Computer Evidence

Henry Waldock
Last updated: 2018-02-09

• Computer Evidence
  
  • Principles
    • Data May Not Be A 'Thing'
    • Information Privacy and Search Issues
      • What's Private?
      • Searching computers "Incidental To Arrest"
      • Searching computers seized "In Plain View" or under s.489
      • Comparing information to a Database
    • Search Warrant Issues
      • Informations To Obtain
      • What to Search For
      • Seizing Information - Search Warrant or General Warrant?
      • Warrant for evidence of a defence
      • When and Where to Analyze
      • Reading emails - interception?
      • Expert Opinions
      • Internet Chat
  • What Kind of Warrant?
    • Wiretap
    • General Warrant
    • Assistance Order
    • Seizing and Analyzing Evidence
  • Disclosure & Encryption
  • Admissibility
    • Electronic Documents

Principles

Computers (cell phones, tablets and other information processing devices) may contain evidence probative of any offence.  That evidence is usually mere information.

Canadian law treats information differently from physical objects: it offers substantial privacy to personal information, but accords it little property value. Because s.8 of the Charter protects privacy, you need authority to intrude into private information. That means getting warrants or consent from a person who has authority over that information.

Careful how you execute them.

• Data in a computer system may be changed easily.  Therefore you must capture and preserve it in a fashion which prevents accidental or deliberate alteration.
• Search only for what you can justify. Justify what's useful.
• Searches inside the box need support from evidence outside the box.

Data May Not Be A 'Thing'

A union hired Stewart [1988] 1 S.C.R. 96 to help them organize the employees of a hotel.  Mr Stewart bribed a clerk to allow him to photocopy an employee list.  She turned him in.  When charged with counselling the commission of a theft, Stewart argued that his plan was never to deprive the hotel of anything.  Copying confidential information is not theft of a “thing”.  Held: Acquitted.

Similarly, s.487 of the Criminal Code, which authorizes the taking of a 'thing', does not authorize the taking of a credit balance in a bank account, because it is an intangible.  R. v. Banque Royale du Canada (1985) 18 C.C.C. (3d) 98 (Que CA).

If computer data is not a 'thing' for these purposes, then is it a 'thing' for other purposes, such as search warrants?

In 1998, a court generally agreed with this argument, but admitted evidence obtained by search warrant anyway.  The ITO clearly explained what the police intended to do with the "things" (the computers) once they "seized" them.  Weir, 1998 ABQB 56

Information Privacy and Search Issues

What's Private?

In R. v. Tessling, 2004 SCC 67 the Supreme Court of Canada considered whether a search warrant was required for police to fly over a house and obtain FLIR images.  The court observed that the FLIR device revealed very no intimate details of the lifestyle and personal choices of the individual.  The court ruled that it did not require prior judicial authorization.

Personal computers are private.  Morelli, 2010 SCC 8 (para 2).

Texting between two users of cell phones may be private. Don't rely upon standing, but ensure you have lawful authority to read their communications. Marakah, 2017 SCC 59.

Personal computers differ from other "receptacles" because they may receive information from the internet, they automatically collect personal information, and they retain some information even after the user thinks its gone.  Therefore, you generally require specific judicial pre-authorization to search personal computers. Vu, 2013 SCC 60.

After a you lawfully obtain a quantity of private information, you may examine or analyze it for purposes related to your seizure, but searching it for other incriminating material may breach someone's Charter rights. Someone stole Mr Law's (2002 SCC 10) safe, cracked it open, and left it in a field. When police located the safe, they found with it various papers Mr Law had stored in the safe. An officer not connected with the theft investigation suspected Mr Law of tax evasion. He photocopied the documents and forwarded them to Revenue Canada, who found them so compelling that they charged him with tax evasion. Even though the safe was stolen, Mr Law complained that he had a remaining expectation of privacy which the police violated. The court agreed that Law's remaining expectation of privacy in the documents was low, but there remained enough that the police should have respected it more. The evidence was excluded.

