Court File and Parties

COURT FILE NO.: CR-21-42 DATE: 2022-04-07 ONTARIO SUPERIOR COURT OF JUSTICE

BETWEEN: HER MAJESTY THE QUEEN – and – KYLE HUGHES Defendant

Counsel: Cameron Peters for the Crown Joel Hechter for Mr. Hughes Deanna M. Exner for the Ontario Provincial Police Anil Kapoor as Amicus Curiae

HEARD: February 7-10, 15, 17 and 28, 2022

Ruling on Mr. Hughes’ Disclosure Application

C. Boswell J.

Introduction

[1] Twenty-four hours a day, seven days a week, law enforcement agencies around the world scour the internet in search of individuals using that platform to share child sexual abuse materials. Many of those agencies make use of advanced software tools capable of automated surveillance, detection, connection and downloading of child pornography from suspect users on peer-to-peer networks. This ruling begins to address the question of what level of access defence counsel should have to those software tools when representing persons accused of sharing child pornography on a peer-to-peer network.

[2] In the summer of 2019, an IP address [^1] associated to Kyle Hughes was flagged by automated law enforcement software combing the BitTorrent peer-to-peer file-sharing network in search of users expressing an interest in child pornography. An investigation was commenced that eventually led to charges against him for both possessing and distributing child pornography.

[3] Every accused person has a constitutional right to make full answer and defence to the charges against him. Implicit in that right is the entitlement to disclosure of all relevant, non-privileged information in the possession or control of the Crown, whether inculpatory or exculpatory. See R. v. Stinchcombe, [1991] 3 S.C.R. 326.

[4] Mr. Hughes complains that he has not received fulsome disclosure of all relevant information from the Crown. He implores the court to make an order that he be provided with certain technical information about the digital tools used by law enforcement to investigate his IP address, his digital devices and his online activities. More specifically, he seeks fully operational copies of the software used by law enforcement to investigate his IP address; the source codes for that software; and all user manuals, training materials and changelogs related to the software in the possession of the Ontario Provincial Police.

[5] Mr. Hughes seeks disclosure of these records for a number of identified reasons. First, to assess whether the software functioned properly at the relevant times. Second, to assess whether the use of automated software to identify his IP address, to connect to his device, and to download files from that device infringed his s. 8 Charter right to be free from unreasonable search and seizure. Third, to aid in an anticipated challenge to the sufficiency of the grounds upon which a warrant to search his residence was granted. His ultimate goal is to challenge the admissibility of evidence obtained by the police through the use of automated software and through the execution of the search warrant.

[6] The Crown resists the application. It argues that (1) it has already made meaningful disclosure relating to the use of the software; (2) the disclosure Mr. Hughes is seeking is not relevant to any live issue in the proceeding; (3) the disclosure sought is not, in any event, within the possession or control of the Crown or the OPP; and (4) the materials sought are protected by either investigative privilege or public interest privilege.

[7] The Crown’s position is supported formally by the OPP and informally by the U.S. law enforcement agencies that control access to the software in issue.

[8] This ruling represents the conclusion of the first stage of the disclosure application. I will take a moment to explain how it fits into the larger scheme.

The Application

[9] The litigants agreed on a specific and detailed procedure to follow in terms of the hearing of Mr. Hughes’ application, which, as I noted, engages issues of relevance and privilege, amongst others.

[10] The analytical framework to be applied depends on whether Mr. Hughes’ disclosure request constitutes first party disclosure or third party disclosure.

[11] First party disclosure constitutes all relevant, non-privileged information in the possession or control of the Crown. It includes all of the fruits of the investigation conducted by law enforcement in relation to the charges against Mr. Hughes and any additional information in the possession of the police that is “obviously relevant” to his case. See R. v. Gubbins, 2018 SCC 44, para. 21.

[12] The Crown’s duty to disclose all information constituting first party disclosure is triggered upon a request by Mr. Hughes. It does not require an application to the court.

[13] Third party disclosure constitutes any records or information sought by an accused person that does not constitute first party disclosure. To obtain disclosure of third party records, an accused person must bring an application to the court.

[14] A third party records application proceeds in two stages. At the first stage, the accused must establish that the records sought are “likely relevant”. If the accused meets this burden, the application will proceed to stage two. At the second stage, the applications judge will review the records in issue to determine whether, and to what extent, they should be produced to the accused. See R. v. O’Connor, [1995] 4 S.C.R. 411.

[15] If the court determines that the records in issue in this case are properly first party disclosure, then the next question will be whether the Crown has appropriately exercised its discretion to refuse production on the basis that the records are not relevant.

[16] If the court determines that the records are relevant first party disclosure, then the final question for determination will be whether the records are subject to a sustainable claim of privilege by the Crown.

[17] If the application gets to this stage, the privilege issue will be addressed in a closed session during which it is anticipated that the Crown will tender further evidence. Because the evidence tendered during that stage of the proceedings is arguably privileged, Mr. Hughes (as well as members of the public generally) will be excluded from that stage. To protect Mr. Hughes’ interests, Mr. Kapoor has been appointed as amicus. He will have the right to cross-examine any Crown witnesses tendered during the closed session and to make any arguments that Mr. Hughes might otherwise have made had he been a participant in the closed session.

[18] On the other hand, if the court determines that the subject records are properly characterized as third party disclosure, the next question will be whether Mr. Hughes has established that they are likely relevant to a live issue in the case. If he meets his burden to do so, then the court will examine the records in a closed session to determine if they ought to be produced to Mr. Hughes. Issues of privilege will again be canvassed in the closed session, which will proceed in essentially the same way as it will if the court determines that the records sought are properly characterized as first party disclosure.

[19] In summary, this ruling addresses the following issues only:

(i) Are the records sought by Mr. Hughes first or third party disclosure? (ii) If first party disclosure, are they relevant? (iii) If third party disclosure, are they likely relevant?

[20] Understanding the issues engaged in the application and the court’s disposition of those issues requires an appreciation of the how the investigation into Mr. Hughes’ IP address progressed as well as the nature of the records sought. The following overview should prove helpful.

