COURT FILE NO.: M125/16 DATE: 20160913
Ontario Superior Court of Justice
Toronto Region
B E T W E E N:
IN THE MATTER OF an application pursuant to s. 15(1) of the Mutual Legal Assistance in Criminal Matters Act, R.S.C. 1985, c. 30 (4th Supp.) for an order sending evidence for use by authorities in the Kingdom of the Netherlands in their investigation of persons believed to be committing criminal offences
S. Tse, for the Attorney General of Ontario on behalf of the requesting state J. Peris, for Ennetcom Group services BV
HEARD: September 9, 2016
Nordheimer J.:
[1] An unusual issue arises in this case with respect to the request for an order under s. 15(1) of the Mutual Legal Assistance in Criminal Matters Act, R.S.C. 1985, c. 30 (4th Supp.) to send evidence from Canada to the Kingdom of the Netherlands. The background to this issue may be briefly outlined. As a starting point, though, I will say that I am satisfied that the material in question was gathered in accordance with the search warrant that I earlier issued. No issue is taken with that fact.
Background
[2] Authorities in the Kingdom of the Netherlands have been investigating very serious criminal offences that include assassinations, violent armed robberies, attempted murder and organized crime. Common to these offences is the use, by the participants, of PGP encrypted BlackBerry devices supplied by Ennetcom. [^1]
[3] Ennetcom is a Dutch company that specializes in secure network communications and cybersecurity. According to the company’s website, as provided to me by its counsel, Ennetcom’s mission is stated to be:
It is our mission to create and develop state-of-the-art products and services that guarantee the overall protection of valuable information and defend against all forms of cybercrime.
Ennetcom features the use of PGP encrypted BlackBerry smartphones as part of its business.
[4] As a result of their ongoing investigations, the Dutch authorities have seized a large number of Ennetcom PGP BlackBerry devices. They have also recovered numerous firearms (including assault rifles, machine guns and handguns), explosives (including grenades), drugs, large sums of money, stolen motor vehicles and vehicle tracking devices.
[5] The Dutch authorities allege that Ennetcom was actively engaged in facilitating the activities of criminal organizations or groups by providing specific PGP encrypted BlackBerry devices for use by members of those criminal organizations or groups to carry out their desired criminal activities and to do so in a manner that would reduce the likelihood of them being detected and identified.
[6] PGP BlackBerry devices are specifically designed to send and receive PGP email messages with other PGP BlackBerry devices. It is recognized that, by their nature, PGP encrypted devices can be used to frustrate the usual methods by which police, and other investigative bodies, intercept communications and identify the communicators. The Dutch authorities say that Ennetcom PGP BlackBerry devices, that they have found in the course of their investigations, have been modified so that they can only send and receive encrypted email. Unusually, these Ennetcom PGP BlackBerry devices cannot send or receive phone calls or conventional text messages, nor can they take pictures. The microphones on the phones have either been removed or disabled. It is also possible for Ennetcom to remotely “wipe” or erase the contents of any of their devices at any time.
[7] The Dutch authorities also discovered that these Ennetcom PGP BlackBerry devices, because of their modifications, could not be used on conventional cellular telephone networks. Rather, they operate through a system run by Ennetcom that generates anonymous email addresses by which the users of these devices can communicate in complete anonymity. The Ennetcom PGP BlackBerry devices can only operate through a BlackBerry Enterprise Server. BlackBerry Enterprise Server is a software package that permits IT administrators, within an organization, to control virtually all functions of BlackBerry devices connected to the organization’s network. It allows those administrators to make the devices as secure as the organization would like. In this case, the Dutch authorities discovered that the Ennetcom PGP BlackBerry devices were only able to communicate via PGP encrypted e-mail with other Ennetcom PGP BlackBerry devices connected to the same Ennetcom network. The Dutch authorities also discovered that the “keys” for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers.
