ONTARIO COURT OF JUSTICE Toronto Region
DATE: 2025 06 05
COURT FILE No.: 4815 998 21 55001658
10 Armoury St., Toronto
B E T W E E N :
HIS MAJESTY THE KING
— AND —
SEAN DONE
Before Justice Joseph Callaghan
Reasons for Decision on s. 8 Charter application (Bykovets issue)
Released on June 5, 2025
B. Donohue......................................................................................... Counsel for the Crown
B. Bytensky.............................................................................................. Counsel for S. Done
J. Callaghan J.:
OVERVIEW
[1] Between January 5 and January 17, 2021, a [Kik][1] account that was ultimately linked to Mr. Done uploaded 17 video files containing images of child sexual abuse material (CSAM)[2].
[2] On February 17, 2021, the National Centre for Missing and Exploited Children ([NCMEC][3]), based in the United States, received a [CyberTipline][4] report from Kik, including the relevant Internet Protocol (IP) address[5], indicating that one of their users uploaded suspected child sexual abuse material to their account. Pursuant to American federal legislation[6], when an electronic service provider (ESP)[7] such as Kik obtains knowledge of any facts or circumstances relating to certain enumerated CSAM offences, they must provide a report to the CyberTipline, and that report may include the relevant IP address.
[3] Kik provided the necessary report to NCMEC and chose to include the suspect IP address in its report.
[4] Based on the location of the upload, which resolved to Canada, NCMEC sent the package of information to the National Child Exploitation Crime Centre (NCECC), a unit of the Royal Canadian Mounted Police (RCMP).
[5] Prior to receiving this report from NCMEC, police in Canada took no steps to seek out or obtain Mr. Done’s IP address. Indeed, they had no knowledge of any offence having been committed until they received the report. And after receiving the report of an alleged crime having been committed, police took no steps to use the IP address to obtain personal or core biographical information without obtaining prior judicial authorization.
[6] In addition, upon receipt of the IP address, nothing in the conduct of the RCMP or TPS investigators resulted in Mr. Done being deprived of the use of his IP address or access to the Internet.
[7] Once the IP address was received, an open-source check was conducted by the RCMP, and it was determined that the IP address resolved to Internet Service Provider (ISP) Bell Canada and in the municipal location of Toronto. After the RCMP confirmed with Bell that the relevant subscriber was indeed in Toronto and that the records had been preserved, the information that NCMEC had provided was forwarded to the Toronto Police Service (TPS) for investigation.
[8] Upon receipt of that IP address, Officer Vijay Shetty, the Officer-in-Charge of the Toronto investigation, conducted his own open-source check, again using a publicly available search engine, to confirm for himself that the IP address originated in Toronto.
[9] Officer Shetty also took the step of confirming that the suspect videos involved were indeed child sexual abuse material. With this information, he sought and obtained the necessary production order from Bell, to obtain the subscriber information of the user attached to the suspect IP address. Consequently, Officer Shetty learned that Mr. Done was the registered subscriber.
[10] The police then obtained a search warrant for Mr. Done’s home and devices, and on May 27, 2021, the police executed the search warrant. During that search, several devices belonging to Mr. Done were seized and subsequently analyzed.
[11] An examination of Mr. Done’s cellphone located a quantity of images and videos containing child sexual abuse material, as well as chats and other relevant information.
[12] As a judge in a busy jurisdiction, having conducted numerous related judicial pre-trials and trials, it is clear to me that the investigative steps followed in this case mirror the steps police take in many investigations leading to charges of accessing, distributing or possessing child pornography. The reported cases reflect this experience.[8]
[13] Following the release of the Supreme Court’s decision in [R. v. Bykovets][9], I allowed Mr. Done to re-open the trial after I had found him guilty[10] and he brought an application challenging the police conduct outlined above, which he asserted breached his section 8 Charter rights.
THE BYKOVETS ISSUE
[14] In Bykovets, the police undertook an investigation into fraudulent online purchases from a liquor store. As part of their investigation, the police contacted the third-party transaction processing company[11] that managed the store’s online sales and requested two IP addresses used for the purchases, without obtaining any prior judicial authorization. Police then obtained a production order in relation to those IP addresses compelling the ISP to disclose the subscriber information of the customer.
[15] Unlike when an IP address is used to access child sexual abuse material, there was no legislative framework that governed reporting requirements of an ISP in these circumstances.
[16] A majority of the Supreme Court in Bykovets held that a reasonable expectation of privacy existed in an IP address and that in the facts and circumstances of that case, s.8 of the Charter was violated due to the police failing to seek judicial authorization prior to requesting and obtaining the IP addresses. The majority in Bykovets made it clear that the context in which they assessed the alleged s. 8 breach was a request made by police for IP addresses.[12]
[17] Flowing from this decision, the main issue for me to decide is whether, in all the circumstances, the police conduct in receiving the complaint and confirming the relevant ISP and municipal location of the IP address, breached Mr. Done’s section 8 rights.
[18] For the reasons that follow, I conclude:
Mr. Done’s section 8 rights were not violated. The passive receipt by the RCMP of a report of an alleged crime from NCMEC was neither a search nor a seizure.
The communication of NCMEC to the RCMP, within the legislative framework in the United States and Canada that governs ISPs and their customers’ use of the Internet to access CSAM, is not the equivalent to the informal arrangement criticized by Justice Doherty in [R. v. Orlandis-Habsburgo][13].