Because computers can contain very large quantities of personal information, this case suggests that you should consider whether they the computer you want to search may contain such information.  Is there a "reasonable expectation of privacy"?  Do you have authority to obtain the information you seek?

When police obtained a search warrant for a residence containing Mr Billings' 2004 BCSC 378 property, they did not include his computer as an item they sought.  They took it anyway, and searched it.  The court found this violated his privacy, and excluded the evidence.

Mr Pommer 2008 BCSC 423 and his wife were on bad terms.  She and her daughter slept in the master bedroom, and he slept elsewhere.  The daughter discovered a hidden video camera set up and recording in the master bedroom.  The wife kicked him out of the house.  He took his laptop, but left the family computer behind.  Pommer and his wife signed a separation agreement which said that the property remaining at the house was family property, to be divided later.  The wife asked a police officer to examine the family computer to see if Mr Pommer used it to distribute pictures of the daughter on the internet.  The officer, who dabbled in forensic computer analysis in his spare time, took it home and undeleted some files.  He found child pornography on Mr Pommer's password protected account.  Defence complained that he should have got a warrant.  The judge disagreed.  The evidence was admissible because the wife consented to the search.

"Canadians may reasonably expect privacy in the information contained on their own personal computers.  In my view, the same applies to information on work computers, at least where personal use is permitted or reasonably expected." - Fish J., Supreme Court of Canada.

While doing routine maintenance, a computer technician at a school found a nude photo of an underage student on a school laptop.  The laptop belonged to the school, but Mr Cole, 2012 SCC 53, a teacher at the school, had exclusive use of it, and permission to store private information on it.  The school seized the computer, searched it, and copied child pornography from the computer onto separate disks.  They gave the computer and the disks to police.  Police copied the hard drive and searched it without getting a warrant.

Did Mr Cole enjoy any expectation of privacy over his computer as against the school?  Did the police violate his expectations of privacy?

Factors affecting the reasonableness of Cole's expectation of privacy

Private	Non-Private
The school's written policy permitted personal use. In practice, teachers used their laptops for personal purposes. Computer was password-protected. Cole kept pictures of his wife on the laptop.	The school's written policy asserted that it owned the computer and the data on it. Remote access software permitted other school personnel to access the entire contents of the laptop. Cole knew of this technical capability and used it himself on other laptops on the school network.

When the officer received the computer from the school, the officer did a sensible thing: he investigated the teacher's expectation of privacy. He read the policies affecting it.  Unfortunately, he thought that ownership of the laptop and data determined whether Cole enjoyed a reasonable expectation of privacy.

The court disagreed.  Ownership doesn't determine expectations of privacy.

That makes sense.  Your doctor owns your medical records, but their contents are private to you.

Although I think it was a close call, the court concluded that Mr Cole enjoyed a reduced expectation of privacy, but one which s.8 still protected.

• The school's responsibilities to protect students justified the school's search of the computer.
• The police did not "search" anything when they received the disks, and so their receipt of those disks did not violate s.8.
• The police did violate Mr Cole's reasonable expectations of privacy when they searched the computer without a warrant.
  

The good sense of the investigating officer paid off.  Because he cared about Cole's expectations of privacy, and because he thought about privacy rights in the laptop, the court found it could admit the evidence in spite of the breach of s.8.  The prosecution will be able to tender all of the evidence against Mr Cole.

The take-home messages are

• Before searching, think about expectations of privacy.
  
• The law gives personal electronic information devices (like smart-phones, laptops, home computers) lots of s.8 protection.
  
• Don't search personal electronic devices unless you have clear lawful authority.
• Err on the side of caution - consider getting a warrant.

Searching computers "Incidental To Arrest"

See this section of Warrantless Search of the Person.