[8] As part of their investigation of these Ennetcom PGP BlackBerry devices, the Dutch authorities discovered that the devices were using a particular IP address. They traced this IP address to a company in Toronto, Bitflow Technologies Inc., that had an address at One Yonge Street. Bitflow Technologies is an internet hosting company. Further investigation discovered two other addresses associated with Bitflow Technologies, one of which was 151 Front Street West in Toronto. The investigators discovered that this latter address was a location that specialized in being a telecommunications hub and carrier hotel.
[9] The Dutch authorities determined that Ennetcom had arranged with Bitflow Technologies to use its location for, among other things, a BlackBerry Enterprise Server. Having made this discovery, the Dutch authorities realized that they needed to gain access to the BlackBerry Enterprise Server being used by Ennetcom in order to find the encryption keys that the Ennetcom PGP BlackBerry devices were using. As I earlier noted, the encryption keys were, in turn, necessary in order to decrypt data that was found on any Ennetcom PGP BlackBerry devices that had been, or would be, seized.
[10] As a consequence of this information, the Kingdom of the Netherlands asked Canada, pursuant to the Mutual Legal Assistance Treaty between the two countries, to obtain a search warrant for the premises of Bitflow Technologies. The investigative plan was to seize the data on the BlackBerry Enterprise Server, located at the Front Street premises, at the same time that the authorities in the Netherlands intended to execute other search warrants, both in the Netherlands and elsewhere, as well as arrest certain individuals.
[11] On April 18, 2016, I granted, on an urgent basis, the search warrant requested pursuant to s. 12 of the Mutual Legal Assistance in Criminal Matters Act. The next day, members of the Toronto Police Service, with the assistance of Dutch investigators, executed the search warrant at the premises on Front Street West. Simultaneously, search warrants were executed in the Netherlands for servers that were located there. A number of people were arrested and a large amount of money, along with other valuables, was seized. There was also a concurrent search conducted in Spain, where another large sum of money, along with a quantity of diamonds, and a large number of unused BlackBerry devices, was found.
[12] I should mention that, prior to the search warrants being executed in the Netherlands on the servers there, the Dutch authorities sent out a broadcast message to 19,000 Ennetcom users in English, Spanish, Dutch and French advising of the investigation and the reason for the service disruption. The message advised that the Ennetcom encrypted BlackBerry system being used by them had been seized by the police for an investigation. To date, the Dutch authorities report that no one has approached them to ask questions about, or to object to, the seizure.
[13] Pursuant to the search warrant executed here in Toronto, a large quantity of data was collected. This process took some time. The Attorney General of Ontario now seeks an order to send the evidence seized, consisting of that data, to the Kingdom of the Netherlands. Under the provisions of the Mutual Legal Assistance in Criminal Matters Act, however, even after this court grants a sending order, the ultimate decision whether any evidence will actually be sent to the Kingdom of the Netherlands is made by the Minister of Justice. In particular, s. 16 of the Mutual Legal Assistance in Criminal Matters Act reads:
No record or thing seized that has been ordered under section 15 to be sent to the state or entity mentioned in subsection 11(1) shall be so sent until the Minister is satisfied that the state or entity has agreed to comply with any terms or conditions imposed in respect of the sending abroad of the record or thing.
[14] When the matter returned before me to consider the request for a sending order, counsel for Ennetcom, with the Crown’s agreement, provided me with a letter from the owner or principal of Ennetcom, Danny Manupassa. Mr. Manupassa was one of the persons who was arrested in the Netherlands on April 19, when the searches were undertaken. He is currently on a release that prohibits him from travelling outside of the Netherlands. Mr. Manupassa’s letter explains the background of his company. Mr. Manupassa denies any conscious involvement with anyone who used the services of his company for criminal purposes. Mr. Manupassa is critical of the Dutch authorities for not requesting assistance and/or information from him, prior to taking the steps that they did.
