R v Fearon (privacy in mobile devices)

The Supreme Court of Canada issued heard R. v. Fearon, S.C.C. File No. 35298, 2014 SCC 77, an appeal from the Ontario Court of Appeal that addressed whether it is constitutionally permissible for law enforcement to indiscriminately search mobile devices of individuals upon arrest. Whereas the Charter requires prior judicial authorization based on reasonable grounds in most instances, law enforcement are granted more latitude when searching individuals under arrest. The question in Fearon (and in a similar appeal heard by the United States Supreme Court around the same time - Riley v. California, 134 St.Ct. 2473 (2014)), was whether this broad rule should be applied to mobile devices given the rich amounts of information contained on these devices. In its intervention, CIPPIC argued that the breadth of the power to search on arrest combined with the ubiquitous use and far-ranging data contained on mobile devices will leave few instances where law enforcement cannot rummage through cell phones.

While acknowledging the high privacy interest in mobile devices requires limiting access on arrest to situations where an immediate investigative purpose exists, a split decision of the court provided wide latitude for law enforcement to scour mobile data receptacles on arrest in many if not most instances. This is because, as noted by the dissent, mobile devices are implicated in most of our activities, so law enforcement will almost always be able to advance a general prospect that such a device might yield evidence of a witness, co-conspirator, or object of crime. Similarly, as noted by the dissent, while each and every search of a mobile device will not reveal sensitive information, the knowledge of an impending search is likely to have a chilling effect on the use of such devices and, in those instances where an invasion occurs, there will not be an opportunity to remedy the issue ex post. Indeed, as the Supreme Court held in Morelli​, "[i]t is difficult to imagine a search more intrusive, extensive, or invasive of one’s privacy than the search and seizure of a personal computer." In spite of all this, the majority found that law enforcement interests should prevail. The decision appears at odds with a string of supreme court decisions recognizing the need for strict privacy protections for data receptacles, as well as with United States jurisprudence.

Under the US search on arrest rule (from which the Canadian rule was derived in Cloutier and Caslake), a concern for officer safety and the need to prevent destruction of evidence has, historically, motivated a search on arrest rule as broad as Canada's. But as the Supreme Court of the United States recently found in Riley/Wurie​, this rule simply does not extend to digital data held on mobile devices as there is little or no risk that could justify warrantless access:

Robinson concluded that the two risks identified in Chimel—harm to officers and destruction of evidence—are present in all custodial arrests. There are no comparable risks when the search is of digital data. In addition...any privacy interests retained by an individual after arrest as significantly diminished by the fact of the arrest itself. Cell phones, however, place vast quantities of personal information literally in the hands of individuals. A search of the information on a cell phone bears little resemblance to the type of brief physical search considered in Robinson.

Both the majority and minority in Fearon agreed with the US Supreme Court that neither officer safety nor evidence on the device are at risk (Riley, pp. 10-11; Fearon para. 141). The data on a mobile device will be relevant to officer safety only in the rarest of instances and, in any case, allowances for such instances can be calibrated through a more permissive and deferential exclusionary rule in instances where officer safety is the motivation for a search, as CIPPIC has argued before [para 12]. Data on a mobile device can be easily secured for extraction later, after a warrant is obtained (Riley, pp. 14-15; Fearon, para. 144).

In spite of this lack of investigative necessity, the majority applied the broad historical rule to searches of mobile devices on arrest. The majority attempts to temper this rule by introducing two new contextual factors that might curtail the scope of the rule: a new requirement to measure the legitimacy of law enforcement requirements against the severity of the offence in question and a need for heightened temporal incidence. Neither is helpful, however. First, the new addition of an arbitrary 'severity of the offence' analysis [para. 79] will be difficult for law enforcement to assess. Is a charge of reckless speeding/driving 'serious'? Is a minor road-side drug infraction serious, if scouring the suspect's phone could lead to a drug trafficker? Is being present at a political protest which got out of hand (see, for example, The Vancouver Sun v British Columbia, 2011 BCSC 1736)? This ambiguity is exacerbated by the highly permissive and deferential standard that judges must use when assessing law enforcement judgments in this context [Fearon, paras. 22 and 68]. The standard permits minimal judicial second guessing of law enforcement assessments.