Searching computers seized "In Plain View" or under s.489

If you lawfully seize a cell phone or computer, you don't need a warrant to search it as an object.  But you do need a warrant to search the information in it.  "[S]earching for hidden compartments, testing that cell phone for fingerprints, or reading the identification number physically inscribed on the cell phone, do not interfere with the heightened expectation of privacy in the accessible information." Fearon, 2014 SCC 77

As part of an investigation into the murder of Mr Little's, 2009 CanLII 41212 (ON S.C.) wife, police obtained a search warrant for his house.  As they were searching for other things, they noticed his cell phone, with a blood stain on it.  They seized it too.  Later, they searched it.  Did they need a warrant?  This judge said that the seizure was lawful as a "plain view" seizure, or a seizure under s.489(1) of the Criminal Code.  But searching its contents required judicial authority.

When searching Ms Brown's 2014 BCSC 112 residence for marijuana, police found a camera.  They turned it on, and examined some of the photographs.  The warrant did not authorize the search of electronic devices.  The court found that the expectation of privacy in a digital camera fell somewhere between a photo album and a computer.  This warrant did not authorize the search of electronic devices, and therefore this search violated Ms Brown's expectation of privacy.  They should have obtained another warrant to perform this search.

Comparing information to a Database

Two of three judges of the Ontario Court of Appeal found that compelling a person to provide a name so that it can be checked against a police database is a significant interference with privacy.  Harris 2007 ONCA 574.  But the one said that there's little expectation of privacy in a name, and nobody can expect privacy in the information in a police database.  I don't think this case will decide the point.  We can expect these questions to persist.

Search Warrant Issues

Checklist

Real world	Digital world
Identify the addresses of the places you want to search	Identify all the electronic devices you want to search. Some people recommend asking for authority to search your own exhibit locker as a "place". I recommend describing the devices as "receptacles" (see s.487)
Describe the things you want to search for - not just the drugs, but the score sheets and the documents of residency which identify the occupants of the place.	Identify all the data you want to search for: not just the child pornography but the innocent documents and log entries which were made close in time which tend to identify who used the computer.
Identify the people - including non-peace officers - who will assist in the search.	Identify the people - including non-peace officers - who will examine the data.
On the face of the warrant, specify when you will start the search. In the ITO explain why you need the time frame requested.	On the face of the warrant, specify when you will start the data examination. Avoid writing language which requires you to complete the search within any particular time.
If you intend to search in any unusual way, explain why in the ITO.	If you intend to get the data on-site, explain why in the ITO.
If you need an order compelling someone to assist in your search explain why in your ITO, and ask for an assistance order.	If you need an order compelling someone to assist in your search explain why in your ITO, and ask for an assistance order.
	Searching for data on connected devices - s.487(2.1) - give yourself authorization on the face of the warrant, and explain why in the ITO.
Don't search for things not mentioned on the face of the warrant.	Don't search for data not mentioned on the face of the warrant.
If you encounter evidence of other offences, you may seize it. If you want to search for more, you must apply for another warrant.	If you encounter evidence of other offences, you may seize it. If you want to search for more, you must apply for another warrant.

Informations To Obtain

Before a justice can issue a warrant for child pornography or obscenity, the justice must be satisfied that the place contains the obscene or pornographic images.  Must you send copies of the images to the justice?  No.  But the ITO must sufficiently describe the images so that the justice can decide for him- or her-self that they are indeed contraband.  R. v. Harris, 1987 CanLII 181; R. v. Smith, 2007 CanLII 32671 (ON S.C.).

The justice must be satisfied that the evidence will still be there.  When police applied to search Mr Morelli's, 2010 SCC 8 computer, they knew that the hard drive had recently been reformatted.  The court wasn't satisfied that the child pornography would still be there.

What to Search For

Things or data?

Searching for and seizing a computer or cell phone differs from searching the data inside it.  If you want to do both, ask for authority to do both.  Search warrants in Form 5 allow you to search for and seize things.  Form 5 was drafted before the Charter and before computers existed. It  doesn't spell out the difference between seizing a computer and analyzing the data inside it.