[15] While all of those aspects of Mr. Manupassa’s letter will be dealt with in the Netherlands, he does raise an issue that was also of concern to me in considering this request for a sending order. That issue is, as Mr. Manupassa points out, that Ennetcom has 20,000 registered users. He expresses concern that, not only is private information of these users included in the data seized, it may also include private information of other persons with whom these users communicated. The number of such persons would be exponentially greater.
[16] While counsel for the Attorney General had attempted to put some limiting language into the draft sending order to address this concern, it was not language that I found satisfactory. My concern is that, if all of this data is sent to the Netherlands, there is theoretically nothing that would stop the Dutch authorities from “mining” that information for evidence of other criminal activities by other persons, who are not related to the current investigations, and for which the original search warrant was granted, and who are not currently the subject of any investigation. In other words, the Dutch authorities could go on a “fishing expedition” trolling for information that might reveal criminal activity that is otherwise unknown. While I am not saying that the Dutch authorities would act in that fashion, there is certainly a very real risk of that possibility and that is a risk that, in my view, I have an obligation to protect against in accordance with the requirements of s. 15 of the Mutual Legal Assistance in Criminal Matters Act, to which I shall come in a moment. The issue then became how to protect against that risk.
[17] Counsel for Ennetcom did not dispute that the seized data, as it relates to the four investigations for which the search warrant was obtained, has to be sent to the Kingdom of the Netherlands. That is Canada’s obligation under the treaty that we have with that country. Counsel for Ennetcom contended, though, that only the data, as it specifically relates to those four investigations, should be sent. However, counsel then had to acknowledge that he did not know of any way in which that data could be identified and separated out from the other data. Indeed, it appears to me that, absent a requirement that the Dutch investigators come and review all of the data here in Toronto, there is no practical way of achieving that end, given the nature of the data that is involved. Much of the data is likely to be interrelated, and its relevance to those investigations will only become apparent when the investigators actually see it and match it to other information that they have, such as the unique identifiers for the large number of BlackBerry devices that they have seized in the course of their investigation. It is also, of course, quite likely that the data may reveal contact between persons using known BlackBerry devices and other persons using unknown BlackBerry devices, given the structure of the network through which these devices communicated. Any of those revelations will undoubtedly make some of the data relevant that is not currently known to be relevant. Realistically, there is no way of parsing the data so that some portion of it gets sent to the Netherlands while the remaining portion remains here. Of course, requiring the Dutch investigators to come here to review the data is impractical and also inconsistent with the fundamental purpose of the Mutual Legal Assistance in Criminal Matters Act, and the international treaties that Canada has signed, which is to assist other states in the investigation and detection of crime: see Mutual Legal Assistance in Criminal Matters Act (Re), [1999] O.J. No. 3292 (C.A.), at para. 15.
[18] Given then that the data in total must be sent to the Kingdom of the Netherlands, the real concern remains that there will inevitably be information within the data that relates to individuals, who have nothing to do with the four investigations that gave rise to the search warrant. Indeed, the affidavit from one of the Toronto police officers involved in this matter, and that was filed in support of the request for the sending order, reveals that the investigators in the Netherlands have already been approached by a number of other investigators, both in the Netherlands and in other countries, regarding investigations that they have ongoing that involve these same Ennetcom PGP BlackBerry devices. It is almost certain, therefore, that other investigators will seek to have access to the data in order to further these other investigations.
[19] In dealing with this concern, I should set out the relevant portions of s. 15(1) of the Mutual Legal Assistance in Criminal Matters Act. It reads:
(1) At the hearing to consider the execution of a warrant issued under section 12, after having considered any representations of the Minister, the competent authority, the person from whom a record or thing was seized in execution of the warrant and any person who claims to have an interest in the record or thing so seized, the judge who issued the warrant or another judge of the same court may
(b) in any other case, order that a record or thing seized in execution of the warrant be sent to the state or entity mentioned in subsection 11(1) and include in the order any terms and conditions that the judge considers desirable, including terms and conditions
(i) necessary to give effect to the request mentioned in that subsection,
(ii) with respect to the preservation and return to Canada of any record or thing seized, and
(iii) with respect to the protection of the interests of third parties.