Overview

[21] The Crown alleges that Mr. Hughes used a software program called “μTorrent, version 3.5.5” to download and share child pornography on the BitTorrent peer-to-peer file-sharing network.

[22] The OPP used proprietary software called “Torrential Downpour” to communicate with Mr. Hughes’ μTorrent account. They say they downloaded a number of files containing child pornography from an electronic device controlled by Mr. Hughes and running the μTorrent software, between July 18 and 19, 2019. The content of the files they downloaded from Mr. Hughes’ alleged device formed the grounds relied on by the police to obtain a warrant to search Mr. Hughes’ residence and seize his computer. When his computer was forensically examined, the police found an installed copy of μTorrent v. 3.5.5 as well as copies of the files they allegedly downloaded from that μTorrent account on July 18-19, 2019.

[23] How the police came to identify Mr. Hughes as a potential download candidate and how they went about downloading files from his computer are matters at the heart of this application.

[24] To understand the police investigation, it is necessary to understand something about how files are shared on the BitTorrent network and how the investigative tools utilized by the police work to identify and target those individuals sharing child sexual abuse materials on that network.

Peer-to-Peer Networks

[25] Peer-to-peer (“P2P”) file sharing networks connect devices directly without the use of a central server. They enable large numbers of personal computers to connect with one another and share files over the internet. They first came to prominence in the public domain with the launch of Napster in 1999. Napster rapidly became a popular means by which individuals could easily (and freely) share mp3 music files with other participants of the network. Napster was shut down by court order as a result of issues relating to copyright infringement. Nevertheless, the appeal of P2P file sharing networks had been established.

[26] Today there are a number of prominent P2P networks freely available on the internet including, amongst others, BitTorrent, Shareaza, Gnutella and eMule. To access one of these networks a user simply needs to download and install readily available P2P client software (in other words, a user program like μTorrent). Once the client software is installed the user can access whatever P2P networks the software supports.

The BitTorrent Network

[27] Most P2P networks work in a similar way. A user wishing to locate and obtain a file will open up his or her client program and enter the name of the file they want into the program’s built-in search engine. The program will access the associated P2P network and provide a list of other users who have, and are willing to share, the file of interest.

[28] The BitTorrent network works a little differently than other P2P networks. The principal difference is that BitTorrent does not provide a search engine to locate files being shared on the network. Instead, users interested in a particular file must locate a “torrent” file on the network associated with the file being sought. For instance, if a user is seeking a copy of the movie, Jurassic Park, he or she must obtain a torrent file associated with that movie.

[29] A torrent file is a small data file that defines a “payload” but does not otherwise contain any of the content of that payload. In my example, the payload would be the movie, Jurassic Park. While the torrent file does not include the payload, it includes instructions that enable BitTorrent client software to find and download the file or files that make up the payload. Most significantly, the torrent file includes information about the hash value(s) of the payload file(s).

[30] A hash value is a fixed length alphanumeric value – in other words, a string of characters – that uniquely identifies data. It is equivalent to a “data fingerprint”. When data files are uploaded to a P2P network they are assigned hash values. Those hash values allow devices using the network to distinguish files from each other.

[31] Users of the BitTorrent network must go out and look for torrents associated with the files they want. Torrents are created by users willing to share files with others on the network.

[32] Finding a torrent of interest generally starts with a search on an internet search engine such as Google. Torrents are available from a number of different sources. It is unnecessary, for the purposes of this ruling, to describe all of those different sources. Returning to my example, simply entering “Jurassic Park torrent” into the Google search engine will return a list of sites hosting a torrent for the movie, Jurassic Park. Once a torrent of interest is obtained, it can be entered into the user’s client software and the download of the associated payload file(s) can be initiated.

[33] The client software identifies other users on the network who have the files associated with the torrent. Again, the method by which it identifies those other users is a detail that I need not delve into for the purposes of this ruling. Suffice it to say that once other users with available copies of the target file(s) are identified, the client software will seek to obtain pieces of the file(s) from multiple other users at the same time, in order to improve download speed. This action is known as “swarming”. As soon as the user downloads a piece of a target file, that piece becomes available for other users of the network to download. In other words, the user becomes, simultaneously, both a downloader and an uploader. He or she becomes a member of the swarm.

The Roundup Suite of Investigative Tools

[34] P2P networks, like BitTorrent, enable files, both large and small, to be distributed freely and easily to large target audiences without unduly taxing one sender’s bandwidth, because the people downloading the file also become distributors of it.

[35] Unfortunately, as Napster proved, P2P networks can easily become platforms for piracy. They have also proved to be a popular means of distributing child pornography.

[36] BitTorrent is a hugely popular P2P protocol. Law enforcement agencies around the world are well aware that some of its users misuse it for the purpose of trafficking in child sexual abuse materials.

[37] Roughly twenty years ago, the U.S. Department of Justice established a multi-jurisdictional task force to combat technology-facilitated child sexual exploitation and internet crimes against children. Known as the Internet Crimes Against Children Task Force (“ICAC”), the program now includes 61 co-ordinated task forces across the U.S.

[38] ICAC utilizes a system for identifying and investigating suspected child pornography distribution on the internet. Its system is known as ICACCOPS. The “COPS” portion of the acronym stands for “Child On-Line Protection System”). The ICACCOPS servers are located in Pennsylvania.

[39] Over the years, law enforcement agents have been able to identify and catalogue the hash values of a large number of known child pornography files. ICACCOPS maintains a database of those hash values. It uses purpose-designed software to conduct automated surveillance of the internet (including P2P networks) with the goal of detecting parties interested in the proliferation of child pornography.

[40] In relation to the BitTorrent network, ICACCOPS uses software known as the Roundup suite of tools. They include a program called Torrential Downpour Receptor and another program called Torrential Downpour.

[41] Torrential Downpour Receptor and Torrential Downpour were developed by the University of Massachusetts (Amherst). UMass owns the copyright to the software. It provides it free to law enforcement. Training on the software is provided by Fox Valley Technical College in Appleton, Wisconsin. Instructors at Fox Valley train authorized law enforcement agents on the use of the software. Fox Valley controls the licensing of the Roundup suite of software to law enforcement agencies around the world. Training through Fox Valley is a pre-requisite to licensing.