Current case law distinguishes between possessing a computer and searching its contents.  Your warrant must spell out what evidence you seek.  If your searching turns up evidence of a different crime, you need a new warrant to search for more evidence of that offence. Jones, 2011 ONCA 632.

In Marek, 2016 ABQB 18, the searcher delivered all the documents and data from a hard drive to the investigator instead of merely the documents and data of interest.  The court found that breached the defendant's rights. This suggests that the technician needs a thorough briefing of the circumstances of the case, and the technician should report out only the relevant evidence.  See also Dadmand, 2016 BCSC 878 - technicians must show the focus of the search responded to warrant granted.

Do you just want to search the computer for contraband?  The trial judge knew Mr McGarvie, 2014 ONCA 394 was the one using the family computer for viewing child pornography in part because his browsing history showed a pattern of viewing material related to his personal hobbies, interspersed with searching for and viewing the porn.  Consider searching the computer for evidence of ownership and use, such as:

• emails,
• resumés,
• family photographs of the suspect(s),
  
• internal logs for evidence of the times of use, and
• internet searches done from the computer.

Don't copy that list into your ITO.  You don't need to spell out what kinds of computer files you want to examine.  Instead, describe the type of data you want to find.  Jones, 2011 ONCA 632 at para 43.

If you spell out in your ITO that computers tend to record dates and times on documents and data as they perform their operations, then the justice may permit you to look at those documents to determine who was responsible for the contraband you find.  You could ask to search for documents and data containing what you seek (eg child pornography), and documents and data relating to them either in content - such as emails referring to the images - or in time - such as documents and data date-stamped within hours of the date-stamps on the child pornography.

After police caught Mr Dragos, 2009 CanLII 51517 (ON S.C.) in a hotel room having sex with a 13-year-old girl he had lured there, they got a warrants to search all the data on his computers.  They found child porn.  He complained that it should have been limited to emails and chat logs.  Although his complaint did not succeed, it warns you to specify a wide variety of probative types of data for which to search.

How do you describe a computer and all the associated peripherals and storage devices?  How do you describe the data on it?  You could do worse than write:

In this information to obtain, I use the terms "computer system" and "data"  to mean the same as those words are defined in s.342.1 of the Criminal Code.

Is this overbroad?  Possibly.  Language of this sort was accepted in Phillips 2011 ONSC 1881.

If you're searching for documents or photographs in a house, you need separate authority to search the computers you find in the house for that documentary information.  In Vu 2013 SCC 60, police searched a grow up for evidence of who occupied the place.  They found computers, which they examined in the residence.  They found a computer using MSN Messenger and Facebook. Those programs showed information tending to identify the defendant. They searched the computer and found the defendant's resumé. Defence complained that computers contain so much information that police should obtain specific judicial authorization to search computers.  The court agreed.

In Sop, 2014 ONSC 4610, the court excluded evidence based upon the breadth of the search of a computer.  Based on information that that the target purchased child pornography from AZOV Films, the investigators obtained a warrant to search his computers for child pornography. The trial judge understood that the officers examined all 40TB of the target's computer storage. More probably, the officers scanned the contents using search engines, looking for child pornography.  They found AZOV films material, and other child pornography.  Because the officers searched more broadly than they had reasonable grounds to believe they would find, the judge found that they breached his s.8 rights.  Try to document how much of the target's personal information you actually see, so that you can respond to concerns about overbreadth.

Focus your Search

Distinguishing between Forensic Copying and Snooping

In Hiscoe, 2011 NSPC 84, the judge didn't mind a quick scan of a cell phone, but objected to the police copying the whole of its memory and analyzing it.  In Jones, 2011 ONCA 632, the court liked a search warrant which permitted searches only for evidence relevant to the offence.