Given the provisions of the [Mandatory Reporting Act][14], I find that the police actions in receiving the IP address from NCMEC and using it in the limited way that they did, was authorized by law.
Similarly, given the legislative context of the Mandatory Reporting Act and related Regulations[15], Mr. Done’s subjective reasonable expectation of privacy was not objectively reasonable.
Finally, even if I am wrong, and the actions of the RCMP and TPS in this case violated Mr. Done’s s. 8 Charter rights, the evidence of the video, images and related chats found on Mr. Done’s cellphone should not be excluded.
ANALYSIS
Legislative Framework (Context or Totality of the Circumstances)
[19] When assessing any claim of reasonable expectation of privacy, it has always been necessary to understand the context or the totality of circumstances in which a privacy claim is made to determine whether section 8 has been violated.[16]
[20] In the case at bar, unlike in Bykovets, the reasonable expectation of privacy claim occurred in the context of Mr. Done accessing images of child sexual abuse via the Internet, through services provided by an ISP (Bell).
[21] Since 2011, ISPs have been subject to strict reporting obligations under [An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service][17] (referred to as the Mandatory Reporting Act in these reasons) and related [Internet Child Pornography Reporting Regulations][18] (referred to as the Regulations in these reasons).
[22] The duties created by the Mandatory Reporting Act include the following:
Duty to report Internet address
2 If a person is advised, in the course of providing an Internet service to the public, of an Internet Protocol address or a Uniform Resource Locator where child pornography may be available to the public, the person must report that address or Uniform Resource Locator to the organization designated by the regulations, as soon as feasible and in accordance with the regulations.
Duty to notify police officer
3 If a person who provides an Internet service to the public has reasonable grounds to believe that their Internet service is being or has been used to commit a child pornography offence, the person must notify an officer, constable or other person employed for the preservation and maintenance of the public peace of that fact, as soon as feasible and in accordance with the regulations.
Preservation of computer data
4 (1) A person who makes a notification under section 3 must preserve all computer data related to the notification that is in their possession or control for 21 days after the day on which the notification is made.
Destruction of preserved computer data
(2) The person must destroy the computer data that would not be retained in the ordinary course of business and any document that is prepared for the purpose of preserving computer data under subsection (1) as soon as feasible after the expiry of the 21-day period, unless the person is required to preserve the computer data by a judicial order made under any other Act of Parliament or the legislature of a province.
No disclosure
5 A person must not disclose that they have made a report under section 2 or a notification under section 3, or disclose the contents of a report or notification, if the disclosure could prejudice a criminal investigation, whether or not a criminal investigation has begun.
[23] The Mandatory Reporting Act provides civil protection to ISPs who make their reports in good faith[19]. In addition, reports made under the laws of a foreign jurisdiction are deemed to have complied with section 2 of this Act[20].
[24] The similar American act[21] that governed at the relevant time required ISPs who obtain actual knowledge of any facts or circumstances relating to certain enumerated CSAM offences to provide a report to the CyberTipline. The content of that report had specific legislated requirements but gave the ISP discretion to include the suspect IP address[22]. In this case, Kik, a private, third-party company, voluntarily provided the relevant IP address to the designated American recipient organization (NCMEC), who then, per statute, forwarded that information to the designated organization in Canada (NCECC, an arm of the RCMP).
[25] When understanding the legal framework in which to assess the claim of reasonable expectation of privacy, it is also important to consider the Regulations flowing from the Mandatory Reporting Act:
Online Internet address reporting system
3 The designated organization must, for the purpose of receiving reports of Internet addresses under section 2 of the Act, maintain a secure online system that
(a) assigns each service provider a unique identifier for the purpose of making reports;
(b) allows a service provider to report only Internet addresses; and
(c) issues to a service provider, for each report they make, a receipt that indicates the incident number assigned to the report, the service provider’s name and unique identifier and the date and time of the report.
Analysis and communication of findings
4 As soon as feasible after receiving a report under section 2 of the Act, the designated organization must determine whether any material found at the reported Internet address appears to constitute child pornography and, if so,
(a) determine, if possible, the geographic location of the server that the reported Internet address points to and the geographic location of the server hosting the material that appears to constitute child pornography; and
(b) make available to every appropriate Canadian law enforcement agency by secure means
(i) the reported Internet address,
(ii) a description of any geographic location that the designated organization was able to determine under paragraph (a), and
(iii) any other information in the designated organization’s possession that might assist the agency’s investigation.
Retention of records
5 For each report received in accordance with section 2 of the Act, the designated organization must retain the reported Internet address and a copy of the receipt issued under paragraph 3(c) for two years after the day on which the report is received.
Security measures
6 The designated organization must take measures to
(a) ensure its continued ability to discharge its role, functions and activities under the Act, including measures relating to the protection of its physical facilities and technical infrastructure, risk prevention and mitigation, emergency management and service resumption;
(b) protect from unauthorized access any information obtained or generated by the designated organization in the course of discharging its role, functions or activities under the Act; and
(c) ensure that its personnel are capable of fulfilling their duties in the discharge of the designated organization’s role, functions and activities under the Act, including measures relating to their selection and training.
Notification of Ministers
7 The designated organization must notify the Minister of Justice and the Minister of Public Safety and Emergency Preparedness within 24 hours of becoming aware of any incident that jeopardizes the designated organization’s ability to discharge its role, functions or activities under the Act.
Method of reporting
10 For the purpose of section 2 of the Act, an Internet address must be reported by a service provider using the online system referred to in section 3.
