Distinguishing between Forensic Copying and Snooping

In Hiscoe, 2011 NSPC 84, the judge didn't mind a quick scan of a cell phone, but objected to the police copying the whole of its memory and analyzing it.  In Jones, 2011 ONCA 632, the court liked a search warrant which permitted searches only for evidence relevant to the offence.

In Mann, 2014 BCCA 231, the court agreed that downloading the entire contents of a cell phone was generally too broad a search.  But the court did not distinguish between copying the contents of the phone and examining the copy. In my view, if you copy the contents of a phone in order to preserve the data, but examine none of them, the violation of the owner's privacy is minimal to non-existent.  The violation starts when you begin to examine what the copy contains. You need to document precisely who accessed the copy, when, and what they looked at.

In Marek, 2016 ABQB 18, the court approved of forensic imaging of a computer's hard drive before the data analysis started.  Copying data without looking at it preserved the original.

Seizing Information - Search Warrant or General Warrant?

Is information a “thing” for the purposes of a search warrant?  According to Mero 2003 BCSC 964, a regular search warrant to search for things and seize them (in that case under CDSA s.11) would be sufficient authority for examining a scene and taking pictures, and you don't need a General Warrant.  If so, then the section must also authorize collecting data from a computer system at a place.

Production Order

A production order requires a person in the jurisdiction to produce documents or data in his or her possession or control. But a justice may only make orders against a person within the jurisdiction. In BC v. Brecknell, 2018 BCCA 5, the court found that a production order can compel a local person to produce data from outside the jurisdiction, and that person can be "virtually" here rather than physically. This meant that a Canadian justice could order Craigslist, a Californian company that does business in BC virtually, to produce data. Other judges disagree.

Stored text messages may be produced by a single production order without triggering an “interception”. In R. v. Jones, 2017 SCC 60, the police obtained a single production order for stored text messages. The defence complained that this was also “interception”. Because it did not produce the content of a conversation in anything close to real time, it was not an interception.

A judge in Newfoundland disagreed: In the Matter of an application to obtain a Production Order pursuant to section 487.014 of the Criminal Code of Canada, 2018, 2018 CanLII 2369 (NL PC)

Warrant for evidence of a defence

It is permissible to obtain a warrant to search for evidence relating to defences.  CanOxy Chemicals Ltd v. Canada (A.G.) [1999] 1 SCR 743.  (Chemical spill.  Investigators sought documents relating to due diligence – which would be a defence to liability based upon negligence.)

When and Where to Analyze

Search warrants traditionally set a time frame during which police may enter a residence to search, but do not specify how long thereafter they may search.  Searches of electronic devices typically take a long time to work their way through the technician's queue.  Therefore, warrants should permit searches to start at a specific time, but should avoid limiting the duration that the technician can do the work.

Police obtained a search warrant for Mr Weir's (2001 ABCA 81) (Alta CA) home because they believed his computer contained images of child sexual abuse. They seized it at the house, did not analyze it until later. Defence argued that s. 487 only permits searching at the scene. Held: Later forensic analysis does not require further authority. (This judgment also provides a good example of how defence will attack an ITO.)  See also Karim, 2012 ABQB 470 at paras 77-80; Ballendine, 2011 BCCA 221. Marek, 2016 ABQB 18;

Perhaps when drafting a warrant to search an electronic device already in your possession, you should draft the order with language like this:

I order that the may, between and be seized and submitted to technicians who may thereafter search it for <evidence sought>.

While executing a search warrant for evidence of a fraud, police found child pornography in Mr Jones, 2011 ONCA 632 computer.  Defence complained that the computer analysis exceeded the time set out on the fact of the warrant to "enter" his residence and "seize" the computer and data in it.  The court held:

"Date parameters are not particularly pertinent to that inquiry and their absence does not allow the police authorities to stray beyond the legitimate targets of the search."

Reading emails - interception?

Police arrested an associate of Mr Giles 2007 BCSC 1147 for trafficking large quantities of cocaine.  They found a Blackberry wireless device on his person, and submitted to technicians for a search because they had reason to believe it contained information relevant to the offence.  Defence complained that the police needed a warrant to search the device because it had not been searched at the time of arrest, and the police needed a wiretap authority to read the emails because they were intercepting private communication.  Defence complained that there is a high expectation of privacy in a Blackberry or other computer device.  The judge rejected all of these arguments.  A search of a computer incidental to arrest may take weeks or months, but it is still incidental to arrest if it done reasonably promptly, for the purpose of finding evidence related to the offence for which the suspect was arrested.

Expert Opinions

In order to satisfy a judge that:
you need an expert in
Deleted data files can be undeleted from a file system
computer file systems
People who download child pornography tend to hoard it
behavioural psychology
An email actually emanated from the suspect, and was not forged
computer networking and email systems

In your information to obtain, you must recite not only the expert's opinion, but also the expertise.

In Morelli, 2010 SCC 8, the ITO recited only the expert's general opinion, but not the expert's qualifications.  For that, and other reasons, the court threw out the warrant.