[42] Torrential Downpour Receptor and Torrential Downpour run independently of one another but in tandem. Both operate through an ICACCOPS online portal.

[43] Torrential Downpour Receptor engages in automated surveillance of the BitTorrent swarm. How exactly it does so is not germane to this specific ruling. But what it does is identify the IP addresses of users in the BitTorrent swarm who are expressing interest in torrents associated with known child pornography. In other words, it looks for anyone showing an interest in torrents that reference hash values in the ICACCOPS database of known child pornography.

[44] Suspect IP addresses identified by any agent running Torrential Downpour Receptor through the ICACCOPS portal are documented in the ICACCOPS system.

[45] ICACCOPS works co-operatively with law enforcement agencies around the world to stem the distribution of child sexual abuse material across the internet. It uses geolocation software to identify the jurisdiction in which a suspect IP address is thought to be operating. It will push a notification of the suspect IP address to any co-operating agency running Torrential Downpour software in the jurisdiction where that IP address is suspected to be.

[46] Licensees (users) of Torrential Downpour software must manually configure its geographic parameters. As an example, a law enforcement agent in Ontario running Torrential Downpour will probably have little interest in suspect IP addresses located in Peru. He or she will likely configure the geographic parameters of the software to limit investigative interest to suspect IP addresses located in Ontario or in some specific area of Ontario. In the result, when Torrential Downpour Receptor identifies a suspect IP address geolocated to Ontario, the ICACCOPS system will push a notification of that address to any investigator running Torrential Downpour software configured for Ontario.

[47] For the most part, Torrential Downpour is designed to run automatically. When a licensed agent’s Torrential Downpour software receives a push notification of a suspect IP address in the jurisdiction the software is configured for, it will automatically attempt to establish a connection to any device operating on the BitTorrent network from that IP address.

The Investigation into IP Address 99.232.162.41

[48] The child exploitation unit of the OPP uses Torrential Downpour software as an investigative tool. A number of its investigators are trained and licensed to use the software.

[49] In mid-July 2019, the ICACCOPS system pushed IP address 99.232.162.41 to the Torrential Downpour software being operated by Detective Constable Neller of the OPP’s child exploitation unit in Orillia. The IP address was associated to a physical address in Beeton, Ontario. It was also associated with two infohashes (hash values) which were known to contain child pornography.

[50] Between July 18, 2019 at 20:02 and July 19, 2019 at 20:02, DC Neller’s version of Torrential Downpour made direct contact with a device at IP address 99.232.162.41. The device reported that it was using μTorrent v. 3.5.5 client software. Torrential Downpour was able to download a number of files from the device which were subsequently viewed by DC Neller and confirmed to be child pornography.

[51] DC Neller was able to determine that IP address 99.232.162.41 was assigned to Rogers Communications. On August 6, 2019 she obtained a production order for Rogers Communications to provide subscriber information for that IP address. Rogers complied with the production order and advised that the subscriber was Athena Hughes, who I understand is the defendant’s mother. A residential address in Beeton was provided as well. DC Neller determined that Ms. Hughes lived at the address with her spouse and two sons, one of whom is the defendant, Kyle Hughes.

[52] On the basis of the information obtained through the operation of Torrential Downpour and from the production order, DC Neller applied for and obtained a warrant to search the Beeton address. A device allegedly belonging to Mr. Hughes was seized from his bedroom and, as I indicated, was found to contain an installed copy of μTorrent v. 3.5.5 as well as child pornography, including copies of the files downloaded by DC Neller’s Torrential Downpour software on July 18-19, 2019.

The Targeted Records

[53] Mr. Hughes has been provided with disclosure relating to the investigation into his IP address which includes the following:

(a) A complete forensic report and associated records generated by DC Neller’s Torrential Downpour software. These records amount to tens of thousands of pages of data recorded by the software, including dates and times that Torrential Downpour attempted to connect to the μTorrent client software at IP address 99.232.162.41 and the files downloaded, with reference to their infohash numbers; and, (b) A copy of the mirrored hard-drives from any seized devices.

[54] In addition, the OPP has offered defence counsel an opportunity to test the software used in this case, provided such testing is arranged and conducted under the supervision of the OPP. I understand the OPP has offered to utilize a software program called “Wire Shark” during any testing of the program. Though I have little evidence about the manner in which Wire Shark works, I understand that it essentially tracks network activity on a granular level, such that it would provide defence counsel with a reasonably detailed log of how Torrential Downpour operates.

[55] Mr. Hughes has rejected the offer of testing on the basis that it would, in his counsel’s view, amount to reverse disclosure.

[56] Defence counsel is generally unsatisfied with the disclosure made regarding the investigation into Mr. Hughes’ IP address.

[57] In connection with this application, he served a subpoena duces tecum on the OPP seeking:

(a) A fully operational copy of the version of Torrential Downpour used by the OPP to investigate IP address 99.232.162.41 in July 2019; (b) The source code for the software; (c) All user manuals, changelogs, and other documentation associated with the software, in the possession of the OPP; and, (d) The results of the Maxmind [^2] queries of investigators in the OPP’s child exploitation unit for the months of July and August 2019.

[58] The OPP responded to the subpoena as follows:

(a) The software system has been replaced by a newer version. They are unable to produce the version sought. In response, defence counsel served a revised subpoena seeking the current version of Torrential Downpour software in use by the OPP. In response to that subpoena, the OPP produced a sealed copy of the installer for the current version of Torrential Downpour. They note that they are mere licensees of the software and that their license does not permit them to provide a copy of the software to any other party. Documents relating to copyright and licensing, with terms and conditions of use, were produced to the court (not under seal); (b) The OPP does not have the source code; (c) The OPP does not have the manual for the software in use in July 2019. It has only an updated version. A copy of the current manual was produced to the court under seal. The changelogs exist in the updated version of the user manual. Those changelogs were produced under seal; (d) The OPP possesses a copy of the presentation Fox Valley uses to train investigators on Torrential Downpour Receptor and Torrential Downpour. Fox Valley has not given permission to the OPP to distribute this material to others. It was produced to the court under seal; and, (e) The OPP do not keep a record of Maxmind search results. They are akin to Google searches. A Maxmind screen shot of DC Neller was produced, along with other screenshots of Maxmind results taken by investigators.

