The Supreme Court of Canada recently formulated new rules for computer searches by police, acknowledging that the traditional legal framework was inadequate to protect the privacy rights of individuals in their digital life. In R. v. Vu, 2013 SCC 60, the Court said that a police search of a computer now requires prior authorization in the form of a specific warrant.
The police had been tipped about electricity theft at a residence suspected of being used to cultivate marijuana. They obtained a warrant to search the residence for evidence of such theft, including information identifying the owners and/or occupants of the residence. The information to obtain the warrant indicated the police intended to search for “computer-generated notes” but did not specifically refer to computers or authorize a search of computers.
In their search, the police found marijuana, two computers and a cellphone; a search of the computers provided evidence which identified Mr. Vu as the occupant. At trial, Mr. Vu claimed that a search of the computers and cell phone violated his section 8 Charter rights to be free from unreasonable search and seizure.
The trial judge found that the police were not authorized to search the computers or the cell phone because, inter alia, those devices were not specifically mentioned in the warrant. The acquittal was set aside by the BC Court of Appeal, which concluded that the warrant authorized a search for “documents”, a term that included electronic documents which might be found on a computer. The Supreme Court, however, overturned the appeal court, and in the process, declared that a computer found in a location for which a search warrant has been issued can only be searched if the warrant specifically authorizes that search.
The traditional legal framework holds that once police obtain a warrant to search a place for certain things, they do not require specific prior authorization to search in receptacles located in that place, such as cupboards and filing cabinets.
The Court noted, however, that computers are fundamentally different from other receptacles. They can store immense amounts of information, some of which will touch the biographical core of personal information. Computers also do two things that have no analogue in the physical world: they automatically generate information (often unbeknownst to the user) and they retain files and data even after users think that they have destroyed them. Additionally, they are also portals to “an almost infinite amount of information that is shared between different users and is stored almost anywhere in the world.”
As a result, the traditional framework is not appropriate for computers as they give rise to particular privacy concerns that are not sufficiently addressed by this approach. Instead, the volume and nature of the information on a computer requires that a justice consider this issue and specifically authorize this type of search in the warrant.
Courts are increasingly noting the fundamentally different nature of computing devices, strengthening protections (both civilly and criminally) of the personal information therein and attempting to balance personal privacy with the needs of law enforcement (or, in the civil context, businesses).
Rule-rewriting notwithstanding, the Vu decision is cautious. The Court said that the rules it laid down were meant to apply specifically to searches of computers which were found in locations for which a warrant had been issued.
The Court also cautioned that it’s decision was not meant to pre-judge the result in other searches involving computers, such as searches of a cell phone incident to arrest. This issue is currently before the Supreme Court after the Ontario Court of Appeal held in R. v. Fearon, 2013 ONCA 106 that a warrantless search of a cell phone incident to arrest was acceptable because, inter alia, the phone was not password protected.
Interestingly, the phone in the Fearon case was a not a smart phone, but a comparatively dumb “feature” phone with limited personal information. In light of the reasoning in Vu, it will be interesting to see what the Supreme Court says about the expectation of privacy in respect of dumb phones, smart phones and phones of middling intellect (is the search of a “smart” phone incident to arrest permitted? The reasoning in Vu suggests that devices which are “vast repositories of information” may require a higher level of protection than that contemplated for Mr. Fearon’s dumb phone. Where do tablets fit? How about wearable technologies like Google Glass or smart watches? ).
With respect to the auto-collection of information without a user’s knowledge, a higher expectation of privacy in computerized devices may pose some interesting challenges given computers’ ubiquity. For instance, personal vehicles, like cell phones, are getting smarter. While most consumer vehicles since 1998 have had at least a rudimentary event data recorder (“EDR”), EDRs are evolving to record even more data. Those with GPS functions know where the vehicle’s occupants have been; some after-market technologies even include video cameras. Does a warrant to search a car include the right of the police to download and search EDR data? Or is a separate warrant required? The Court in Vu said the new rule for warranted searches ought to “apply equally to all computers found within a place with respect to which a search warrant has been issued”.
What about the employer trend toward bring-your-own-device policies? A BYOD device is, ostensibly, a single device with at least two sets of data, that which arises from the employment relationship and that which arises from the activities of the private individual. If a separate warrant is required to search the device, should it be restricted to one set of data only? Should a search protocol be required?
The decision in Vu and the pending decision in Fearon highlight the importance of keeping current with the courts’ approach to digital information.