The requirement for heightened temporal incidence is likewise of minimal assistance. It holds that law enforcement may only engage the doctrine where there are matters that need to be followed up upon immediately [Fearon, para. 80]. However, as noted by the dissent, mobile devices are implicated in most elements of our lives. Hence, unless the investigation is indeed complete, law enforcement will almost always be able to advance a general prospect that such a device might yield evidence of a witness, co-conspirator, or object of crime - which is all they require to generate a temporal need to follow up under the permissive search incident to arrest standard. Moreover, the new requirement for heightened temporal incidence is undermined by the majority's adoption of an expanded geographical and purposive incidence requirement. The new rule appears to now encompass general public safety concerns that are not directly incidental to evidence-gathering and investigation of the particular offence by the particular arrestee in question (see Riley, pp 11; Fearon, paras. 48, 68). Once arrested, Fearon posed no threat to the officers or to the public. It in effect transforms the traditional incident to arrest search into a far broader fishing expedition that encompasses all aspects and potential implications of the offence. This expansion has potential to be especially broad given the deferential standard used when courts review law enforcement decisions to search a mobile device incident to arrest.

The decision also extends the legitimate objects of a search on arrest to include information that is clearly not within the device itself by granting officers the right to use applications on the mobile device itself and therefore geographically distant. Law enforcement are granted access to remote content accessible through the mobile device, as long as the scouring of this content is generally limited to more recent activity [Fearon, para. 76]. As most applications typically do not require the additional use of a password to engage, this is likely to include access to data stored on remote servers (emails, social networking site interactions, etc), access to remote equipment such as live audio and video streams from home surveillance cameras, and content from home computers through remote access and synced dropbox type applications.

The primary limitation on the historical search on arrest rule was the requirement for both objects searched (as the dissent notes, you cannot take an arrested individual's house key out of their pocket and search their home) and motivating objectives (you cannot search an arrested individual's trunk for evidence of unrelated offences or general public safety concerns) to be truly 'incidental' to the arrest. As such, perhaps ironically given the important privacy interests inherent in mobile devices, law enforcement may now have broader latitude to search mobile phones than they do to search physical objects on arrest.

On the impact of passwords or other locking mechanisms, the court was unanimous in its rejection of the court below's finding that mobile devices do not engage heightened expectations of privacy unless they are secured by a password [see ONCA, para. 32]. Simply put, Canadians should be entitled to having their reasonable expectations of privacy protected against the power of the state even if they do not put in place a practical obstacle such as a password. At the Supreme Court, the majority affirmed this:

An individual’s decision not to password protect his or her cell phone does not indicate any sort of abandonment of the significant privacy interests one generally will have in the contents of the phone. Cell phones — locked or unlocked — engage significant privacy interests. [para. 53]

From a practical perspective, this decision appears at first glance to limit the ability of law enforcement to bypass password-protected phones without a court order. As law enforcement cannot compel individuals to disclose their passwords, access to a locked device in a manner that would still meet Fearon's new heightened temporal incidence requirement may be difficult. iOS devices, for example, must often be sent to Apple in California for manufacturer unlocking. However, there are many ways that law enforcement might bypass this practical barrier. If the data on the device is not encrypted, accessing it without bypassing the password may not pose too significant a challenge. Law enforcement often bring mobile tactical equipment with them that could even be used to access underlying phone data on site.

Moreover, even if encrypted, mobile device passwords are often easy to bypass through 'smudge attacks' (guessing a password through the smudges that are left on the screen from pattern or PIN passwords). As others have pointed out, even devices that use fingerprints in lieu of passwords can be unlocked with a high-quality image of the print. As law enforcement can mandate fingerprinting on arrest, they will likely be able to access such devices with relative ease. As mobile digital fingerprinting becomes more prevalent, there will not even be a need to wait for processing at the station. However, it remains arguable that technical bypasses of this type are more intrusive than a normal search of a mobile device and, hence, violate section 8 of the Charter if conducted in the absence of prior judicial authorization, even on arrest.

Resources

CIPPIC's Intervention:


Tamir Israel, Staff Lawyer