May Receivers and Trustees Require Disclosure of Passwords to Do Their Work?
Since most information these days is generated, communicated and stored electronically, those who need access to a person’s information need access to the person’s information systems. That access may require a password and perhaps a means of decrypting the information. To what extent can the person with a legal right or even duty to access the information compel disclosure of these access methods?
In Ireland, a receiver is investigating the corporate and personal affairs of Sean Quinn in his dealings with the Bank of Ireland. The High Court of Ireland has ordered that several members of the Quinn family turn over to the receiver the passwords needed to access a number of their personal and business accounts. The court responded to concerns about privacy by limiting the number of people who can have access and the nature and date of the records to be accessed.
The US law firm Steptoe and Johnson has commented with respect to this case,
Courts globally are just beginning to wrestle with whether they can order people to turn over encryption keys or passwords, or to produce unencrypted data, and what limits, if any, to put on searches for electronic evidence that might be buried in a sea of unrelated, private data. So nearly every decision in the area is breaking new ground.
Would this happen in Canada? If not, why not? Does it matter whether it is a criminal case, a civil case or – as here – a regulatory investigation (in a bankruptcy proceeding)?
I’d certainly expect to be asked for passwords (actually encryption keys) in any kind of investigation, because so much of my life is archived on a computer of some kind.
At the same time, I expect most people so asked to be horrified, as so much of their life is on their phone, or on facebook, or on a dropbox somewhere in the “cloud”. And I expect them to then object strongly!
Searching personal (as opposed to work) computers and accounts is at last as intrusive as searching someone’s house, and opens the door for some very effective “fishing expeditions”. If you have everything on one place, then that everything probably contains some secrets you’d not want others to see.
In this case, we saw a limitation on “the number of people who can have access and the nature and date of the records to be accessed”. This is a good start, but we might need to have a discovery-like process, under the eyes of the court, to ensure that what is being used from a computer “repository of everything” is in fact what the case calls for.
–dave