the government activity that depends on that information will be called into question, not simply the internal management computer search or monitoring).
In addition, the reasonable expectation of privacy that citizens may have in the information about them held by the government is set out in the Privacy Act. One presumes that the Privacy Act is reasonable, and indeed, is a considerable improvement in the protection of privacy from the state of affairs before the Privacy Act and the Charter of Rights and Freedoms were adopted (at approximately the same time in the early 1980s). Arguably, citizens will be presumed to know that the information they provide to the government will be used by the government for a variety of purposes, including those set out in InfoSource, and may be disclosed for the purposes described in subsection 8(2) of the Privacy Act. So long as the government is complying with the Privacy Act, it would then be unlikely that citizens could complain successfully about unreasonable computer searches or monitoring, although the Privacy Act provides a procedure for making such complaints. Further, as mentioned earlier, internal management computer searches and monitoring will often be done for the purpose of protecting citizens’ personal information held by government, and a failure to undertake such searches may make that personal information even less secure than it would be otherwise. Nonetheless, as the government acquires increasingly sensitive information about some of its citizens (such as DNA or other biometric information), the government should be vigilant to ensure that computer searches of citizen information are limited to the extent possible. (See below for comments about how the Privacy Act applies to internal management computer searches and monitoring.)

Do internal management searches require a warrant or specific statutory authorization?

The case law relating to section 8 of the Charter has, to date, considered searches and interceptions of private communications primarily in the context of the criminal law, to some extent in the context of regulatory inspections, but not at all in the internal management context. One of the issues that arises with respect to computer searches is whether there is authority to undertake such searches or monitoring. The case law with respect to searches in the context of regulatory inspections and criminal investigations is that where a person does not consent to a search, the government must have prior authorization to conduct the search. In a criminal context, prior judicial authorization in the form of a search warrant is generally required. In a formal regulatory context, prior legislative authorization is demanded. There are no statutes that expressly give the Crown the power to search and monitor computers for purposes other than regulatory inspections and criminal investigations. Will the courts require warrants or statutory authority before government can engage in computer searches or monitoring for internal management purposes? Even if express legislative authority is not required, it is reasonably clear that some lawful authority will be. To justify searches and monitoring in the internal management context would require building arguments around the government duties and interest as government, as employer, and as proprietor12 of the computers. A related issue is whether there is a positive duty on the Crown to keep its information secure. The government might argue that not only does it have the authority to conduct internal management computer searches and monitoring, it has a positive duty to do so. Again, this question has not been the subject of jurisprudence and the government has not previously been called upon to develop detailed legal arguments on this point.
However, as previous chapters in this report have indicated, a failure to protect the integrity, accuracy and confidentiality of different kinds of information could lead to liability on the part of the government, suggesting there is a duty of care and that duty requires the government to take appropriate steps to secure its information holdings. This Chapter proceeds on the assumption that legal authority for the government to ensure the security of its information holdings could be found if challenged, by developing arguments on the following considerations:13

· the federal government’s rights as the owner of the computers. The Crown has a proprietary interest in its own computers and a right to ensure that they are secure from damage (for example, through computer viruses or excessive, unauthorized use of computer memory resources) and are used only for authorized purposes;
· its rights as an employer. The Treasury Board, and by delegation, deputy ministers, as the employer, have the right under the Financial Administration Act to set reasonable terms and conditions of employment for Crown employees;
· its obligations under the Privacy Act, Access to Information Act (particularly the mandatory exemptions) and other statutes not to disclose information except for purposes specified in those Acts.
Those statutory requirements could arguably require a government department to audit the security of government information holdings, such as medical records or commercial proprietary information, to make sure that employees or third parties did not have access to and were not improperly disclosing information;
· its obligations under the National Archives Act, Access to Information Act, Privacy Act and other Acts to ensure that records are retained (and therefore are secure) for the purpose of documenting government actions and decision-making processes and for making the government accountable to the public for its actions;
· its obligations to publish accurate information (taking into account the doctrines of officially induced error and legitimate expectations). The government should be able to ensure its published information is secure from unauthorized alterations;
· its obligations to obey the laws respecting illegal dissemination of information (such as intellectual property infringement, defamation, harassment, hate propaganda and obscenity, etc.). The government should be able to take steps to ensure its computer systems are not being used to illegally disseminate certain regulated kinds of information;
· its responsibility for security. The Crown prerogative gives the federal government the power to take security measures to protect the security of its information and communications; and
· its own policy requirements. As described above, the Government Security Policy (“GSP”) requires government departments to undertake basic monitoring and auditing of their computer systems, taking into consideration privacy considerations as might be expressed in collective agreements, the employee privacy code and other privacy principles (including the Charter). The GSP requires departments to develop policies and procedures for assigning and revoking computer access privileges (Ch. 2-3, p. 9), for hardware security (Ch. 2-3, p. 14), and for software security (Ch.
2-3, p. 17). Part of the software security procedure should be “audit controls and surveillance.” Departments are required to develop policies and procedures for dealing with the public and the electronic communication of personal information (Ch. 2-3, p. 19) and for ensuring network security (Ch. 2-3, p. 20), including “monitoring network operating for security irregularities.” One of the basic principles set out in the Security Policy is ‘need to know’: information should not be disclosed to persons who do not need it for their jobs. The GSP includes a section on “Inspections and Investigations” with specific references to the requirements of the Charter of Rights and Freedoms. The policy requires Departments to establish policies and procedures for dealing with possible breaches of security. The Security Policy also states (Ch. 2-1, pp. 50-51): The T.B. policy on Electronic Authorization and Authentication requires departments to establish policies and procedures to ensure an adequate level of control on all processes involving electronic financial transactions. Although the above list sets out a variety of justifications for conducting searches or monitoring computers, an important legal question that may arise later is whether these justifications are actually authorizations. By analogy, one might argue that although the government has a responsibility to enforce the Criminal Code, this responsibility does not create search and seizure powers: those powers are only created once Parliament actually legislates express provisions in the Criminal Code. Despite this possible distinction between justifications and authorizations, we proceed on the assumption that lawful authority for computer searches and monitoring in an internal management context can be found among the above named factors, with the proprietary interest and employer rights providing perhaps the most persuasive arguments. 
Assuming a prior lawful authorization can be found for internal management searches, another question is how to deal with fact situations where there may be evidence of a regulatory or criminal offence. It should be observed that a search or monitoring undertaken pursuant to a complaint does not, without more, change the purpose of the search or monitoring to become a criminal investigation.14 An administrative search or monitoring does not become unreasonable merely because there is an expectation that evidence of crime may be uncovered.15 However, an internal management search must be undertaken in good faith and not as a pretext for a search for evidence of criminal activity.16 We would add that where compliance is the primary objective of an internal management search or monitoring, evidence of criminal activity that is turned over to the police may be admissible in subsequent criminal proceedings.

Privacy Act requirements

There are a number of basic privacy principles which can be important in the context of computer searches and monitoring for internal management purposes:

· collect no more information than is necessary for the internal management purpose of the search;
· where it is possible to collect the necessary information directly from the individual concerned without using computer searches or monitoring, collect it directly;
· where it is reasonably practicable to obtain consent to internal management computer searches or monitoring, obtain the consent;
· provide access to personal information that is collected in the course of the search or monitoring (by preserving personal information for two years after its last internal management use, by putting the collected information into a personal information bank, and by notifying the public that the information has been collected and for what purposes);
· do not disclose the collected personal information except as authorized in s.
8 of the Privacy Act;
· designate a person to be responsible for compliance with the computer search and monitoring policy and the principles on how to handle the information collected as a result of computer searches;
· make information about the computer search policy and practices readily available to individuals; and
· provide for a procedure for individuals to challenge the organization’s compliance with the above principles.

The above principles are an adaptation of the principles expressed in the Privacy Act and the Canadian Standards Association Model Code for the Protection of Personal Information.