Form and content of notification
11 For the purpose of section 3 of the Act, a notification from a service provider must be in writing and must include the following information:
(a) the child pornography offence that the service provider has reasonable grounds to believe is being or has been committed using their Internet service;
(b) a description of the material that appears to constitute child pornography, including its format;
(c) the circumstances under which the service provider discovered the alleged offence, including the date and time of discovery;
(d) a description of any other evidence relating to the alleged offence in the possession or control of the service provider; and
(e) contact information of the service provider’s representative for the purpose of investigating the matter.
[26] There are additional provisions in the Regulations that require ISPs to submit an annual report to the federal government on the discharge of its duties under the Mandatory Reporting Act, a data preservation provision, as well a requirement to notify the federal government within 24 hours of becoming aware of any incident that jeopardizes an ISP’s ability to discharge its obligations under the Act.[23]
[27] These provisions, contained in the Act and related Regulations, make clear Parliament’s intention to regulate the use of the Internet, including IP addresses used to distribute or access child sexual abuse material.[24]
Applicable legal principles: Section 8 of the Charter
[28] The Supreme Court in [R. v. Campbell][25], has recently summarized the applicable legal principles a court must consider when assessing a claim of a section 8 Charter breach:
Section 8 of the Charter guarantees that "[e]veryone has the right to be secure against unreasonable search or seizure." The main purpose of s. 8 is to protect the right to privacy from unjustified state intrusion (Hunter v. Southam Inc., 1984, at p. 160; R. v. Plant, 1993, at p. 291; Bykovets, at para. 29).
The right to privacy is foundational to a free and democratic society. It is essential to "individual dignity, autonomy, and personal growth" (Bykovets, at para. 29; see also Plant, at p. 292; R. v. Jones, 2017, at para. 38), and to "the relationship between the state and the citizen" (R. v. Tessling, 2004, at para. 12). In an oft-quoted passage in R. v. Dyment, 1988, at pp. 427-28, La Forest J. wrote that "[t]he restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state." A similar sentiment was echoed by Binnie J. in Tessling, who observed that "[f]ew things are as important to our way of life as the amount of power allowed the police to invade the homes, privacy and even the bodily integrity of members of Canadian society without judicial authorization" (para. 13).
A central preoccupation of this Court's s. 8 jurisprudence has been to balance the often competing aims of personal privacy and the public interest. This quest for balance reflects the constitutional imperative in s. 8 itself, which, expressed negatively, protects against an unreasonable search and seizure or, expressed positively, safeguards only a reasonable expectation of privacy (Hunter, at p. 159). In Hunter, Dickson J., as he then was, explained that s. 8 requires "an assessment ... as to whether in a particular situation the public's interest in being left alone by government must give way to the government's interest in intruding on the individual's privacy in order to advance its goals, notably those of law enforcement" (pp. 159-60). In Tessling, Binnie J. added that "[t]he community wants privacy but it also insists on protection. Safety, security and the suppression of crime are legitimate countervailing concerns" (para. 17; see also Plant, at pp. 291-92).
Section 8 of the Charter is engaged where a person has a "reasonable privacy interest in the object or subject matter of the state action and the information to which it gives access" (Marakah, at para. 10, quoting Cole, at para. 34). A claimant seeking standing to argue that their rights under s. 8 were infringed must show that they subjectively expected the subject matter of the search would remain private, and that their expectation was objectively reasonable having regard to "the totality of the circumstances" (Marakah, at para. 10, quoting R. v. Edwards, 1996, at paras. 31 and 45; see also Spencer, at paras. 17-18; Jones, at para. 13). In making this evaluation, courts are guided by four lines of inquiry: (1) the subject matter of the alleged search; (2) whether the claimant had a direct interest in the subject matter; (3) whether the claimant had a subjective expectation of privacy in the subject matter; and (4) whether the claimant's subjective expectation of privacy was objectively reasonable (Marakah, at para. 11; Cole, at para. 40; Spencer, at para. 18; Bykovets, at para. 31).
Did the police conduct amount to a search or seizure?
[29] The first issue I must decide is whether the police conduct, prior to seeking judicial authorization, amounted to a search or seizure.
Position of the Applicant
[30] On behalf of Mr. Done, Mr. Bytensky argued that the receipt of the IP address by the police in this case constituted a search, despite the police obtaining that information without a request. In his view, pursuant to Bykovets, the police breached Mr. Done’s section 8 rights by not obtaining judicial authorization prior to using the IP address in any way, including their efforts to determine which service provider was the record holder and the relevant municipal location of the IP address.
[31] Mr. Bytensky further argued that where an IP address is provided pursuant to a formal or even an informal arrangement for cooperation between police and a third party, there is a requirement for prior judicial authorization for the police to be able to use the IP address in their investigation. Mr. Bytensky argued that the unrequested receipt an IP address from the NCMEC cannot be treated as the passive receipt of information. Rather, he submitted that this Court should find the relationship between NCMEC and the RCMP to be akin to that which existed between the public electrical utility and the police in Orlandis-Habsburgo.
[32] Finally, Mr. Bytensky argued that even if no search took place, the police decision to receive and review the suspect IP address, without prior judicial authorization, amounted to a seizure.
Position of the Respondent
[33] Ms. Donohue, on behalf of the Crown, argued that there was no search involved in this case. In particular, she argued that in receiving the relevant IP address, no search took place. The police never made a request; rather they passively received the IP address indirectly from a private third-party organization located in the United States, where the Charter has no application.