[20] It is clear that, under s. 15(1)(b)(iii), I have the authority to include any terms and conditions in the sending order that I view as desirable to protect the interests of third parties such as those persons here, whose information may be included in the data, but who are not involved in the four investigations. As was pointed out in Mutual Legal Assistance in Criminal Matters Act (Re), at para. 20, in crafting the appropriate order, I must balance both “the legitimate state and individual interests at stake”.
[21] To address the concern that I have mentioned, I could include a term that the Dutch authorities are not to allow access to the data by any other investigators other than the investigators involved in the four investigations. In other words, I could include a term that would have the effect of requiring any other investigators, who wish to access the data, to bring a separate application in Canada to obtain access to the data. [^2] However, at least in the case of other Dutch investigations, to impose such a requirement strikes me as promoting process over substance. It would also require the expenditure of time and money that is unnecessary to address the true concern. The point is to protect third parties from having their information accessed without proper judicial authorization.
[22] That protection can be afforded by including a term in the sending order that would require any other Dutch investigators, who wish to access the data, to obtain judicial authorization for that access from a court in the Netherlands. Once the data is actually in the Netherlands, and if a court there is satisfied that there are proper grounds to permit investigators to have access to the data to pursue a legitimate police investigation, then I do not see any reason to deny those investigators the right to do so, by requiring them to get authority from a court in this country. The process underlying mutual legal assistance is country to country. Once Canada has concluded that evidence should be sent from this country to another, it does not strike me as inconsistent with the spirit of the Mutual Legal Assistance in Criminal Matters Act to then permit the courts of that country to decide on any additional use to which that evidence may be put within their own country. I reiterate that, in order to properly protect the interests of third parties, permission to access the data by other investigators should come from a court in the Netherlands and not through any administrative processes that may be available in that country to obtain evidence.
[23] However, I view any request, that might emanate from investigators in a country other than the Kingdom of the Netherlands, in an entirely different way. For lack of a better expression, Canada remains the home of this data. If investigators in another country want to have access to that data, then they ought to have to follow the same procedure that the Dutch authorities utilized here. For one reason, only countries, who have a Mutual Legal Assistance Treaty with Canada, should be able to seek access to what is, effectively, Canadian-based data. That requirement ought not to change simply because a copy of the data happens to now be located in the Kingdom of the Netherlands as a result of a MLAT request by that country. Canada has an ongoing obligation to protect the data, and to ensure that it is not accessed without proper procedures being followed. Canada’s international obligations to permit access to that data only extend to those countries with which we have a Mutual Legal Assistance Treaty. Only those countries should be able to seek access to the data, and then only after having obtained the requisite approvals of the Minister of Justice, and the requisite orders from the appropriate Canadian court.
[24] In summary, the appropriate way, in my view, to protect the rights of third persons in this situation is to include, in the sending order, terms and conditions that:
(i) require that the Kingdom of the Netherlands restrict access to the data to the Dutch investigators involved in the four investigations that formed the basis for the search warrant, and such other Dutch investigators who can satisfy a court in the Netherlands that they should have the right to also access that data, and;
(ii) require that the Kingdom of the Netherlands prohibit access to the data by any persons, including investigators, from any other country.
[25] There were some other small issues regarding the precise wording of the sending order but I believe that those issues were all resolved between counsel and me at the hearing.
[26] The sending order is therefore granted, subject to counsel returning before me with the formal order for signature so that I can be satisfied with the wording of the terms and conditions that I have ordered.
NORDHEIMER J.
Released: September 13, 2016
Reasons for Decision
NORDHEIMER J.
RELEASED:
Footnotes
[^1]: PGP stands for “pretty good privacy”. PGP is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. [^2]: On this point, I should make it clear that the data to be sent to the Kingdom of the Netherlands is a copy of the data seized. The “original” is to remain here in Canada.