[59] As the application progressed, the disclosure sought by Mr. Hughes evolved. He now seeks:

(a) A fully operational copy of whatever software system ICACCOPS used to identify his IP address as an IP address of interest on the BitTorrent network and to push that address to DC Neller’s Torrential Downpour software; (b) A fully functional copy of the version of Torrential Downpour Receptor used to investigate IP address 99.232.162.41 in July, 2019, or alternatively a fully operational copy of the current version of that software; (c) A fully operational copy of the version of Torrential Downpour that DC Neller used to investigate IP address 99.232.162.41 in July 2019, or alternatively a fully operational copy of the current version of that software; (d) The source codes for the software requested; and, (e) All user manuals, changelogs, training manuals and other documentation associated with the software systems referred to above.

[60] He no longer seeks disclosure of any Maxmind results.

Discussion

(i) Are the Subject Records First or Third Party Disclosure?

The Governing Principles

[61] Stinchcombe clearly established the Crown’s obligation to disclose to the defence all relevant information in its possession relating to the investigation against an accused person. For the purpose of that obligation, “relevant information” includes not only information that the Crown intends to adduce in evidence as part of the case against the accused, but also any information that may assist the accused in the exercise of his or her right to make full answer and defence. See R. v. McNeil, 2009 SCC 3, at para. 17.

[62] The Crown’s obligation to disclose is not absolute. It does not extend to information that is beyond the control of the Crown. Moreover, the Crown has a discretion to refuse to disclose material that is clearly irrelevant or subject to privilege. See Chaplin v. The Queen (1995), 96 C.C.C. (3d) 225 (S.C.C.), at para. 21; R. v. Gubbins, 2018 SCC 44, at para. 19.

[63] The Crown’s discretion is reviewable by the court. On review, the onus is on the Crown to justify its refusal to disclose. See Stinchcombe, para. 21; Gubbins, para. 19.

[64] The Crown, of course, does not generally investigate crime or gather evidence. Those are functions that fall to the police. The police have a duty to disclose to the Crown all material pertaining to their investigation of the accused. The Crown has a corresponding duty to make reasonable inquiries when put on notice of potentially relevant material in the hands of the police or other Crown entities. The Crown cannot explain a failure to disclose relevant material on the basis that the police failed to disclose it to the Crown. See McNeil, para. 24.

[65] The material the police are obliged to provide to the Crown – and which the Crown is obliged to disclose – is often referred to as the “fruits of the investigation”. McNeil, paras. 14 and 22-23. This means the investigative files of the police, not their operational records or background information. In addition, the police may be required to disclose information beyond the traditional fruits of the investigation where the information is “obviously relevant” to the case of the accused. McNeil, para. 59.

[66] The “obviously relevant” standard describes information not in the investigative file, but which must be disclosed because it relates to the ability of the accused to meet the Crown’s case, raise a defence or otherwise consider the conduct of the defence. See R. v. Gubbins, 2018 SCC 44, at para. 23.

[67] Any records that do not fall within the definition of first party disclosure are properly characterized as third party disclosure.

The Parties’ Positions

[68] The parties’ positions are, unsurprisingly, diametrically opposed.

[69] Mr. Hughes’ counsel contends that all of the records sought are first party disclosure. In other words, all are either in the possession or control of the Crown or are otherwise in the possession or control of the investigating police force and are obviously relevant.

[70] Defence counsel takes an expanded view of who the investigating police force is. In his submission, U.S. law enforcement, specifically the ICAC task force, was intimately involved in the investigation of Mr. Hughes’ IP address. They are not a third party. They are an integrated part of the investigating police force. Counsel recognizes that ICAC is not within the jurisdiction of this court but argues that the OPP cannot contract out of their constitutional obligations in terms of disclosure. To hold otherwise would, he says, result in opening the floodgates to offshore policing to avoid adherence to the constitution.

[71] Defence counsel characterizes the involvement of ICAC as going well beyond the provision of a tip. He describes them as “a foreign subscription service that triggers investigations into Canadians by remote-control, without the need for intervention of Canadian authorities for days or weeks.” If they are permitted to carry out their activities without disclosure requirements that enable challenge by defence counsel then who, he asks rhetorically, “is watching the watchers”?

[72] In defence counsel’s submission, the records sought are obviously relevant to a number of live issues between the parties, including:

A. Functionality (a) Whether the software was being used properly and performing as designed on the occasion in question; (b) Whether the software takes actions not directly observable by the user; (c) Whether the system can be configured to stop, pause or provide alerts to investigators;

B. Charter Considerations (d) Whether the system interferes with a normative expectation of privacy; (e) When it would be appropriate to seek prior judicial authorization for the use of the software tools in issue;

C. Warrant-Related Issues (f) What DC Neller knew or ought to have known about the ICACCOPS system, including Torrential Downpour, its functioning and any performance issues at the time she swore an Information to Obtain (“ITO”) the warrant to search Mr. Hughes’ residence; (g) Whether DC Neller made full and frank disclosure in the ITO; and, (h) What information the software may have obtained – and which could have been placed before the court in an ITO – before Torrential Downpour downloaded material from the defendant’s IP address.

[73] The Crown demurs. Crown counsel asserts that none of the records sought are in the possession or control of the Crown. Most are not in the possession or control of the OPP. And those records that are arguably in the possession or control of the police are subject to strict licensing requirements that limit the OPP’s use of the records. None are the “fruits of the investigation”. Moreover, the defence has provided no authority and can point to no evidence to support the assertion that the records sought are obviously relevant to any live issue in the proceedings.

[74] The Crown asserts that it has already provided meaningful and sufficient disclosure of the software tools used during the investigation. They have produced exactly the data that DC Neller relied on when drafting the ITO. They have furthermore offered to facilitate defence testing of the Torrential Downpour software under OPP supervision. All of that is sufficient, counsel argues, to meet the Crown’s first party disclosure obligations.

[75] The OPP joins in the Crown’s position.

