Last updated: 2019-04-20
Computers (cell phones, tablets and other information processing devices) may contain evidence probative of any offence. That evidence is usually mere information.
Canadian law treats information differently from physical objects: it offers substantial privacy to personal information, but accords it little property value. Because s.8 of the Charter protects privacy, you need authority to intrude into private information. That means getting warrants or consent from a person who has authority over that information.
Careful how you execute them.
A union hired Stewart 
S.C.R. 96 to help them organize the employees of a hotel. Mr
Stewart bribed a clerk to allow him to photocopy an employee list.
She turned him in. When charged with counselling the commission of
a theft, Stewart argued that his plan was never to deprive the
hotel of anything. Copying confidential information is not theft
of a “thing”. Held: Acquitted.
Similarly, s.487 of the Criminal Code, which authorizes the taking of a
'thing', does not authorize the taking of a credit balance in a bank
account, because it is an intangible. R.
v. Banque Royale du Canada (1985) 18 C.C.C. (3d) 98 (Que CA).
If computer data is not a 'thing' for these purposes, then is it a
'thing' for other purposes, such as search warrants?
In 1998, a court generally agreed with this argument, but admitted
evidence obtained by search warrant anyway. The ITO clearly
explained what the police intended to do with the "things" (the
computers) once they "seized" them. Weir,
1998 ABQB 56
v. Tessling, 2004 SCC 67 the Supreme Court of Canada considered
whether a search warrant was required for police to fly over a house and
obtain FLIR images. The court observed that the FLIR device
revealed very no intimate details of the lifestyle and personal choices
of the individual. The court ruled that it did not require prior
Texting between two users of cell phones may be private. Don't rely upon standing, but ensure you have lawful authority to read their communications. Marakah, 2017 SCC 59.
Even if a technician alerts you that a computer
contains child pornography, the data in the computer remains private
to the owner of the computer. You can't review the data yourself nor
ask the technician to look at the data on your behalf. Villaroman,
2018 ABCA 220.
Personal computers differ from other "receptacles"
because they may receive information from the internet, they
automatically collect personal information, and they retain some
information even after the user thinks its gone. Therefore, you
generally require specific judicial pre-authorization to search
personal computers. Vu,
2013 SCC 60.
After a you lawfully obtain a quantity of private information, you may examine or analyze it for purposes related to your seizure, but searching it for other incriminating material may breach someone's Charter rights. Someone stole Mr Law's (2002 SCC 10) safe, cracked it open, and left it in a field. When police located the safe, they found with it various papers Mr Law had stored in the safe. An officer not connected with the theft investigation suspected Mr Law of tax evasion. He photocopied the documents and forwarded them to Revenue Canada, who found them so compelling that they charged him with tax evasion. Even though the safe was stolen, Mr Law complained that he had a remaining expectation of privacy which the police violated. The court agreed that Law's remaining expectation of privacy in the documents was low, but there remained enough that the police should have respected it more. The evidence was excluded.
Because computers can contain very large quantities of personal information, this case suggests that you should consider whether they the computer you want to search may contain such information. Is there a "reasonable expectation of privacy"? Do you have authority to obtain the information you seek?
When police obtained a search warrant for a residence containing Mr Billings'
2004 BCSC 378 property, they did not include his computer as an item
they sought. They took it anyway, and searched it. The court
found this violated his privacy, and excluded the evidence.
Mr Pommer 2008 BCSC 423 and his wife were on bad terms. She and her daughter slept in the master bedroom, and he slept elsewhere. The daughter discovered a hidden video camera set up and recording in the master bedroom. The wife kicked him out of the house. He took his laptop, but left the family computer behind. Pommer and his wife signed a separation agreement which said that the property remaining at the house was family property, to be divided later. The wife asked a police officer to examine the family computer to see if Mr Pommer used it to distribute pictures of the daughter on the internet. The officer, who dabbled in forensic computer analysis in his spare time, took it home and undeleted some files. He found child pornography on Mr Pommer's password protected account. Defence complained that he should have got a warrant. The judge disagreed. The evidence was admissible because the wife consented to the search.
"Canadians may reasonably expect privacy in the information contained on their own personal computers. In my view, the same applies to information on work computers, at least where personal use is permitted or reasonably expected." - Fish J., Supreme Court of Canada.
