Is There a Reasonable Expectation of Privacy on Work Computers?
May 20, 2009 by Stuart Freen (IPilogue Editor)A recent Ontario Superior Court ruling may impact how employees use computers at work. In R. v. Cole, 2009 CanLII 20699 (ON S.C.) Justice Paul Kane overturned a trial level decision and found that Cole did not have a reasonable expectation of privacy when using a computer provided by his employer.
Mr. Cole was a teacher and network administrator at a Sudbury high school. In the course of his regular admin duties he came across nude photographs of a 16 year-old student which had been sent over the school’s network. Cole saved the photos to his laptop which had been provided by the school board. Later, a board computer technician found the files and reported him to the school, who in turn reported him to the police. The Greater Sudbury Police Service seized the computer (without a warrant) and bypassed his password security system before charging him with possession of child pornography.
The issue raised at appeal was whether Cole’s s. 8 Charter right against unreasonable search and seizure was violated. Justice Kane adapted the test from R. v. Edwards, [1996] 1 S.C.R. 128 to the context of a computer network. The test has two main branches which must be satisfied before a violation is found: Firstly, that there was an objectively reasonable expectation of privacy in the circumstances; and secondly, that the search and/or seizure was conducted in an unreasonable manner. Justice Kane failed Cole on the first branch of the test, finding that he had no reasonable expectation of privacy.
Justice Kane looked at contextual factors including Cole’s acceptance of a User Agreement that expressly indicated that computer files were not private and his knowledge that board technicians could easily access his computer. His exclusive possession of the laptop and the password protection were not sufficient to override other indicators of a lack of privacy. Justice Kane also held that by focussing unduly on the police’s involvement, the trial level decision erroneously ignored other contextual factors relevant under the Edwards test.
This case comes in the wake of other recent decisions which have grappled with the reasonable expectation of privacy, particularly with respect to computers. In another recent unreported (but widely covered) decision R. v. Wilson (10 February 2009), St. Thomas 4191/08 (O.S.C.J.) the Court found that there was no expectation of privacy for internet service provider subscriber information. Similarly, in R. v. Kwok, [2008] O.J. No. 2414 the Court found that there was no expectation of privacy for IP addresses, nor are service providers prohibited from sharing subscriber information with police.
The impact of Cole may be that users of company computers (and possibly other devices like mobile phones) have less of a reasonable expectation of privacy than private computer users. As a result, users on company networks with company property may find themselves exposed to search and seizure without warrant.
2 Responses to “Is There a Reasonable Expectation of Privacy on Work Computers?”
Leave a Reply
All replies and responses are moderated and will not appear on the site immediately. Please see our response policy.
Follow Comments via RSS
I have a hard time accepting the possible conclusion that such an agreement with one’s employers simply eliminates the expectation of privacy in one’s laptop. I think the important thing is: once the employer’s became aware of the child pornography, the teacher no longer had a valid expectation of privacy. In those circumstances, the employers could rightfully hand over the laptop and the police could rightfully inspect it (it seems to me that the school handed over the laptop and CDs to the police). The teacher’s right to privacy might have been engaged if the employers had no reason to hand over the laptop or the police had randomly seized it on the street. Or at least, I hope it would be.
I’ve said it before but I like repeating it. I think that one’s expectation of privacy differs greatly depending on the person invading it. You can’t jump from “He has no expectation of privacy from person X” to “he has no expectation of privacy from anyone.”
Mr. Barnes, your conclusion is spot-on. The same reasoning appears to have been used in the recent R v. Patrick. I expect that city services may see the contents of my garbage, but I do not expect that random people should be able to access my garbage, much less the police.
Furthermore, should contracts of adhesion (which may have been the situation of the User Agreement in Cole) have any role in informing the reasonable expectation to privacy? I find it problematic that they should (and being aware of R. v. Kwok).
Bad facts seem to make bad law – it appears that courts are ready to remove the last vestiges of expectations of privacy simply because child pornography is alleged. Of course, this will be used as precedent for other alleged offences. Given that more and more of our life “occurs” on the internet, this trend is quite worrying.