Analysis

[76] In my view, the records sought, with one exception, are not first party disclosure.

[77] I begin with two easy observations:

(a) None of the records are, or ever have been, in the possession of the Crown; and, (b) None of the records in issue are the fruits of the investigation.

[78] The fruits of the investigation have already been disclosed. The fruits generated by the Roundup suite of software tools consist primarily of the 49,000 pages of records created by Torrential Downpour in relation to its attempts to connect to IP address 99.232.162.41 and to download files; the files that were downloaded from the device operating on IP address 99.232.162.41; and the contents of the hardrive of the device seized from Mr. Hughes’ bedroom. All of that material has been disclosed to the defence.

[79] The only basis upon which the court could conclude that the records in issue are first party disclosure is to find that they are in the hands of the investigating police force and are “obviously relevant” to the accused’s case. See McNeil, at para. 59.

Are the Records in the Hands of the Investigating Police Force?

[80] For the most part, I agree with the Crown’s assertion that the records in issue are not in the possession or control of the investigating police force.

[81] To be clear, I view the investigating police force in this instance as the OPP and only the OPP. I do not accept the assertion that the investigative police force includes the OPP and ICAC, or for that matter, any other foreign agency. I do not accept any suggestion that the OPP has in any way outsourced its investigative responsibilities to an out-of-jurisdiction law enforcement agency.

[82] To conduct its investigation in this case, the OPP utilized software tools licensed to them by Fox Valley. Law enforcement agencies around the world use this same software. They work co-operatively to identify persons suspected of disseminating child pornography on the internet. When an IP address geolocated to Ontario is identified as suspected of being involved in sharing child pornography, Ontario law enforcement agents are provided with the IP address, together with the hash value(s) of any child sexual abuse files the IP address is suspected of expressing an interest in. In this case that Ontario law enforcement agency was the OPP.

[83] The OPP conducted the investigation. They used Torrential Downpour to connect to a device at the suspect IP address and to download files from that device. DC Neller personally reviewed the files downloaded and confirmed that they were child pornography. She determined the ISP associated with the suspect IP address. She obtained a production order to ascertain subscriber information associated with that IP address. The OPP conducted surveillance on the address identified by the ISP in response to the production order. DC Neller prepared the ITO to obtain a warrant to search the residence associated with the suspect IP address. OPP officers executed that warrant and seized devices. OPP forensic investigators conducted an examination of the seized devices and prepared a report.

[84] Defence counsel did not provide me with any case law to support the assertion that in circumstances like the ones present here, any of the following have first party disclosure obligations to an accused person: the source of an investigative lead; the manager of a database of hash values of known child pornography (i.e. ICAC); or the creator or licensor of automated investigative software tools (UMass or Fox Valley for instance). I am confident that no such jurisprudence exists.

[85] Counsel did refer me to a recent decision out of the Manitoba Court of Queen’s Bench, R. v. Kuny, 2021 MBQB 96, in which Dewar J. extended the Crown’s first party disclosure obligation to include obviously relevant material in the hands of a third party other than the police.

[86] Mr. Kuny was ticketed for speeding after being purportedly caught in the act by photo radar. He asked for disclosure of the manual for the photo radar equipment and proof of the operator’s training. A judicial justice of the peace (“JJP”) dismissed his request on the basis that the documents were not relevant and not in the possession of the Crown. The City of Winnipeg had outsourced the task of operating the photo radar equipment to a private company. The manual for the equipment was in the possession of that private company.

[87] Dewar J. disagreed with the JPP. He found that the disclosure sought by Mr. Kuny was “obviously relevant”, citing the decision of the Court of Appeal for Ontario in York (Regional Municipality) v. McGuigan, 2018 ONCA 1062. I will have more to say about that case momentarily.

[88] Dewar J. was not troubled by the fact that the material in issue was not in the hands of the Crown or the local constabulary. He essentially found that if the task of detecting an offence and gathering evidence in relation to that offence was delegated to a private company as opposed to the police, then that private company stepped into the shoes of the police for the purposes of disclosure. For the most part, they will be considered a separate entity from the Crown but will be subject to an obligation to provide the Crown with the fruits of their investigation, along with any other material that is obviously relevant to the proceedings.

[89] I note that Dewar J. did not require training materials to be disclosed, on the basis that he did not consider them to be obviously relevant to the proceedings and the request for that material appeared to him to be nothing more than the classic “fishing expedition”.

[90] I do not take issue with Dewar J.’s analysis. Requiring defendants to bring third party record applications to obtain obviously relevant disclosure from the agency tasked with detecting and investigating speeding infractions would be neither efficient nor justified, to borrow Justice Charron’s language from McNeil, whether that agency is the police or a private subcontractor.

[91] I find, however, that the analysis does not apply to the case at bar. I have found, as noted, that none of the OPP’s investigative responsibilities in this case were outsourced to any third party. This is a markedly different set of circumstances than those presenting in the Kuny case.

[92] I conclude that the only investigative police force, for disclosure purposes, is the OPP. In the result, I will assess whether the OPP has possession or control of any of the records sought:

(a) ICACCOPS software: I do not know specifically what software ICACCOPS uses to power its portal. I do know that it is not in the possession or control of the OPP; (b) Operational copies of Torrential Downpour and Torrential Downpour Receptor: On the basis of the evidentiary record before me, I find that the OPP has access to installation files for these two software tools, but that the software operates through the ICACCOPS portal. These tools are not, in other words, free-standing tools that operate independently of the ICACCOPS system. The OPP is permitted, by license, to access the tools and utilize them through the portal. They can not, in my view, be said to possess or control the software. What they possess is a license to use the software; (c) Source codes: I am not clear on this evidentiary record, who has the source codes for the software in issue. I expect that UMass (Amherst) does, but whether others have access to the source codes is something I do not know. There is no evidence that the OPP has access to the codes and they deny that they do. I find that the OPP does not have possession or control of the source codes; (d) User manuals, changelogs and training manuals for Torrential Downpour and Torrential Downpour Receptor: It appears that the OPP does have possession of these materials. They have been produced to the court under seal, at least insofar as they relate to Torrential Downpour. The Torrential Downpour Receptor manual and training materials were not expressly sought in the defendant’s subpoena duces tecum and have not been produced. I expect, however, that the OPP has them and can produce them if ordered to do so.