In Mann, 2014 BCCA 231, the court agreed that downloading the entire contents of a cell phone was generally too broad a search.  But the court did not distinguish between copying the contents of the phone and examining the copy. In my view, if you copy the contents of a phone in order to preserve the data, but examine none of them, the violation of the owner's privacy is minimal to non-existent.  The violation starts when you begin to examine what the copy contains. You need to document precisely who accessed the copy, when, and what they looked at.

In Marek, 2016 ABQB 18, the court approved of forensic imaging of a computer's hard drive before the data analysis started.  Copying data without looking at it preserved the original.

Seizing Information - Search Warrant or General Warrant?

Is information a “thing” for the purposes of a search warrant?  According to Mero 2003 BCSC 964, a regular search warrant to search for things and seize them (in that case under CDSA s.11) would be sufficient authority for examining a scene and taking pictures, and you don't need a General Warrant.  If so, then the section must also authorize collecting data from a computer system at a place.

Production Order

A production order requires a person in the jurisdiction to produce documents or data in his or her possession or control. But a justice may only make orders against a person within the jurisdiction. In BC v. Brecknell, 2018 BCCA 5, the court found that a production order can compel a local person to produce data from outside the jurisdiction, and that person can be "virtually" here rather than physically. This meant that a Canadian justice could order Craigslist, a Californian company that does business in BC virtually, to produce data. Other judges disagree.

Stored text messages may be produced by a single production order without triggering an “interception”. In R. v. Jones, 2017 SCC 60, the police obtained a single production order for stored text messages. The defence complained that this was also “interception”. Because it did not produce the content of a conversation in anything close to real time, it was not an interception.

A judge in Newfoundland disagreed: In the Matter of an application to obtain a Production Order pursuant to section 487.014 of the Criminal Code of Canada, 2018, 2018 CanLII 2369 (NL PC)

Warrant for evidence of a defence

It is permissible to obtain a warrant to search for evidence relating to defences.  CanOxy Chemicals Ltd v. Canada (A.G.) [1999] 1 SCR 743.  (Chemical spill.  Investigators sought documents relating to due diligence – which would be a defence to liability based upon negligence.)

When and Where to Analyze

Search warrants traditionally set a time frame during which police may enter a residence to search, but do not specify how long thereafter they may search.  Searches of electronic devices typically take a long time to work their way through the technician's queue.  Therefore, warrants should permit searches to start at a specific time, but should avoid limiting the duration that the technician can do the work.

Police obtained a search warrant for Mr Weir's (2001 ABCA 81) (Alta CA) home because they believed his computer contained images of child sexual abuse. They seized it at the house, did not analyze it until later. Defence argued that s. 487 only permits searching at the scene. Held: Later forensic analysis does not require further authority. (This judgment also provides a good example of how defence will attack an ITO.)  See also Karim, 2012 ABQB 470 at paras 77-80; Ballendine, 2011 BCCA 221. Marek, 2016 ABQB 18;

Perhaps when drafting a warrant to search an electronic device already in your possession, you should draft the order with language like this:

I order that the may, between and be seized and submitted to technicians who may thereafter search it for <evidence sought>.

While executing a search warrant for evidence of a fraud, police found child pornography in Mr Jones, 2011 ONCA 632 computer.  Defence complained that the computer analysis exceeded the time set out on the fact of the warrant to "enter" his residence and "seize" the computer and data in it.  The court held:

"Date parameters are not particularly pertinent to that inquiry and their absence does not allow the police authorities to stray beyond the legitimate targets of the search."

Reading emails - interception?

Police arrested an associate of Mr Giles 2007 BCSC 1147 for trafficking large quantities of cocaine.  They found a Blackberry wireless device on his person, and submitted to technicians for a search because they had reason to believe it contained information relevant to the offence.  Defence complained that the police needed a warrant to search the device because it had not been searched at the time of arrest, and the police needed a wiretap authority to read the emails because they were intercepting private communication.  Defence complained that there is a high expectation of privacy in a Blackberry or other computer device.  The judge rejected all of these arguments.  A search of a computer incidental to arrest may take weeks or months, but it is still incidental to arrest if it done reasonably promptly, for the purpose of finding evidence related to the offence for which the suspect was arrested.

