Hacked evidence not always admissible

For the London Free Press -  April 25, 2011 Read this on Canoe

There is a common-law rule that illegally obtained evidence is admissible in court no matter how it was obtained. But there are exceptions.

Given the digitally interconnected world we live in, it is not surprising there are cases where evidence has been obtained by way of an unauthorized computer access, or hacking.

Hacking is an indictable offence under the Canadian Criminal Code with a maximum 10 years imprisonment. The code defines hacking as any unauthorized use of a computer to:

  • obtain a computer service (which includes retrieval of data), 
  • intercept any function of a computer system,
  •  destroy, alter or render data meaningless, and
  •  obstruct, interrupt or interfere with the lawful use of data.

Based on the common-law rule, one would think information illegally obtained via unauthorized computer access should be admissible in civil proceedings. However, when it comes to hacked information, application of the common-law rule is not always so clear-cut.

In Autosurvey Inc. v. Prevost, a company concerned that part of its system had been compromised by a former employee hacked into the former employee's own private server and copied everything on it to preserve potential evidence.

The information copied contained, among other things, privileged solicitor-client communications, litigation strategy notes and confidential client information (credit card numbers and passwords) from the employee's other legitimate business interests.

The company's lawsuit against the employee was ultimately stayed by the court. The court called the company's "brute force entry" into the former employee's server egregious. In justifying his stiff decision, the judge said the company's "failure to fully disclose these serious procedural violations to the defendants and the court on any sort of timely basis, and the unquestionable prejudice that will result to the defendants as a consequence, demand public denunciation and the levy of a severe sanction by the court."

In Osiris Inc. v. 1444707 Ontario Ltd., an employee of the defendants hacked into his employer's server and took more than 2,000 documents in an effort to protect himself after refusing to participate in unethical conduct with his employer. The employee in turn provided one of the plaintiffs with 31 of the documents relevant to the litigation and damaging to the defendants.

Unlike in Autosurvey, the documents in question were not privileged and would have been producible under ordinary circumstances.

Ultimately, the 31 documents were allowed to be relied on pending a ruling on their authenticity.

These cases highlight that, despite the common-law rule regarding illegally obtained evidence, information obtained by unauthorized computer access will not always be admissible.

At the very least, the acquired information must be evidence and cannot be something that would not be allowed traditionally such as confidential communications unrelated to the matter at issue. Parties cannot conduct fishing expeditions into opponent's electronic servers, and the courts will punish individuals for such egregious invasions of privacy. And legal counsel cannot have anything to do with the hacking, or advise their clients to do so.