Are the Records in Issue Obviously Relevant?

[93] Given my conclusion that only the user manuals, changelogs and training manuals are in the possession or control of the OPP, I need not consider whether any of the other records in issue are “obviously relevant”.

[94] The notion that “obviously relevant” information, in the hands of the police but not otherwise part of the fruits of the investigation, must be disclosed to the defence comes from R. v. McNeil. At issue in McNeil was whether certain police disciplinary records formed part of first party disclosure. Justice Charron, writing for a unanimous court, observed, at para. 59,

…[T]he disclosure of relevant material, whether it be for or against an accused, is part of the police corollary duty to participate in the disclosure process. Where the information is obviously relevant to the accused’s case, it should form part of the first party disclosure package to the Crown without prompting.” (Emphasis in original).

[95] Some degree of confusion appears to have arisen, post- McNeil, about what the term “obviously relevant” meant and whether it denoted a particular standard of relevance. The Supreme Court cleared up any confusion by instructing, in Gubbins, that the phrase “obviously relevant”, does not create a new standard or degree of relevance. Instead:

…this phrase simply describes information that is not within the investigative file, but that would nonetheless be required to be disclosed under Stinchcombe because it relates to the accused’s ability to meet the Crown’s case, raise a defence, or otherwise consider the conduct of the defence.

See Gubbins, para. 23.

[96] Gubbins further instructs that the obviously relevant qualifier is significant. It signals that not all police records will be subject to first party disclosure.

[97] Justice Watt has discussed the concept of relevance in numerous decisions, including R. v. Candir, 2009 ONCA 915 at paras. 47-48; R. v. Luciano, 2011 ONCA 89 at paras. 204-211; R. v. Ansari, 2015 ONCA 575 at paras. 102-104; and R. v. Wood, 2022 ONCA 87 at para. 60. In R. v. Jackson, 2015 ONCA 832, he described the concept of relevance as follows, at paras. 120-123:

[120] Relevance is not a legal concept. It is a matter of everyday experience and common sense. It is not an inherent characteristic of any item of evidence. Some have it. Others lack it.

[121] Relevance is relative. It posits a relationship between an item of evidence and the proposition of fact the proponent of the evidence seeks to prove (or disprove) by its introduction. There is no relevance in the air: R. v. Luciano, [2011] O.J. No. 399, 2011 ONCA 89, 267 C.C.C. (3d) 16, at paras. 204-205.

[122] Relevance is also contextual. It is assessed in the context of the entire case and the positions of counsel. Relevance demands a determination of whether, as a matter of human [page184] experience and logic, the existence of a particular fact, directly or indirectly, makes the existence or non-existence of another fact more probable than it would be otherwise: R. v. Cloutier, [1979] 2 S.C.R. 709, [1979] S.C.J. No. 67, at p. 731 S.C.R.

[123] The law of evidence knows no degrees of relevance, despite the frequent appearance of descriptives like "minimally, marginally or doubtfully", "tangentially" and "highly" that tag along for the ride from time to time.

[98] Justice Watt instructed, in Jackson, that describing an item as obviously relevant could not denote a particular degree or character of relevance since, as he said, the law knows no degrees of relevance. In his view, the phrase “obviously relevant” represents “a comment on the obvious nature of the relevance of the record.” Jackson, para 125. See also York (Regional Municipality) v. McGuigan, as above, at para. 84.

[99] An easy example of an obviously relevant record in the possession or control of the police would be the record of a perjury conviction of an important Crown witness.

[100] Defence counsel urged the court to conclude that all of the records sought are obviously relevant. For the reasons I have stated, I am concerned now only with the manuals (which includes the changelogs) and the training presentation.

[101] To support his argument that the manuals and training materials are obviously relevant, defence counsel cited York (Regional Municipality) v. McGuigan, as above. In York, the defendant was charged with speeding. His speed had been clocked on a radar gun. He asked the prosecutor to disclose that part of the user manual for the radar gun that addressed testing and operating procedures. The prosecutor refused the request. The presiding justice of the peace ordered disclosure, but that order was later quashed by a Superior Court justice. The defendant appealed to the Court of Appeal.

[102] The appeal was allowed and the disclosure order of the justice of the peace reinstated on the basis that the manual, or at least the part of it that was in issue, was obviously relevant. In the view of the presiding panel, “by presenting the results obtained by a speed measuring device, the prosecutor is necessarily representing that those results are a reliable measure of vehicle speed. Evidence that has a logical tendency to cast doubt on that claim is therefore relevant.” (Para. 99).

[103] The court of appeal recognized a general principle at play, which it described as follows, as para. 116:

Information that plays a central role in the integrity of evidence gathered by a prosecutor in an investigation is obviously relevant and therefore subject to first party disclosure even though that information was not itself created, produced or located during the investigation.

[104] I am not sure that one could characterize the information contained in the software manual and the training materials as playing a central role in the integrity of any evidence gathered in the investigation of Mr. Hughes’ IP address. Having said that, the software obviously played a central role in the gathering of evidence. For that reason, I am persuaded that a manual that describes the operation and functionality of the software would be of use to defence counsel in his effort to gain an understanding of how his client came to the attention of law enforcement and what they did to obtain files from his computer.

[105] It must be said that having gone through a seven-day voir dire, which included extensive evidence on the operation and functionality of the Roundup suite of software and the ICACCOPS system generally, defence counsel must surely now have a solid working knowledge of the Torrential Downpour software, including what it does and how it does it. But I must be careful not to conflate relevance and redundancy at this stage of the analysis.

[106] I am of the view that the Torrential Downpour manual and the Torrential Downpour Receptor manual are obviously relevant and subject to first party disclosure. This finding remains, as I noted earlier, subject to a determination of the Crown’s assertion of privilege.

[107] I take a different view of the training materials. How officers may be trained on the software is not, in my view, obviously relevant to any live issue in the proceedings.

