R. v. Beauchamp (Ont. S.C.J) the impact of encrypted information in police investigation and its role in criminal cases
R. v. Beauchamp, 2008 CarswellOnt 2756 (Ont. S.C.J.)
Facts: Henry Beauchamp, Robert Cattral and Catherine Brunet all worked at a company named Canadian Barcode and Plastic Supply Company; Cattral and Brunet were the owner/operators of the business. The police conducted an investigation which lead to the arrests of the three accused — along with several others — for offences related to possession of payment card forgery equipment and data.
When the arrests occurred, the police executed search warrants at the same time. The police seized several computers. A portion of data on the computers was encrypted and the police were unable to unencrypt the data.
Prior to trial, the accused sought to have the encrypted data "disclosed". The Crown resisted. The accused brought an application seeking to force the Crown to disclose the information in question.
Ruling:
In considering the disclosure motion, the trial judge made several findings. First, he noted that it was admitted by all parties that the encrypted information was "relevant". Second, it was admitted that the encrypted information contained both potentially inculpatory and exculpatory information. Third, he noted that there was a "reasonable possibility" that the encrypted files contained business records (which could include payment card data).
With those findings of fact, the court held that the material, although not accessible to the Crown, was in the Crown's possession. However, the court went on to hold:
While I found that the Crown could not refuse to provide disclosure to the defence of the encrypted information solely on the basis that it does not have the complete possession or control of the information on the encrypted hard drives, I find the fact that the Crown has only partial control of the information is a contextual factor to be weighed and considered when deciding if the failure to disclose information denies the accused their right to a fundamentally fair trial [para 39].
With respect to the Crown's refusal to disclose, the court held that it could be justified on the basis of the need to maintain the integrity of the administration of justice.
I have found that there is sufficient evidence to conclude that there is a reasonable possibility that the encrypted files sought to be disclosed by the applicants may contain private credit card and debit card information of members of the public. The Crown has a duty to protect the public interest and to ensure that the privacy interests of any individual, whose credit card ordebit card information is contained in the encrypted files, are protected. The Crown also has a duty to prevent the possibility
of the commission of further criminal acts, which could occur if the encrypted information contains private credit and debit card information and was released to the applicants without adequate safeguards [para 51].
In the end, the court held that the material need not be disclosed unless, and until, the accused provided the key to unencrypt the material and permit the Crown to review and vet as necessary.
Comment: Beauchamp offers another aspect of encryption and password protection that may arise in criminal proceedings. In this case, the encryption used by the accused (which was inferred to be used to protect, inter alia, evidence of criminal activity) provided the Crown with a justifiable excuse for non-disclosure.
While the accused were not ordered to disclose the key to unencrypt the files, they were barred from access to "potentially" exculpatory evidence through their refusal to provide the passwords.