Problems with how the Privacy Act applies to computer searches or monitoring

The Privacy Act reflects most of these principles, but does not always do so in a direct way. For example, the Privacy Act applies only to recorded information, and therefore does not appear to apply to unrecorded information, such as live monitoring of computer activity or employee communications, or to browsing of information which is recorded for other purposes but is not recorded or used. As currently written, the letter of the Privacy Act would not categorize searching or monitoring of unrecorded information as either a collection or disclosure of personal information and it may not require departments to record such information and consequently to place it in a personal information bank or to describe the computer search or monitoring activities in InfoSource if the information is not used (although departmental policies are available under the Access to Information Act, and the government publishes its information management policies). The Privacy Act does not expressly require that government institutions designate specific individuals as the officials responsible for complying with Privacy Act requirements with respect to certain information or information handling practices.
Instead, it assumes that accountability for information handling will be sufficiently provided for by making the head of the government institution, and his or her delegates, the responsible officials for the purposes of the Privacy Act. The complaints under the Privacy Act and investigations conducted by the Privacy Commissioner relate primarily to refusals to provide access to personal information or to unauthorized disclosure of information, and generally do not relate to IT security auditing, although the Act provides for complaints and investigations relating to an institution’s information handling policies and practices. Aside from the problem of how to deal with unrecorded information, it is difficult to determine whether to categorize computer search and monitoring activity as a collection of information (under s. 4 of the Act) or a disclosure of information (under s. 8 of the Act). The categorization is important to determine whether a collection/disclosure is authorized and to determine what kind of information about collection/disclosure activity must be provided to the public. As computer systems are monitored, personal information is likely to be revealed to the system operator. Some of this information will be in the nature of who is using what part of the computer system at any given time. This is personal information that was not previously collected for any particular purpose. This is unlikely to be considered a “disclosure” subject to the requirements of s. 8 of the Privacy Act. Thus, it would be a collection. There would need to be minimal collection, direct collection from the individual where possible, and notice of the existence of the collection and of its uses in InfoSource. The Privacy Act requires that personal information used for an internal administrative purpose be retained for at least two years after its last internal management use.
Monitoring computer use can be an exercise in viewing or collecting many pieces of information and immediately discarding the information because it is unrelated to the purpose of the computer search or simply confirms that everything is occurring as expected. Presumably the Privacy Act only requires preservation of personal information that is actually collected, not just observed in passing. Possibly an ‘internal management use’ must be more than a simple confirmation that everything is normal, although the Act is not entirely clear on this point.

Is a computer search or monitoring an authorized disclosure under the Privacy Act?

As the system operator monitors the system, he or she will be able to read personal information that was or is being collected for a purpose entirely unrelated to computer security. Can it be said that having access to information is the same as a disclosure of that information? In the case of computer searches, there is probably a disclosure of personal information whenever a person actually sees the personal information that was collected for another purpose. Section 8 of the Privacy Act requires that disclosures be authorized under one of the 13 authorizations in that section. There are a number of possible authorizations for computer searches or monitoring under the Privacy Act if these activities are considered to be disclosures. The clearest are paragraphs 8(2)(b), which authorizes disclosures where there is express statutory or regulatory authority to disclose the information; 8(2)(c), where disclosure is required by a court order or warrant and 8(2)(e), where disclosure is made to an investigative agency designated in the regulations, so long as the agency makes a written request describing the information sought and the purpose for seeking the information, and so long as the information relates to the enforcement of a law or to a lawful investigation.
Although the regulations specify a fairly long list of investigative bodies, departmental security and information technology units are generally not designated investigative bodies. Even if they were, the implication of paragraph (e) is that it will not apply to the context of an internal management search, but only in the context of an investigation relating to a suspected regulatory or criminal offence. Assuming that paragraphs (b), (c) and (e) do not apply, it might be possible to argue that internal management computer search or monitoring is justified under paragraph 8(2)(h) as an “internal audit,” inasmuch as it is an audit of the functioning of the computer system or of how an institution is managing its programs. On the other hand, a court may hold that this paragraph should only be available to the unit in the department that is specifically tasked with conducting internal audits, which are often separate from and unrelated to computer systems, security functions and work performance measurement or evaluation. (It is unlikely this issue would ever come before a court for decision.) Another authorization under s. 8 which might justify computer monitoring and searches may be found in paragraph (a), that the disclosure to the system operator represents a use “consistent” with the purpose for which the information was originally collected. The CSA Model Code provides that institutions should adopt security safeguards appropriate for the sensitivity of the information concerned. Thus, internal disclosures of the information for security purposes may be a consistent use with collecting the information in the first place. If disclosure to a system operator is a new consistent use, then there is a requirement that the consistent use be communicated to the Privacy Commissioner and noted in InfoSource. 

Describing computer search collections and disclosures in InfoSource

There is another problem fitting computer searches and monitoring into the scheme of the Privacy Act. Individuals have a right of access to their personal information. Part of that right of access involves creating personal information banks and stating in InfoSource where the personal information is located and what it is used for. Section 10 of the Privacy Act requires that all personal information that has been used, is being used or “is available for use for an internal management purpose” be included in personal information banks. Section 11 of the Act requires that an index (InfoSource) describe the uses for that information. There do not appear to be entries in InfoSource to deal with computer searches and monitoring at the present time. One possible place for such an entry is in the Sources of Federal Employee Information and the creation of a new standard bank held by virtually all government institutions. It is possible that the computer security information might fit into an existing standard bank, such as “Discipline,” “Identification and Building Pass-Cards,” “Reliability Checks” or “Security Clearances,” although none of these seems to fit exactly. However, some computer security monitoring will capture information about private citizens as well as employees. Therefore, there should be something in the main volume of InfoSource on this subject, rather than the volume solely on federal employees. The problem is that the main volume of InfoSource does not have standard banks which apply to all departments. Because internal management computer searches and monitoring potentially involve incidental disclosures of information from every government information bank, in theory every information bank listed in the 1,000 page index should have “computer security monitoring” listed as a consistent use of the information obtained. This does not seem to be a reasonable requirement.
There is no immediately apparent solution to how to notify Canadians of the government’s practices in monitoring electronic information that may be about them, within the present scheme of the InfoSource.

To summarize, the Privacy Act does not clearly deal with computer search activity. While it would not appear that the Act prohibits searches for internal management purposes, it is not clear how the Act applies to unrecorded information and whether the Act would categorize computer searches (or broad access privileges) as either collections or disclosures of information. If there is a collection of information, it may be problematic to know exactly which information must be retained and when an ‘internal management use’ has occurred. If there is a disclosure of information, it is difficult to assess which is the strongest argument to justify the disclosure under subsection 8(2) of the Act, although the ‘consistent use’ and ‘internal audit’ arguments are both possible. Finally, it would appear that InfoSource does not adequately provide notice of what kinds of search and monitoring activity are undertaken by government security officials.

Auditing those who have broad access privileges

In a recent controversy in British Columbia, it was alleged that a Delta police officer used his access to B.C.’s vehicle registration databank to provide information about persons who worked at a pro-choice health clinic to anti-abortion activists. The case was investigated by the Information and Privacy Commissioner of B.C.17 All police officers in B.C. have direct access to the vehicle registration databank through the Canadian Police Information Centre (CPIC). There was at the time no express agreement between CPIC and the B.C. vehicle registration authorities and no way to know who accesses the information in the databank, for what purposes and whether that information is subsequently disclosed to other parties.
The Commissioner recommended that there be agreements or internal privacy codes whenever persons are given access to specific data bases, that there should be audits of how persons use their access privileges, and that there should be “a powerful, easily accessible electronic record of all entries into and output from the database, including a record of the number and type of files consulted.” One of the government responses to this controversy is that the generic identification for access terminals will be progressively eliminated to ensure against access by an otherwise ‘anonymous’ user. The Commissioner noted that where there are agreements regarding uses of information, “consequences for violating those terms may not be sufficiently clear, or negative in character, adequately to deter improper use of the personal information gained.” These are useful recommendations for any computer system, and stress the importance of keeping track of how individuals use their access privileges.

Crown Liability and Proceedings Act requirements

In addition to Charter and Privacy Act limitations on computer monitoring, the Crown Liability and Proceedings Act provides that where a servant of the Crown, by means of an electro-magnetic, acoustic, mechanical or other device, intentionally intercepts a private communication, in the course of that servant’s employment, the Crown is liable for all loss or damage caused by or attributable to that interception, and for punitive damages in an amount not exceeding five thousand dollars, to each person who incurred that loss or damage. Section 16 of the Act defines “private communication” to mean:

any oral communication or any telecommunication made under circumstances in which it is reasonable for the originator thereof to expect that it will not be intercepted by any person other than the person intended by the originator thereof to receive it.

