People love their phones.  Phones now accompany us pretty much wherever we go, whatever we do.  People use their phones in church, in restaurants, at the theatre, and, apparently, while committing crimes.  And our phones are leaving a trail behind us.

Police know this.  They also know that records are created every time our phones connect to cell towers to send and receive calls, SMS messages, or data.  Every one of those records indicates that a phone (and, implicitly, the person carrying it) was in range of a particular cell tower, at a particular time.

This could be useful information if, say, one wanted to identify the person (or people) responsible for a string of jewelry store robberies.

The method will be familiar to many from movies and T.V. shows: all you need to do is to gather a list of every single person who was near each of the locations of interest at the time of interest and analyze the patterns.  And, hey, that cell tower data can provide that list….

But is it legal?  What about the privacy interests of the literally tens of thousands of other people who may have been passing by those locations at the time?  This was the subject of a recent decision of Justice Sproat, of the Ontario Superior Court of Justice.

Context

The circumstances that led to the decision in R v Rogers Communications, 2016 ONSC 70, can be stated briefly.  In April of 2014, the Peel Regional Police (PRP) were investigating a string of jewelry store robberies.  They sought, and obtained, a production order under s. 487.012 of the Criminal Code (which has since been replaced by s. 487.014, which is substantially similar).

The production orders, which were issued by a Justice of the Peace, as set out in the Criminal Code, required the name, address, and billing information of every subscriber making or attempting a communication through a number of cell towers.  This included subscribers who were not located anywhere near those towers, if their communications passed through the towers in question.

Two telecommunications companies, Rogers and Telus, objected to the production orders and challenged them in court. In light of the challenge, the PRP sought to withdraw the production orders and to replace them with more narrow orders.  They also argued that the challenge should be dismissed as moot.  In a preliminary decision in July 2014, Justice Sproat agreed to revoke the original production orders, but allowed the Charter challenge to proceed nonetheless.

The follow-up decision, issued on January 14, 2016, confirms that telecommunications users have a reasonable expectation of privacy in the tower data and that the production orders originally sought in this case were unconstitutionally broad.  The decision attempts to provide guidance both to police and to Justices of the Peace as to how to limit production orders such that the conform to both the Criminal Code and the Canadian Charter of Rights and Freedoms.

Guidance on Scope of Production Orders

At the heart of the guidance lies one relatively simple principle: collect no more personal information than is necessary.  This basic concept is familiar both in Canadian privacy law (for example, limiting collection is one of the Fair Information Practice Principles in PIPEDA, the federal private sector privacy statute, although this statute expressly does not apply to law enforcement) and constitutional law (minimal impairment is one of the branches of the so-called Oakes test for a justifiable infringement of Charter rights and freedoms).

Based on this principle, Justice Sproat set out seven non-binding guidelines addressing what the police should include in the “information to obtain” (being the information the police put before the Justice when requesting the order).  But the main ideas can be restated slightly more simply.

  • Police should explain why all of the data requested is relevant to the investigation.
  • Police should not omit or ignore any details or parameters that might help narrow the search.
  • Police should either limit the request to a report that distills out the relevant information (for example: the list of telephone numbers that show up at multiple locations of interest, rather than the raw list of every number that appears at any of the locations) or explain why the raw data is necessary for the investigation.

The first two of these seem rather straightforward.  The last is interesting.  It presumes that it is constitutionally preferable to have a private actor—in this case a phone company—do this analysis on behalf of the state.

On one hand, this makes some sense.  The Charter regulates the relationship between the state and the individual.  It does not normally apply to the activities of private parties.  Moreover, the phone companies already have this data, so they are, at least in a sense, not learning anything new in the process.  It certainly does help minimize the amount of personal information that changes hands, which should help prevent proliferation and the attendant risk of unauthorized use of the information, while still putting the relevant information in the hands of the police.

But one might ask whether this arrangement is entirely satisfactory for the service providers, who seem to have been deputized into some kind of investigative role, or their customers.

This connects to the fourth issue in the case, which is the most technical but possibly the most interesting: whether the service providers had standing to bring the claim at all.

Standing of Service Providers

Justice Sproat’s analysis of this point is brief, but it arguably addresses the elements of the test for public interest standing: there seem to be clear findings that there was a serious constitutional issue and that there was no other reasonable means for the issue to be brought before the courts.  But on the final branch of the test, that is, whether the phone companies had a genuine interest in the matter, the decision is less clear.

The decision seems to rely on the contractual relationship between the service providers and their customers.  In fact, Justice Sproat goes so far as to say at para. 38 of the decision (although this is obiter dicta) that Rogers and Telus not only had standing to bring the challenge, they had a contractual obligation to do so.

If this is true, it raises some questions.

Does a  Contract Oblige Service Providers to Challenge Production Orders?

First, it seems there were other service providers who were prepared to comply with the initial, over-broad production orders.  Were their service contracts substantially different from those of Rogers and Telus?  If not, should they have been liable to their customers for failing to contest the order?  What remedies would the customer have, and how would they be enforced?  Can the service provider change the terms of that contract to avoid this duty to litigate their customer’s Charter rights?

Second, why is it more consistent with a contractual obligation of confidentiality for service providers to directly perform the same analysis that the police might otherwise have performed?  Less irrelevant personal information will end up in the hands of the state, which does have the salutary effect of protecting against potential misuse of the information, but there will still be disclosures of personal information, including about people who have no involvement in the crimes under investigation.  Can the service provider simultaneously act as a guardian of customers’ privacy interests and as a delegated investigator for the state?

Third, is society’s interest in justice well-served by this delegation?  How can the police, the courts, or society at large have confidence that these reports are complete and accurate unless there is some way to independently verify them against the raw data?

Fourth, does this do anything to relieve the service providers from the burdens of performing the over-broad searches?  On its face, it seems to increase the burden on them: now, not only will they have to perform the same searches, they will have to analyze the data and produce reports from them.  Furthermore, they apparently also will have to concurrently perform a legal analysis to determine whether or not they have a contractual duty to object to the request (or a statutory obligation to comply with it, or both).

Uncertain Role of Service Providers

The principle of limiting the collection of personal information, and the associated impairment of the Charter freedom from unreasonable search and seizure, is doctrinally sound.  Justice Sproat’s guidelines mostly seem sensible and helpful on their face.  Even the concept of limiting the production to a report, rather than raw data, seems attractive.  But, with all respect to Justice Sproat, who has clearly attempted to strike a practical balance that is protective of Charter interests, it is not obvious that he has achieved an entirely satisfactory solution to this difficult problem.

Justice Sproat himself noted that at least some of the questions raised by the parties, such as whether safeguards should be imposed to protect the personal information when it is in the hands of the police and whether the police should limit recourse to tower dump orders to a “last resort” when other techniques have failed, were better left to Parliament.  It may be that the obligation for service providers to effectively participate in the investigation by performing data analysis on behalf of the state should also be in this category.  This might permit a more comprehensive assessment of what role the service provider should play and what safeguards should be in place.