[34] The police received a report, akin to a complaint filed with the police alleging the commission of a crime. Ms. Donohue argued that police were entitled to use the information provided in the report, including the IP address, in the next step of their investigation (confirming the relevant ISP and municipal location), without prior judicial authorization.
[35] The Crown also submitted that any comparison to the situation in Orlandis-Habsburgo ignores the fact that the RCMP took no steps to direct the NCMEC or make any requests. Indeed, there is no evidence in this case that the NCMEC would cooperate even if the RCMP made a request. It also ignores the fact that there is a clear legislative scheme in the United States and Canada governing the reporting obligations of ISPs.
[36] Ms. Donohue disputed the characterization of the police receipt and use of the suspect IP address as a seizure for purposes of section 8.
[37] Even if the Court finds that the police passive receipt and subsequent use of the IP address provided by NCMEC constituted a search, Ms. Donohue argued that there can be no reasonable expectation of privacy in an IP address used to access child sexual abuse material where the law explicitly requires ISPs to make a report to the police when they become aware that an IP address is connected to an offence involving such material.
The receipt of the IP address from NCMEC did not amount to a search
[38] In this case, there were no positive investigative steps taken by the police to obtain Mr. Done’s IP address. On the contrary, the police merely passively received an IP address from a private third-party organization in the United States (NCMEC), that had received the IP address from a private company (Kik). This is an important distinction.
[39] The comments made by the majority in Bykovets must be interpreted in light of the facts that were before the Supreme Court and the specific finding the majority made, that "the request by the state for an IP address is a search under s. 8 of the Charter”.[26] It was the request by police that made obtaining the two IP addresses in that case constitutionally objectionable.
[40] Since Bykovets, a number of cases have considered whether or not the passive receipt of an IP address from NCMEC or a similar foreign organization[27] amounts to a search. In [R. v. Cofell][28], Justice Vermette, in providing a helpful summary of these cases, noted:
…in most of the cases, the reasoning of the majority in Bykovets was found not to apply to situations where the police did not make a request to obtain an IP address and was voluntarily provided with an IP address by a third party.”
[41] Three additional cases not considered by Justice Vermette, involving almost identical scenarios to the case at bar, are consistent with her conclusion. The decisions in [R. v. Brazeau][29], [R. v. Hillier][30], and [R. v. Miller][31] all distinguished the Bykovets decision and concluded that the passive receipt by police of an IP address forwarded by the NCMEC to the RCMP does not constitute a search.[32]
[42] Similar to Justice Griffin in Miller, I am in complete agreement with Justice Darroch’s conclusion in Brazeau[33]:
The passive receipt of this information is not a search and therefore not subject to the constitutional protection against unreasonable state intrusions to those individuals who have a reasonable expectation of privacy over the subject matter of a search.
[43] To be clear, in Mr. Done’s case, the receiving of the CyberTipline report by Canadian police did not constitute a search or seizure for the purpose of section 8 of the Charter. Further, as Justice Griffin noted in Miller[34]:
[N]o Canadian Police Agency was involved in creating the CyberTipline Report as it was provided by the NCMEC by an American non-profit corporation incorporated under laws of the District of Columbia whose mission it is to reduce child exploitation and prevent child victimization and as such, they are not even subject to the Canadian Charter of Rights and Freedoms.
Application of R. v. Orlandis-Habsburgo
[44] In arguing that the practice of information sharing from NCMEC to the RCMP cannot be treated as the passive receipt of information, Counsel for Mr. Done analogized this information sharing to the arrangement that had been in place between a public electrical utility and the police in Orlandis-Habsburgo.
[45] In that case, the Court of Appeal was critical of the informal arrangement the police had established with the local power authority, in which the power authority would review customers’ electricity usage records and forward a “high consumption list” of users to the police, without prior judicial authorization.
[46] Significantly, however, Justice Doherty took great care to limit the application of the Court’s decision in Orlandis-Habsburgo[35]:
I have considerable difficulty with the submission that s. 8 is engaged if the police look at information in which an accused has a legitimate privacy interest, even if that information is brought to the police by an independent third party acting on its own initiative. On that approach, s. 8 would be engaged if a "whistleblower" took confidential documents belonging to her employer to the police to demonstrate the employer's criminal activity. Must the police refuse to look at the documents to avoid violating the employer's s. 8 rights? As Duarte teaches, it is one thing to say that Canadian values dictate that the state's power to decide when and how it will intrude upon personal privacy must be carefully circumscribed, and quite another to say that an individual's private information is cloaked in the protection of s. 8 no matter how that information comes to the police.
I need not decide whether the appellants' s. 8 rights would be implicated if Horizon, acting on its own initiative, volunteered the energy consumption data to the police. The evidence establishes that the police and Horizon were acting together. They had a mutual interest in finding marihuana grow operations. Those operations were not only criminal, but also posed a significant fire hazard and a threat to Horizon's legitimate interests. Personnel at Horizon and the police developed an informal arrangement whereby Horizon would share energy consumption records with the police on an ongoing basis. Horizon or the police might initiate the request to share the information if either had reason to believe that a customer of Horizon was operating a marihuana grow-op at a particular location. Often when Horizon provided the initial information, the police would request additional data. Horizon always complied.
Given the arrangement between Horizon and the police, the s. 8 analysis in this case should not depend on whether it was Horizon or the police who initiated the contact that led to the police obtaining the appellants' energy consumption data from Horizon. I think it is a fair reflection of the relationship between Horizon and the police to treat the police investigation in this case as beginning when Mr. Franco observed the suspicious pattern of energy consumption at the appellants' residence and forwarded the data to the police.
