Computer Privacy and Security: Lawful and Unlawful Access

Canadians increasingly store or access personal information on their computers and mobile devices, much of which can be accessed by others, whether lawfully or not. Cybercrime, or computer crime, is also increasing. As technology advances, cybercriminals are using more sophisticated methods that make it easier for them to avoid detection.

The challenge for lawmakers has been to advance public safety goals and protect Canadians from cybercrime, while ensuring that private information is protected from inappropriate, unwanted or unconstitutional access. These are complex challenges that engage a wide range of laws and responsibilities.

The Criminal Code covers many cybercrimes

The Criminal Code sets out many offences that may cover cybercrime including several prohibiting others from breaching a person’s privacy and accessing their information.

For instance, section 342.1(1) forbids unauthorized uses of a computer and makes hacking illegal. Section 430(1.1), the “mischief to data” section, covers situations in which someone damages or destroys data without prior authorization, such as transmitting computer viruses.

In 2014, the anti-cyberbullying legislation, Bill C-13 (Protecting Canadians from Online Crime Act) criminalized the distribution of intimate images, such as nude photos, without a person’s consent.

Privacy laws set out some rules for protection

Canada’s privacy laws also set out rules protecting private information and preventing its misuse. A breach of the federal Privacy Act or Personal Information Protection and Electronic Documents Act (PIPEDA) may result in an investigation and recommendations from the Privacy Commissioner of Canada. The Commissioner does not however have order-making powers.

In 2015, Bill S-4, which amended PIPEDA, requires companies to notify certain individuals and organizations of any data breaches of personal information under a company’s control that create “a real risk of significant harm”, and to report them to the Privacy Commissioner. They are also required to keep records of such breaches.

PIPEDA also regulates how private companies use the information they gain about users’ online activities.

Magnifying glass showcasing computer, with law enforcement symbol and burglar imagery in background. Visual created by Library of Parliament.

© Library of Parliament

Challenges for law enforcement

Apprehending computer crime suspects can be a challenge for law enforcement. For one, software developers are creating better encryption technology and more secure ways of storing data.

While many users welcome the prospect of being able to fully secure their computer data through such advances as quantum computing, these also make it easier for criminals to keep evidence hidden from police.

In a debate at the international level, law enforcement agencies have requested technology manufacturers to develop ways for police to get around encryption. Some companies are responding that such assistance is either not possible due to the nature of the technology, or not in the public interest.

Another persistent challenge for law enforcement is that perpetrators of a computer crime may operate outside Canada’s criminal law jurisdiction. Canada is a party to bilateral and multinational treaties that aim to facilitate mutual legal assistance with foreign police agencies, including the recently ratified Council of Europe’s Convention on Cybercrime.

Clarity sought on lawful access

In recent years, a number of bills and judicial decisions have sought to clarify rules governing police access to private computer information. This includes identifying information and the metadata and transmission data that are connected to electronic communications.

The Supreme Court of Canada has consistently treated such personal information as engaging significant privacy interests and deserving of Charter protection.

Section 8 of the Canadian Charter of Rights and Freedoms protects Canadians against unreasonable search and seizure. The Supreme Court has confirmed that a specific warrant is generally required for law enforcement agencies to search a person’s computer or similar portable device (R. v. Vu).

A warrantless search of a computer will only be in compliance with section 8 if it is:

  • further to a lawful arrest;
  • incidental to the arrest rather than the reason for it;
  • limited to those areas of the computer where the evidence is likely to be found; and
  • recorded in detailed notes by the officer performing it (R. v. Fearon).

In some cases, police may require information pertaining to a particular user to link them to online activity or other evidence of a computer crime. Debate arose during the 41st Parliament on whether a warrant is required before Internet Service Providers (ISPs) may provide police with subscriber information.

Bill C-30 would have required telecommunications and ISPs to disclose subscriber information to police without court oversight and to have the capacity to intercept transmissions of users’ data.

After Bill C-30 died on the Order Paper, Bill C-13 reintroduced some of the less controversial provisions, including Criminal Code section 487.0195. It provides that so long as no other law prohibits the disclosure of data, an ISP can voluntarily provide data to police without requiring a preservation or production order and without facing any criminal or civil liability for doing so.

The Supreme Court’s Spencer decision

Some commentators have argued that this new provision creates confusion in light of the Supreme Court’s 2014 decision in R v. Spencer. This ruling held that a law enforcement request to an ISP for subscriber information constitutes a search and requires a warrant.

The Supreme Court underscored that individuals have a reasonable expectation of privacy and anonymity in their online activities. The protections of the Charter apply to information which tends to reveal intimate details of the lifestyle and personal choices of an individual.

The Court did allow that in “exigent circumstances”, such as life-threatening situations, a warrant or production order would not be required. This fact was noted by former Minister of Justice Peter MacKay when he testified before a Senate Committee that section 487.0195 was not incompatible with the Spencer decision.

Police agency requests for subscriber information have been significantly affected by the Spencer decision. A 2014 internal RCMP memo noted that ISPs are now requiring judicial authorization before providing subscriber information, and this is having an impact on the agency’s ability to efficiently investigate computer crimes.

Some commentators, including the Privacy Commissioner of Canada, have expressed concern that there is insufficient consensus on the state of lawful access in Canada, including how to interpret the Spencer decision and which police requests for user information require a warrant. RCMP Commissioner Rob Paulson has called for the creation of a “sensible framework” that balances respecting Charter rights with granting the police easier access to subscriber information.

Related resources

Dara Lithwick and Dominique Valiquet, Lawful Access and Privacy: The Legislative Framework, HillNote, Parliamentary Information and Research Service, , Library of Parliament, 21 October 2014.

Christine Morris and Tanya Dupuis, Big Data and the Big Picture in Criminal Investigations, HillNote, Parliamentary Information and Research Service, Library of Parliament, 4 November 2014.

Holly Porteous, Metadata, National Security and Law Enforcement Agencies, HillNote, Parliamentary Information and Research Service, Library of Parliament, 21 November 2014.

Dara Lithwick, R. v. Spencer, Internet Privacy and Parliament, HillNote, Parliamentary Information and Research Service, Library of Parliament, 25 November 2014. 

Nicol, Julian and Dominique Valiquet, Legislative Summary of Bill C-13: An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act. Publication no. 41-2-13-E, Parliamentary Information and Research Service, Library of Parliament, Ottawa, 2014.

Bernal-Castillero, Miguel, Canada’s Federal Privacy Laws. Publication no. 2007-44-E. Parliamentary Information and Research Service, Library of Parliament, Ottawa, 2013.

Valiquet, Dominique. Cybercrime: Issues. Publication no. 2011-36-E. Parliamentary Information and Research Service, Library of Parliament, Ottawa, 2011.

Foreign Affairs, Trade and Development Canada. Cybercrime. Ottawa. Retrieved from Foreign Affairs, Trade and Development Canada on March 10, 2016.

Public Safety Canada. Canada’s Cyber Security Strategy. Ottawa. Retrieved from Public Safety Canada on March 10, 2016.

The Privacy Commissioner of Canada, Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities. Ottawa, 2014.

Author: Julian Walker, Library of Parliament