While doing routine maintenance, a computer technician at a school found a nude photo of an underage student on a school laptop. The laptop belonged to the school, but Mr Cole, 2012 SCC 53, a teacher at the school, had exclusive use of it, and permission to store private information on it. The school seized the computer, searched it, and copied child pornography from the computer onto separate disks. They gave the computer and the disks to police. Police copied the hard drive and searched it without getting a warrant.
Did Mr Cole enjoy any expectation of privacy over his computer as
against the school? Did the police violate his expectations of
The school's written policy permitted personal use.
In practice, teachers used their laptops for personal purposes.
Computer was password-protected.
Cole kept pictures of his wife on the laptop.
The school's written policy asserted that it owned the computer and the data on it.
Remote access software permitted other school personnel to access the entire contents of the laptop.
Cole knew of this technical capability and used it himself on
other laptops on the school network.
When the officer received the computer from the school, the officer did a sensible thing: he investigated the teacher's expectation of privacy. He read the policies affecting it. Unfortunately, he thought that ownership of the laptop and data determined whether Cole enjoyed a reasonable expectation of privacy.
The court disagreed. Ownership doesn't determine expectations of privacy.
That makes sense. Your doctor owns your medical records, but their contents are private to you.
Although I think it was a close call, the court concluded that Mr Cole
enjoyed a reduced expectation of privacy, but one which s.8 still
The good sense of the investigating officer paid off. Because he
cared about Cole's expectations of privacy, and because he thought about
privacy rights in the laptop, the court found it could admit the
evidence in spite of the breach of s.8. The prosecution will be
able to tender all of the evidence against Mr Cole.
The take-home messages are
If you lawfully seize a cell phone or computer, you don't need a warrant to search it as an object. But you do need a warrant to search the information in it. "[S]earching for hidden compartments, testing that cell phone for fingerprints, or reading the identification number physically inscribed on the cell phone, do not interfere with the heightened expectation of privacy in the accessible information." Fearon, 2014 SCC 77
As part of an investigation into the murder of Mr Little's, 2009 CanLII 41212 (ON S.C.) wife, police obtained a search warrant for his house. As they were searching for other things, they noticed his cell phone, with a blood stain on it. They seized it too. Later, they searched it. Did they need a warrant? This judge said that the seizure was lawful as a "plain view" seizure, or a seizure under s.489(1) of the Criminal Code. But searching its contents required judicial authority.
When searching Ms Brown's
2014 BCSC 112 residence for marijuana, police found a camera. They
turned it on, and examined some of the photographs. The warrant
did not authorize the search of electronic devices. The court
found that the expectation of privacy in a digital camera fell somewhere
between a photo album and a computer. This warrant did not
authorize the search of electronic devices, and therefore this search
violated Ms Brown's expectation of privacy. They should have
obtained another warrant to perform this search.
Two of three judges of the Ontario Court of Appeal found that compelling a person to provide a name so that it can be checked against a police database is a significant interference with privacy. Harris 2007 ONCA 574. But the one said that there's little expectation of privacy in a name, and nobody can expect privacy in the information in a police database. I don't think this case will decide the point. We can expect these questions to persist.
Nobody can waive another person's privacy. If someone gives you an electronic device which contains someone else's private data, you aren't "seizing" the device, but you are "seizing" the private data it contains. Therefore, you should report all receipts of private data to a justice. R. v. Reeves, 2018 SCC 56
|Real world||Digital world|
|Identify the addresses of the places you want to search||Identify all the electronic devices you want to search. Some people recommend asking for authority to search your own exhibit locker as a "place". I recommend describing the devices as "receptacles" (see s.487)|
|Describe the things you want to search for - not just the drugs, but the score sheets and the documents of residency which identify the occupants of the place.||Identify all the data you want to search for: not just the child pornography but the innocent documents and log entries which were made close in time which tend to identify who used the computer.|
|Identify the people - including non-peace officers - who will assist in the search.||Identify the people - including non-peace officers - who will examine the data.|
|On the face of the warrant, specify when you will start the search. In the ITO explain why you need the time frame requested.||On the face of the warrant, specify when you will start the data examination. Avoid writing language which requires you to complete the search within any particular time.|
|If you intend to search in any unusual way, explain why in the ITO.||If you intend to get the data on-site, explain why in the ITO.|
|If you need an order compelling someone to assist in your search explain why in your ITO, and ask for an assistance order.||If you need an order compelling someone to assist in your search explain why in your ITO, and ask for an assistance order.|
|Searching for data on connected devices - s.487(2.1) - give yourself authorization on the face of the warrant, and explain why in the ITO.|
|Don't search for things not mentioned on the face of the warrant.||Don't search for data not mentioned on the face of the warrant.|
|If you encounter evidence of other offences, you may seize it. If you want to search for more, you must apply for another warrant.||If you encounter evidence of other offences, you may seize it. If you want to search for more, you must apply for another warrant.|
Before a justice can issue a warrant for child pornography or
obscenity, the justice must be satisfied that the place contains the
obscene or pornographic images. Must you send copies of the images
to the justice? No. But the ITO must sufficiently describe
the images so that the justice can decide for him- or her-self that they
are indeed contraband. R.