Expert Opinions

In order to satisfy a judge that:	you need an expert in
Deleted data files can be undeleted from a file system	computer file systems
People who download child pornography tend to hoard it	behavioural psychology
An email actually emanated from the suspect, and was not forged	computer networking and email systems

In your information to obtain, you must recite not only the expert's opinion, but also the expertise.

In Morelli, 2010 SCC 8, the ITO recited only the expert's general opinion, but not the expert's qualifications.  For that, and other reasons, the court threw out the warrant.

Internet Chat

Is an authorization for wiretap necessary to log an internet chat session?  An unpublished 2008 provincial court decision from Ontario called Kwok says yes, but other courts have viewed his logic with some suspicion.  S.W.F., 2008 ONCJ 740.  Caza 2012 BCSC 525

The Newfoundland Court of Appeal said “no”, but didn’t mention any of the cases on point. R. v Mills, 2017 NLCA 12

I think the answer to this question turns on the facts.  What do typical chat programs do by way of storing chat during the chat and after?  Expectations of privacy may differ between chat rooms.   But most of all, is the habit of anonymity.  On this chat room, do most people choose screen names which conceal their true identity?  If they choose anonymity, surely it is because they do not want their communications linked to themselves.  It demonstrates an assertion of privacy because of the public nature of the forum.  Therefore, they have no expectation of privacy in the words they type, but a large expectation of privacy in their identities.  Therefore, in these cases, no authorization should be required to log the chat, but warrants and production orders should be obtained for the IP addresses and account information.

In Caza 2012 BCSC 525, foreign police busted an American child pornographer, and got his username and password for a file-sharing site.  A Canadian officer used those credentials (without warrant) to review his conversations with Mr Caza, a Canadian.  Caza complained this violated the privacy of his computer.  The court rejected this argument.  The chats weren't stored on Caza's computer.  Caza did not know the American child pornographer, except by his username, and could not know whether the American was a cop or a collector.  He had no remaining expectation of privacy in those chats.

Therefore, the answer to the question is: investigate expectations of privacy.  Determine what the common wisdom is.  Investigate what people usually do on this chat room.  Ask questions.  I found this page indicative of some common wisdom on the net about concealing identity.  On the other hand, I found nothing at www.yahoo.ca's introductory pages on chat which recommended protecting anonymity.

Email me if you want a copy of the unpublished decisions.

Facebook Communications

Sometimes a suspect's Facebook messages look damning.  Proving that the suspect wrote them requires substantial evidence.  In Moazami, 2013 BCSC 2398, investigators linked cell phones in the accused's possession to the phone numbers that the accused used to obtain the Facebook accounts; and the found witnesses who could establish that he was the one who sent specific messages from those accounts.  The court concluded on a balance of probabilities that he sent the messages in issue.

Report to a Justice?

Yes. Promptly. see s.489.1

What Kind of Warrant?

Wiretap

Telus stored text messages.  In R v Telus Communications Company, 2013 SCC 16, the police obtained a general warrant which required Telus to gather the text messages received thereafter, and deliver them to police daily.  The majority found this was effectively an interception of private communications - which could only be authorized by wiretap.  Therefore this general warrant was invalid.

Early cell phones and pagers were not private because people listening with similar devices or scanners could pick up the messages. Some courts suggested that interception of such communications did not require wiretap authorizations.  eg. Lubovac (1989) 52 C.C.C. (3d) 551 (Alta CA), Cheung (1995) 100 CCC (3d) 441 (BCSC).

However, later decisions concluded otherwise.  Even if the prospect of partial interception of cell phone conversations removes them from the protection of s.183, intercepting them does violate the remaining expectation of privacy sufficient to engage s.8 of the Charter. A warrant (of some sort) is required to intercept these communications.. R. v. Solomon (1996) 110 CCC (3d) 354 (Que CA) aff’d 118 CCC (3d) 351 (SCC)

Therefore, the prospect that a sysadmin might view email before delivery or sniff packets for the proper maintenance of a computer system does not eliminate the “private” aspect of the communication.