[47] In my view, the police/third party relationship in Orlandis-Habsburgo is not analogous to the circumstances in the case at bar, nor to the reported cases where Canadian police receive information, including an IP address, from NCMEC or their British counterpart.
[48] NCMEC, the private American organization that collects and forwards tips related to child sexual abuse material on the Internet and other offences, does not seek out information at the request of Canadian authorities. On the contrary, the relationship exclusively involves NCMEC forwarding information gathered about potential criminal activity collected by operation of American law.[36] There is no evidence that Canadian authorities made any requests of NCMEC or directed them in any way. In addition, there is no evidence that the American, not-for-profit organization would even comply with such requests or direction.
[49] Unlike in Orlandis-Habsburgo, there is simply no evidence that the police in this case, whether that be the RCMP or the TPS, had any special arrangement with or influence on NCMEC. Rather, it is clear to me that the Canadian authorities simply received a tip from an American organization acting independently.
[50] Finally, the information gathering and sharing by NCMEC is authorized by American law and recognized by Canadian law[37]. As noted earlier, similar Canadian legislation not only authorizes ISPs to share information with the police, it requires ISPs to file a report and, in certain circumstances[38], provide a suspect IP address to the police. No such legislation or legal authorization allowed the information sharing engaged in by the police and the private power utility in Orlandis-Habsburgo.
[51] The circumstances in the case at bar are a far cry from the nudge-nudge, wink-wink, extra-judicial arrangement Justice Doherty rightly criticized in Orlandis-Habsburgo.
Steps taken by police to use the IP address to confirm the existence of records with the relevant ISP did not breach s. 8
[52] In this case, after receiving the suspect IP address from NCMEC, both the RCMP and the TPS used an open-source website to geo-locate where in the country the IP address was located. This website also provided the name of the relevant ISP[39]. Once it was determined that Bell was the ISP, the police confirmed with Bell that they had the relevant records.
[53] Counsel for Mr. Done argued that by taking these steps, police breached Mr. Done’s s. 8 rights. With respect, I do not read paragraphs 41 and 42 of Bykovets[40] to require police to obtain prior judicial authorization to merely determine in which city the IP address was located and with which service provider the IP address was connected.
[54] Obtaining this type of information did not provide the police with any of the details that concerned the Supreme Court in Bykovets, for example, core biographical information about Mr. Done or any details of Mr. Done’s specific and personal online activity. However, knowing the ISP and location of the IP address, and confirming the existence of the ISP’s records, was a necessary step for the police to take the next step and obtain a production order.
[55] Section 487.014(2)(b) of the Criminal Code requires a justice issuing a production order to have grounds to believe that the document is in the possession or control of the person that will receive the production order. To obtain a production order for subscriber information relating to IP addresses, officers first must confirm whether the ISP has such records and would preserve those records for a sufficient period that they could be requested via production order.
[56] Analogous to this situation are the circumstances in [R. v. Dersch][41], where the Supreme Court indicated that hospitals could release neutral medical information, such as confirmation of the presence of a patient in the hospital, to the police without warrant.
[57] This was expanded upon in [R. v. Lillico][42], where the court held that disclosure of general information by confirming only that a particular cheque was deposited into the customer’s account was not an infringement of the privacy of the individual so as to attract the protection of s.8 of the Charter.
[58] This principle was recently affirmed in [R. v. Bhogal][43] in the context of bank records, where the court held:
Consumers reasonably expect that banks will not disclose a customer's transactions to others, without proper authorization. In some cases, police might call a bank to confirm that they have records pertaining to a particular person or corporation. This is sometimes necessary in order to obtain a production order. The police must be able to establish that the institution possesses the records of interest. In that instance, the bank is merely confirming that a particular individual or agency banks at the institution. This is akin to asking whether a person is a patient at a hospital. In R. v. Dersch, 1993, it was held that such inquiry, without more, did not engage s. 8 of the Charter.
[59] Accordingly, I find that the actions of the police, once they had received the IP address from NCMEC, did not breach Mr. Done’s s. 8 rights. Indeed, the police took no steps that could breach Mr. Done’s privacy without seeking prior judicial authorization. In seeking and obtaining a production order for Bell subscriber records, the police fairly disclosed to the authorizing justice the process through which they had obtained the IP address.
The receipt and use of the IP address did not amount to a seizure for purposes of section 8
[60] While I accept that police can convert something that is given to them by a third party into a seizure, that something is generally an object such as a computer or a telephone, not simply information contained in a tip or a report of an alleged crime.
[61] In [R. v. Lambert][44], the accused’s wife turned over her husband’s computers to the police after finding images of child sexual abuse. Once these computers were turned over, police took active steps to assert control over them, by lodging and securing them in police custody, thereby preventing Mr. Lambert from having access.
[62] In overturning the trial judge’s finding that the police conduct did not amount to a seizure for s. 8 purposes, Paciocco J.A. concluded[45]:
I am persuaded that state action occurred and resulted in a seizure when the police accepted the computers and took control over them to the exclusion of Mr. Lambert, thereby impeding his reasonable expectation of privacy.
…In my view, consistent with the definition of “seizure” embraced by the Supreme Court of Canada, the term “seizure must embrace any investigative conduct by the police in which they take control of a thing, to the exclusion of a person holding a reasonable expectation of privacy in a thing.