v. Harris, 1987 CanLII 181; R.
v. Smith, 2007 CanLII 32671 (ON S.C.).
The justice must be satisfied that the evidence will still be
there. When police applied to search Mr Morelli's,
2010 SCC 8 computer, they knew that the hard drive had recently
been reformatted. The court wasn't satisfied that the child
pornography would still be there.
Things or data?
Searching for and seizing a computer or cell phone differs from
searching the data inside it. If you want to do both, ask for
authority to do both. Search warrants in Form 5 allow you to
search for and seize things. Form 5 was drafted before the Charter
and before computers existed. It doesn't spell out the difference
between seizing a computer and analyzing the data inside it.
Current case law distinguishes between possessing a computer and
searching its contents. Your warrant must spell out what evidence
you seek. If your searching turns up evidence of a different
crime, you need a new warrant to search for more evidence of that
2011 ONCA 632.
In Marek, 2016 ABQB 18, the searcher delivered all the documents and data from a hard drive to the investigator instead of merely the documents and data of interest. The court found that breached the defendant's rights. This suggests that the technician needs a thorough briefing of the circumstances of the case, and the technician should report out only the relevant evidence. See also Dadmand, 2016 BCSC 878 - technicians must show the focus of the search responded to warrant granted.
Do you just want to search the computer for contraband? The trial
judge knew Mr McGarvie,
2014 ONCA 394 was the one using the family computer for viewing child
pornography in part because his browsing history showed a pattern of
viewing material related to his personal hobbies, interspersed with
searching for and viewing the porn. Consider searching the
computer for evidence of ownership and use, such as:
Don't copy that list into your ITO. You don't need to spell out
what kinds of computer files you want to examine. Instead,
describe the type of data you want to find. Jones,
2011 ONCA 632 at para 43.
If you spell out in your ITO that computers tend to record dates and
times on documents and data as they perform their operations, then the
justice may permit you to look at those documents to determine who was
responsible for the contraband you find. You could ask to search
for documents and data containing what you seek (eg child pornography),
and documents and data relating to them either in content - such as
emails referring to the images - or in time - such as documents and data
date-stamped within hours of the date-stamps on the child pornography.
After police caught Mr Dragos, 2009 CanLII 51517 (ON S.C.) in a hotel room having sex with a 13-year-old girl he had lured there, they got a warrants to search all the data on his computers. They found child porn. He complained that it should have been limited to emails and chat logs. Although his complaint did not succeed, it warns you to specify a wide variety of probative types of data for which to search.
How do you describe a computer and all the associated peripherals and storage devices? How do you describe the data on it? You could do worse than write:
In this information to obtain, I use the terms "computer system" and "data" to mean the same as those words are defined in s.342.1 of the Criminal Code.
Is this overbroad? Possibly. Language of this sort was accepted in Phillips 2011 ONSC 1881.
If you're searching for documents or photographs in a house, you need separate authority to search the computers you find in the house for that documentary information. In Vu 2013 SCC 60, police searched a grow up for evidence of who occupied the place. They found computers, which they examined in the residence. They found a computer using MSN Messenger and Facebook. Those programs showed information tending to identify the defendant. They searched the computer and found the defendant's resumé. Defence complained that computers contain so much information that police should obtain specific judicial authorization to search computers. The court agreed.
