Privacy Expectations Despite Weak Passwords and File Sharing?

If one has a weak password for one’s web-based personal information, is it reasonable to conclude that one has a reduced expectation of privacy with respect to that information?

(Here’s an English list (from 2006) of the 10 most common password and a list of the 500 worst ones, from the point of view of security.)

If someone uses “password” as his or her password, should he or she really be able to claim some privacy interest in the information behind it?

What about file sharing? If one has files or folders or most of one’s computer accessible to peer-to-peer sharing, does one still have some expectation of privacy in the contents somewhere?

Does it matter that unauthorized use of computer resources is illegal? In a prosecution for that offence, one cannot claim authority because of a weak password. After all, it is illegal to trespass on property if there’s a plain, non-threatening sign saying ‘do not trespass’ or ‘keep off’, even without a fence. (For that matter, many trespass laws bar trespass if the trespasser ought to have known the property was private, even without a sign or fence.) Is trespass a good analogy for privacy infringement?

Presumably one does not sacrifice one’s privacy by using P2P just because some uses of P2P may violate copyright (and some don’t).

Enough speculation: do you know of any case law or privacy officer decisions based on such reasoning? I don’t, but maybe I haven’t looked hard enough.

I know that the various governors of the legal profession (law societies, bar associations etc) tend to say that use of email generally or even unencrypted email does not waive any expectation of privacy, and, more important (perhaps), does not negate any privilege in the documents communicated by this method. Lawyers are advised to discuss communications security with their clients (and the subtle advisors warn that the clients may not be very knowledgeable about that topic, and one can’t hide behind that ignorance to establish a permission); but the general rule is that ordinary, unencrypted email is OK. VPNs and Extranets are generally considered OK too — which takes us back to the first question: does it matter how secure the password protection is for such networks?

Any relevant case law on the legal profession’s share of the question?


  1. Looks like the Government of Alberta got caught in exactly this situation

  2. Well, in Alberta the person who came across the site for the forthcoming provincial budget seems to have found the template, live but not yet activated. Once the government started to put content on it, they changed the password from ‘password’ to something more secure.

    In any event, if there had been content and the person who went on the site did so by guessing the password, would he still not be liable for the offence of unauthorized access to a computer system? Does choosing a weak password, or not changing the default password, constitute authority to access the site? That seems to me a hard argument to make.

    Is it any different about the expection of privacy, or does a reduced expectation depend on an implied authority to know (or an ‘ought to have known’ principle)?

  3. What of the privacy of data entrusted to others? If you want to synchronize data between two computers then most software requires that it resides on the software suppliers’ servers. If you use MS Mesh, for example, your data will leave Canada and reside in the US, and be therefore subject to the legal grasp of the US (there is software that does not have this drawback at, but most synchronization software operates in this way).

    And when several sources (e.g. point to many employees being prepared to steal company data when they leave employment, it does make you wonder just where the privacy line is drawn.