[108] The defence intends to challenge the admissibility of evidence gathered by the police on Charter grounds. The court scrutinizes conduct, not training, for constitutional compliance. See R. v. Clayton, 2007 SCC 32, [2007] 2 S.C.R. 725, at para. 51. See also R. v. R.W., 2018 ONSC 1806.

[109] Defence counsel argued that the training materials may disclose information about the Torrential Downpour software that DC Neller ought to have put in her ITO. That assertion is completely speculative and, in my view, has no air of reality.

[110] Defence counsel further argued that in order to know what actually happened in this case, we need to know what the investigator was taught to do. I disagree. What actually happened is reflected in the 49,000 pages of logs kept by Torrential Downpour, which have been produced. How Torrential Downpour and Torrential Downpour Receptor function, including how those logs are created, will presumedly be reflected in the manuals. How officers are trained to use the software will tell us nothing about what actually happened in this case.

[111] In summary, I find that of the records sought, only the manuals (including the changelogs) and the training materials are actually in the possession or control of the police. I conclude that the manuals are obviously relevant and form part of first party disclosure, subject to the Crown’s assertion of privilege. I come to a different conclusion about the training materials and find that they are not obviously relevant and do not form part of first party disclosure.

[112] Any records not forming part of first party disclosure must be assessed under the O’Connor third party records framework. I turn to that now.

(ii) Are the Subject Records Likely Relevant?

The Governing Principles

[113] As I noted earlier, the analytical framework for third party disclosure applications was established by the Supreme Court in O’Connor.

[114] The process to be followed on an O’Connor application begins with the issuance of a subpoena duces tecum and its service on a third party record holder. The accused then brings an application in writing and serves it on the prosecuting Crown, the person who is the subject of the records, the record holder and anyone else who may have a privacy interest in the record. See McNeil, para. 27 and Ontario (Provincial Police) v. Thunder Bay (City) Police Service, 2017 ONCA 722 at para. 113.

[115] The application then proceeds in two stages. This ruling addresses only the first stage.

[116] At the first stage, the applicant is required to establish that the records sought are “likely relevant” to the proceedings. In other words, that there is a “reasonable possibility” that the records contain information “logically probative to an issue at trial or the competence of a witness to testify”. See O’Connor, para. 22. To be clear, the phrase “issue at trial” includes evidence relating to the credibility or reliability of witnesses.

[117] The first stage threshold is not an onerous one. It is meant to weed out requests that are unlikely to be relevant or are otherwise speculative, fanciful, disruptive, or unmeritorious. The low threshold at stage one recognizes that the applicant has not seen the targeted records and therefore will not typically be in a position to demonstrate precisely how the records sought might be used at trial. See McNeil, para. 33.

[118] The likely relevance threshold is “designed to prevent fishing expeditions, but nothing more.” See Gubbins, para. 28.

Analysis

[119] I will consider the threshold test in relation to each record sought by the defence.

(a) ICACCOPS software.

[120] The subpoenas issued by the defence did not reference the ICACCOPS software. Mr. Hughes’ application did not seek disclosure of the ICACCOPS software. The request for disclosure of that software arose organically towards the end of the seven-day voir dire. In my view I do not have the jurisdiction to make any rulings with respect to ICACCOPS software.

[121] Even if I had jurisdiction to consider whether ICACCOPS software was likely relevant to these proceedings, I would be in no position to do so. The application, and the evidence adduced during the voir dire, were focused on the Roundup suite of software tools. I do not know what other software is use in the ICACCOPS system. I do not know, for instance, what software drives their portal or may otherwise have been engaged, in one way or another, in the identification of Mr. Hughes’ IP address and the provision of that address to DC Neller’s Torrential Downpour account.

(b) Operational Copies of Torrential Downpour and Torrential Downpour Receptor

[122] I have a similar jurisdictional concern with respect to operational copies of the Roundup suite of software. The OPP was served with a subpoena duces tecum, but as I have noted, they do not, in my view, possess or control the software. They have a license to utilize it through the ICACCOPS portal. The subpoena and the application were not served on the ICAC taskforce.

[123] Having said that, Detective Jim Goodyear participated in the proceedings and gave extensive evidence. He deposed by way of affidavit that he works hand-in-hand with the creator of the ICAC system. He assists with the maintenance and upkeep of the various systems and software that are used in the ICAC system. He said he is familiar with “the creation of the system, the use of the system, and the technical specifications and capabilities of the system.” I find that through his presence, ICAC was certainly aware of these proceedings and that their interests are more or less aligned with the position taken by the Crown. I am prepared to proceed on the basis that I have the jurisdiction to hear and determine the O’Connor application with respect to the Roundup suite of software despite the lack of formal service on ICAC.

[124] I heard extensive evidence about the functionality of Torrential Downpour Receptor and Torrential Downpour and how they were used, in particular, in the course of the investigation into Mr. Hughes’ IP address.

[125] These software tools played a central role in the initial phase of the investigation against Mr. Hughes as well as a central role in the grounds DC Neller relied on in the ITO filed in support of the application for a warrant to search Mr. Hughes’ residence. In these circumstances, I find that they meet the likely relevance bar.

[126] There are a number of issues yet to be resolved with respect to the request for disclosure of this software. They include:

(i) Whether this court has the jurisdiction to order disclosure of software arguably in the possession of U.S. law enforcement; (ii) Whether the Crown, or the OPP, has a sustainable claim of privilege over the Roundup suite of software; (iii) If the Crown is unable to establish a sustainable claim to privilege, then the court will go on to consider the true relevance of the software to the live issues in the proceedings as part of the second stage of the O’Connor application; and, (iv) Even if the software has true relevance, the court will have to assess the Crown’s assertion that it has already made meaningful disclosure of the software through a combination of the production of the records that document all of interactions Torrential Downpour had with any device at Mr. Hughes’ IP address and the offer to conduct a demonstration of the operation of the software under OPP supervision.

(c) Source codes.

[127] As I noted earlier, I am not sure what party has the source codes for Torrential Downpour and Torrential Downpour Receptor. I am confident that the party actually in possession and control of those codes was not served with a subpoena or Mr. Hughes’ disclosure application. In the result, I am not entirely persuaded that I have the jurisdiction to address the production of the source codes.