“Telecommunication” is not defined in the Act.
The Act goes on to say that the Crown is not liable if the interception was lawfully made or was made with the express or implied consent of the originator of the private communication. The Act goes on to make the Crown liable for damages arising out of the use or disclosure of the substance or any part of the private communication. Where the Crown is held liable, the Act expressly provides that the civil servant is liable or accountable to the Crown and the Crown may recover the amount from that servant. The Act provides that the Crown is not liable for loss, damage or punitive damages if the private communication is disclosed in a number of circumstances, including, among other reasons:

· where there is consent of the originator or intended recipient of the communication,
· for the purpose of giving evidence in any civil or criminal proceedings in which the Crown servant may be required to give evidence on oath,
· for the purpose of any criminal investigation so long as the private or radio-based telephone communication is lawfully intercepted.

It should be noted that the way that computer security checks are conducted may frequently amount to an interception of private communications as defined in Part VI of the Criminal Code, discussed later in this Chapter. It is unclear whether communications between a citizen and a public servant or communications between employees are ‘private’ communications (one can imagine that there are at least some circumstances where public servants have a reasonable expectation of privacy in the telephone calls they make from their office telephone). It is also unclear whether a Crown employee can give a consent to the interception of a communication with a private citizen (the spirit of the Act may be that the government should not also be able to ‘consent’ to its own interception activity).
The bottom line to the provisions in this Act, however, is that if the interception is done pursuant to a lawful investigation, there will be no liability, and in most cases, interception of private communications will not result in damages. Generally, although the intent of the provisions of this Act is to limit government activity with respect to monitoring communications, the provisions are not very helpful in knowing whether or how they might apply to monitoring federal computer activity.

D. Computer searches and monitoring in a regulatory inspection context

In the preceding section, we described internal management computer searches and monitoring (i.e., for systems-related, security-related and work-related purposes). Generally, what we describe as the internal management context for computer searches and monitoring involves government searching and monitoring its own computers. In the regulatory and criminal contexts, we are primarily discussing searches of third party computers. In the regulatory context, there is case law which suggests that the government will need to have either prior authorization in the form of a warrant or express authority to conduct a search or monitor computer use for the purpose of ensuring there is compliance with regulatory provisions. It would appear that prior authorization in the form of warrants will not necessarily be required in the context of regulatory searches. In Comité Paritaire, La Forest J., writing for the majority, concluded:

The exercise of powers of inspection does not carry with it the stigmas normally associated with criminal investigations and their consequences are less draconian. While regulatory statutes incidentally provide for offences, they are enacted primarily to encourage compliance. ...
In view of the important purpose of regulatory legislation, the need for powers of inspection, and the lower expectation of privacy, a proper balance between the interests of society and the rights of individuals does not require, in addition to legislative authority, a system of prior authorization. Of course, the particular limits placed on the inspection scheme must, so far as possible, protect the right to privacy of the individuals affected.18

It would appear that, in the regulatory context, legislative authority will normally serve as the equivalent of prior authorization.19 We note as well that s. 8 of the Charter acts as a limit on existing powers of search and seizure already possessed by the government. At the very least, then, the government must have an existing power to search in order to comply with s. 8 in the regulatory context and, absent a warrant, will need legislative authority. Most regulatory statutes contain search powers, and in fact, many deal specifically with searches of computer systems and seizures of data contained in computer systems. (By contrast, the Criminal Code has no search and seizure provisions that are specific to computerized environments.) For example, section 16 of the Competition Act, which controls trade and commerce in respect of conspiracies, trade practices and mergers affecting competition, grants the right to the person executing a search warrant issued under the Act to “use or cause to be used any computer system on the premises to search any data contained in or available to the computer system.” The investigator has the power to reproduce records from the data in the system and to produce a printout or other “intelligible output” and then seize it.
Similar provisions are found in subsection 49(1.1) of the Fisheries Act, subsection 100(6) of the Canadian Environmental Protection Act, subsection 21(2) of the Canada Agriculture Products Act, paragraph 13(2)(c) of the Consumer Packaging and Labelling Act, subsection 49(2) of the National Energy Board Act, subsection 14(3) of the Explosives Act, paragraph 22(1)(d) of the Hazardous Products Act, subsection 38(2) of the Health of Animals Act, subsection 25(2) of the Plant Protection Act, subsection 71(4) of the Telecommunications Act, paragraphs 15(a) and (d) of the Transportation of Dangerous Goods Act, paragraph 17(1)(c) of the Weights and Measures Act and pursuant to the powers of an Evidence-Gathering Order under section 18 of the Mutual Legal Assistance in Criminal Matters Act. The latter is issued specifically for the purposes of gathering evidence at the request of a party to a Mutual Legal Assistance Treaty between Canada and the party. In respect of those Acts that specifically provide for search of computer systems, use of the computer system to search any data contained in or available to the computer system, and to reproduce records from the data contained therein, is specifically permitted in the legislation. It should be noted that some of these Acts provide both for inspection powers (i.e. powers to conduct routine inspections) and enforcement powers where there are reasonable grounds to believe that an offence has been committed. Some of the Acts provide for the inclusion of terms and conditions on the search. For example, the provisions of the Competition Act [s.16(3)] provide that the person who is subject to the search may seek an order from the court that issued the search warrant to have terms and conditions placed on the person searching the system.

E. Computer searches and monitoring in a criminal investigation context

As is the case with other types of searches, searches of computer systems and seizures of computer equipment or of data within the systems can be conducted with the consent of the person authorized to give such consent. The basic principle in the context of criminal investigations is that where there is no consent, warrantless searches (and by implication, interception of private communications) are presumptively unreasonable in a criminal context (Hunter v. Southam). However, the common law power to search incident to arrest without a warrant has not been found to be contrary to s. 8.

Disclosures of government-held personal information for the purposes of lawful investigations

A preliminary issue with respect to criminal investigations involving communications and information held on government computers is whether investigative bodies must obtain warrants or have other statutory authority to search for information held by government institutions. Paragraph 8(2)(e) of the Privacy Act gives the heads of government institutions the discretion to disclose personal information to investigative bodies designated in the Privacy Act regulations if the investigative body requests the information in writing, describing the information sought and the purpose for which it is sought, so long as the purpose is for the enforcement of a law or for the purposes of a lawful investigation. Paragraph 8(2)(f) permits the disclosure of personal information to organizations of other levels of government for the purpose of administering or enforcing any law or carrying out a lawful investigation, so long as there is an agreement or arrangement between Canada and the other government. The 8(2)(f) agreements with the provinces make similar requirements for requests in writing, stated purposes for seeking the personal information and descriptions of the personal information sought.
In the cases of both paragraphs 8(2)(e) and (f), the requesting body does not have a right to actively search for the information; it is merely authorized to request (and receive) the information. More importantly, the head of an institution is not required to disclose the requested information, but has the discretion to disclose the information. Before the Privacy Act was in place, the disclosure of personal information under the control of government institutions was unregulated. Thus, paragraphs 8(2)(e) and (f) represent significant improvements over the state of the law before the Privacy Act was adopted. In addition, because subsection 8(2) is subject to other Acts, if other Acts, such as the Income Tax Act, provide for an even higher degree of protection, then the measures provided in those Acts will have to be followed before personal information may be disclosed.

What happens in 8(2)(e) and (f) situations is that citizens provide information to government institutions for one purpose (unrelated to law enforcement investigations), and the information is subsequently disclosed to law enforcement agencies for another purpose. The Court has found that where individuals consent to give blood and urine samples to doctors for medical reasons, subsequent use of the samples or information from the samples by the police for the purposes of conducting criminal investigations is contrary to s. 8 (R. v. Dyment, [1988] 2 S.C.R. 417 and R. v. Colarusso, [1994] 1 S.C.R. 20). In R. v. Borden, [1994] 3 S.C.R. 145, the Court considered a case where an accused provided hair and blood samples, being informed he was being investigated for one charge but not being informed he was being investigated for a second, unrelated charge.
The Court ruled that the samples could only be used for the case about which the accused was informed, although the consent form was deliberately in the plural: for the purposes relating to the police “investigations.” In a separate opinion, the Chief Justice went to considerable length to explain his view that conditional or limited consents should not be permitted in the criminal law context: once an informed consent is given, the evidence from that consent applies for all subsequent criminal law uses. The key is that the police inform the accused about all the offences they are investigating at the time they seek the samples. However, the majority of the Court appears to accept that consent in a criminal context may be limited for specific purposes.