Internet Chat

Is an authorization for wiretap necessary to log an internet chat session?  An unpublished 2008 provincial court decision from Ontario called Kwok says yes, but other courts have viewed his logic with some suspicion.  S.W.F., 2008 ONCJ 740.  Caza 2012 BCSC 525

The Newfoundland Court of Appeal said “no”, but didn’t mention any of the cases on point. R. v Mills, 2017 NLCA 12

I think the answer to this question turns on the facts.  What do typical chat programs do by way of storing chat during the chat and after?  Expectations of privacy may differ between chat rooms.   But most of all, is the habit of anonymity.  On this chat room, do most people choose screen names which conceal their true identity?  If they choose anonymity, surely it is because they do not want their communications linked to themselves.  It demonstrates an assertion of privacy because of the public nature of the forum.  Therefore, they have no expectation of privacy in the words they type, but a large expectation of privacy in their identities.  Therefore, in these cases, no authorization should be required to log the chat, but warrants and production orders should be obtained for the IP addresses and account information.

In Caza 2012 BCSC 525, foreign police busted an American child pornographer, and got his username and password for a file-sharing site.  A Canadian officer used those credentials (without warrant) to review his conversations with Mr Caza, a Canadian.  Caza complained this violated the privacy of his computer.  The court rejected this argument.  The chats weren't stored on Caza's computer.  Caza did not know the American child pornographer, except by his username, and could not know whether the American was a cop or a collector.  He had no remaining expectation of privacy in those chats.

Therefore, the answer to the question is: investigate expectations of privacy.  Determine what the common wisdom is.  Investigate what people usually do on this chat room.  Ask questions.  I found this page indicative of some common wisdom on the net about concealing identity.  On the other hand, I found nothing at www.yahoo.ca's introductory pages on chat which recommended protecting anonymity.

Email me if you want a copy of the unpublished decisions.

Facebook Communications

Sometimes a suspect's Facebook messages look damning.  Proving that the suspect wrote them requires substantial evidence.  In Moazami, 2013 BCSC 2398, investigators linked cell phones in the accused's possession to the phone numbers that the accused used to obtain the Facebook accounts; and the found witnesses who could establish that he was the one who sent specific messages from those accounts.  The court concluded on a balance of probabilities that he sent the messages in issue.

Report to a Justice?

Yes. Promptly. see s.489.1

What Kind of Warrant?


Telus stored text messages.  In R v Telus Communications Company, 2013 SCC 16, the police obtained a general warrant which required Telus to gather the text messages received thereafter, and deliver them to police daily.  The majority found this was effectively an interception of private communications - which could only be authorized by wiretap.  Therefore this general warrant was invalid.

Early cell phones and pagers were not private because people listening with similar devices or scanners could pick up the messages. Some courts suggested that interception of such communications did not require wiretap authorizations.  eg. Lubovac (1989) 52 C.C.C. (3d) 551 (Alta CA), Cheung (1995) 100 CCC (3d) 441 (BCSC).

However, later decisions concluded otherwise.  Even if the prospect of partial interception of cell phone conversations removes them from the protection of s.183, intercepting them does violate the remaining expectation of privacy sufficient to engage s.8 of the Charter. A warrant (of some sort) is required to intercept these communications.. R. v. Solomon (1996) 110 CCC (3d) 354 (Que CA) aff’d 118 CCC (3d) 351 (SCC)

Therefore, the prospect that a sysadmin might view email before delivery or sniff packets for the proper maintenance of a computer system does not eliminate the “private” aspect of the communication.

General Warrant

A general warrant authorizes any special investigative technique for which no other authority exists.  If the technique permits the peace officer to "observe" any person engaged in an activity in which privacy is reasonably expected, then the general warrant must meet the standards of wiretap.

Analyzing a computer may not resemble a search through a residence, but in R v KZ, 2014 ABQB 235, the court found that an ordinary search warrant under s.487 sufficed.  Police do not require a s.487.01 general warrant to analyze a computer they have previously seized.

Assistance Order

Section s.487.02 empowers the JP or judge who grants a warrant (or authorization) to order "any person" to provide assistance that is reasonably necessary for the search.

If you seize a computer or data storage device containing encrypted data, can such an order compel a person to decrypt the data?

If the person is not your suspect, absolutely.  That's why the section exists.  Canadian Imperial Bank of Commerce v. R. (1997 Ont S.C.J.)

What if the person is the offender?  No case law addresses this question yet.  I think the answer is yes, but most lawyers disagree with me.  My reasoning is:

  1. The right not to incriminate oneself is not absolute.  For example, Canadian drunk drivers are compelled to blow into breath testing machines every day.
  2. The order compelling the suspect to assist would be made only when an independent decision-maker is satisfied on reasonable and probable grounds that the evidence is there.  This provides much greater protection from abuse than s.254 of the Criminal Code.
  3. The information sought pre-exists the order.  The suspect is not compelled to create evidence, only to reveal it.
  4. No place should be completely free from warranted and justified scrutiny of the state.  Current methods of encryption create such places; judicial orders are required to break down the door.

