Access to Server Data for Foreign Criminal Investigative Purposes

The impacts of privacy sensitivities continue to expand and affect all manner of technology and other transactions transactions. 

Canada and the United States have a long healthy and constructive relationship in providing assistance to the law enforcement agencies of each country in the investigation of cross boarder criminal activity. Canada has, with the United States and with other countries a series of mutual cooperation arrangements (including Mutual Law Assistance Treaties or MLATs) in place between Canadian and U.S. law enforcement by which criminal and terrorist conduct can be investigated and relevant information exchanged.

Such international cooperation is routine and rarely makes the law reports. The recent case of Canada (United States of America) v. Equinix Inc. v. Megaupload Ltd., 2013 ONSC 193 (CanLII), illustrates the operation of and judicial oversight of the MLAT mechanism and how law enforcement efforts to investigate and prosecute criminal conduct intersects with privacy concerns. This case is an attempt by the US government to get delivery to it of 32 servers belonging to Megaupload. These servers had been seized following an international raid on Megaupload during 2012 organized by the US prior to this application. At issue in the Canadian application were the Ontario servers seized under the warrant.

This case was an application by the Attorney General of Canada, on behalf of the United States of America, pursuant to s.15 (1) of the Mutual Legal Assistance in Criminal Matters Act for an order to copy and send certain data to the Government of the United States of America. The Attorney General of Canada brought the application to send mirror copies of 32 servers to US authorities who were investigating an alleged offence of criminal infringement of copyright, conspiracy to infringe copyright, money laundering and racketeering in relation to wrongful dissemination of copyright protected material such as movies and music.

The servers in question were seized by a search warrant. The Respondent did not to dispute the warrant but rather did suggest that there is an enormous volume of information on the servers in question and the act of sending mirror images of all of this data would be overly broad in the face of the slight evidence connecting the servers to the crimes alleged by the US prosecutors.

The US investigation had identified a very complex scheme to disseminate copyright material using a website operated by the Respondent with losses conservatively estimated at $500,000,000.

The servers in question were alleged to be used to process data.

After reviewing Section 15 of the Mutual, the Court noted that where a judge was satisfied that a sending order should not be made then the judge may return the materials to the lawful owner or may alternatively require the materials to be brought before him.

The Court reviewed R v. Jones, 2011 ONCA 632 and noted in that case that the Court had rejected the idea that authority to search a computer gave unfettered access to all data located there. Of importance in the Jones case was that the warrant contained no limiting terms as to which parts of the computer could be searched. The Court stated:

This is not because the warrant should be struck as “too broad”, in the sense that it contained no limitations on the ability of the police to search the computer, and therefore improperly invaded the high expectation of privacy the respondent had in the contents of his computer, as the respondent argues. It is because the warrant itself is properly restricted in the circumstances. Although it contained no limitations on the types of files that could be examined, it was reasonably focused and limited in the types of evidence the police could seek; and that evidence did not include evidence of child pornography.

In the present case the Court held that an analysis of the servers’ content must be brought before the court before such a broad order could be made. The Court therefore required the present motion to be adjourned and the servers were to be returnable before the Court while counsel were given an opportunity to determine the scope of the relevant material which should be copied.


  1. David Collier-Brown

    Thanks for this analysis of the Megaupload case: it’s illuminating… in part because it suggests that the whole effort is wrong-headed (;-))

    It is arguably valid for such a process to be followed in cases of copyright infringement, and can be critiques on the basis of whether it is necessary and sufficient.

    However, it suggest that at least the U.S. government is trying to deal with a minor crime copyright infringement, because they don’t know how to deal with major ongoing ones, commercial espionage.

    Real “computer crime”is centred around breaking in to people’s machines to steal data or crash them to deny the data to its owners. This is done via viruses, root-kits and the like, communicating across the internet to “bot-nets”, collections of machines used as accomplices and cut-outs. These in turn are run by “bot master” machines in the hands of the criminals.

    To investigate a key-logger (snooping) virus running on the machine of your chief counsel, you need to trace the connections across the internet from the infected machine to the “bot” and thence to the master. This requires cooperation of the police in the jurisdictions where the machines are and the ISPs they are connected to, to trace the connections between machines. To the best of my knowledge, that is barely in discussion at ICANN, and is nowhere part of the law or practice.

    Only once that is done does one need to identify persons, and only one person, the criminal operating the master, and seize the machine for evidence, possibly in a foreign country.

    All the other human beings in the story are victims, whom we do not need to identify, but merely transmit a warning to via their ISP. Once we have seized the master machine, we know the IP addresses (and ISPs) of the people who are being attacked, and the IP addresses of the people whose machines have been taken over by viruses to become the bot-net. Without breaching confidentiality, an ISP can forward a message that they are infected by a criminal’s virus, and in extreme cases require the machine to be cleaned of infectious before being allowed to connect to the ISPs other customers.

    I’m just a bit horrified at our American cousins: right now, people are stealing corporate information, collecting credit-card numbers and sabotaging centrifuges using techniques that neither the police, legislators nor courts are paying any attention to. Instead they are prosecuting a drop-box operator for a misdemeanor.

    They remind me of the story of the drunk looking for his car-keys under the street-light, instead of in the dark garage where he dropped them.