Paragraphs 8(2)(e) and (f) of the Privacy Act authorize the disclosure of personal (recorded) information to investigative agencies without requiring prior judicial authorization and without other legislative authority. At this time, we must presume that the Privacy Act is consistent with the Charter requirements concerning unreasonable search and seizure and with the Criminal Code requirements concerning search warrants. A number of supporting arguments are available, such as that 8(2)(e) is a reasonable, prior legislative authorization as required by the courts, that the public has notice of the existence of 8(2)(e) when it agrees to provide information to the government and therefore does not have a reasonable expectation of privacy in the information supplied, that the head of the government institution or his or her delegate is the appropriate party to consent to the disclosure of citizens’ personal information, and that requesting information from a government institution is different from searching for information for the purpose of s. 8 of the Charter.
It remains to be seen how the issues dealt with in Plant (discussed above, where the Supreme Court seemed to imply that police should obtain warrants when seeking computer records that are not publicly available) or the concepts of limited consents might be applied to the personal information held by government institutions.

Lawful interception of communications

There is a distinction between search in a system and interception of communications. Search involves the search (i.e. to look, examine, to find) and usually, the seizure of a thing, which could include data, records, etc. Search is governed by the common law and statutes. Interception is governed by Part VI of the Criminal Code, which is titled “Invasion of Privacy,” and only involves the interception of “private communications,” which refers in part to any oral communication or any telecommunication. “Telecommunication” is defined in section 35 of the Interpretation Act to mean “any transmission, emission or reception of signs, signals, writing, images or sounds or intelligence of any nature by wire, radio, visual or other electronic system.” “Intercept” is defined in section 183 of the Criminal Code as including “listen to, record or acquire a communication or acquire the substance, meaning or purport thereof.”

Therefore, there is a clear distinction between search for things (including data) and interception of communications. Search of a computer system is analogous to search of a filing cabinet. For example, the obtaining of stored data that is in tangible or electronic form of storage is search and seizure. This would include the examination of stored or delivered e-mail (whether opened or unopened).

The interception of communications by the police, without judicial authorization, would be considered to be an invasion of privacy if the circumstances are such that there is a reasonable expectation of privacy. Such interception is prohibited by section 8 of the Charter of Rights and Freedoms.
As noted earlier, interception by any person of “private communications” or of a computer “function” is statutorily prohibited by sections 184 and 342.1 of the Criminal Code, respectively. A “private communication” between individuals can be intercepted with an authorization obtained from a superior court judge (and also, in Quebec, a provincial court judge) pursuant to the provisions of Part VI of the Criminal Code. A “private communication” is defined in section 183 of the Criminal Code to mean any oral communication or any telecommunication made under circumstances in which it is reasonable for the originator thereof “to expect that it will not be intercepted by any person other than the person intended by the originator thereof to receive it.” The definition expressly refers to “radio-based telephone communication” (i.e., cellular phone calls) and provides that they are “private” if they are treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it (in other words, encrypted).

The examination of active communication of data is interception. For example, examination of e-mail in the course of active transmission would likely be interception. It remains to be seen whether the notoriously poor security available for e-mail, combined with routine computer security procedures, and increasing availability of encryption, might result in unencrypted e-mail eventually being incapable of being found to be a “private communication” and might instead be treated the same way as radio-based telephone communications. (There is no case law to date which has considered whether or not e-mail is a private communication.)

Lawful interception of a telecommunication between two computers may be legally feasible where there is a human intermediary at both ends, as the communication may then be considered a “private communication” and interceptable with an authorization under Part VI of the Criminal Code.
However, due to the reference to “persons” in the definition of “private communication,” the issue of intercepting telecommunications under Part VI between an individual and a computer is not clear. Likewise, where there is no human involvement, as is the case of two computer systems communicating with each other, the communication would likely not be considered a “private communication.” Although Part VI (i.e. both the prohibition and exceptions) might not apply if the communication were not a “private communication,” interception may still be rendered unlawful by virtue of section 342.1. Additionally, the constitutional provisions in section 8 of the Charter would still apply, if the circumstances are such that there is a reasonable expectation of privacy. With respect to cellular telephone communications, even if a communication is not within the definition of a “private communication” (see definition above), interception may still be unlawful if it is intercepted in Canada “maliciously or for gain”: s. 184.5 of the Criminal Code. Wilful use or disclosure of an intercepted cellular telephone communication, as well as wilful disclosure of the existence of such a communication, is also an offence if it originated or was received in Canada without the consent of the originator or intended recipient: s. 193.1 of the Criminal Code. Section 9(1.1) of the Radiocommunication Act also prohibits the use or divulgence of a cellular communication in the absence of permission of the originator or intended recipient to do so. In circumstances where Part VI would not be applicable to permit an interception of a computer or other communication, s. 487.01, enacted in 1993, may provide lawful authority to do so. 
This section would permit a judge to authorize, subject to terms and conditions, the police to use various devices or investigative techniques (other than those that would interfere with the bodily integrity of any person), where no other provision specifically provides for the obtaining of a warrant or authorization and the investigative technique would otherwise constitute an unreasonable search or seizure in the absence of obtaining such permission. This provision might provide authority to intercept all forms of internal and external computer communications and functions.

Additionally, the newly enacted s. 487.02 would permit a judge, when granting an authorization to intercept private communications or to conduct other forms of electronic surveillance, to “order any person to provide assistance where the person’s assistance may reasonably be considered to be required to give effect to the authorization ...” It is generally understood that this would permit the use of third party equipment. In addition, newly enacted s. 492.2 would also permit the police to install devices or obtain telephone records to determine the source or destination of a telecommunication.

It is unclear whether a systems operator who monitors a hacker’s or lawful user’s communication for the purposes of a security check is unlawfully intercepting communications. A number of variables must be considered, including whether a notice of monitoring was posted to users, whether communications of lawful users are intercepted along with the alleged hacker’s communications and whether the systems operator is acting as an agent of the police when undertaking the monitoring. The answer in any given situation is dependent on the facts.20

Encryption

Generally, where a communication is lawfully intercepted, or data or documents are seized under search and seizure powers, no special authority is required to undertake forensic tests or analysis of the communications or data.
This would likely include decryption, as well. Where communications are encrypted, however, this could be indicia that there is a higher expectation of privacy regarding the communication and, therefore, the communication may be protected both by the Charter and as “private communications” under Part VI of the Criminal Code. For example, in Part VI of the Criminal Code, encrypted communications by cellular telephone are deemed specifically to be “private communications.” (“Encrypted” is defined as “treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it”.) Therefore, agents of the state require authorizations, in most cases, to intercept encrypted cellular telephone communications. Furthermore, it is an offence for anyone to intercept and make use of, or to intercept and divulge a cellular telephone communication, which may be encrypted (section 9(2) of the Radiocommunication Act).21

New section 487.02 of the Criminal Code mentions that the judge who gives the authorization in certain cases “may order any person to provide assistance where the person’s assistance may reasonably be considered to be required to give effect to the authorization ...” This provision might be used to obtain a judicial order requiring the disclosure of an encryption code, although it is unlikely to succeed in requiring an accused person to produce the encryption code.

Currently, law enforcement access to encrypted communications is a very topical issue. If law enforcement authorities have a legal warrant to wiretap or search and seize electronic communications, and those communications are encrypted, the law enforcement authorities may not be able to decipher those communications, thus making the wiretap ineffective. The law enforcement access issue is being addressed in various ways by various jurisdictions.
In the U.S., the Department of Commerce National Institute of Standards and Technology (“NIST”) established Clipper/Capstone key escrow encryption as a voluntary standard for U.S. federal government use. Clipper/Capstone is a key escrow encryption chip which can be used to encrypt telephone communications (Clipper) or data transmissions and records (Capstone). With key escrow encryption, the ‘key’ required to decrypt a communication is split in two parts, and each part is ‘escrowed’ with a different agency, at the time the encryption chip is manufactured. When there is a law enforcement requirement to intercept an encrypted communication, the law enforcement agency obtains a court order, takes it to the two escrow agencies, is provided with the two halves of the key, and then is able to decrypt the communication. The U.S. Department of Justice has established procedures, in a policy document (not legislation), for obtaining the key necessary to decrypt an encrypted communication.

France requires the registration of encryption software and hardware devices with a government security service, so that law enforcement authorities will be able to decrypt communications.