If you do obtain such an order, do not ask for an order that the suspect reveal the password.  Instead, ask for an order that the suspect "open" or "decrypt" the data.  The password itself may reveal personal information about the suspect.  This will cause even greater difficulty at the trial.

My opinion is not shared by judges who have written opinions about it: Boudreau-Fontaine, 2010 QCCA 1108; Talbot, 2017 ONCJ 814.

If you click the link for Talbot, you won't find the reasons. That case is on appeal to the SCC. Stay tuned.

Seizing and Analyzing Evidence

Because of its fragility, digital evidence must be seized and analyzed with unusual care. This requires different procedures than seizing ordinary objects. The American Department of Justice created some guides which make sensible suggestions:

Disclosure & Encryption

In Beauchamp, 2008 CanLII 27481 (ON S.C.) the court considered whether the Crown is obliged to disclose encrypted data to defence if the Crown can't decrypt it.  Police seized data pursuant to a search warrant.  Some was encrypted, but their software broke the code.  Some was encrypted too well to decrypt.  Defence demanded copies of the encrypted data, but wouldn't say what it was, nor what the password was.  The Crown refused.  The judge agreed with Crown's decision.  The Crown didn't fully "possess" the data because they didn't know what it was; not knowing what it was, the Crown couldn't limit disclosure to prevent misuse of the data; and not all the defendants would know the password, so some could have an unfair advantage over others.  Canadian courts take their first tentative steps into the difficult world of data encryption.


Printouts from bank computers (s.29 Canada Evidence Act) and business computers (s.30 Canada Evidence Act) may be admitted in evidence so long as:

Even without these sections, courts will admit "business records" as original evidence.  Even if the business outsources record-keeping to a third party, the common law may admit the records under the principled hearsay rules.  R. v. LeMay 2004 BCCA 604.  Even the absence of a record in a database may be admissible.  R. v. Jiao 2005 BCPC 12. 

How does one prove that a printout accurately displays the data that was stored in a computer?  S.31.1 - 31.8 Canada Evidence Act provides for means to prove the authenticity of electronic information.    However, even "authentic" digital information must be admissible.  Suppose Mrs Jones types into her blog that she saw her neighbor, Mr Smith, murder his wife.  The Crown could prove, using s.31.1-31.8 that the documents stored on the server accurately recorded what Mrs Jones typed.  But the court wouldn't accept the blog entry as evidence of who killed Mrs Smith.  It's hearsay.  To prove Mr Smith murdered his wife, the prosecutor would need Mrs Jones to testify.  In Mondor, 2014 ONCJ 135, the prosecution attempted to prove that the accused purchased and possessed child pornography by going through the computer records of the business that sold porn to him.  Without testimony from the people that ran the business, all the records were hearsay.  The Crown's case failed.

Meta-tags in an HTML document are admissible and probative evidence. Mr Smith (2005 Ont C.A.) hosted a website containing images that the Crown said were obscene because they coupled explicit sex and degrading violence. Mr Smith conceded the violence of the images, (naked and apparently dead women depicted with arrows and bullets piercing them) but suggested that the images weren't sexual. However, the meta-tags which advertised his content on search engines destroyed his position: snuff films, naked women, nude women, mature women, slut wives, bikini babes, porn, adult models, sexy, tits, big tits, fetish, fantasy, gunshot wounds, belly fetish, shooting fetish, role playing, horror films, dead women, necro fantasy, necro fetish, and bullets and babes." Therefore he argued that the keywords weren't admissible because they weren't visible on his site. The court disagreed, comparing them to the reviews one finds on the dustcovers of books.


Users of Facebook make an assumption about messages they see from "friends".  If the computer says that the message comes from "BillyG", then the person whose tag is "BillyG" wrote the message.  But courts move more carefully.  How do we know that someone else didn't type the message?  There are ways:

In Christhurajah, 2017 BCSC 1355, police believed that the defendant created a Facebook account using his real family name, and an alias that the offender sometimes used. The court would not admit the Facebook evidence in proof of those assertions. The fact that the accused looked like the pictures on that account helped somewhat, but the judge pointed out that the similarity of family names could account for the similarity of the accused to the pictures posted there. He might be related to the account holder. To prove it was his account, better evidence would include:

Nde Soh, 2014 NBQB 20 The complainant of a sexual assault wrote to her abuser on Facebook, and he wrote incriminatory responses.  When police investigated, she logged onto her Facebook account, and showed the conversation to an officer, who photographed the computer screen as it displayed the conversation, and used the computer to capture screenshots.  Defence opposed admission of the evidence: Electronic evidence can be altered and faked, who can trust that this conversation occurred at all?  Was the person using his account actually him?

When collecting Facebook conversation evidence, therefore, try to collect evidence of past conversations between the parties - to show the identity of the person who uses the account.

Electronic Documents

Personal Information Privacy and Electronic Documents Act (PIPEDA) - Part 2

Among other things, this Act creates Federal recognition for digital signatures.