[63] Paciocco J.A., however, went on to confirm that information, unlike a thing such as a computer, should not be treated the same way[46]:
…[I]ndividuals do not have a reasonable expectation of privacy in the knowledge that others have: see R. v. Molyneaux 2020 PECA 2, at para. 51. Individuals with relevant information about criminal conduct are free to communicate this information to the police, without s. 8 being engaged.
It also appears to be settled that a Charter claimant cannot reasonably expect that a person they share an expectation of privacy with will not disclose information they discover to the police, including after discovering it on an electronic device: R. v. Gomboc 2010 SCC 55, at para. 41; Cole, at para. 73. In this case, had Ms. Lecompte only described what she had seen on the computers instead of handing the computers over, s. 8 would not have been engaged regardless of how extensive the information she provided was.
[64] Accordingly, it is clear to me that no seizure took place in the case at bar. The police receiving a report from NCMEC, which is merely an electronic complaint or tip containing information, is not analogous to the police holding a computer or telephone, to the exclusion of an accused.
[65] In the present case, the police actions in receiving and reviewing the report from NCMEC, and in taking their preliminary steps to identify the ISP and location of the IP address, had no impact on Mr. Done. There was no interference with Mr. Done’s right to privacy. He was not prevented from using the Internet and accessing his personal files while the police continued their investigation.
If police conduct amounted to a search or seizure, it was authorized by law
[66] If I am wrong and the police conduct in this case resulted in a search or a seizure, I find that the police receipt of the report provided by NCMEC was authorized by law.
[67] State intrusion into an accused’s privacy interest will only be reasonable when it was authorized by law, the authorizing law was itself reasonable and the execution of the search was itself reasonable.[47]
[68] In this case, there was no challenge to the constitutionality of the Mandatory Reporting Act, so I will focus on the other two elements.
[69] Section 9 of the Mandatory Reporting Act reads as follows:
Provincial or foreign jurisdiction
A person who has reported information in compliance with an obligation to report child pornography under the laws of a province or a foreign jurisdiction is deemed to have complied with section 2 of this Act in relation to that information.
[70] In my view, this section clearly contemplates the police receiving reports from foreign jurisdictions. Indeed, this is a common scenario in CSAM investigations. Section 9 treats reports made pursuant to foreign laws, such as the American federal law[48] that created reporting duties for ISPs, the same as reports made pursuant to the Mandatory Reporting Act.
[71] The RCMP, and then the TPS, were therefore authorized by the Mandatory Reporting Act to both receive and act upon the report they received from NCMEC.
[72] And consistent with the Supreme Court’s decision in Spencer, the police in this case took no steps to intrude into Mr. Done’s privacy without prior judicial authorization. After confirming the service provider and municipal location of the suspect IP address, they obtained a production order to obtain subscriber information for the person attached to the IP address. Once received, the police used that subscriber information as part of the materials used to obtain a search warrant for Mr. Done’s home and devices.
[73] There was nothing in the manner of how the police received and then used the IP address that was unreasonable.
No reasonable expectation of privacy in an IP address in the circumstances of this case
[74] If I am wrong and the police conduct in this case resulted in a search or a seizure, and was not authorized by law, I find that Mr. Done’s reasonable expectation of privacy in the IP address used to access images of child sexual abuse was so reduced, section 8 would not be engaged.
[75] In most contexts, and for the reasons articulated by the Supreme Court of Canada in Bykovets, an Internet user has a reasonable expectation of privacy in an IP address. However, given the legislative context created by the Mandatory Reporting Act and related Regulations, I find that Mr. Done’s subjective reasonable expectation of privacy was not objectively reasonable.[49]
[76] As is evident from the mandatory reporting obligations and related responsibilities created by the Mandatory Reporting Act and its Regulations, Parliament has chosen to specifically regulate ISPs and therefore IP addresses through which the Internet is accessed, when an IP address is used to make child sexual abuse material available or commit a related CSAM offence.
[77] Given this unique legal framework, it is reasonable to conclude that a person using their IP address to distribute or access images of child sexual abuse has a much-reduced expectation of privacy than an Internet user in any other context.
[78] In addition, the societal interest in protecting vulnerable children from exploitation carried out using the Internet further reduced any expectation of privacy.[50]
[79] To be clear, it is not the subject matter itself (CSAM or related offences) that leads to a conclusion that Mr. Done’s subjective expectation of privacy was not objectively reasonable[51]. Rather, I find that the legislative context that requires ISPs to notify the designated authorities when child sexual abuse material is made available on the Internet or when an IP address has been used to commit a CSAM-related offence, which makes Mr. Done’s subjective expectation of privacy objectively unreasonable. How could Mr. Done have reasonably expected his IP address, with which he accessed and shared child sexual abuse material, to remain private when the law required ISPs to disclose such activity if discovered?[52]
[80] Given the legislative context in both Canada and the United States, I find that someone who engages in such access or distribution, when viewed objectively, would appreciate the risks of detection. Indeed, the communications that were recovered from Mr. Done’s phone demonstrate a real understanding by Mr. Done of the risks he faced of being identified when accessing child sexual abuse material on the Internet.[53]
Not bound by horizontal stare decisis
[81] There currently is an absence of binding appellate authority that deals with the issues in this application. There is also a series of conflicting trial level decisions, with most decisions favouring the position I have taken that the unrequested receipt by the RCMP of a complaint or report from NCMEC is not a search.
[82] The decision of Justice Schreck in [R. v. Asantarajah][54] lacks an analysis of the legislative context when the issue of reasonable expectation of privacy was considered. Additionally, the reasons do not address whether the police actions were authorized by law within the governing legislative framework. I therefore conclude that I am not bound by this trial level decision, per [R. v. Sullivan][55].