In that case, defence also argued that the police should seek specific judicial authorization for each search technique to be used on the computer. The court recognized that computer technologies prevent that from being practical. Defence argued the same idea in John, 2018 ONCA 702, and the court rejected it again.
2014 ONSC 4610, the court excluded evidence based upon the breadth of
the search of a computer. Based on information that that the
target purchased child pornography from AZOV Films, the investigators
obtained a warrant to search his computers for child pornography. The
trial judge understood that the officers examined all 40TB of the
target's computer storage. More probably, the officers scanned the
contents using search engines, looking for child pornography. They
found AZOV films material, and other child pornography. Because
the officers searched more broadly than they had reasonable grounds to
believe they would find, the judge found that they breached his s.8
rights. Try to document how much of the target's personal
information you actually see, so that you can respond to concerns about
In Hiscoe, 2011 NSPC 84, the judge didn't mind a quick scan of a cell phone, but objected to the police copying the whole of its memory and analyzing it. In Jones, 2011 ONCA 632, the court liked a search warrant which permitted searches only for evidence relevant to the offence.
In Mann, 2014 BCCA 231, the court agreed that downloading the entire contents of a cell phone was generally too broad a search. But the court did not distinguish between copying the contents of the phone and examining the copy. In my view, if you copy the contents of a phone in order to preserve the data, but examine none of them, the violation of the owner's privacy is minimal to non-existent. The violation starts when you begin to examine what the copy contains. You need to document precisely who accessed the copy, when, and what they looked at.
2016 ABQB 18, the court approved of forensic imaging of a computer's
hard drive before the data analysis started. Copying data without
looking at it preserved the original.
Is information a “thing” for the purposes of a search warrant? According to Mero 2003 BCSC 964, a regular search warrant to search for things and seize them (in that case under CDSA s.11) would be sufficient authority for examining a scene and taking pictures, and you don't need a General Warrant. If so, then the section must also authorize collecting data from a computer system at a place.
A production order requires a person in the jurisdiction to produce documents or data in his or her possession or control. But a justice may only make orders against a person within the jurisdiction. In BC v. Brecknell, 2018 BCCA 5, the court found that a production order can compel a local person to produce data from outside the jurisdiction, and that person can be "virtually" here rather than physically. This meant that a Canadian justice could order Craigslist, a Californian company that does business in BC virtually, to produce data. Other judges disagree.
Stored text messages may be produced by a single production order without triggering an “interception”. In R. v. Jones, 2017 SCC 60, the police obtained a single production order for stored text messages. The defence complained that this was also “interception”. Because it did not produce the content of a conversation in anything close to real time, it was not an interception.
It is permissible to obtain a warrant to search for evidence relating
to defences. CanOxy
Ltd v. Canada (A.G.)  1 SCR 743. (Chemical
spill. Investigators sought documents relating to due diligence –
which would be a defence to liability based upon negligence.)
Search warrants traditionally set a time frame during which police may
enter a residence to search, but do not specify how long
thereafter they may search. Searches of electronic devices
typically take a long time to work their way through the technician's
queue. Therefore, warrants should permit searches to start at a
specific time, but should avoid limiting the duration that the
technician can do the work.
Police obtained a search warrant for Mr Weir's
(2001 ABCA 81) (Alta CA) home because they believed his computer
contained images of child sexual abuse. They seized it at the house, did
not analyze it until later. Defence argued that s. 487 only permits
searching at the scene. Held: Later forensic analysis does not require
further authority. (This judgment also provides a good example of how
defence will attack an ITO.) See also Karim,
2012 ABQB 470 at paras 77-80; Ballendine,
2011 BCCA 221. Marek,
2016 ABQB 18;
Perhaps when drafting a warrant to search an electronic device already
in your possession, you should draft the order with language like this:
I order that the
may, between and be seized and submitted to technicians who may thereafter search it for <evidence sought>.
While executing a search warrant for evidence of a fraud, police found
child pornography in Mr Jones,
2011 ONCA 632 computer. Defence complained that the computer
analysis exceeded the time set out on the fact of the warrant to "enter"
his residence and "seize" the computer and data in it. The court
"Date parameters are not particularly pertinent to that inquiry and their absence does not allow the police authorities to stray beyond the legitimate targets of the search."
