A highly anticipated case about border officials demanding passwords for electronic devices came in with a bang and went out with hardly a peep.

Alain Philippon was arrested in March 2015 for refusing to provide a password to his Blackberry that was demanded by border officials.  He was charged under s. 153.1(b) of the Customs Act which provides that:

153.1 No person shall, physically or otherwise, do or attempt to do any of the following:

(b) hinder or prevent an officer from doing anything the officer is authorized to do under this Act.

This case got national and international attention as the likely contender to answer the question, currently unclear in Canadian law, of whether the powers of the Canada Border Services Agency (CBSA) include compelling people to provide passwords.

On the one hand, we know from the Supreme Court of Canada that privacy rights are reduced in the context of border searches.  On the other hand, we know from the Supreme Court of Canada that the privacy interest in electronic devices is extremely high.  What happens when these hands meet is what everyone wants to know.  And the Philippon case isn’t going to tell us, because recently he pled guilty, and no Charter challenge was raised.

So all we know currently is that whether or not it could ultimately be found unconstitutional, you can be arrested for not providing your password to a border official who demands it.

True.  But here’s the breaking news: according to CBSA’s own documents, at least for some period of time, they weren’t supposed to be arresting people for not providing a password.

We have just been provided documents from someone who did an extensive FOI for CBSA records which included recent Operational Bulletins.  We are immensely thankful that this individual shared these documents with us.

These documents indicate that while CBSA maintains the position that they do have the legal authority to compel passwords, they acknowledge the law is not clear.  And, as of June 30, 2015, when Operational Bulletin PRG – 2015 -31 came into effect, people were not supposed to be arrested for failing to provide passwords.

Until further instructions are issued, CBSA officers shall not arrest a traveller for hindering (Section 153.1 of the Customs Act) or for obstruction (paragraph 129(1)(d) of IRPA) solely for refusing to provide a password.  Though such actions appear to be legally supported, a restrained approach will be adopted until the matter is settled in ongoing court proceedings.

It is important to note that the CBSA takes the position that the device itself can nevertheless be detained:

If a traveller refuses to provide a password to allow examination of the digital device, media or documents contained therein, or if there are technical difficulties that prevent a CBSA officer from examining the digital device or media, the device or media may be detained by the CBSA officer under the authority of Section 101 of the Customs Act, on the form K26, Notice of Detention, for examination by a CBSA expert trained in digital forensic examinations.

Further, even when passwords are requested, the requests must be limited:

Passwords are not to be sought to gain access to any type of account (including any social, professional, corporate, or user accounts), files or information that might potentially be stored remotely or on-line.  CBSA officers may only request and make note of passwords required to gain access to information or files if the information or file is known or suspected to exist within the digital device or media being examined.

Conversely, a traveller may voluntarily provide information and passwords to access external data in certain circumstances in order to show compliance; CBSA officers should advise travellers that they are not required to access or provide external information, but may voluntarily choose to do so.  The login information or password shall not be compelled or recorded in these cases.

It’s important to note that the quoted Operational Bulletin’s instruction not to arrest for “hindering” or “obstruction” was designed to be time-limited (“until further instruction”) and may already have changed given that the “ongoing court proceedings” probably meant the Philippon case and those proceedings aren’t proceeding.  We know that there are other cases working their way through the courts, but at any time CBSA could return to making arrests for password refusal.

Meanwhile here are two things to know:

• We’re helping to share these FOI docs from the CBSA because they are full of information that will help you understand how the CBSA says it is supposed to be conducting its business from searches to detention and access to counsel. In our view, these kinds of policy documents are exactly the kind of material that should be pro-actively disclosed by the agency, helping people to understand their rights and to seek effective redress if those rights aren’t upheld.

• The compelled password issue is not only not going away, it’s getting bigger by the moment. The Canadian Association of Chiefs of Police just decided to lobby for legislation that would give the police the ability to get a warrant to “compel the holder of an encryption key or password to reveal it to law enforcement.” There’s a really good analysis of that proposal here.  And if you have things to say on this topic – compelled passwords for CBSA or police – now is the time to say it! Public Safety’s cyber-policy consultation is happening right now and the window for comment is short.