Section 24(2) Charter analysis in the alternative
[83] In all the circumstances, I find that Mr. Done’s section 8 Charter rights were not infringed; however, if I am incorrect, I would not exclude the evidence pursuant to s. 24(2) of the Charter.
Seriousness of Charter-infringing conduct
[84] In my view, this breach would not tip the scale in my previous Charter analysis[56] to the point where the evidence should be excluded.
[85] Clearly, the police did not have the benefit of the guidance from the Supreme Court in Bykovets when they conducted the investigation in this case. It is not contested that the police in this matter would have taken the necessary steps to obtain a production order to allow them to use the IP address, had that been the law at the time. Therefore, this breach is at the very low end of the spectrum and Counsel for Mr. Done has fairly conceded that it should have no impact on my previous analysis under the first branch of Grant.
Impact of the breach on Mr. Done’s Charter-protected rights
[86] The impact on Mr. Done’s Charter-protected privacy interests is attenuated by the fact that Mr. Done, a person who accessed and shared child sexual abuse material on the Internet, would have a substantially diminished expectation of privacy, given the legislative context I have previously outlined.
[87] In addition, if the police breached Mr. Done’s s. 8 rights by viewing the IP address and using it to determine the relevant IP address and municipal location without prior judicial authorization, this was remedied by the police when they obtained a production order for subscriber information. In their information to obtain the production order, they disclosed to the authorizing justice how they obtained the IP address. This further limits the impact of such a breach on Mr. Done’s s. 8 rights.
[88] Although this factor continues to favour exclusion per my previous analysis, this additional breach does not tip the scale towards ultimate exclusion, when balanced against society’s interests in the completion of this trial, including sentencing.
Society’s interest in the adjudication of the case on its merits
[89] The offence against Mr. Done is very serious. The Court of Appeal has repeatedly stressed the gravity of child pornography offences, most recently in [R. v Pike][57]. The Supreme Court in [R. v. Friesen][58] made it clear that sexual offences against children are violent crimes that wrongfully exploit children's vulnerability and cause profound harm to children, families, and communities.
[90] Online distribution of films or images depicting sexual violence against a child repeats the original sexual violence since the child must live with the knowledge that others may be accessing the films or images, which may resurface in the child's life at any time.[59]
Balancing
[91] When balancing the Grant factors, I find that the admission of the evidence of the video and images of child sexual abuse and related chats found on Mr. Done’s cellphone would better serve the truth-seeking function of the criminal trial process and society’s interest in the adjudication of the case on its merits. Society’s interests include having an accused person who has been found guilty appropriately sentenced.
Application dismissed
[92] Accordingly, Mr. Done’s Charter application is dismissed.
Procedural History[60]
[93] Before concluding my reasons, I wish to outline the procedural history in this matter:
On February 8, 2023, I dismissed Mr. Done’s previous application alleging breaches of sections 7, 8 and 10(b) of the Charter.
On May 29, 2023, I found Mr. Done guilty of accessing child pornography contrary to s. 163.1(4.1) of the Criminal Code.
Following his conviction, I heard an application to stay Mr. Done’s charges pursuant to s. 11(b) of the Charter. That application was dismissed on October 4, 2023.
On May 30, 2024, and June 3, 2024, I heard sentencing submissions. Following the release of the Ontario Court of Appeal’s decision in Pike, I heard additional sentencing submissions on August 20, 2024.
Also on August 20, 2024, Counsel for Mr. Done indicated that he was likely to bring an application to re-open the trial to argue a section 8 Charter application based on the Supreme Court’s decision in Bykovets. On September 17, 2024, Counsel for Mr. Done confirmed that he would bring this application.
On November 25, 2024, I allowed the application to re-open[61] and then heard submissions on the section 8 Charter application. At that time, the evidentiary record was incomplete, and the matter was adjourned to continue arguments on January 9, 2025.
On January 9, 2025, arguments on the section 8 Charter application were adjourned at the request of counsel to await the release of two anticipated Superior Court decisions on the Bykovets issue.
On January 24, 2025, the evidentiary record was completed, and further arguments were heard.
Following the release of Asantarajah, on March 3, 2025, I heard further submissions on April 10, 2025. The matter was then adjourned to June 5, 2025, for a decision on the section 8 Charter application as well as judgment on sentencing, should I dismiss the Charter application.
[94] Finally, I wish to commend Mr. Bytensky and Ms. Donohue for their excellent advocacy in this matter. I am grateful for their professionalism and dedication.
Released: June 5, 2025
Justice Joseph Callaghan
Footnotes
[1]: Kik Interactive Inc. is a private company that operated a freeware instant messaging mobile application.
[2]: When possible, I have used the preferred terminology “child sexual abuse material” or “CSAM” in these reasons, that more accurately reflects the nature of “child pornography”.
[3]: The NCMEC is a private American non-profit organization whose mission is to help find missing children, reduce child sexual exploitation, and prevent child victimization. NCMEC is not a law enforcement agency. It serves as the U.S. clearinghouse for families, victims, private industry, law enforcement, and other professionals on information and programs related to missing and exploited children’s issues.
[4]: The CyberTipline was created by NCMEC to allow persons to report online (and via toll-free telephone) the enticement of children for sexual acts, child sexual molestation, child pornography, child sex tourism, child sex trafficking, unsolicited obscene materials sent to a child, misleading domain names, misleading words or digital images on the Internet. The majority of CyberTipline reports NCMEC receives relate to apparent child pornography and are from electronic service providers (“ESPs”).