The Canadian Advisory Council on the Information Highway states, in a draft of its final report:

The Council believes that it is in the interest of all Information Highway users that an appropriate balance be found between privacy, law enforcement, and national security on the Information Highway. We do not believe, however, that the key escrow policy and standard adopted by the U.S. government (“Clipper Chip”) is an appropriate solution to balancing these concerns in Canada.
We recommend that extensive study and public consultations are necessary to determine how to best strike this balance in Canada in a fashion which is mindful of the civil and human rights of Canadians, adheres to what the OECD Security Guidelines (1992) refer to as the ‘Democracy Principle’, i.e., ‘that security must be compatible with the legitimate use and flow of data and information in a democratic society,’ and respects Canadian sovereignty. The Council believes that encryption algorithms, standards, and the process used to arrive at them, should be open to public scrutiny. There must also be freedom of choice in the use of these algorithms and standards.

Some persons argue that government should not try to control encryption because it restores only a modicum of the privacy already lost in our information society through pervasive use of video cameras and electronic data trails left by credit cards and other kinds of identifying information.22 Still others believe that with encryption technology freely available over the Internet, even if government tries, it will not succeed in ensuring that it has access to encryption technology.23

Search and seizure of information and information technology

Power to search

Criminal Code search warrants

As is the case with other types of searches, searches of computer systems and seizures of computer equipment or of data within the systems can be conducted with the consent of the person authorized to give such consent. If this consent cannot be obtained, a search warrant has to be obtained under the general search warrant provisions of section 487 of the Criminal Code.
This provision can be used to issue a warrant where there are reasonable grounds to believe that:

· anything (including a system or its contents) affords evidence of the commission of an offence in Canada;
· an offence under federal legislation has been or is suspected of having been committed on or in respect of anything; or
· anything is intended to be used for the purpose of committing “any offence against the person for which a person may be arrested without a warrant.”

In addition, where section 487 or any other provision does not apply, the recently enacted section 487.01, mentioned earlier, provides for warrants authorizing a peace officer to, subject to this section, use any device or investigative technique or procedure or do any thing described in the warrant that would, if not authorized, constitute an unreasonable search or seizure in respect of a person or a person’s property if

(a) the judge is satisfied by information on oath in writing that there are reasonable grounds to believe that an offence against this or any other Act of Parliament has been or will be committed and that information concerning the offence will be obtained through the use of the technique, procedure or device or the doing of the thing;
(b) the judge is satisfied that it is in the best interests of the administration of justice to issue the warrant; and
(c) there is no other provision in this or any other Act of Parliament that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done.

Subsection 487.01(3) provides that the warrant shall have such terms and conditions necessary to ensure that the search will be reasonable in the circumstances.
Section 487.01 also permits video surveillance:

(4) A warrant issued under subsection (1) that authorizes a peace officer to observe, by means of a television camera or other similar electronic device, any person who is engaged in activity in circumstances in which the person has a reasonable expectation of privacy shall contain such terms and conditions as the judge considers advisable to ensure that the privacy of the person or of any other person is respected as much as possible.

There are no rules dealing with the drafting of search warrants issued for computerized environments; however, most law enforcement agencies have established policies or guidelines. For example, a general search warrant may be drafted to include the fact that the peace officer has reasonable grounds to believe that a computer system is on the premises named in the warrant, or that the peace officer has reasonable grounds to believe that the computer system contains information which will afford evidence of the commission of an offence, or it may be drafted with sufficient particularity so as to include the search of connected data banks accessible to the place or computer terminal searched.

Extent of the search

Search to be conducted in the same territorial division

Normally, since the Criminal Code search warrant is “place-specific,” the search is limited to the specificity of the address and of the description of the things to be seized that are named in the warrant. Also, if the place is in any other territorial division than the one in which the warrant was issued, the warrant has to be endorsed by a justice having jurisdiction in that territorial division. For these reasons, it is uncertain whether s.487 of the Criminal Code would permit an on-line search into computers that are not located on the premises described in the search warrant.
If on-line searches pursuant to s.487 of the Criminal Code are permissible, they would still only be permissible within the territorial jurisdiction of the warrant (usually within a province or territory of Canada), depending upon the specificity of the description in the warrant of the place (and system) to be searched. On-line searches would not be permissible if the search extends outside of the territorial jurisdiction of the warrant. Searches within the territorial division would be limited to computer equipment present on the specified premises and maybe, depending on the specificity of the wording of the warrant, to systems present at other locations which are accessible through interconnected systems and networks in the same jurisdiction. However, there has been no judicial interpretation of this issue, and the safer course would be to obtain and execute warrants for each physical location. Likewise, the extra-provincial or extra-territorial application of such search warrants has also not yet been litigated before the courts.

It should be noted that some of the Canadian legislation that has specific computer search provisions (mentioned earlier) permits the investigator to “use or cause to be used any computer system on the premises to search any data contained in or available to the computer system.”24 This might be interpreted to permit on-line search to or from outside locations; but again, the issue has not yet been legally determined. In any event, unless specifically provided by legislation, all police powers may only be executed within Canada.
Right of access

By analogy with the principles set out in the decision of the Supreme Court of Canada in Reference Re an Application for an Authorization25 and in light of section 25 of the Criminal Code, the search warrant impliedly does provide means of access to the computer system in order to search it, although in most cases the warrant will explicitly grant special powers to use and access the system or data, including programmes.

Under certain conditions, investigators may get access to bulletin boards without having to obtain search warrants. For example, if the general public has unrestricted access to a Bulletin Board such that it can be considered as a public place, the police require no specific powers to gain access to the Board for purposes of search in the furtherance of both reactive and pro-active types of investigations.

Similarly, where the Bulletin Board is limited to a particular class of person (i.e. one who has paid for the privilege of accessing the Board), an investigator may represent him or herself as a member of the general public and purchase the same privilege. That “undercover” investigator can then exercise the same powers of access as mentioned in the previous paragraph. However, where the investigator is acting in his or her capacity qua peace officer, access of, and search and seizure in relation to restricted Bulletin Boards must be gained pursuant to a valid search warrant, save for the exceptions mentioned in any legislation.

Right to erase or alter data

With consent of the owner or systems operator, an investigator may erase or alter data. Furthermore, where it is necessary to fulfil the purpose set out in the search warrant, it is arguable that the warrant impliedly permits the erasure or alteration of data (i.e. destruction of a virus or trojan horse from the computer system) if this action is inherent in seizing the data.
As well, it may be applicable to invoke the provisions of section 25 of the Criminal Code to justify the erasure or alteration of data during the enforcement of the law. The relevant portion of that section reads:

(1) Everyone who is required or authorized by law to do anything in the administration or enforcement of the law .... is, if he acts on reasonable grounds, justified in doing what he is required or authorized to do and in using as much force as is necessary for that purpose.

Although section 430(1.1) of the Criminal Code prohibits the wilful destruction or alteration of data (including programs), section 429(2) provides that no person shall be convicted of such an offence where that person acted with legal justification or excuse or with colour of right. It is therefore arguable that a system operator would be legally justified in destroying a virus, created by someone else, in order to protect the system. Likewise, the police, when requested by the owner to protect such a system, or when authorized by a search warrant to search and seize it, could arguably be protected for the alteration or destruction of data inherent in carrying out the search and seizure.

Seizure of intangibles

Information, because of its intangible nature, cannot be seized under s.487 of the Criminal Code,26 but the data from which the information can be derived may be tangible and therefore capable of being seized. In any event, intangible data recorded or stored upon any physical medium (e.g. disks) can be seized by seizing the medium. This distinction is also inherent in those Acts which specifically permit searches of computer systems, since they authorize the investigator to reproduce records from the data in the system, produce a printout or other “intelligible output” and seize this representation of information.
Also, for the purposes of admissibility of computer print-outs, courts have held that these can be considered as original business records, depending on the circumstances.27

If purely intangible data or information cannot be seized under s.487, one may resort, possibly, to s. 487.01, which permits a warrant to be issued to use any device or investigative technique or procedure that would ordinarily constitute a search or seizure if it is in the interests of the administration of justice to issue the warrant, and there is no other provision in federal legislation permitting such to be done.

Duty to assist the search

General

Generally, a systems-keeper is not obliged to cooperate actively in order to enable a search of a computer system. For example, the general search and seizure provisions in section 487 of the Criminal Code do not obligate the person whose premises are searched to actively cooperate. However, certain legislation includes such an obligation in respect of regulatory enforcement (but not criminal law enforcement). For example, subsection 23(3) of the Food and Drugs Act reads:

The owner or person in charge of a place entered by an inspector pursuant to subsection (1) and every person found therein shall give the inspector all reasonable assistance and furnish the Inspector with any information he may reasonably require.