[128] Having said that, even if I have the jurisdiction to order production of the source codes, I am not satisfied that the likely relevance threshold has been made out in relation to them. I have not been offered an explanation as to why a granular dissection of the software used by investigative law enforcement is likely relevant to any live issue in this proceeding.

[129] For the purposes of this application, the relevance of the sought-after records was tethered to three general areas: (1) the integrity of the software – whether it performed properly; (2) whether the activity engaged in by the software infringed Mr. Hughes’ s. 8 Charter right; and (3) whether there is some information relating to the software and its functionality that might impact on the sufficiency of the grounds relied upon by DC Neller in the application to obtain the warrant to search Mr. Hughes’ residence.

[130] I will take a moment to consider each area of asserted likely relevance, beginning with the issue of the integrity of the software.

1. Integrity

[131] There was a significant amount of evidence tendered during the seven-day voir dire. None of that evidence would, as Watt J.A. said in Jackson, at para. 135, “imbue the claim of …malfunction or operator error with an air of reality.”

[132] Detective Goodyear testified that he was not aware of any malfunction issues with the Roundup suite of tools. He has done hundreds of investigations using the software and has never had a single case where the software identified an IP address that was not actually sharing child sexual abuse material on the network. I was not pointed to anything in the logs kept by Torrential Downpour of its interactions with Mr. Hughes’ alleged μTorrent account indicative of malfunction or error.

[133] Indeed, the results of the forensic analysis of the computer seized from Mr. Hughes’ bedroom appears to support the conclusion that the software functioned properly. DC Neller personally viewed the files downloaded from the defendant’s IP address by Torrential Downpour. She confirmed that they contained child pornography. The device seized from Mr. Hughes’ bedroom was found to contain an installed copy of μTorrent v. 3.5.5 as well as copies of the very files downloaded from a device at Mr. Hughes’ IP address by Torrential Downpour.

[134] There is, as I said, no air of reality to the suggestion that there was any problem with the functionality of the software.

2. The Alleged s. 8 Breach

[135] The s. 8 application is for another date. I have yet to hear arguments on it. I note, however, that applying the reasoning from R. v. Spencer, 2014 SCC 43, an IP address, on its own, does not trigger a reasonable expectation of privacy. Instead, s. 8 protection is triggered when the police take steps to connect the IP address to a name or address. See also R. v. Nguyen, 2017 ONSC 1341.

[136] There is no evidence that Torrential Downpour or Torrential Downpour Receptor did anything more than identify a suspect IP address and attempt to download publicly available files from that IP address. There is no evidence that they probed any of Mr. Hughes’ devices or that they left any sort of artifacts on those devices. Indeed, the evidence is to the contrary.

[137] In the result, I fail to appreciate how the source codes for Torrential Downpour and Torrential Downpour Receptor could be relevant to the s. 8 issue.

3. The Potential Garofoli [^3] Application

[138] Finally, I similarly fail to see how the source codes for the software could be of any relevance to any potential future Garofoli application.

[139] The role of a reviewing judge on a Garofoli application is a narrow one. He or she must decide, based on the record that was before the issuing justice, as amplified on review, whether the authorizing judge could have granted the warrant. In connection with that role, the reviewing justice must decide if any part of the information in the ITO is incorrect, misleading or unreliable. He or she must also decide if the affiant of the ITO made full and frank disclosure to the court.

[140] DC Neller does not have the source codes for the Roundup software. It could not be said, in the circumstances, to be material information that she was aware of but omitted from the ITO. In any event, I am hard-pressed to think of any circumstance in which it would be necessary for the affiant of an ITO to provide details of the source coding of software tools utilized in an investigation.

[141] I have not been persuaded that the source codes have the potential to undermine the content of the ITO in any way, by demonstrating that it was incorrect, misleading or unreliable.

[142] In the result, I am not satisfied that the likely relevance threshold has been met with respect to the source codes for Torrential Downpour and Torrential Downpour Receptor.

(d) Training materials

[143] Earlier I reached the conclusion that the training materials are not relevant. Although relevance and likely relevance are somewhat different concepts, I am not persuaded, for the reasons I expressed above, that the training materials are likely relevant to a live issue in these proceedings.

Summary

[144] I have concluded that the Torrential Downpour and Torrential Downpour Receptor manuals are part of first party disclosure on the basis that they are obviously relevant.

[145] I have concluded that operational copies of Torrential Downpour and Torrential Downpour Receptor are third party disclosure and that Mr. Hughes has met the initial threshold to establish the likely relevance of that software to the proceedings.

[146] The disclosure hearing with respect to the manuals and the Roundup software will proceed to the next stage of the hearing, which will involve the Crown’s assertion of privilege.

[147] The balance of the application is dismissed.

C. Boswell J. Released: April 7, 2022

[^1]: IP, or Internet Protocol, addresses are unique numerical labels assigned by Internet Service Providers to devices accessing the internet. They serve two purposes: identification and location addressing. IP addresses distinguish devices on the internet and thereby facilitate communication. Any device that transmits or receives internet traffic will be assigned an IP address. IP addresses are managed globally by the Internet Assigned Numbers Authority and by five regional internet registries. The registry for North America is known as ARIN (American Registry for Internet Numbers). ARIN is a publicly available source of information. If one has a known IP address, the organization it has been assigned to can be determined through ARIN. In this case, the IP address of interest to investigators was actually registered to Mr. Hughes’ mother, with whom he resided at the relevant times. [^2]: Maxmind is a geolocation service. It is a private company that provides information about where IP addresses are located geographically. ICACCOPS pays a license to incorporate Maxmind geolocation services into their devices. [^3]: R. v. Garofoli, [1990] 2 S.C.R. 1421. A Garofoli application is a defence-initiated review of the sufficiency of the evidentiary record that supported the granting of a judicial authorization or warrant. The goal is to exclude evidence the Crown seeks to tender at trial, on the basis that the evidence filed in support of the authorization or warrant failed to meet the standard required by s. 8 of the Charter. See R. v. Ontario (Provincial Police) v. Thunder Bay (City) Police Service, 2017 ONCA 722, at endnote 2.