Police arrested an associate of Mr Giles 2007 BCSC 1147 for trafficking large quantities of cocaine. They found a Blackberry wireless device on his person, and submitted to technicians for a search because they had reason to believe it contained information relevant to the offence. Defence complained that the police needed a warrant to search the device because it had not been searched at the time of arrest, and the police needed a wiretap authority to read the emails because they were intercepting private communication. Defence complained that there is a high expectation of privacy in a Blackberry or other computer device. The judge rejected all of these arguments. A search of a computer incidental to arrest may take weeks or months, but it is still incidental to arrest if it done reasonably promptly, for the purpose of finding evidence related to the offence for which the suspect was arrested.
|In order to satisfy a judge that:
||you need an expert in
|Deleted data files can be undeleted
from a file system
||computer file systems
|People who download child
pornography tend to hoard it
|An email actually emanated from the
suspect, and was not forged
||computer networking and email
In your information to obtain, you must recite not only the expert's opinion, but also the expertise.
In Morelli, 2010 SCC 8, the ITO recited only the expert's general opinion, but not the expert's qualifications. For that, and other reasons, the court threw out the warrant.
Is an authorization for wiretap necessary to log an internet communications such as messenger, chat or email? If an undercover police officer engages in a chat with a person who believes that the undercover officer is a child that the person has never met, then the person has no reasonable expectation of privacy. Mills, 2019 SCC 22.
What about other scenarios?
In Caza 2012 BCSC 525, foreign police busted an American child pornographer, and got his username and password for a file-sharing site. A Canadian officer used those credentials (without warrant) to review his conversations with Mr Caza, a Canadian. Caza complained this violated the privacy of his computer. The court rejected this argument. The chats weren't stored on Caza's computer. Caza did not know the American child pornographer, except by his username, and could not know whether the American was a cop or a collector. He had no remaining expectation of privacy in those chats. see also S.W.F., 2008 ONCJ 740.
Therefore, the answer to the
question is: investigate expectations of privacy. Determine what
the common wisdom is. Investigate what people usually
do on this chat room. Ask questions. I found this
page indicative of some common wisdom on the net about
concealing identity. On the other hand, I found nothing at
www.yahoo.ca's introductory pages on chat which recommended protecting
Sometimes a suspect's Facebook messages look damning. Proving that the suspect wrote them requires substantial evidence. In Moazami, 2013 BCSC 2398, investigators linked cell phones in the accused's possession to the phone numbers that the accused used to obtain the Facebook accounts; and the found witnesses who could establish that he was the one who sent specific messages from those accounts. The court concluded on a balance of probabilities that he sent the messages in issue.
Yes. Promptly. see s.489.1
Telus stored text messages. In R v Telus Communications Company, 2013 SCC 16, the police obtained a general warrant which required Telus to gather the text messages received thereafter, and deliver them to police daily. The majority found this was effectively an interception of private communications - which could only be authorized by wiretap. Therefore this general warrant was invalid.
Early cell phones and pagers were not private because people listening with similar devices or scanners could pick up the messages. Some courts suggested that interception of such communications did not require wiretap authorizations. eg. Lubovac (1989) 52 C.C.C. (3d) 551 (Alta CA), Cheung (1995) 100 CCC (3d) 441 (BCSC).
However, later decisions concluded otherwise. Even if the prospect of partial interception of cell phone conversations removes them from the protection of s.183, intercepting them does violate the remaining expectation of privacy sufficient to engage s.8 of the Charter. A warrant (of some sort) is required to intercept these communications.. R. v. Solomon (1996) 110 CCC (3d) 354 (Que CA) aff’d 118 CCC (3d) 351 (SCC)
Therefore, the prospect that a
sysadmin might view email before delivery or sniff packets for the
proper maintenance of a computer system does not eliminate the “private”
aspect of the communication.
A general warrant authorizes any special investigative technique for which no other authority exists. If the technique permits the peace officer to "observe" any person engaged in an activity in which privacy is reasonably expected, then the general warrant must meet the standards of wiretap.
Analyzing a computer may not resemble a search through a residence, but a regular search warrant suffices. Villaroman, 2018 ABCA 220. Police do not require a s.487.01 general warrant to analyze a computer they have previously seized.
Section s.487.02 empowers the JP or judge who grants a warrant (or authorization) to order "any person" to provide assistance that is reasonably necessary for the search.
If you seize a computer or data storage device containing encrypted data, can such an order compel a person to decrypt the data?