[5]: Internet Protocol (IP) address is also known as an "IP number". When a subscriber of an Internet Provider logs onto the Internet using a computer, their Internet Service Provider assigns them an IP address. This number is specific to that computer.
[6]: Title 18, USC § 2258A
[7]: Usually referred to as an Internet Service Provider (ISP) in Canada
[8]: See for example R. v. Leger, 2024 NBKB 72; R. v. Brazeau, 2024 ONCJ 611; R. v. Prys, 2024 ABCJ 166; R. v. Pengelly, 2024 SKKB 192; R. v. Miller (unreported, January 22, 2025 – OCJ - G. Griffin J); R. v. A.K., 2022 AJ No. 9141; R. v. Daniels, 2024 ONSC 344; and R. v. Asantarajah, 2025 ONSC 1377; R. v. Hillier, 2024 NJ No. 263
[9]: 2024 SCC 6
[10]: See the Procedural History section at the conclusion of these reasons.
[11]: Moneris
[12]: See Bykovets, at paras. 14, 30 & 92
[13]: 2017 ONCA 649
[14]: An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service [S.C. 2011, c.4]
[15]: Internet Child Pornography Reporting Regulations [SOR/2011-292]
[16]: See R. v. Spencer, 2014 SCC 43, at paras. 17-18, 54; R. v. Gomboc, 2010 SCC 55, at paras. 27-34; R. v. Cofell, 2024 ONSC 7151, at para. 159; and R. v. Z.E., 2025 ONSC 675, at para. 39
[17]: S.C. 2011, c.4; amended 2024, c. 23: “child pornography” now reads “child sexual abuse and exploitation material”
[18]: SOR/2011-292
[19]: Section 7 of the Mandatory Reporting Act
[20]: Section 9 of the Mandatory Reporting Act
[21]: Title 18, USC § 2258A
[22]: See the Affidavit of Heather Girton
[23]: Sections 7, 12 & 9 of the Regulations
[24]: In Spencer, the Supreme Court undertook a lengthy analysis of PIPEDA, and the privacy policy contained in the relevant ISP contract in that case; however, it appears that the relevance of the Mandatory Reporting Act (and related Regulations) was neither argued nor considered.
[25]: 2024 SCC 42, at paras. 36-39
[26]: See the majority reasons in Bykovets at para. 92, and the minority reasons at para. 135; See also R. v. Cofell, 2024 ONSC 7151 (Vermette J.), at para. 107
[27]: United Kingdom National Crime Agency ("UK NCA") – See R. v. Leger, 2024 NBBR 72
[28]: 2024 ONSC 7151, at paras. 108-117
[29]: 2024 ONCJ 611 (Darroch, J.)
[30]: 2024 NJ No. 263 (Brown, J.)
[31]: Unreported, OCJ - January 22, 2025 (G. J. Griffin, J.)
[32]: In R. v. Daniels, 2024 ONSC 344, Justice Dineen declined to decide the issue.
[33]: See para. 19
[34]: At page 17
[35]: See paras. 34-36 [emphasis added]
[36]: See R. v. Daniels, 2024 ONSC 344 (Dineen J.), at para. 19
[37]: See section 9 of the Mandatory Reporting Act
[38]: See s. 2 of the Mandatory Reporting Act
[39]: When one types in the IP address into the open-source application, the municipal location and the name of the ISP are obtained.
[40]: See Daniels, at para. 20. I note that in Daniels, the police took the additional step of seeking information through an MLAT prior to seeking judicial authorization. No such step was taken in the case at bar.
[41]:, [1993] 3 S.C.R. 768 at para. 23
[42]: [1999] O.J. No. 95 (ONCA), affirming, [1994] O.J. No. 4521 at para. 13
[43]: 2020 ONSC 7327, at para. 53-54
[44]: 2023 ONCA 689
[45]: See Lambert, at paras. 66-74 [emphasis added]
[46]: See Lambert, at paras. 58-59 [emphasis added]
[47]: See R. v. Cole, 2012 SCC 53, at paras. 34-37; Spencer, at para. 68; El-Azrak, 2023 ONCA 440, at para. 29
[48]: Title 18, USC § 2258A
[49]: Justice Griffin’s decision in Miller (at paras. 18-19), in which he made a similar finding, is the only decision of which I am aware that considered the legislative context when assessing whether a subjective reasonable expectation of privacy was objectively reasonable.
[50]: See R. v. Knelsen, 2024 ONCA 501, at para. 45; R. v. P.M., 2025 ONCA 208, at paras. 35-39
[51]: See R. v. Campbell, 2024 SCC 42 at paras. 50-52
[52]: I recognize the distinction between sections 2 and 3 of the Mandatory Reporting Act; however, I find that both sections, when the totality of circumstances are considered, make Mr. Done’s subjective expectation of privacy objectively unreasonable.
[53]: See the chats in trial Exhibits #9 to 17
[54]: 2025 ONSC 1377
[55]: 2022 SCC 19
[56]: See my Reasons for Decision on Charter Application dated February 8, 2023
[57]: 2024 ONCA 608, at paras. 144-165
[58]: 2020 SCC 9, at paras. 1-5
[59]: Friesen, at para. 48
[60]: I do not intend for this to be a complete record of the procedural history; rather, a summary of key, relevant dates.
[61]: The Crown consented to the re-opening.