Man with binocular screens of binary code behind him

All Eyes on You: Digital Privacy and Your Devices

  • June 12, 2019
  • Steven Threndyle

Like thousands of other Canadians, you might start your day by lacing up your running shoes and hitting the stopwatch function on your smartwatch or phone as  you begin your daily run.

Though the first iterations of heartrate monitors and sport watches did little more than count heartbeats and mark time, today’s GPS-enabled units are literally like wearing a computer on your wrist. Third-party apps like Strava and RunTracker count every heartbeat and footstep, (even noting where you paused to wait for a traffic light to turn) and that data is then uploaded to a cloud-based server. Advanced app technology can detect patterns in your training program to make suggestions for you and even motivate you to achieve your athletic goals.

What rights do you have when it comes to geotracking?

But what if you were also seen via security footage to be near where a young guy in a hoodie snatched a woman’s purse in the playground you ran past, or where the sexual assault of a co-worker took place the previous month? Should the police come around to pay a call, might they ask to see your smartwatch to determine just where you might have been on the days of the crime? What rights and privacy do you have when it comes to geotracking data on smartwatches, fitness trackers, and of course cellphones?  

Earlier this year in the United Kingdom, Manchester police obtained a murder conviction using data recorded on a smartwatch belonging to Mark Fellows, a local weekend warrior whose day job happened to be a Mob hit man. They cracked the case when they noticed a photo of the suspect wearing a Garmin Forerunner GPS watch during a 10-kilometre race. Data from that watch later put him at the scene of not one, but two gangland-style murders.

What do the courts in Canada say?

It’s not certain at this point whether a similar conviction could be obtained in Canada. Known within the legal community as a ‘go-to expert on privacy law,’ counsel Molly Reynolds of Torys LP says, “Although there is broad recognition that the law has trouble keeping up with technology, the general trend from the courts, especially the Supreme Court of Canada, has been to recognize the sensitivity of information stored on electronic devices as these devices become more prevalent in all parts of our lives.”

The result, according to Reynolds, has been to place greater obligations on police departments to seek appropriate authorizations before seizing information during a criminal investigation. She cautions, however, that “this doesn’t mean that individuals are fully protected from police access to their digital information, but rather that a judge has to approve the balancing of investigative needs with privacy rights in advance.”

Reynolds references recent Supreme Court decisions (notably R. Reeves, 2018 SCC 56) that demonstrate how an individual’s digital privacy rights must be respected, even information that was stored on a computer and then shared with someone who consented to a police search.

She also points to issues around digital communications and data in the context of wearable devices that track fitness or health indicators. “We can expect that courts will require police to have warrants to obtain the data they hold on suspects. Generally, the courts have often noted that health information is especially sensitive information that attracts a strong privacy interest.”  

And what of the cloud-based companies that hold this valuable information within their massive server farms? “The failure to ensure police have proper authorization to seize digital evidence can not only affect the criminal case against an accused, but could lead to regulatory investigations of the company that disclosed the information and potential civil liability,” Reynolds says.

How well informed is the public?

The vast majority of Canadians will never be caught in a criminal act, but we are increasingly aware of privacy issues and hacking when it comes to smartphone or even digital assistant technology.

Toronto lawyer Angela Chaisson is an LL.M candidate at Osgoode Hall, where she and Professor Kate Sutherland are researching online privacy and legal theory. Chaisson’s research primarily focuses on the non-consensual sharing of intimate photos online, and the implications this might have on Canadian tort and criminal law reform. Chaisson is also a research assistant at the Institute for Feminist Legal Studies.

She believes the public is still very naïve when it comes to knowing and reading the fine print on any digital legalese. “The fact is, there isn’t a true delete button on any computer. There’s only a hide button.” Indeed, our digital breadcrumbs spread far and wide from the blogposts we upload to the shoes we search for to the photos we “like.”

She cites the example of “revenge porn”, which most people believe to be the angry retaliation of jilted boyfriends shaming exes with naked images. “Revenge porn — and I don’t like that term — has been a criminal offense in Canada since 2016 and there have been some truly horrifying cases,” Chiasson adds. 

How vulnerable is the public?

More importantly, vengeful partners aren’t the problem. Hackers are.

Chiasson was surprised to find digital scenarios that sound like something out of Netflix’s Black Mirror or a dystopian Atwood novel. “Our research shows that in many cases it is hackers —utterly unknown to the owner of the laptop — who can infiltrate your laptop or phone and use your phone or microphone to secretly record your every move, and then distribute those images randomly to friends, colleagues, and employers. I know of a case where a woman opened her laptop and received a clip of her engaging in sexual activity that she could tell was recorded on her own computer. And, of course, a note demanding that money is paid so that people in her address book are not contacted.”

Such actions do fall under the Criminal Code but in most cases, it’s a long, expensive process to obtain IP addresses and track down perpetrators. The women that Chiasson sees — and they are all women or members of the trans community — do not have a lot of money to seek justice. “They just want it to stop,” she says.  “Quite understandably, the implications for women having their intimate images distributed to their employer or to their friends and family are huge.”

Finally, Chiasson says, “There’s a well-founded fear that you might go to court to try and identify these hackers, and all you’re going to do is call attention to the situation. The last thing these victims want is more publicity. These digital footprints that we all leave might live on forever and never give a victim any peace of mind.”

In late May, the federal government announced its 10-point Digital Charter to protect the rights of Canadians to their data. In Reynolds’ view, “this won't do much to change the current state of the law in criminal investigations. The proposals are largely focused on amending the private sector privacy law (PIPEDA) to enhance individuals' rights vis-a-vis the companies that handle their data, and not in the context of police (or government) access to information or criminal investigations. For example, even if a right to be forgotten was recognized in Canadian privacy law, organizations could be required to maintain information that an individual wants deleted if they have been put on notice that it is relevant to a criminal investigation, regulatory matter, or other legal proceedings. The more significant issue for the digital charter will be how the government balances business needs to collect and use personal information with individuals' rights to control their data.”