A person who contravenes this subsection is liable to punishment on summary conviction to a maximum penalty of a fine of $1000, or 6 months incarceration, or both, and upon being convicted on indictment to a fine of $5,000 or 3 years incarceration, or both. Similar penalties exist in some other federal statutes.

The question of who has the authority to consent to a search of a multi-user system is one of fact, and thus varies from one situation to another. The consequences of a refusal can be seen in the wording of the previously noted subsection taken from the food and drug legislation.
The penalties for refusal are generally considered to be quasi-criminal in nature, given that such convictions are not registered in the accused’s criminal record.

In some of the legislation which contains specific references to searches of and seizures from computer systems, there is a duty on the person in charge of the system to permit the seizing officer, investigator or inspector to exercise the powers authorized in that legislation. See, for example, Fisheries Act, s. 49(1.1); Competition Act, ss. 100(7), 101(6), 102; Competition Act, ss. 15(5), 16(2).

Forced cooperation

The powers granted in the above-mentioned legislation which contains specific references to search and seizure of computer systems may, in certain circumstances, force third parties to provide information which might help in an investigation in relation to computer-related evidence, for instance by obligating program companies to provide information about the design of the program or an encryption vendor to provide the “key” to the encryption program. As well, there are specific provisions for a court order under section 462.48 of the Criminal Code compelling the production of income tax records for the purposes of an investigation into a proceeds of crime or money laundering offence.

In addition, to assist in the execution of certain authorizations and warrants, section 487.02 provides that the judge or justice who gives the authorization, issues the warrant or makes the order may order any person to provide assistance where the person’s assistance may reasonably be considered to be required to give effect to the authorization, warrant or order. These orders are available only in conjunction with matters authorized under certain sections of the Criminal Code, including s. 186 and s. 487.01. It is unlikely that this section would support orders to force persons to provide assistance where the result of providing that assistance would incriminate them.
Production of Documents

Witnesses, including systems operators, can be ordered to produce computer generated evidence by a number of means, such as a subpoena duces tecum, section 18 of the Mutual Legal Assistance in Criminal Matters Act and pursuant to the provisions of the above-mentioned legislation, where appropriate. The form of such evidence, in either a printout or diskette format, can be specified in the order, so that where the legislation does not specifically deal with computer-generated evidence, that eventuality can be included in the relevant order. In any event, there are no rules governing who makes the decision as to format, or who bears the expense of the print-out; accordingly, these issues are open to negotiation.

If the evidence is in another country, production of it can be obtained by means of letters rogatory, if the Canadian courts so order (sections 709 and 712 of the Criminal Code), or pursuant to the provisions of a Mutual Legal Assistance Treaty, if one exists.

There are no clear answers to the question whether witnesses in Canada can be ordered to produce computer generated evidence located in another country. In one case in Canada (R. v. Spencer), the Supreme Court of Canada held that a Canadian banker could be ordered to testify about information, which he personally possessed, that was obtained while working at a branch of that bank in the Bahamas, even though he was prohibited by law in the Bahamas from releasing the information. However, in the American case of The United States v. The Bank of Nova Scotia, which was litigated by the Canadian bank in the United States, strong objection was taken (unsuccessfully) to an American subpoena which required the bank’s branch in the United States to produce records held by another branch in the Cayman Islands. It was Canada’s concern over this incident that became one of the major factors behind the negotiation of a mutual legal assistance treaty with the United States.
Currently, Canadian police cannot obtain a search warrant, the scope of which would extend outside of Canada and require the production of documents held in a foreign state. It is arguable that such documents could be obtained under a subpoena duces tecum by issuing a subpoena to an official of the company who is in Canada. In relation to computer records, under the current law a court would have to consider whether requiring production was within the jurisdiction of the court, which is presumed territorial, absent an express statutory provision.

The creation of new documents by processing and linking data can only be ordered pursuant to section 18 of the Mutual Legal Assistance in Criminal Matters Act.