If the person is not your suspect, absolutely. That's why the section exists. Canadian Imperial Bank of Commerce v. R. (1997 Ont S.C.J.)
What if the person is the offender? No case law addresses this question yet. I think the answer is yes, but most lawyers disagree with me. My reasoning is:
If you do obtain such an order, do not ask for an order that the suspect reveal the password. Instead, ask for an order that the suspect "open" or "decrypt" the data. The password itself may reveal personal information about the suspect. This will cause even greater difficulty at the trial.
If you click the link for Talbot, you won't find the reasons. That case is on appeal to the SCC. Stay tuned.
Because of its fragility, digital evidence must be seized and analyzed with unusual care. This requires different procedures than seizing ordinary objects. The American Department of Justice created some guides which make sensible suggestions:
In Beauchamp, 2008 CanLII 27481 (ON S.C.) the court considered whether the Crown is obliged to disclose encrypted data to defence if the Crown can't decrypt it. Police seized data pursuant to a search warrant. Some was encrypted, but their software broke the code. Some was encrypted too well to decrypt. Defence demanded copies of the encrypted data, but wouldn't say what it was, nor what the password was. The Crown refused. The judge agreed with Crown's decision. The Crown didn't fully "possess" the data because they didn't know what it was; not knowing what it was, the Crown couldn't limit disclosure to prevent misuse of the data; and not all the defendants would know the password, so some could have an unfair advantage over others. Canadian courts take their first tentative steps into the difficult world of data encryption.
Even without these sections, courts will admit "business records" as original evidence. Even if the business outsources record-keeping to a third party, the common law may admit the records under the principled hearsay rules. R. v. LeMay 2004 BCCA 604. Even the absence of a record in a database may be admissible. R. v. Jiao 2005 BCPC 12.
How does one prove that a printout accurately displays the data that was stored in a computer? S.31.1 - 31.8 Canada Evidence Act provides for means to prove the authenticity of electronic information. However, even "authentic" digital information must be admissible. Suppose Mrs Jones types into her blog that she saw her neighbor, Mr Smith, murder his wife. The Crown could prove, using s.31.1-31.8 that the documents stored on the server accurately recorded what Mrs Jones typed. But the court wouldn't accept the blog entry as evidence of who killed Mrs Smith. It's hearsay. To prove Mr Smith murdered his wife, the prosecutor would need Mrs Jones to testify. In Mondor, 2014 ONCJ 135, the prosecution attempted to prove that the accused purchased and possessed child pornography by going through the computer records of the business that sold porn to him. Without testimony from the people that ran the business, all the records were hearsay. The Crown's case failed.
Meta-tags in an HTML document are admissible and probative evidence. Mr Smith (2005 Ont C.A.) hosted a website containing images that the Crown said were obscene because they coupled explicit sex and degrading violence. Mr Smith conceded the violence of the images, (naked and apparently dead women depicted with arrows and bullets piercing them) but suggested that the images weren't sexual. However, the meta-tags which advertised his content on search engines destroyed his position: snuff films, naked women, nude women, mature women, slut wives, bikini babes, porn, adult models, sexy, tits, big tits, fetish, fantasy, gunshot wounds, belly fetish, shooting fetish, role playing, horror films, dead women, necro fantasy, necro fetish, and bullets and babes." Therefore he argued that the keywords weren't admissible because they weren't visible on his site. The court disagreed, comparing them to the reviews one finds on the dustcovers of books.
Users of Facebook make an assumption about messages they see from "friends". If the computer says that the message comes from "BillyG", then the person whose tag is "BillyG" wrote the message. But courts move more carefully. How do we know that someone else didn't type the message? There are ways:
Nde Soh, 2014 NBQB 20 The complainant of a sexual assault wrote to her abuser on Facebook, and he wrote incriminatory responses. When police investigated, she logged onto her Facebook account, and showed the conversation to an officer, who photographed the computer screen as it displayed the conversation, and used the computer to capture screenshots. Defence opposed admission of the evidence: Electronic evidence can be altered and faked, who can trust that this conversation occurred at all? Was the person using his account actually him?
When collecting Facebook conversation evidence, therefore, try to
collect evidence of past conversations between the parties - to show the
identity of the person who uses the account.
Among other things, this Act creates Federal recognition for digital