Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Passwords, please!
SECURITY SHELF

Passwords, please! 

CBSA officers have a tough job. They are required to determine the admissibility of goods and persons to Canada and enforce an ever-growing number of laws. In support of this mandate, the Customs Act gives officers broad powers to examine goods entering Canada. The definition of “goods”under the Act specifically includes “any document in any form.”

Overall, this makes sense. Canadians want border agents to stop illegal goods and dangerous people from entering Canada. But should CBSA officers have the right to rifle through email, calendars, notes, contacts, and other data stored on smartphones without at least having reasonable grounds to believe they contain evidence of an offence?

According to documents obtained in 2010 by the BC Civil Liberties Association (BCCLA) under Access to Information, CBSA treats electronic information in the same manner as paper:

“The difference between a paper document and information stored electronically is only the medium that the information is stored on. The principles governing the examination of such information are the same.”

As such, CBSA relies upon section 99 of the Customs Act to search the contents of electronic devices:

“A laptop can be examined for contraband the same as any other goods. This would include opening the laptop, turning it on and perhaps calling up a few files (this is like opening a briefcase and flipping through files).”

While CBSA policy places some limits on reading information, it also makes it clear that officers are authorized to rifle through electronic information even when there is no reason to suspect wrongdoing:

“If you do not have a confirmed offence you may simply peruse a document to identify if there are any indicators indicating a problem with admissibility, legal violation, or intelligence consistent with the CBSA mandate —you are not reading in detail —you are simply scanning the document.”

Unfortunately, the Customs Act was written before smartphones and many other electronic devices existed, let alone were carried by millions of Canadians.

“Smartphones and electronic devices are portals to virtually limitless amounts of personal information,”explained Josh Paterson, Executive Director of the BCCLA. “There is a high expectation of privacy in these devices. They are not like other ‘goods’ that are routinely searched in customs checks at the border. Even though there is a lower expectation of privacy when crossing the border than in other situations, more rigorous standards are required to govern when border officers can search personal electronic devices. The law on border searches hasn’t kept up with the law in terms of police searches, which recognizes the special nature of personal electronic devices when it comes to privacy.”

In addition to copious amounts of sensitive business and personal information, electronic devices may contain remnants of deleted files, web browser artefacts, and even data created by family members who have used it in the past. These devices often contain data that the owner is not aware of, did not intend to create, had no intent to retain, and certainly never intended to transport across an international border.

While one can easily clean out a briefcase prior to travel, most people do not have the ability to clean out their computer, mobile phone, and other electronic devices. Deleting files leaves data on the hard drive; forensic technicians have leveraged this fact to conduct examinations in support of criminal, civil, and administrative investigations.

In some respects, smartphones are even more problematic than laptops. In addition to the data carried on the device, smartphones provide a portal to data stored in the cloud. This information is often accessed by merely selecting an application. Smartphone users are advised to password-protect their device. Major manufactures also incorporate cryptographic protection of data stored on the device. But passwords don’t protect privacy if the owner is required to hand them over just because a government official asks.

All the facts surrounding this recent charges will not be known until the case goes to trial. According to CBC reporter Jack Julian, the man “refused to divulge his cellphone password to Canada Border Services Agency during a customs search”and has “been charged under section 153.1(b) of the Customs Act for hindering or preventing border officers from performing their role under the act.”

The obvious question is whether border officials have the authority to demand a password and whether the act of refusing to provide it constitutes a hindrance or obstruction.

“What this case is about is whether he hindered officers in the performance of their duties. He only hindered them if they were allowed to demand the password. That issue has not been resolved in our courts.”said Rob Currie, Director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University.

Currie questioned what the limits will be. Are individuals obligated to hand over application passwords as well? Are officers entitled to open applications on a smartphone, even if it results in new data being downloaded to the device from cloud? He also pointed out that over the last few years, “the Supreme Court of Canada has been re-shaping the idea of privacy under section 8 of the Charter. They have addressed search warrants and search subsequent to arrest. Border searches are the next frontier.”

“The issue of border searches has been the subject of a longstanding debate,”wrote Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa. “Courts have ruled that the expectation of privacy is lower at a border crossing, which may lead to searches that would not be lawful in other contexts. Similarly, courts have ruled that searching electronic devices is permitted. Requiring a password unlock is another step beyond a mere search, but does reflect the approach that has been emerging within the law.”

Individuals entering Canada with electronic devices won’t know if they are actually required to divulge their passwords until courts rule on the issue or new legislation is passed. In the meantime, CBSA may continue demanding passwords and laying charges against those who refuse to provide them.

New legislation is highly unlikely before the upcoming federal election. However, given the Harper government’s recent efforts to expand law enforcement powers and erode privacy rights, it is unlikely that the Conservatives will act to protect Canadians from unreasonable intrusive searches.

For the foreseeable future your next stop at the Canadian border may include a demand for “passwords, please”as well as your papers.

In a future column, Eric will discuss technical options to protect sensitive data and safeguard privacy at the border. Please email questions to eric.jacksch@iticonline.ca.

Related posts