Procedural Guarantees

Privileged information

Information stored on a computer is subject to the same rules as to confidentiality as any other documentary evidence. The solicitor-client privilege is recognized by both common law principles and by virtue of statutory provisions. Under section 488.1 of the Criminal Code, where data is seized which is likely to fall within such a privilege, the law provides that the data must be seized and sealed without having been examined, and delivered to the Sheriff in the relevant territorial jurisdiction. Either the Attorney General or the solicitor involved in the seizure may then bring an application to the Court for a determination of whether or not the data falls within the solicitor-client privilege. Where it does, it remains privileged and inadmissible as evidence unless the client consents to its admission or it otherwise loses its privilege according to law. Where the Court is not satisfied that it is privileged, it orders delivery of the data to the officer who seized it. It should be noted that this procedure is not applicable where a claim of solicitor-client privilege can be made pursuant to the Income Tax Act, which contains its own provisions concerning privileges.
At common law certain other types of data can be protected from disclosure in criminal proceedings (i.e. information which relates to police informants). As well, Canadian privacy legislation addresses this issue and defines procedures applicable to different types of information. Finally, sections 37 to 39, inclusive, of the Canada Evidence Act permit the Court to order the protection from disclosure of information where the disclosure is contrary to the public interest, or where the information relates to national defence or security or international relations, or to confidences of the Queen’s Privy Council for Canada. Matters relating to health and the administration of hospitals are within the jurisdiction of the provinces under the Constitution of Canada. It has been held by the courts [e.g. R. v. French (1977), 37 C.C.C. (2d) 201 (Ont. C.A.)] that provincial legislation and safeguards must be complied with in order to obtain hospital records, even though criminal law is a matter within federal jurisdiction. Jurisdictional issues There are a number of legal, jurisdictional and practical problems when the victims of a computer or computer-related crime are located in Canada and the suspect is in a different country. A fundamental principle of international law, reflected in Canada’s criminal law, is the primacy of the principle of territoriality. This principle is based on mutual respect of sovereign equality between states and is linked with the principle of non-intervention in the affairs and exclusive domain of other states. In Canada, extraterritorial offences are rare, and when they exist are generally as a result of implementation of an international convention or in accordance with customary international law. The general rule expressed in the Criminal Code, subject to specified statutory exceptions, is that no one can be convicted of an offence in Canada that was committed outside of Canada. 
When different elements of an offence occur in more than one country, a number of legal principles are used to determine whether it can be said that the offence has been committed in Canada, despite the fact that a number of elements of the offence occurred outside. The Supreme Court of Canada held in Libman v. The Queen28 that an offence can be considered to have been committed in Canada “if there is a real and substantial link” between the offence and Canada. Whether a sufficient nexus exists will depend on the circumstances of each case. The transborder nature of many computer or computer-related offences also causes problems with respect to investigation. Use of the Internet or other network can make it difficult to trace the location and identity of a suspect. Network users can loop their communications through computers in many different countries making it difficult (if not impossible) to track the originator of a communication. Due to the primacy of the principle of territoriality, law enforcement powers are equally limited to Canada and cannot (save certain exceptions regarding the High Seas) be exercised outside of Canada, especially within the territory of another state. It is a rule of statutory interpretation that any powers conferred by the law are territorially bound to Canada, unless specific and clear exception is made otherwise by statute. Therefore, investigation of transborder offences requires coordination with foreign authorities. It also requires legal mechanisms, including treaties and legislation, to enable law enforcement authorities to undertake investigative techniques that would ordinarily require judicial or other authority in order to undertake them. 
Therefore, transborder search and seizure of foreign data banks or computer systems, interception of foreign communications and tracing the destination or source of transborder communications may all require that these be effected by the foreign authorities, rather than directly by Canadian officials in Canada even if they are operating by way of the network links. In Canada, the Mutual Legal Assistance in Criminal Matters Act provides the legal mechanism by which Canada may request legal assistance of other states and by which Canada may provide such to other states. A number of treaties exist, and more are being negotiated on an annual basis. Nevertheless, the formal mechanisms for approval under these treaties and legislation may be too slow at times, given the ease of movement of data over transborder networks. New expedited procedures need to be developed and agreements need to be negotiated to provide expeditious assistance while respecting state sovereignty. When alleged offenders are found, extradition under the Extradition Act may also be available to surrender an alleged offender to Canada, if the conduct constituting the offence in Canada would also be considered to be criminal in the foreign state if it had occurred there. Similar principles govern surrender of a person from Canada to another state. F. 
Remedies The following provisions or approaches can be looked to for remedies against unreasonable search and seizure:
· application to quash the search warrant;
· application to declare the search or seizure unreasonable under section 8 and to obtain appropriate remedies under section 24 of the Charter of Rights and Freedoms;
· application to have a thing seized returned to its lawful owner under section 490 of the Criminal Code;
· a complaint to the Privacy Commissioner and ultimately a motion in the Federal Court to prohibit a specific disclosure of information;
· a lawsuit for damages under the Crown Liability and Proceedings Act, and potentially for the torts of invasion of privacy, breach of statutory duty or even negligent misrepresentation if representations made about who would have access to the information are proven incorrect and damage has resulted from reasonable reliance on those representations;
· civil actions under the common law (action in damages) and equitable remedies of certiorari, self-help and replevin and the provisions of the Civil Code in the province of Quebec.
Depending on the remedy, the seized data can be ordered by a court to be returned to the accused, the target of the seizure (if no charges are laid) or the third-party interest-holder; the evidence may be judicially ruled to be inadmissible in judicial proceedings; the accused can also be acquitted, or have the charges against him stayed; or, there can be a combination of any of the aforementioned remedies plus an awarding of damages in a civil court. In the case of internal management computer searches and monitoring, and assuming the steps suggested earlier in the Chapter are followed (i.e., get a policy, give notice, obtain consent where possible), it is unlikely that such searches would be considered unreasonable and run afoul of s. 8 of the Charter. 
However, if searches or monitoring were undertaken with the intention of pursuing, or as a pretext to, possible criminal prosecution, s. 24(2) may be invoked to exclude evidence resulting from the search or monitoring. It is, therefore, recommended that a warrant be secured for any searches intended to gather evidence for prosecution unless there are exigent circumstances. If monitoring or searches are undertaken exclusively for the purpose of regulating the workplace, but an individual considers the search to constitute unreasonable search and seizure, then a remedy might be sought under s. 24(1). Subsection 24(1) provides: Anyone whose rights or freedoms, as guaranteed by this Charter, have been infringed or denied may apply to a court of competent jurisdiction to obtain such remedy as the court considers appropriate and just in the circumstances. (emphasis added) Under this provision, any of a range of remedies are available including reinstatement of an employee who has been dismissed or compensation in the form of monetary damages and an order for the government institution to alter its search and monitoring practices. While it appears that compensation is a possible remedy under s. 24(1), the conditions under which such an award will be appropriate have not been clearly defined by the courts. It is notable, though, that search and seizure situations have served as the basis for the leading constitutional damages cases in the United States.29 G. The law applied to various fact scenarios Whether or not a warrant or statutory authorization will be required for a search depends on a number of factors, but especially on the purpose of conducting the search in the first place. Internal management searches and monitoring With regard to work-related purposes, no one would argue that a supervisor looking for a file on an employee’s day off for work-related purposes would require a warrant. In addition, the U.S. case of O’Connor v. 
Ortega suggests that investigation of work-related employee misconduct does not require a warrant. On the other hand, where an employee encrypts data, he or she may have an increased expectation of privacy. An employee may have a lower or even no expectation of privacy in a shared computer terminal in an open concept office, while an employee who had a computer for his own use with access restricted to him through password or other access control, located in a locked office may have a reasonable expectation of privacy. If the federal government department has a policy known to employees of prohibiting non-work-related use of government computers (e.g. no personal use of e-mail), it may be more difficult for an employee to argue that he or she had a reasonable expectation of privacy in personal data on the computer used by the employee. If the federal government department has a policy known to employees of searching or monitoring computers for maintenance, security, audit, work-related, or investigative purposes, it may not be reasonable for an employee to expect to have privacy in the computer provided for his use. A computer search or computer monitoring could be an interception of a private communication, as defined in the Crown Liability and Proceedings Act or as provided in section 184 of the Criminal Code. In most cases, searching or monitoring computers will not constitute interception of private communications, because most searching or monitoring is not of communications, but of records. However, searching or monitoring of e-mail in the course of transmission could constitute “interception” of a communication. Whether or not it constituted interception of a “private” communication would depend on whether it was reasonable in the circumstances for the originator to expect that it would not be intercepted by any person other than the intended recipient. 
A notice to users of monitoring or a policy against using e-mail for personal messages would reduce the likelihood of a departmental e-mail being found to be a “private communication.” It remains to be seen whether the notoriously poor security available for e-mail, and increasing availability of encryption, combined with routine computer security procedures, might result in unencrypted e-mail eventually being incapable of being considered a “private communication.” It is not certain even today that e-mail would qualify as a “private communication.” Due to the reference to “persons” in the definition of “private communication”, the issue of intercepting telecommunications between an individual and a computer is not clear. Where there is no human involvement, as is the case of two computer systems communicating with each other (e.g. Electronic Data Interchange), the communication would likely not be considered a “private communication.” Generally, one can only “intercept” a function of a computer system for the purposes of para. 342.1(1)(b) of the Criminal Code if there is some aspect of communication, either internal or external, engaged in by that system. This can include communications within the system or between systems, and even the interception of electromagnetic computer emanations. With regard to paragraph 342.1(1)(b) of the Criminal Code, a government system operator or security officer conducting computer searches or monitoring would not be operating “fraudulently” and would have a “colour of right,” and therefore would be legally justified with regard to that section in intercepting a function of a government computer system, in order to protect the system, or to prevent or investigate a criminal act. However, a hacker intercepting a function of a government computer system could be subject to prosecution under that paragraph. 