General Warrant

A general warrant authorizes any special investigative technique for which no other authority exists.  If the technique permits the peace officer to "observe" any person engaged in an activity in which privacy is reasonably expected, then the general warrant must meet the standards of wiretap.

Analyzing a computer may not resemble a search through a residence, but in R v KZ, 2014 ABQB 235, the court found that an ordinary search warrant under s.487 sufficed.  Police do not require a s.487.01 general warrant to analyze a computer they have previously seized.

Assistance Order

Section s.487.02 empowers the JP or judge who grants a warrant (or authorization) to order "any person" to provide assistance that is reasonably necessary for the search.

If you seize a computer or data storage device containing encrypted data, can such an order compel a person to decrypt the data?

If the person is not your suspect, absolutely.  That's why the section exists.  Canadian Imperial Bank of Commerce v. R. (1997 Ont S.C.J.)

What if the person is the offender?  No case law addresses this question yet.  I think the answer is yes, but most lawyers disagree with me.  My reasoning is:

1. The right not to incriminate oneself is not absolute.  For example, Canadian drunk drivers are compelled to blow into breath testing machines every day.
2. The order compelling the suspect to assist would be made only when an independent decision-maker is satisfied on reasonable and probable grounds that the evidence is there.  This provides much greater protection from abuse than s.254 of the Criminal Code.
3. The information sought pre-exists the order.  The suspect is not compelled to create evidence, only to reveal it.
4. No place should be completely free from warranted and justified scrutiny of the state.  Current methods of encryption create such places; judicial orders are required to break down the door.

If you do obtain such an order, do not ask for an order that the suspect reveal the password.  Instead, ask for an order that the suspect "open" or "decrypt" the data.  The password itself may reveal personal information about the suspect.  This will cause even greater difficulty at the trial.

My opinion is not shared by judges who have written opinions about it: Boudreau-Fontaine, 2010 QCCA 1108; Talbot, 2017 ONCJ 814.

If you click the link for Talbot, you won't find the reasons. That case is on appeal to the SCC. Stay tuned.

Seizing and Analyzing Evidence

Because of its fragility, digital evidence must be seized and analyzed with unusual care. This requires different procedures than seizing ordinary objects. The American Department of Justice created some guides which make sensible suggestions:

• Electronic Crime Scene Investigation: A Guide for First Responders
• Electronic Crime Scene Investigation: A Guide for First Responders (the brief version)
• Forensic Examination of Digital Evidence: A Guide for Law Enforcement
• Investigations Involving the Internet and Computer Networks

Disclosure & Encryption

In Beauchamp, 2008 CanLII 27481 (ON S.C.) the court considered whether the Crown is obliged to disclose encrypted data to defence if the Crown can't decrypt it.  Police seized data pursuant to a search warrant.  Some was encrypted, but their software broke the code.  Some was encrypted too well to decrypt.  Defence demanded copies of the encrypted data, but wouldn't say what it was, nor what the password was.  The Crown refused.  The judge agreed with Crown's decision.  The Crown didn't fully "possess" the data because they didn't know what it was; not knowing what it was, the Crown couldn't limit disclosure to prevent misuse of the data; and not all the defendants would know the password, so some could have an unfair advantage over others.  Canadian courts take their first tentative steps into the difficult world of data encryption.

Admissibility

Printouts from bank computers (s.29 Canada Evidence Act) and business computers (s.30 Canada Evidence Act) may be admitted in evidence so long as:

• Crown gives defence notice
• A person provides testimony (or an affidavit) to explain what they mean

Even without these sections, courts will admit "business records" as original evidence.  Even if the business outsources record-keeping to a third party, the common law may admit the records under the principled hearsay rules.  R. v. LeMay 2004 BCCA 604.  Even the absence of a record in a database may be admissible.  R. v. Jiao 2005 BCPC 12. 

