Gerald Chan and Stephen Aylward are lawyers at Stockwoods LLP in Toronto.
Apple Inc. CEO Tim Cook has recently grabbed headlines for his company's strong stance on digital privacy. The U.S. Federal Bureau of Investigation obtained a court order requiring Apple to bypass the security lock features on an iPhone belonging to one of the shooters in the San Bernardino terrorist attack, and Apple is appealing the order.
Canadian iPhone users following this legal skirmish may not be aware that the same issue has already arisen on this side of the border. The scope of our privacy protections, however, remains uncertain even as police become increasingly reliant on technology companies for assistance. Canada needs clearer and stronger limits on when law enforcement can compel private companies to undermine the digital security of their users.
After rumours surfaced in 2013 of a video showing former mayor Rob Ford smoking crack cocaine, Toronto police began investigating Mr. Ford and his driver, Alexander Lisi. Police obtained a search warrant for Mr. Lisi's iPhone, which they believed would contain evidence linking Mr. Ford or Mr. Lisi to criminal activity.
When they discovered that it was locked with a passcode, they returned to court for an "assistance order" requiring Apple to provide "reasonable technical assistance" to bypass the code. An Ontario judge granted the order. Because Apple did not contest the order, however, the judge gave no reasons explaining his decision.
Apple has now begun to push back against similar orders in the United States. The Lisi order is virtually identical to an order that Apple successfully opposed in a New York court case decided last month. The San Bernardino order is also similar, although it goes one step further – it requires Apple to create new software to bypass the passcode lock because the iPhone model has more advanced security features.
Until recently, "assistance orders" such as the one in the Lisi case have played a minor supporting role in criminal investigations. They have been used to allow police access to a building or to make copies of documents. In a case involving Telus last year, however, assistance orders were given more muscle.
Telus challenged an assistance order requiring it to disclose customer name and address information to police as being overly intrusive. In a setback for technology companies, an Ontario court ruled that assistance orders can go further than connecting wires and flipping switches. They can require a company to do what is necessary to help a warrant "succeed at its intended objective."
Police may also resort to the "production order" power in the Criminal Code, which allows them to require a company to produce data within its control. This, however, may be a more challenging route. It is arguable that the data in the iPhone is not within Apple's "control" if it has to create new software in order to access it. Even if it is, a company can resist a production order on the basis that it would be "unreasonable in the circumstances" (i.e., too onerous).
Canadian companies have had some success challenging production orders. Earlier this year, Rogers and Telus successfully challenged a set of "tower dump" production orders that would have required them to produce call records of more than 40,000 customers (capturing anyone who happened to be near specified cellular towers). The court found that the requested orders went too far because they were not "minimally intrusive" of customer privacy.
Finally, if neither the "assistance order" nor the "production order" power suffices, police may try to obtain a "general warrant." This is the residual, catch-all power in the Criminal Code that allows police to "use any device or investigative technique or procedure or do any thing described in the warrant" that is not authorized elsewhere in the code.
Most notably, general warrants have been used to authorize police to do "sneak and peek" searches (covert entries into homes and other properties) in drug cases. Whether the "general warrant" can go so far as to require a company like Apple to create software to bypass its own security features remains to be seen.
In the digital age, the keys to our privacy are held by companies like Telus, Rogers and Apple. We rely on these companies to protect our data, defend our privacy and guard against hackers. But until the law catches up with technology, Canadians cannot be sure how their personal information will be protected when law enforcement comes knocking. This situation does not serve either the privacy or the security of Canadians.