It is unclear whether a systems operator who monitors a hacker’s or a lawful user’s communication for the purposes of a security-check is unlawfully intercepting communications. A number of variables must be considered, including:
· whether a notice of monitoring was posted to users,
· whether communications of lawful users are intercepted along with the alleged unlawful user’s or hacker’s communications, and
· whether the systems operator is acting as an agent of the police when undertaking the monitoring.
The answer in any given situation is dependent on the facts. Regulatory inspections A warrant will not necessarily be required for regulatory inspections but it is likely the court will look for some legislative authority to conduct a search. Generally, a systems operator is not obliged to cooperate actively with investigative agencies in order to enable a search of a computer system. However, certain legislation includes such an obligation in respect of regulatory (but not criminal law) enforcement. The question of who has the authority to consent to a search of a multi-user system is one of fact, and thus varies from one situation to another. In some of the legislation which contains specific references to searches of and seizures from computer systems, there is a duty on the person in charge of the system to permit the seizing officer, investigator or inspector to exercise the powers authorized in that legislation.30 Criminal investigations With regard to criminal investigations, it is likely that departmental security officials investigating an alleged fraud by the employee require a warrant. If the employee has consented to the search, there is no warrant requirement. 
Third parties may in limited circumstances be required to provide information which might help in an investigation in relation to computer-related evidence, for instance, software program companies may be obliged to provide information about the design of the program or an encryption vendor may be obliged to provide the “key” to the encryption program, by section 487.02 of the Criminal Code. Witnesses, including systems operators, can be ordered to produce computer generated evidence by a number of means, such as a subpoena duces tecum, and pursuant to the provisions of the above-mentioned legislation, where appropriate. H. Conclusion There are a variety of reasonably distinct contexts in which the government may want to search computers. Regardless of the context, the government must respect persons’ rights to be free from unreasonable search and seizure. What is reasonable will depend on the circumstances and whether there is a reasonable expectation of privacy in particular information, computer use or communications. The expectation of privacy can change depending on the nature of the information, the office and computer set-up, the work-place policies and the purpose of the search. There is little case law available to guide government security and information technology officers conducting systems-related, security-related and work-related computer searches. This Chapter has proceeded on the assumption that either warrants and express statutory authority are not required to justify such searches (although legal authority is required), or that the necessary authority can be found for the government. With respect to regulatory inspections, it would appear that warrants are not necessarily required, although there should be legislative authority for the searches. 
With regard to criminal investigations, the ordinary rule is that warrants should be obtained, although information held by a third party (particularly a government institution) may be obtainable if the investigative agency asks the third party for the information (as opposed to searching for it). Generally, government institutions can take steps to ensure that their computer search activities are reasonable by establishing computer search policies, by providing effective notice about their computer search policies and practices and by obtaining consent to computer search activities where obtaining the consent would be reasonable in the circumstances. The Privacy Act and the Crown Liability and Proceedings Act (and to a lesser extent the Criminal Code) are not written in a way that clearly sets out what is required of the government in the conduct of computer searches and what constitutes private communications in the electronic environment. Generally, government departments should use InfoSource to communicate how personal information is collected or disclosed for the purposes of computer security (or for other purposes requiring broad access privileges or computer searches) and to give a meaningful right of access to the information collected or right to complain about how the personal information is handled. ENDNOTES _______________________________ 1 R. v. Baron, 1993 1 S.C.R. 416 at 453, Sopinka J., for the Court, stated: “As observed by Dickson in Hunter, it is problematic as to ‘what further balancing of interests, if any, may be contemplated by s. 1, beyond that envisioned by s. 8’ (at pp. 169-70). Presumably for the same reason, other cases in this Court which have considered s. 8 of the Charter have not addressed s. 1.” This was relied on in R. v. Grant, 1993 3 S.C.R. 223 at 241 where the Court again observed that it was unnecessary to consider s. 1. 2 R. v Wong, [1990] 3 S.C.R. 36 at pp. 43-44. 
3 Other important factors include the place where the information was obtained, the manner in which the information is obtained, the nature of the relationship between the parties and the expectations of the parties. 4 Special considerations may apply to searches of messages sent or received using a computer (e.g., e-mail or postings to bulletin boards). Section 184 of the Criminal Code makes it an offence to intercept private communications by means of an electro-magnetic, acoustic or mechanical device. Those terms are defined in s. 183 of the Code. Subsection 184(2) provides an exception where there is prior authorization pursuant to ss. 185 - 186. It is likely that reading e-mail, once received, does not constitute intercepting communications; however, intercepting e-mail which is being sent by a government employee may be more problematic. In addition, s. 342.1 of the Criminal Code makes it an offence to fraudulently obtain computer services or to intercept a function of a computer system. 5 See also, Lavigne v. O.P.S.E.U., [1991] 2 S.C.R. 211; McKinney v. University of Guelph, [1990] 3 S.C.R. 229; Harrison v. University of British Columbia, [1990] 3 S.C.R. 451; Stoffman v. Vancouver General Hospital, [1990] 3 S.C.R. 483; RWDSU v. Dolphin Delivery Ltd., [1986] 2 S.C.R. 573; B.C.G.E.U. v. British Columbia (A.G.), [1988] 2 S.C.R. 214; Slaight Communications Inc. v. Davidson, [1989] 1 S.C.R. 1038; New Brunswick Broadcasting Co. v. Nova Scotia, [1993] 1 S.C.R. 319; and Dagenais v. Canadian Broadcasting Corporation, [1994] 3 S.C.R. 835. 6 [1990] 1 S.C.R. 425 at pp. 521 - 522. The Supreme Court has, on numerous other occasions, recognized a privacy interest in business premises. See generally Comité Paritaire v. Potash, 1994 2 S.C.R. 406. 7 (1984), 12 C.C.C. (3d) 97 (Ont. C.A.). 8. (1987), 40 D.L.R. (4th) 67, [1987] 5 W.W.R. 262, 53 Alta. L.R. (2d) 121 9. 480 U.S. 709 (U.S.C.A. 9th Circ.) 10 See R. v. Plant, [1993] 3 S.C.R. 
281, in which Sopinka J., for the majority, focused on whether the computer records in question contained information of a personal and confidential nature. The majority concluded that computer records of electricity consumption did not contain personal and confidential information. Madam Justice McLachlin concurred in the result but disagreed with the majority’s conclusion that there was no expectation of privacy in the computer records. This decision has a significant flaw. Generally, appeal courts, and especially the Supreme Court of Canada, are supposed to decide points of law. Yet the difference between the majority and the dissent in this case turned on a disagreement about the facts of the case. Sopinka and McLachlin did not agree on the important issue of whether the computer records in question were or were not publicly available. Given Sopinka J’s view that the records were publicly available, it is not surprising that he concluded that there was no reasonable expectation of privacy in the records. 11 See R. v. Duarte [1990] 1 S.C.R. 30. where La Forest J., for the majority, explained at p. 44: “The regulation of electronic surveillance protects us from a risk of different order, i.e., not the risk that someone will repeat our words but the much more insidious danger inherent in allowing the state, in its unfettered discretion, to record and transmit our words. “The reason for this protection is the realization that if the state were free, at its sole discretion, to make permanent electronic recordings of our private communications, there would be no meaningful residuum to our right to live our lives free from surveillance.” See also, R. v Wong, [1990] 3 S.C.R. 36. 12 If legal authority for an inspection is based on the government’s proprietary rights, an inspection of a computer owned by an employee (e.g., an employee’s lap top that has been brought to the office) would not be authorized. 
As will become apparent through the discussion that follows, an inspection of an employee’s own computer without prior authorization in the form of a warrant may contravene s. 8 of the Charter. 13 In some circumstances, there is a duty on the government not to divulge confidential information such as certain commercial information supplied to the government. This may serve as the impetus to undertake monitoring or inspections. However, the government should be cautious when considering whether to engage in monitoring or inspections where there is no existing duty specifically regarding those practices since to do so invites liability that would otherwise not exist. For example, since the government is not liable for the actions of its employees who act outside the scope of their employment, and to the extent that using illegal software is an act outside the scope of employment, the government may not have any duty to monitor for the use of illegal software. On the other hand, it may be liable if it knows and should know that employees are using illegal software and fails to take appropriate measures to stop this illegal use. By actively monitoring for illegal software, a government institution could be exposing itself to liability it would not otherwise have. 14 Comité Paritaire, supra, at pp. 421 - 422. 15 R. v. Annett (1985), 43 C.R. (3d) 350 (Ont. C.A.), and Comité Paritaire, supra. 16 The Supreme Court has taken a rather dim view of pretext searches. See generally R. v. Mellenthin, [1992] 3 S.C.R. 615, and R. v. Borden, 1994 3 S.C.R. 145. 17 Investigation Report P95--005, “Cars, people and privacy: access to personal information through the Motor Vehicle Database,” March 31, 1995, Information and Privacy Commissioner of British Columbia 18 Comité Paritaire v. Potash, 1994 2 S.C.R. 406 at pp. 421 and 422. 19 Thompson Newspapers Ltd. v. Canada, supra; R. v. McKinlay Transport Ltd., [1990] 1 S.C.R. 627; Comité Paritaire, supra; 143471 Canada Inc., supra. 20.D. 
Scott, “Interception of a Hacker’s Computer Communication” (1993), 25 Ottawa L.R. 525 21 Under the Radiocommunication Act it is an offence, contrary to section 9(1)(c) and (d) of the legislation, to “decode an encrypted subscription programming signal or encrypted network feed otherwise than under and in accordance with an authorization from the lawful distributor of the signal or feed.” This provision covers radio and television broadcasting through networks or to paying subscribers receiving transmissions of frequencies lower than 3,000 GHz propagated in space without artificial guidelines. It is also an offence, contrary to section 327 of the Criminal Code to possess a device to de-scramble pay TV signals. 22 “Pour la liberalisation du chiffrement en France,” Stéphane Bortzmeyer, Le Monde, Jan. 27, 1995. Whitfield Diffie, one of the co-inventors of public key encryption, believes governments should not have the power to decrypt citizens’ encrypted messages. He argues that while this may constitute a set-back from current police ability to wiretap communications, this set-back is more than off-set by the rapidly increasing sources of other information available to police about citizens. “Prophet of Privacy,” Steven Levy, Wired, Nov. 1994, p. 165 23 Out of Control: The rise of neo-biological civilization, Kevin Kelly, Addison-Wesley Publishing Co., 1994, p. 209, citing Tim May. 24.E.g. Competition Act R.S. 1985, c.C-34, s.16. 25.(1986), 15 C.C.C. (3d) 466. 26.See the decision of the Quebec Court of Appeal in Re Banque Royale du Canada and The Queen (1985), 18 C.C.C. (3d) 98. 27.E.g. R. v. Bell and Bruce (1982) 65 C.C.C. (2d) 377 (Ont. C.A.) 28.(1985), 21 C.C.C. (3d) 206 (S.C.C.) 29 See Monroe v. Pape, 365 U.S. 167 (1961), and Bivens v. Six Unknown Named Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971). But see Anderson v. Creighton, 107 S. Ct. 3034 (1987). 30. See, for example, Fisheries Act, s. 49(1.1); Competition Act, ss. 
100(7), 101(6), 102; Competition Act, ss. 15(5), 16(2).