How does one prove that a printout accurately displays the data that was stored in a computer?  S.31.1 - 31.8 Canada Evidence Act provides for means to prove the authenticity of electronic information.    However, even "authentic" digital information must be admissible.  Suppose Mrs Jones types into her blog that she saw her neighbor, Mr Smith, murder his wife.  The Crown could prove, using s.31.1-31.8 that the documents stored on the server accurately recorded what Mrs Jones typed.  But the court wouldn't accept the blog entry as evidence of who killed Mrs Smith.  It's hearsay.  To prove Mr Smith murdered his wife, the prosecutor would need Mrs Jones to testify.  In Mondor, 2014 ONCJ 135, the prosecution attempted to prove that the accused purchased and possessed child pornography by going through the computer records of the business that sold porn to him.  Without testimony from the people that ran the business, all the records were hearsay.  The Crown's case failed.

Meta-tags in an HTML document are admissible and probative evidence. Mr Smith (2005 Ont C.A.) hosted a website containing images that the Crown said were obscene because they coupled explicit sex and degrading violence. Mr Smith conceded the violence of the images, (naked and apparently dead women depicted with arrows and bullets piercing them) but suggested that the images weren't sexual. However, the meta-tags which advertised his content on search engines destroyed his position: snuff films, naked women, nude women, mature women, slut wives, bikini babes, porn, adult models, sexy, tits, big tits, fetish, fantasy, gunshot wounds, belly fetish, shooting fetish, role playing, horror films, dead women, necro fantasy, necro fetish, and bullets and babes." Therefore he argued that the keywords weren't admissible because they weren't visible on his site. The court disagreed, comparing them to the reviews one finds on the dustcovers of books.

Authentication

Users of Facebook make an assumption about messages they see from "friends".  If the computer says that the message comes from "BillyG", then the person whose tag is "BillyG" wrote the message.  But courts move more carefully.  How do we know that someone else didn't type the message?  There are ways:

• Get evidence of prior conversations: did the real BillyG habitually use this identity?
• Prove that only the real BillyG would know what was discussed in this conversation.

In Christhurajah, 2017 BCSC 1355, police believed that the defendant created a Facebook account using his real family name, and an alias that the offender sometimes used. The court would not admit the Facebook evidence in proof of those assertions. The fact that the accused looked like the pictures on that account helped somewhat, but the judge pointed out that the similarity of family names could account for the similarity of the accused to the pictures posted there. He might be related to the account holder. To prove it was his account, better evidence would include:

• Testimony that the pictures are of the defendant
• Testimony that something in the account is authentically of the defendant.
• Testimony about how Facebook works, and how it checks for real identity.

Nde Soh, 2014 NBQB 20 The complainant of a sexual assault wrote to her abuser on Facebook, and he wrote incriminatory responses.  When police investigated, she logged onto her Facebook account, and showed the conversation to an officer, who photographed the computer screen as it displayed the conversation, and used the computer to capture screenshots.  Defence opposed admission of the evidence: Electronic evidence can be altered and faked, who can trust that this conversation occurred at all?  Was the person using his account actually him?

• Relying only on the complainant's explanation of how Facebook worked for her when communicating with family abroad, the judge accepted that Facebook accurately recorded conversations.
• Even without resort to technical IP information from Facebook, the judge found that Mr Soh was the author of the conversation: she previously communicated with him on that account.  In these conversations, he referred to clothing the complainant wore, and other details of an event which only he and she attended.  She never told anyone else about the incident.

When collecting Facebook conversation evidence, therefore, try to collect evidence of past conversations between the parties - to show the identity of the person who uses the account.

Electronic Documents

Personal Information Privacy and Electronic Documents Act (PIPEDA) - Part 2

Among other things, this Act creates Federal recognition for digital signatures.

Top

Home

Contact