Saturday, January 4, 2020

2019: Date for decision in FCS breach expected next month. (FINAL DEFENCE SUBMISSION)

DEFENCE WRITTEN SUBMISSIONS


Court File No.:

ONTARIO COURT OF JUSTICE
(East Region)
BETWEEN:
HER MAJESTY THE QUEEN
- and -
KELLEY DENHAM
DEFENCE WRITTEN SUBMISSIONS
FADY MANSOUR
VANESSA GARCIA
Edelson Friedman Black LLP
600-200 Elgin Street
Ottawa, ON K2P 1L5
Tel. (613) 237-2290
Fax. (613) 237-0071


PART I — OVERVIEW
  1. The Family and Child Services of Lanark Leeds and Grenville (FCSLLG) is responsible for providing Children's Aid Society services, including investigating complaints and, where necessary, initiating proceedings to ensure the protection of children.
  2. As part of their outreach, the FCSLLG maintained a website which they believed had a public side, where community members could access basic information, and a members' only Board Portal, where confidential FCSLLG materials were kept.
  3. However, the FCSLLG did not properly secure the Board Portal. This meant that any member of the public could access confidential documents without needing to enter a username or password. All that was needed to access the confidential documents was to delete the name of a given file and the user would be taken to an open file directory.
  4. Among the confidential files accessible to the public on the FCSLLG website was an Excel spreadsheet which contained the names of mothers whose families had been referred to the FCSLLG.
  5. This security flaw was uncovered when the accused, Ms. Denham, posted a YouTube video which contained confidential board documents. In response, the FCSLLG shut down their website and hired David Schmidt, a website security expert, to review the website's security.
  6. The FCSLLG implemented some but not all of Mr. Schmidt's recommendations before putting the website back online. The file directory was closed from the public, however Board documents had not been removed from the website, contrary to Mr. Schmidt's recommendation.
  7. On April 18, 2016 Ms. Denham posted a hyperlink or picture of a hyperlink of the spreadsheet in the private Facebook group Smiths Falls Swap Shop. Members of that Facebook group accessed the spreadsheet.
  8. The FCSLLG took down their website and called police to investigate the security breach. The website would have been taken down regardless of how it came to the FCSLLG's attention.
  9. As a result of the Facebook post, Ms. Denham is charged with two counts of mischief in relation to computer data, contrary to ss. 430(1.1)(c) and (d) of the Criminal Code.
  10. Ms. Denham faces further charges under the Child and Family Services Act (CFSA) of identifying a child (s. 45(8)) and publishing (s. 76(11)).
  11. In order to prove that Ms. Denham committed the offences under s. 45(8) of the CFSA, the Crown must make out the following elements:
  1. Publication or making public;
  2. Of information that identifies a child, a child's parent or a member of the child's family;
  3. Who is the subject of a hearing or proceeding.
12. Similarly, the Crown must prove under s. 76(11) of the CFSA the elements below:
  1. Publication or making public;
  2. Of information that identifies a witness, participant, or party;
  3. Who is the subject of a hearing.
13. Ms. Denham's post does not make out an offence under ss. 45(8) or 76(11) because
  1. There is no publication; and
  2. The information in the spreadsheet does not identify children or parties to hearings or proceedings.
14. First, the posting of a hyperlink or picture of a hyperlink is not publishing as Ms. Denham neither created nor had control over the content of the hyperlink. Further, posting in a private Facebook group with membership criteria is not a public post.
15. Second, the spreadsheet posted did not identify children or witnesses part of a hearing or proceeding. In order to determine which names on the list corresponded to a hearing or proceeding, Ms. Von Cramon, the FCSLLG lawyer, had to look through and correlate the spreadsheet with an internal client list. Not only that, Mr. Lemay, the executive director of the FCSLLG, and Ms. Row, a project manager with the FCSLLG, also testified that they had to rely on Ms. Von Cramon's examination of client files to determine which names on the spreadsheet had ongoing proceedings. Thus, a lay person viewing the list of names would not be able to determine which names on the list corresponded to ongoing hearings or proceedings.
16. Furthermore, even when identifying the names on the spreadsheet Ms. Von Cramon could not say whether the ongoing proceeding arose from the incident on the spreadsheet, or whether it was unrelated.
17. In the absence of a link between the names on the list and an ongoing hearing or proceeding, there is no contravention of the CFSA.
18. The elements of the offence of mischief to data under s. 430(1.1) are that:
  1. the accused wilfully
  2. obstructs, interrupts, or interferes
  3. with lawful use of computer data or
  4. denies access to computer data to a person who is entitled to access it
19. Ms. Denham has not committed the above offence because the post did not obstruct, interrupt, or interfere with the computer data. According to the testimony from Mr. Lemay and Ms. Row, the FCSLLG would have taken down the website regardless of how the security flaws were brought to the FCSLLG's attention. Furthermore, Mr. Schmidt testified that his recommendation was to shut down the website. Therefore, Ms. Denham's post made the FCSLLG make changes to their website they would have done at any point where the issue had been uncovered. There was no additional loss created by Ms. Denham's post.
20. The elements of the offence for unauthorized use of a computer are that:
  1. the accused fraudulently
  2. and without colour of right
  3. uses or causes to be used a computer system
  4. with intent to commit an offence under s. 430 in relation to computer data or a computer system
21. Ms. Denham has not committed this offence because her accessing the spreadsheet did not require any fraudulent means. Ms. Denham did not hack the website or impersonate another user to access the information. This information was accessible to any member of the public as no username or password was required to access the spreadsheet or other confidential documents. In the absence of deceit, falsehood, or any other fraudulent means Ms. Denham did not commit the offence of unauthorized use of a computer.
PART II — EVIDENCE AT TRIAL



22. The court heard evidence from four Crown witnesses, Raymond Lemay, Margaret Row, David Rakobowchuk, and David Schmidt.
A. The Agreed Statement of Facts
23. Sometime before early February 2016, Ms. Denham accessed and downloaded 252 documents from the FCSLLG website, including spreadsheet 0-5intake-stats.xslsx.
24. The spreadsheet contained the names of 285 mothers of children who had interactions with the FCSLLG.
25. The spreadsheet was located in what the FCSLLG thought was a member's only Board portal but which was at the time publicly accessible through the open website directory.
26. In February 2016, the FCSLLG became aware that Ms. Denham had accessed documents from the Board portal after she posted a YouTube video with FCSLLG documents appearing on the video.
27. As a result of the YouTube video, the FCSLLG hired David Schmidt to assess the website's security and temporarily took down the website.
28. On April 18, 2016 Ms. Denham posted a hyperlink or picture of a hyperlink of the spreadsheet in the private Facebook group Smiths Falls Swap Shop.
29. Shortly after the hyperlink was posted, it was removed from the Smiths Falls Swap Shop website.
30. In response to the hyperlink being posted, the FCSLLG shut down their website and deleted all documents therein.
B. Raymond Lemay
31. Mr. Lemay holds the highest position as the executive director of the FCSLLG and has been in that position since December 2015.
32. Mr. Lemay's understanding of the website was that there was supposed to be a public part of the website and a secured board members' only portal which was not publicly accessible.1
33. Mr. Lemay testified that the spreadsheet in question, 0-5intake-stats.xslsx, was created by the FCSLLG and intended to be kept private. Mr. Lemay was aware of the duty the FCSLLG had under the CFSA to keep confidential the information of persons who received services from the FCSLLG.2
34. In February 2016, Mr. Lemay became aware that there was an issue with the FCSLLG website and immediately took down the website.3 In order to fix the security issue, the FCSLLG hired a security consultant to look at the website. The FCSLLG did not incorporate all of the consultant's recommendations. Because of this, in April 2016 Mr. Lemay was made aware of a similar issue with the website and the website was taken down as a precaution.4
35. Mr. Lemay did not know there were issues with the FCSLLG website until the breaches were brought to his attention. Mr. Lemay testified that regardless of how he found out about the breaches he would have taken the step of taking down the website to fix the security issues.5
36. Mr. Lemay testified that in order to determine which cases on the spreadsheet were before the courts, the FCSLLG had to compare the names on the spreadsheet to their computer records. Without comparing the names from the spreadsheet to internal client lists, Mr. Lemay would be unable to say which of the names on the spreadsheet correspond to proceedings:6
1 Trial Transcript, at pp. 11-12 [Transcript].
2 Ibid, at pp. 20, 22-23.
3 Ibid, at pp. 12-13.
4 Ibid, at pp. 27-28.
5 Ibid, at pp. 25-26.
6 Ibid, at pp. 31-32.
Q. Right. My friend put to you these spreadsheets, which is tab four of the multi-volume exhibit?
A. Yes, he did.
Q. So, you took us to kind of what these things mean, and then you told us that ten of those names were individuals that were involved in proceedings, participants in a proceeding?
A. Yes.
Q. You must have done something outside of looking at this to determine that?
A. Yes, we — at some point we compared the list to our computer records, and determined which of the cases in fact had been before the courts.
Q. Okay. Without comparing that, you can't tell me today which of these people are parts of proceedings?
A. I can't tell you, no.
Q. And, you can't tell me today, looking at this list, if a proceeding — if I was to identify for you the ten names, you couldn't tell me when the proceedings started or ended?
A. You are asking me and I don't know that.
C. Margaret Row
37. Ms. Row testified that the FCSLLG website was only taken down after the April 2016 breach. Her recollection was that the website was taken down based on Mr. Lemay's recommendation and that it had been taken down as a precaution to determine the security issue.7


38. Ms. Row was advised that the security issue was that the website's file directory was visible. This meant that a person did not need to enter a board username or password to access confidential documents. All a person had to do was go to the address bar of the website and change what was in that address bar.8
39. Ms. Row acknowledged that she would have taken the website down if the IT department had disclosed the same security breach on their own:9
Q. Okay. But, when you decided to take down the website, you decided to take down the website because you weren't sure what the security breach was, and so you wanted to make sure that — shutdown, and make sure you fixed whatever it was?
7 Ibid, at pp. 40-42.
8 Ibid, at pp. 44-45.
9 Ibid, at p. 48.
A. That's correct.
Q. No, I'm assuming security is quite important to C.A.S.?
A. Yes.
Q. If you had found out some other way about the same security breach, or any security breach, you would have taken the same step, which is shut down the website?
A. Yes.
Q. So, if your I.T. department came to you and said, hey, I think there is a problem, no one has accessed it, but there was a problem, you would have taken the same step of shutting it down?
A. Our I.T. department had nothing to do with the website.
Q. Ma'am, I'm putting to you a hypothetical. If your I.T. department came to you and said there was a security breach on your website...
A. Yes.
Q. ...no one has accessed it yet. Would you have taken it down still?
A. Yes.
40. With regards to the spreadsheet, Ms. Row testified that it contained names of clients who had received service from the FCSLLG in a 5-month period.10 Ms. Row could not say, simply by looking at the list, which names on that list were part of proceedings:11
Q. Okay. My friend put to you exhibit four, tab four, that's that spreadsheet, and you identified I believe six families, seven children, one family with two children?
A. Correct.
Q. Right. Are you the one that determined that?
A. No, that was done by the manager of legal services.
Q. Who is that?
A. Karynn VonCramon.
Q. Okay. Can you spell that for me?
A. Karen, K-A-R-Y-N-N, Von, V-O-N, Cramon, C-R-A-M-O-N.
Q. Okay, and Ms. VonCramon, do you know what she did in order to come up with that list of names?
A. She would have consulted with the service managers who are responsible for the clients.
Q. Okay. And so, they would have looked at some other internal document that we don't have — that you don't have access to to determine who on this list was involved in a proceeding?
A. Correct.
Q. Okay. You can't tell me, looking at this list today who is involved in a proceeding if the names were visible?
A. No, I cannot.
41. Ms. Row added she knew there was a duty to keep confidential information of clients receiving the FCSLLG's services and that the spreadsheet, because it contained such information, was supposed to be kept confidential.
Q. Okay. What was the purpose of that document?
A. It was a report to the board. The graphs and the statistics on the first tabs of that report were for — well, for management, but also to the board to determine how well, in fact, we were doing in respecting the time frames for intervention with children and families.
Q. Okay. And, was it your organizations intention that that document be public or private?
A. Oh, private. It's — well, the graphs at the beginning are the kind of information we could put on a website and that people could see how well we are performing in terms of government standards and so on. The information further into the document at the last tabs, the client information, that is strictly confidential.
Q. All right. And, why is that?
A. Because — well, first of all there is a general duty to keep confidential the information of clients receiving services, over and but the child welfare, there is a prohibition in the legislation about publishing information that could identify children receiving services from Children's Aid Societies.
D. David Rakobowchuk
43. Det. Rakobowchuk is himself a member of the above Facebook group. He testified that to join the group, a Facebook user had to request approval from a group administrator.12
44. Det. Rakobowchuk testified that there was no breach of password or anything similar used to gain access to the spreadsheet in question:13
Q. And, just for the purpose of the record, you have referred to — the information you got there was a hack, I guess?
A. Yes.
Q. But, as the investigation went on it was very — it became clear that there was no actual, I guess, a breach of a password, or anything like that used to gain this information?
A. Exactly.
E. Karynn Von Cramon
45. An agreed statement of facts was prepared for Ms. Von Cramon.
46. In order to determine which names on the spreadsheet were part of a FCSLLG proceeding, Ms. Von Cramon had to manually compare the names on the spreadsheet to an internal list of open files accessible only to the FCSLLG legal department. Without consulting the list, Ms. Von Cramon would be unable to identify if anyone was part of a proceeding.14
47. Ms. Von Cramon determined that 6 mothers named in the spreadsheet were part of a proceeding. She could not say if the referral that caused them to be on the spreadsheet was the cause of the proceeding, as some of the proceedings predated the referral to FCSLLG.15
F. David Schmidt
48. Mr. Schmidt was the computer expert hired by the FCSLLG to review their website security and make recommendations.
i. Server logs
49. Mr. Schmidt testified that server logs essentially keep track of who visits a webpage:16
50. A server log provides information about the Internet Protocol (IP) address, the date, the time, the web browser used and information on whether the request was successful. Based on the server logs, Mr. Schmidt was able to determine that the document 0-5intake-stats.xslsx had been accessed by IP address 72.39.243.162.
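An added illustration of the server-log review described in paragraph 50, not part of the original submission or of Mr. Schmidt's evidence: it reads access-log lines and separates directory listings that were served, listings that were refused, and files fetched from a listing, from a page link, or with no referrer at all. The "combined" log format, the host example.test and the client addresses are assumptions constructed for the sample; the file names are those of the mock demonstration described in the testimony.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the web server writes the common "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)
UPLOADS = "/wp-content/uploads/"
CATEGORIES = ("listings", "blocked", "via_listing", "linked", "no_referrer")

# Constructed sample lines: host name and client addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2018:10:00:09 +0000] "GET /wp-content/uploads/2018/07/basicdocument.txt HTTP/1.1" 200 312 "http://example.test/" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2018:10:00:30 +0000] "GET /wp-content/uploads/2018/07/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2018:10:00:41 +0000] "GET /wp-content/uploads/2018/07/sensitivedocument.txt HTTP/1.1" 200 901 "http://example.test/wp-content/uploads/2018/07/" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2018:10:01:02 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Aug/2018:09:15:00 +0000] "GET /wp-content/uploads/2018/07/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Aug/2018:09:15:20 +0000] "GET /wp-content/uploads/2018/07/sensitivedocument.txt HTTP/1.1" 200 901 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def audit_uploads(lines):
    """Group requests under the uploads folder by client address and by kind."""
    report = defaultdict(lambda: {name: [] for name in CATEGORIES})
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["method"] not in ("GET", "HEAD"):
            continue
        path = urlsplit(entry["target"]).path  # drops any query string
        if not path.startswith(UPLOADS):
            continue
        seen = report[entry["ip"]]
        status = entry["status"]
        if path.endswith("/"):
            # A 200 on a folder URL is treated as a served directory listing
            # (assumption: the folder holds no index page of its own).
            if status == "200":
                seen["listings"].append(path)
            elif status in ("403", "404"):
                seen["blocked"].append(path)
            continue
        if status != "200":
            continue
        referrer = entry["referrer"]
        ref_path = urlsplit(referrer).path if referrer not in ("", "-") else ""
        if not ref_path:
            seen["no_referrer"].append(path)   # exact address was already known
        elif ref_path.startswith(UPLOADS) and ref_path.endswith("/"):
            seen["via_listing"].append(path)   # clicked from a directory listing
        else:
            seen["linked"].append(path)        # followed a link on a site page
    return dict(report)


def exposed_directories(report):
    """Folders for which a listing was served to any client."""
    return sorted({d for seen in report.values() for d in seen["listings"]})


def files_reached_without_a_link(report):
    """Files fetched from a listing or by exact address, not from a page link."""
    return sorted({f for seen in report.values()
                   for f in seen["via_listing"] + seen["no_referrer"]})


if __name__ == "__main__":
    result = audit_uploads(SAMPLE_LOG.splitlines())
    print("Listings served:", exposed_directories(result))
    print("Files reached without a page link:", files_reached_without_a_link(result))
```

The second client in the sample shows the state described for April 2016: the folder listing is refused, but a file left on the server is still returned to anyone who has its exact address.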
12 Ibid, at p. 54.
13 Ibid, at p. 50.
14 Ibid, at p. 63.
15 Ibid, at pp. 63-64.
16 Ibid, at p. 71.
51. IP address 72.39.243.162 was admitted as belonging to Ms. Denham.17
ii. Structure of the FCSLLG website
52. In 2016 the FCSLLG used WordPress to design their website. WordPress is the most commonly used software people use to create websites.18 Mr. Schmidt testified that WordPress does not require a special knowledge and that it is not intended for confidential documents:19
Q. So, you talked about WordPress, right? And, WordPress is used by about sixty million websites worldwide, right?
A. Correct.
Q. It's the most widely used...
A. Yep. Over thirty five percent of public websites use WordPress.
Q. Right. It's open source?
A. Correct.
Q. And, open source just means anybody can use it, you don't need a licence, you don't need to buy anything?
A. Correct.
Q. Anyone can use...
A. And, all the source code is available for viewing by anybody. There is nothing proprietary behind it.
Q. Right. And, it's intended to be pretty user friendly?
A. Mm-hmm.
Q. Right?
A. Yes.
Q. Yes. There is quadrants made for it, there is other themes for it. It's intended for the average person to be able to build the website for their home business, or just for fun, or for a blog, or for whatever?
A. Absolutely.
Q. Right. It doesn't require a special knowledge to use WordPress?
A. Not particularly.
17 Exhibit 1, agreed statement of facts.
18 Transcript, supra note 1 at p. 98.
19 Ibid, at pp. 106-107.
Q. Right. And, because of that, it's not actually, as it's set out by default, not intended for confidential documents at all?
A. I guess not.
Q. Well, and the reason I say this is from what you said which is that by default it has a browseable directory...
A. Yep, absolutely.
Q. ...that you could go to that doesn't lock. So, by default, a logical inference is, if you have a directory that's browseable where you can get to every document with no password, that's the default settings.
A. Absolutely.
Q. By default, it is not intended for confidential documents?
A. That is true.
53. The FCSLLG had a website that was intended for the public but that also had a Board Portal for members to access internal FCSLLG documents.
54. The private information was supposed to be kept confidential by requiring the use of a username and password to access a Board members' only portal. However, this was not the case. A person could access confidential board documents without needing to enter a username or password.
55. This access was possible because the FCSLLG kept both public and private documents in the same directory.21 This meant that all documents, whether public or private, which had been uploaded onto the website were visible in the website's directory.
56. Mr. Schmidt testified that where a directory is browseable, as it was with the FCSLLG website in February 2016, all documents in the uploads folder were visible when the directory was accessed:22
Q. So, if you know what the word uploads means, which is you upload something to the internet, you put something online, right?
A. Yep, yes.
Q. You would be able to look at uploads, and then after that is a year, a month, and a date?
A. A year and a month, in this case.
20 Transcript, supra note 1 at p. 103.
21 Ibid, at p. 103.
22 Ibid, at p. 108.
Q. So, the logical inference is that's where things are stored based on year, month, and date?
A. Yep, and that's how WordPress operates.
Q. Right.
A. That is how WordPress, that is the, the methodology that WordPress uses to store documents that people upload using the content management system.
Q. Correct. Now, once you get there you can go behind the scenes, so to say, and just look at every document, which is what makes it browseable. You can just start clicking...
A. If it is browseable, then yes, you can view it openly. That's correct.
Q. So, you can just start clicking on the different folders, the different months, the different years...
A. Correct.
iii. How the spreadsheet was accessed on the FCSLLG website
57. Mr. Schmidt set up a mock website and did a demonstration of how the spreadsheet could have been accessed. In Mr. Schmidt's example, the mock website's address was environet.ca:23
A. So, up at the top where the web address is you would see the name of the business. This is a mock up called Environet.ca.
Q. Right.
A. You would have seen FCSLLG.ca up there.
Q. Okay.
58. The environet.ca website was set up with a mock hyperlink which, when clicked on, opened an example document. Clicking on the hyperlink sent the user to the page environet.ca/wp-content/uploads/2018/07/basicdocument.txt:24
A. So, I've created a dummy link here to what we are calling a download this example basic document. So, you see where the mouse pointer is, and this is what's called a hyper link.
Q. Yes.
A. And so, when we click on it it takes us to that example document. So, a couple of details; number one, in the server log, we would see a 200 status message saying that this had been downloaded, and we would see the referrer of the main webpage showing us this. If you look up at the top bar where it says environet.ca/wp-content/uploads/2018/07/basicdocument.txt...
Q. Yes.
A. ...that is the exact address of that document.
59. The analogy on the FCSLLG website would have been to click on any PDF document from the website's home page:25
Q. Again, just to keep it related to our case...
A. Yes.
Q. Back in 2016, on the Family and Child Services website, if you clicked on a link on their website just as you showed us here...
A. Yep.
Q. ...correct me if I'm wrong, but you would — instead of saying environet.ca, it would say Family and Child Services...
A. Yep.
Q. Right? Would you also see — wp-content...
A. Only if, only if you accessed, like, a P.D.F. document that they had posted for people to see. If you were just clicking on regular links...
Q. Right.
A. ...you would never see the wp-content show up.
Q. Okay.
A. So, that would show up when, let's say, they posted their brochure, and it's an acrobat P.D.F. document, or something like that.
Q. Right. So, you would see the same thing we have up now only it would be relating to Family and Child Services?
A. Correct.
60. In order to access the uploads folder from the basic document at environet.ca/wp-content/uploads/2018/07/basicdocument.txt, a person would simply have to remove the name of the document "basicdocument.txt", thus leaving "environet.ca/wp-content/uploads/2018/07/":26
A. Okay. So, we talked about how, how the visitor could have, could have found the uploads folder.
Q. Yes.
A. And so, if we take our pointer up here to where the address bar is...
Q. Yes.
A. ...we click in it and we remove the name of the document — so, if we remove basicdocument.txt...
Q. Yes.
A. ...which takes us back to, essentially, specifying a folder name, and we hit enter, what we have is a directory listing. So, this is, this is everything that sits on the web server in the wp/content/uploads/2018/07 folder. And, we will see there are a whole bunch of picture files there referring to various photos that are used on the website, and as we scroll down, down into the B's for our basic document example, there is that basicdocument.txt, and this would be a way that we could go to it a different way.
Q. Okay.
A. But, the example I want to show is is if we go down into the S's, where I've just put a dummy sensitive document — sorry, too far — a sensitivedocument.txt, we see the name of it, we are interested in it, we click on it, we now see an example of a document that has content that might be deemed sensitive. So, this would be an example of that 05-intake.xls file, or one of the other documents that the F.C.S. believed was secured with their Board Portal.
Q. Okay.
A. So, that's just a very simple — this is, this is how it would have been seen.
61. Thus, by removing the name of the document, a user would "zoom out" from a specific document to the folder where the document was being kept. Any other documents in that folder would be visible to the user.
62. From environet.ca/wp-content/uploads/2018/07/, removing "2018/07/" would bring a user to the uploads folder, showing the entire upload directory and folders within.
26 Ibid, at pp. 95-96.
Q. All right. What if you back up all the way to uploads?
A. Yep. So, off we go. Up here to the web address bar, and back up all the way up to uploads, again because there is no extra protection put in place to stop this listing, we are essentially looking through, as it were, a clear pane of glass to see that there are multiple folders there, 2018, 2019, and some other folders relating to the WordPress setup. So, we could then choose a folder, like, 2018. We could then choose a month, like, 0-7, or 0-8, and you see some of these folders are empty because there is not anything in them, but if we go into the, for example, the 0-7 one, we see again the images that make up the website, as well as anything else that's been uploaded, and that's where our two example documents are that I put there as a demonstration.
63. In February 2016, when Mr. Schmidt was retained by the FCSLLG to determine the cause of the breach, he accessed the FCSLLG's directory in the manner demonstrated above.27
Q. In February, 2016, you actually went to the website...
A. And, I checked the uploads.
Q. Right. But, you went to the Board Portal?
A. Well, I, I visited the website. I also visited the Board Portal just to see whether anything in the Board Portal itself was open.
Q. And, what did you try doing to get through there?
A. I tried, sort of, random user names and passwords to see if anything, sort of, default would be enabled.
Q. And, when you tried that what happened?
A. The usernames and passwords were incorrect.
Q. And, what did you see on the screen?
A. An error telling me that the password was not, was not valid.
Q. So then what did you decide to do?
A. Well, then, then I decided to check whether this particular hole existed.
Q. Right.
27 Ibid, at pp. 99-100.
A. Right? And, I went to the wpcontent/uploads folder and I was then able to browse a directory like we are looking at right now.
Q. Okay. And, it was as simple as backing up the U.R.L...
A. Correct.
Q. ...to...
A. Essentially, we are moving something from the end of it to make it a more generic request.
iv. Mr. Schmidt's recommendations in February 2016



64. Mr. Schmidt testified that it was a foolish practice to keep a website's directory browseable.28
65. He also testified that better practices for websites where confidential information was stored would be to use an intranet system, to use a VPN access with a username and password, or to put the materials on a separate website requiring a username and password. None of these steps were in place in 2016 with the FCSLLG website.29
66. One of Mr. Schmidt's core recommendations was to take everything from the Board Portal off the public internet.30 After the breach in April, Mr. Schmidt re-iterated the above recommendation. While the FCSLLG directory was no longer browseable, the FCSLLG had not removed documents from the Board Portal as he had directed.31
Q. And in fact, your second recommendation is — you use the vehemently, you say; "I'm telling you this again, like, you have to do this, you have to take this stuff down".
A. Yep, yep. In April essentially I revisited my original recommendations saying; "The only reason we are here is that the original recommendations weren't followed".
Q. Right. It didn't make any sense because in February you are telling them; "Anyone can access this. Here is why. Fix this".
A. Yep.
Q. In April, some of the same problems existing allowing anyone to still access the documents.
28 Ibid, at p. 101.
29 Ibid, at p. 110.
30 Ibid, at p. 116.
31 Ibid, at pp. 116-117.
A. Correct. The difference in April was that the person would have had to know the exact location of that document.
Q. Right.
A. Whereas previously it was an open book, as it were.
67. Mr. Schmidt also advised the FCSLLG to keep their website offline until the Board Portal documents were all taken down.32
68. Mr. Schmidt's recommendation to keep the website offline was independent of the number of documents that needed to be removed from the website.33
Q. You did not recommend — did you recommend that they take down the website, or did you recommend that they just turn off the browsing function? Did you say it was recommend to do this, you didn't have to take it down? What was your ultimate recommendation in February?
A. My ultimate recommendation was to take down the website, make sure everything was scrubbed before anything went back online, because essentially doing, doing that scrubbing while the site is online isn't safe, right? You want to make sure it's not accessible by anybody while you are cleaning up.

Q. And so, the reason you have to take it down is only if the number is so large that you couldn't possibly do it in a safe enough time, or quick enough?
A. As a general precaution you would take it down anyway.
Q. Okay.
A. Even if it was only ten you would want to make sure that you pulled those ten without anybody else accessing those documents.
Q. So that in those few minutes that you are doing your work no one else accesses them?
A. Correct.
32 Ibid, at p. 116.
33 Ibid, at pp. 118-119.
v. Indexing
69. Mr. Schmidt testified that starting in 2004 Google started indexing websites. Indexing means that Google used an algorithm to go into open websites and download things on them to make them searchable.34
70. Documents such as Excel spreadsheets are easily indexable by Google.35
71. When a document is indexed by Google or another search engine, the content of the document becomes searchable and could come up in a Google search:36
Q. I understand. And, if it was indexed, the content would then have been indexed too, because Google could actually read within the document?
A. Correct.
Q. Right. So, if you search a name of someone listed on the document, it could actually come up in the search results?
A. Correct.
Q. So, that's another way that if it was indexed you could actually come upon the documents?
A. Correct.
72. Open directories, like the one the FCSLLG had, would be indexed unless the FCSLLG took an extra step to make sure this did not happen.37
73. Although he was of the opinion that Google did not index the spreadsheet, Mr. Schmidt could not say whether the FCSLLG spreadsheet had been indexed by other search engines such as Bing or Yahoo:38
Q. Did you only check Google, or did you check other search engines, like Bing, or Yahoo, or anybody else?
A. I did not check Bing, or Yahoo, I just checked Google.
Q. And, you can't tell us if those things indexed any of those?
A. That is correct, I cannot.
34 Ibid, at p. 112.
35 Ibid, at pp. 114-115.
36 Ibid, at p. 115.
37 Ibid, at p. 112.
38 Ibid, at p. 125.
PART III — LAW
A. Law
i. Child and Family Services Act offences
74. The CFSA, which has since been replaced by the Child, Youth and Family Services Act, governs the child protection regime in Ontario.
75. Section 45 of the CFSA sets rules related to child protection hearings and orders. As part of these rules, s. 45(8) provides that:39
No person shall publish or make public information that has the effect of identifying a child who is a witness at or a participant in a hearing or the subject of a proceeding, or the child's parent or foster parent or a member of the child's family.
76. The above section prohibits publishing or making public information that identifies a child, the child's parents or a member of the child's family where that child is either a participant in a hearing or the subject of a proceeding.
77. The elements of the offence are as follows:
  1. Publication or making public;
  2. Of information that identifies a child, a child's parent or a member of the child's family;
  3. Who is the subject of a hearing or proceeding.
78. Similarly, section 76 of the CFSA states that:
No person shall publish or make public information that has the effect of identifying a witness at or a participant in a hearing, or a party to a hearing other than a society.
79. The elements of the offence are as follows:
  1. Publication or making public;
  2. Of information that identifies a witness, participant, or party;
  3. Who is the subject of a hearing.
80. Section 45(8) of the CFSA has been interpreted as requiring that the information published or made public be linked with identifying participants in a hearing or proceeding:41
39 Child and Family Services Act, RSO 1990, c. C.11, s. 45(8) [CFSA].
40 CFSA, s. 76(11).
41 Children's Aid Society of Hamilton-Wentworth v. D.-G. (F), [1995] 21 OR (3d) 643, OJ No. 148, at paras. 46-47 (Ont. Gen. Div.) [CAS Hamilton v D.-G.]
There are two possible interpretations of s. 45(8). One, that it is an absolute ban against identifying the child or the family who are participants in a hearing or the subject of a proceedings. Secondly, that it is not a ban against identifying anyone unless it is coupled with identifying them as people who are involved in the proceedings.
The second interpretation is the only logical one. The impugned publication must make reference to the proceedings or be contrary to some other provisions of the Act to justify an injunction based on the Act. If the prohibition were against identifying any of the persons listed, then it would be an offence to publish anything about the mother even if no reference is made to the fact that she is involved in any proceedings. It must, to offend the Act, require disclosure that there are proceedings either directly or impliedly and couple the person identified with those proceedings. [emphasis added]
  1. In other words, the publication of a newspaper article that mentioned the name of a child part of a CAS proceeding in the context of a hockey tournament does not breach s. 45(8) because there is no link between the name of the child and a CAS proceeding. However, a newspaper article identifying that child's family members as part of a CAS proceeding would contravene s. 45(8).
  2. Section 76(11) has not been judicially interpreted. However, given the similarities in language between the two sections, it is logical that for a breach under s. 76(11) the same link between a witness and participation in a hearing is required.
1. The definition of publishing
  1. The CFSA offences under which Ms. Denham has been charged particularize that she published, rather than made public, identifying information under the Act.
  2. The CFSA does not define "publish"; however, courts have interpreted the word publish as having its plain language meaning.
  3. Generally, courts have cited dictionary definitions of publish:
Publish - To make public; to circulate; to make known to people in general . . . An advising of the public or making known of something to the public for a purpose. 42
Publish - 1 a: to declare publicly: make generally known ... 3a: to place before the public (as through a mass medium) ...43
42 Black's Law Dictionary, cited in Edmonton Journal v Alberta (Attorney General), [1985] AJ No. 1060 at para. 19 (ABQB).
43 Webster's Third New International Dictionary cited in Edmonton Journal v Alberta (Attorney General), [1985] AJ No. 1060 at para. 19 (ABQB).
Publish - to make generally known; to make public announcement of; to place before the public; to produce or release for publication; to issue the work of (an author); to put out an edition; to have one's work accepted for publication.44
  1. In Re Orr, which considered the meaning of publication in what was then the section of the Criminal Code of publishing obscenity, the trial judge wrote:45
[Publication] has other special meanings in law; publication of a will, publication of an invention. But this does not involve the acceptance of those special meanings in connection with unrelated legal subjects and where the word "publication" is used in a penal statute without definition, and with no context which would assign to it a special meaning, it must be considered to bear the meaning it would bear in ordinary English speech or writing. Certainly, where crime is involved a court should not go out of its way to attribute to the word an extraordinary meaning involving the culpability of the accused, but should rather hew strictly to the line resolving any possible doubt in favour of the accused. [emphasis added]
  1. In the context of the CFSA, Masse J provided some guidance on the interpretation of s. 45(8) (or s. 41(8) as it then was). In finding that s. 41(8) was constitutional and did not breach the freedom of expression provision of the Charter, Masse J determined the meaning and scope of the section applying principles of statutory construction.
  2. First, he found that the prime objective of the CFSA was "to promote the best interests, protection and well-being of children."46 Second, the CFSA should be interpreted, where possible, in a manner consistent with the Charter.47 Third, all penal statutes should be strictly construed to minimize encroachment by the state upon an individual's freedom.48 Finally, the entire context of the statute should be looked at in determining the meaning of any section.49
  3. Masse J also briefly addressed the effect of the words "publish or make public" and "has the effect of identifying":
These words are very common and ordinary words which the courts will have to interpret depending on the circumstances of each case. Any ambiguity in the meaning of these words in the context of any particular case will be
44 Webster's New Collegiate Dictionary cited in R v Daly, 2003 BCSC 1143 at para. 100.
45 Re Orr's Stated Case (sub nom Re R v Leong), [1961] 38 WWR 114 at para. 9.
46 R v Davies, [1991] 87 DLR (4th) 527 at para. 67 (ONSC) [Davies].
47 Ibid at paras. 68.
48 Ibid at para. 71.
49 Ibid at para. 72.
50 Ibid at para. 74.
resolved by choosing that meaning that is most favourable to an accused person.
  1. The plain language meaning of publishing was adopted by the Child and Family Services Review Board (CFSRB) in J.M. v Family & Children's Services of the Waterloo Region, where the CFSRB considered whether the CAS adducing evidence of court proceedings at the board hearing constituted publication under s. 45(8). In finding that this was not publication, the board stated:51
The word "publish" is defined in the Canadian Oxford Dictionary as follows: "prepare and issue (a book, a newspaper, information in electronic form, computer software, etc.) for public consumption; make generally known".
In the Board's view, the Society is not "publishing or making public information" when it adduces evidence before the Board. The hearing before the Board is in camera and the evidence received is kept private. Thus, the Society is not making information "generally known" when it adduces evidence to support its jurisdiction motion. The Board does not believe the Society can avoid its evidentiary and legal burdens by relying upon section 45(8) of the Act.
In order to breach the requirements of section 45(8), the publication must identify the child who is the subject of the Board's proceeding and/or the child's parent. While the Board's decision is published (made generally known) when it is posted on the Board's website, there is no identification of the child who is the subject of the Board's proceeding or the child's parent because all identifying information is removed. Therefore, the posting of the Board's decision where the Society's evidence may be referred to does not breach section 45(8) of the Act.
  1. The Crown suggests that the definition of publish, as defined in s. 299 of the Criminal Code, should be used as the definition under the CFSA. Such a proposition is cited without any supporting case law. Further, Parliament, in enacting s. 299, saw fit to provide a specific definition of publishing for libel. Had Parliament wanted the same definition to apply in the CFSA or more broadly in the Criminal Code, it could easily have done so.
  2. The term "publish" should be given its plain language interpretation given the adoption of this interpretation in Davies, which is binding on this court.
2. What Constitutes Publishing
  1. The Supreme Court of Canada in Crookes v Newton considered whether the posting of a hyperlink, that is a reference to data which a user can follow by clicking, was publishing in the context of defamation. In that case, Mr. Crookes sued Mr. Newton on the basis that two hyperlinks Mr. Newton used on his website connected to defamatory material and, by posting those hyperlinks, Mr. Newton was therefore publishing the defamatory information.
  1. The Court found that the posting of a hyperlink is not publishing. First, a hyperlink is a reference, meaning that the person posting the hyperlink has no control over its content:52
Hyperlinks are, in essence, references. By clicking on the link, readers are directed to other sources. Hyperlinks may be inserted with or without the knowledge of the operator of the site containing the secondary article. Because the content of the secondary article is often produced by someone other than the person who inserted the hyperlink in the primary article, the content on the other end of the link can be changed at any time by whoever controls the secondary page. Although the primary author controls whether there is a hyperlink and what article that word or phrase is linked to, inserting a hyperlink gives the primary author no control over the content in the secondary article to which he or she has linked.
These features - that a person who refers to other content generally does not participate in its creation or development - serve to insulate from liability those involved in Internet communications in the United States. [references omitted]
  1. Second, a person hyperlinking a document is not the publishing party, that falls to the creator of the content:53
A reference to other content is fundamentally different from other acts involved in publication. Referencing on its own does not involve exerting control over the content. Communicating something is very different from merely communicating that something exists or where it exists. The former involves dissemination of the content, and suggests control over both the content and whether the content will reach an audience at all, while the latter does not. Even where the goal of the person referring to a defamatory publication is to expand that publication's audience, his or her participation is merely ancillary to that of the initial publisher: with or without the reference, the allegedly defamatory information has already been made available to the public by the initial publisher or publishers' acts. These features of references distinguish them from acts in the publication process like creating or posting the defamatory publication, and from repetition.
  1. Thus, according to the Supreme Court, for a person to be publishing material two elements are required: creation and control over the material.
52 Crookes v Newton, 2011 SCC 47 at paras. 27-28 [Crookes] (Crown's Book of Authorities, Tab 4).
53 Ibid at para. 26.
3. Procedures and Practices for Child Protection Cases
  1. Regulation 206/00 of the CFSA, sets out the procedures, practices and standards of service for child protection cases which outline how complaints and files move through the CAS.
  2. The first step requires that, where the CAS receives information that a child may be in need of protection, it assess the information received in accordance with the Child Protection Standards (CPS) and ultimately determine whether or not a child protection investigation should be initiated.54
  3. The CPS set out the expectations of CASs when they receive new referrals, reports of information that a child may be in need of protection. A referral is defined in the practice notes as including "any report or information received from any source (e.g. a child, community member, the police, etc.), and through any method (e.g. by phone, in person, in writing) that a child may be in need of protection."55
  4. The CPS then list criteria and research CAS workers must complete (e.g. determining whether the child is in the CAS' jurisdiction, obtaining a full report of the incident, checking the Ontario Child Abuse registry, etc.) in order to determine the appropriate response. At this stage, the possible referral dispositions are: (1) the referral is opened for child protection or open for other child welfare services; (2) a "community link" is established for families in the community, or (3) no direct contact/ information only.
  5. A referral will be open for child protection or for other child welfare services where there are reasonable and probable grounds that a child may be in need of protection.56 A community link may be chosen for less serious matters or cases where there is no indication that a parent has failed to protect the child from an alleged perpetrator.
  6. The no direct contact/ information disposition "is chosen for cases which do not require a protection investigation or a "community link" service and which do not receive any direct contact from the CAS. This also includes situations where a CAS provides information only (e.g. about appropriate discipline, or at what age a child may be left at home alone)."57
  7. Thus, not all CAS referrals will lead to a matter being opened for child protection. For example, the CAS could receive a referral and upon investigation, could find the matter to be unfounded and disposed as no direct contact/ information disposition.
54 CFSA, O. Reg. 206/00: Procedures, Practices and Standards of Service for Child Protection Cases, s. 2.
55 Child Protection Standards 2016 at p. 25.
56 Child Protection Standards 2016 at p. 24.
57 Child Protection Standards 2016 at p. 32.
ii. Mischief to computer data
104. Under s. 430(1.1), there are several ways that a person can commit mischief to computer data:
Everyone commits mischief who wilfully
(a) destroys or alters computer data;
(b) renders computer data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of computer data; or
(d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.
105. Sections 430(1.1)(c) and (d) require that the interference be of lawful use of computer data. The elements of the offence of s. 430(1.1)(c) are:
  1. the accused wilfully
  2. obstructs, interrupts, or interferes
  3. with lawful use of computer data
106. Section (d) provides an alternative route of liability, which is that a person deny access to computer data that another is entitled to access. The elements of the offence of s. 430(1.1)(d) are:
  1. the accused wilfully
  2. obstructs, interrupts, or interferes
  3. with lawful use of computer data or
  4. denies access to computer data to a person who is entitled to access it
107. The mens rea requirement for wilfulness encompasses recklessness on the part of the accused.
iii. Unauthorized use of a computer
108. Under section 342.1(1)(c) of the Criminal Code:
Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system
109. The elements of the offence are that:
  1. the accused fraudulently
  2. and without colour of right
  3. uses or causes to be used a computer system
  4. with intent to commit an offence under s. 430 in relation to computer data or a computer system
110. The fraudulently requirement is "an independent part of the actus reus of the offence and requires behaviour that a reasonable person in the circumstances of the defendant could consider a 'dishonest activity'".58
111. The term fraud is defined in section 380 of the Criminal Code as consisting of any "deceit, falsehood or other fraudulent means."
112. These words have been interpreted in the case law. Deceit "involves an untrue statement made by a person who knows that it is untrue, or has reason to believe that it is untrue and makes the statement despite the risk."59
113. A falsehood is "a deliberate lie" and other fraudulent means is "conduct that is neither a falsehood nor deceitful but can be objectively considered to be dishonest because an average, reasonable person would see it as being at variance with straightforward or honourable dealings."60
B. Application of the Law to the Facts
i. CFSA offences
1. There was no publication
114. Ms. Denham's posting of a link or picture of a link to the spreadsheet does not meet the definition of publishing for two reasons. First, posting a hyperlink has been determined by the Supreme Court of Canada not to constitute publishing. Second, by making the post in a private members' only Facebook group, the post was not made public.
58 R v Parent, 2012 QCCA 1653 at para. 37.
59 R v Fast, 2018 ONSC 2821 at para. 47.
60 Ibid.
  1. According to the Supreme Court in Crookes v Newton, for a person to be publishing material two elements are required: creation and control over the material. Ms. Denham does not meet either criterion.
  2. The spreadsheet was created by the FCSLLG, that is not in dispute.
  3. Control over the spreadsheet also resided with the FCSLLG. While Ms. Denham could view and download the file by clicking on the hyperlink, she could not control whether the spreadsheet was on the website or not.
  4. For example, the FCSLLG could have removed the spreadsheet from their website, as they did, following the recommendation by Mr. Schmidt.
  5. The FCSLLG also could have changed what the content was at the end of the hyperlink, replacing the spreadsheet with another document or photo.
  6. Furthermore, Ms. Denham's posting of the hyperlink in a private Facebook group does not constitute publishing. For publication to occur, information must be made public. Ms. Denham did not make the spreadsheet public by posting in the Smiths Falls Swap Shop (SFSS) Facebook group.
  7. The fact that the SFSS is a Facebook group means that only Facebook users can access the group. Not all persons have a Facebook account, therefore, from the start, information available on Facebook is not available to all members of the public.
  8. Further restricting the audience of the post is that the SFSS is a private Facebook group. A private Facebook group means that only Facebook users who are members of that group can view and add to the group's content. Thus, even though a person is a Facebook user, they would not have access to content posted in SFSS.
  9. Membership in the SFSS group requires that a Facebook user live within two hours of Smiths Falls and agree to follow the group rules.61
  10. Det. Rakobowchuk testified that he was a member of the SFSS Facebook group. He testified that the permission must be requested and given for a person to have access to the group:62
Q. The next thing I want to ask you, sir, our agreed statement of fact makes reference to the Smiths Falls Swap Shop website.
A. Yes.
Q. Or, a Facebook group actually. I understand, sir, that you are a member of that?
61 Exhibit 1, Agreed Statement of Facts
62 Transcript, supra note 1 at p. 54.
A. I am. Along with a number of other Swap Shop and selling Facebook pages. I actually monitor them for stolen goods that might be reported to us on occasion.
Q. All right. So, can you tell us, sir, what is it?
A. Individuals will post things that they have for sale, or looking for advice and recommendations on products and services, that sort of thing.
Q. Okay. How long have you been a member?
A. Oh goodness, I've been assigned to our Crime Unit since January of 2014, and I think about that time I decided to start joining some various groups in and around the Smiths Falls area
Q. Do you remember what it took to join back then?
A. You click on a banner that says join group. You may have to wait a little bit for an administrator to verify who you are, and then you get a notice saying you are now a member of this group.
  1. Only persons who have been approved by the SFSS administrators will be invited to the group and be able to view the group's content.
  2. Far from posting the hyperlink on a public website, which would be visible to any internet user, Ms. Denham posted the link to a private Facebook group. Not only is a Facebook account required to participate in the group, membership is also restricted to persons living within 2 hours of Smiths Falls who have been approved by the group's administrators.
  3. The number of members in the SFSS group when Ms. Denham posted the hyperlink is not known.
2. Information does not identify persons subject of a hearing or proceeding
  1. Setting aside the question of publication, the information published does not identify persons subject of a CAS hearing or proceeding as required by ss. 45(8) and 76(11).
  2. The prohibition on publication in these sections must link a person's name with a CAS hearing or proceeding. Rosenburg J's comments in Children's Aid Society of Hamilton-Wentworth v D.-G. (F) bear repeating:63
The impugned publication must make reference to the proceedings or be contrary to some other provisions of the Act to justify an injunction based on the Act. If the prohibition were against identifying any of the persons listed,
63 CAS Hamilton v D.-G., supra note 41 at para. 41.
then it would be an offence to publish anything about the mother even if no reference is made to the fact that she is involved in any proceedings. It must, to offend the Act, require disclosure that there are proceedings either directly or impliedly and couple the person identified with those proceedings.
  1. It is not enough that a person named on the list be a client of the FCSLLG or have been referred to the CAS. For example, a referral could have been made about a mother and that complaint, upon further investigation was unfounded. The inclusion of that mother's name on the spreadsheet does not necessarily mean that there was a hearing or proceeding.
  2. Mr. Lemay testified that the names on the spreadsheet were CAS clients, which he defined as having been referred to the FCSLLG by others or by themselves:64
Q. And again, a client is a person who...
A. Has been referred to us, or has referred themselves because of child protection concerns.
Q. Okay. And so, it would be the name of — whose name would be here?
A. The parents name. The parents — most often the mother's name, but at least one of the parent's names would be here.
Q. Okay. Would there be a child's name there?
A. No.
Q. Okay. And then maybe you could explain to us the rest of the headings, and what they all mean?
A. Well, subsequent there is whether or not we would have more than one referral. The child here is five years old — whether the child — one of the child in the case is if there is a child under five years of age. There are special requirements that are put in for those kids. The referral date, and the date assigned. The referral date is when we receive the referral, and the date assigned is when we assigned it to a worker to investigate. The codes are child protection codes. We have something called the eligibility spectrum. That determines whether or not a referral is eligible for further assistance. That would have been what that code was referring to. And, response time needed is the response time within which we needed to contact the family.
  1. Mr. Lemay and Ms. Row both testified that Ms. Von Cramon had to compare the names on the spreadsheet with the FCSLLG's own files to determine whether a name on
64 Transcript, supra note 1 at p. 22.
the list was part of a hearing or proceeding.65 Ms. Von Cramon's agreed statement of facts further stated that she could not, solely on the spreadsheet, tell which family had an ongoing CAS hearing or proceeding.66
  1. In other words, the fact that a mother's name appeared on the spreadsheet could not be linked to an ongoing CAS proceeding or hearing unless a person also had access to the FCSLLG's internal client list.
  2. Moreover, Ms. Von Cramon could not say whether the CAS event on the spreadsheet corresponded to the open hearing or proceeding as some of the CAS proceedings pre-dated the complaint on the spreadsheet.67 The complaint which caused the mother's name on the spreadsheet was not necessarily the complaint which resulted in an open proceeding or hearing.
  3. A lay person would not be able to determine whether a referral led to a hearing or proceeding.
  4. A lay person looking at the spreadsheet would be able to ascertain that the list comes from the FCSLLG and that a mother's name appeared on this list. A lay person could not tell, simply from the names, whether there was an ongoing hearing or proceeding. That information is not in the spreadsheet and required going through the FCSLLG's lawyer client list.
  5. A lay person would therefore not know that of the 285 persons named on the spreadsheet, only six families had ongoing hearings or proceedings and, moreover, would not be able to identify those six families.
  6. In the absence of information drawing a link between a mother's name on the list and an ongoing CAS hearing or proceeding there can be no contravention of ss. 45(8) or 76(11).
  7. The spreadsheet in the present case can be distinguished from the postings made by a father in Catholic Children's Aid Society of Toronto v N. B.-R. In N. B.- R., a father posted videoblogs on YouTube which identified his children as part of CAS proceedings:68
The judge identified 19 videoblogs which, in her opinion, contained identifying information. While it is the case that the father does not identify the three children by name in his video-blogs, the videoblogs have the effect of doing so indirectly: there are tag lines visible under the blogs containing the words "court", "family", "Toronto", the father's last name and the children's first names; the father refers to the Society, his caseworker, family court, the children's lawyer and court proceedings; and some episodes are
65 Ibid, at pp. 32, 55.
66 Ibid, at p. 63.
67 Ibid.
68 Catholic Children's Aid Society of Toronto v N. B.-R., [2013] OJ No. 1586 at para. 27 (Crown's Book of Authorities, Tab 5).
shot in front of family court or the Society's offices. Furthermore, if any of the children's names are typed into Google, the search connects the viewers with links to the father's videoblogs.
  1. The content in the above case was created by the children's father. Here, the spreadsheet was made by the FCSLLG. Setting that aside, the information on the spreadsheet could not be linked to children or families with ongoing hearings or proceedings without looking at internal FCSLLG client files. Having one's name on the spreadsheet was not a guarantee of ongoing CAS proceedings. In N. B. -R., because the father's posts referred specifically to his children and to court proceedings, a lay person would be able to conclude that the children were part of a CAS proceeding or hearing.
ii. Mischief to computer data
1. The post did not obstruct, interrupt or interfere with the computer data
  1. The security flaws in the FCSLLG website were not caused by Ms. Denham. They were the result of a poorly designed website where documents that were supposed to be private were actually browseable and viewable through the website itself.
  2. Mr. Lemay testified that regardless of how the security breach had been brought to his attention, he would have taken the website down to fix the problem as a precaution.69
  3. Ms. Row testified that had IT made her aware of the website security issue she would have taken down the website.70
  4. Mr. Schmidt testified that his recommendation in fixing the security flaw was for the FCSLLG to take their website offline.71
  5. The disruption caused by the taking down of the website would have been the same if the security issue had been raised in another manner.
  6. In other words, the FCSLLG would have had to take their website down to address the security issues regardless of how they became aware of the issue.
  7. Further, had the FCSLLG properly implemented Mr. Schmidt's recommendations in February, they would not have had to take down the website in April.
  8. The disruption in the FCSLLG website was not caused by Ms. Denham, it was a necessary step in fixing the security issue.
  9. The Crown relies on Charania as an example of a case where there was obstruction, interruption, or interference with computer data. In Charania, the accused was the employee of a nursing home who remotely accessed the nursing home's computer system by using the Human Resources Coordinator's username and password to forward himself
69 Trial Transcript, supra note 1 at pp. 27-28.
70 Ibid, at p. 48.
71 Ibid, at p. 116.
information.72 The accused's access to his then co-worker's email prevented her from logging in and accessing her own email account at the time of his use.
  1. In Charania the only reason why the co-worker was unable to access her email was because of the accused's actions. In the present case, the website would have had to be shut down in the exact same manner regardless of how the security flaws were made known. Thus, although it was Ms. Denham's posting of the YouTube video and later post on Facebook that led to the website being taken offline, the very same steps would have been taken had the security issue been uncovered in another way. Ms. Denham's actions caused the FCSLLG to do sooner what they would have had to do regardless.
  2. Any loss of access to the FCSLLG website was inevitable in the fixing of the website. The website had to be taken down as a precaution, no matter how the security flaw got brought to the FCSLLG's attention.
2. The FCSLLG's use of the computer data was unlawful
  1. Should this Court find that Ms. Denham committed an offence under the CFSA, then the FCSLLG's use of the computer data is not lawful and this element of the offence cannot be made out.
iii. Unauthorized use of a computer
  1. In order to be found guilty of unauthorized use of a computer, a person must engage in some manner of fraud in their use of the computer system. Ms. Denham's access and downloading of the spreadsheet did not require any fraud.
  2. The FCSLLG website was designed to house both public and private FCSLLG documents. The FCSLLG intended that access to private documents be done through the Board Portal, which required a username and password.
  3. However, private documents were accessible by the general public. This is because the website's directory was left browseable:73
Q. So, we then go to the problem where we say the directory was browseable. I just want to define what that is, okay? What you showed us today is that you go to the U.R.L. at the top, which is the www.fcsllg, right? And, within that there is an address?
A. Correct.
Q. The first part is the F-C-S-L-L-G, which is the website?
A. The domain.
Q. After that it says the word, "WP", which is for WordPress?
A. Yep.
Q. Right?
A. "WP content"
Q. After that it says uploads, correct?
A. Correct.
Q. So, if you know what the word uploads means, which is you upload something to the internet, you put something online, right?
A. Yep, yes.
Q. You would be able to look at uploads, and then after that is a year, a month, and a date?
A. A year and a month, in this case.
Q. So, the logical inference is that's where things are stored based on year, month, and date?
A. Yep, and that's how WordPress operates.
Q. Right
A. That is how WordPress, that is the, the methodology that WordPress uses to store documents that people upload using the content management system.
Q. Correct. Now, once you get there you can go behind the scenes, so to say, and just look at every document, which is what makes it browseable. You can just start clicking...
A. If it is browseable, then yes, you can view it openly. That's correct.
Q. So, you can just start clicking on the different folders, the different months, the different years...
A. Correct.
Q. ...etcetera.
72 R v Charania, 2012 ONCJ 637 (Crown's Book of Authorities, Tab 3).
73 Ibid, at p. 108.
  56. In other words, the private materials on the FCSLLG were publicly accessible. Mr. Schmidt opined that there was no "hack", or any form of fraud used to access the spreadsheet:74
Q. And, at this point you don't know the cause of how this information got out?
A. Correct.
Q. A lot of the time, or sometimes when information gets out it gets out because someone has done something — I'm going to call it dishonest, or nefarious...
A. Mm-hmm.
Q. And, what I mean by that is this, I will define it for you; it's like hacking. So, for example, you download a program, or use certain code, or you do something to get past a username and a password.
A. Breaching passwords, finding an exploit, or something like that, yeah.
Q. Right. But, it requires, one; a certain level of knowledge, right?
A. Mm-hmm.
Q. Yes.
A. Yes.
Q. I know you are nodding, but...
A. Sorry, yes. For the record, yes.
Q. And two; it would require excessive knowledge of a certain amount of dishonesty on your part to try and get past a username and password that is clearly intended to block you?
A. Dishonesty, interest in what's behind it, yes, absolutely.
Q. I'm not talking from a moral sense...
A. Yep.
Q. ...I'm talking from a computer sense, you are trying to get past something that's intended to stop you?
A. That's intended not to be, not to be accessed, yeah.
Q. Right. In this case the directory had no password, nothing in it was intended to stop you from getting to it?
A. That's correct.
74 Ibid, at pp. 105-106.
In accessing the spreadsheet Ms. Denham did not engage in any act of fraud. She did not, for example, guess or obtain a Board member's username and password. She did not "hack" the website or get around any security features.
  1. It is the absence of hacking or other fraudulent access of the website which differentiates Ms. Denham's circumstances from the cases provided by the Crown.
  2. In Livingston, the Ontario Premier's chief of staff and deputy chief of staff enlisted another party, Mr. Faist, to erase data from the hard drives of computers of certain staff members and their own computers. The erased data related to the Premier's decision to cancel and relocate two gas plants. In order to erase the data, Mr. Faist purchased software designed to clean data and had the accused obtain administrative rights to each computer which would allow for installation of this software. The accused got the administrative rights from the Secretary of Cabinet without telling the Secretary the true purpose for needing administrative access to certain computer accounts.
  3. In finding the accused guilty of unauthorized use of a computer, Lipson J stated that:75
The Crown has presented a compelling circumstantial case against Mr. Livingston. The totality of evidence proves beyond a reasonable doubt that he was neither justified nor authorized nor had colour of right to arrange for the wiping of the hard drives of employees of the Office of the Premier, including his own. He was clearly aware of his obligation to retain records with respect to the gas plant issues.
Nevertheless, Mr. Livingston resorted to extreme and unauthorized measures to permanently delete records he and Ms. Miller believed existed on computers in the Office of the Premier. First, he dishonestly obtained administrative rights from the Secretary. Then, using Mr. Faist, a non-OPS consultant, he attempted to destroy data on the hard drives of colleagues who could have saved copies of e-mails or attachments on their computers at a time when FOI requests in relation to gas plant documents were still outstanding and when a Standing Committee Production Order was foreseeable in a new session of the Legislature. [emphasis added]
Mr. Faist's wiping of the OPO computers was not the careful and selective deletion of personal information that the Cabinet Office permitted. Mr. Livingston's plan to eliminate sensitive and confidential work-related data, in my view, amounted to a "scorched earth" strategy, where information that could be potentially useful to adversaries, both within and outside of the Liberal Party, would be destroyed.
75 R v Livingston, 2018 ONCJ 25 at paras. 174-176 (Crown's Book of Authorities, Tab 1).
  1. The accused in Charania was also charged and found guilty of unauthorized use of a computer. The accused used a co-worker's email username and password without her permission. The trial judge found that the accused obtained and used without permission his co-worker's username and password.
  2. Ms. Denham's actions showed no such fraudulent actions. She did not gain access to the FCSLLG documents by requesting access under a false pretense. She did not purchase software to hack the website. She did not obtain the username and password of a Board member in order to access the FCSLLG website.

  1. Ms. Denham's access to the spreadsheet was due to the negligence of the FCSLLG in designing their website. The manner in which Ms. Denham accessed the documents could have been done by any internet user with a basic understanding of how a website address works. In fact, because the FCSLLG did not keep proper server logs, it is possible that other persons accessed the spreadsheet and other confidential information.
  2. There is no evidence that Ms. Denham engaged in any fraud to access the FCSLLG website and spreadsheet.
iv. The Crown's Analogy



  1. The Crown draws an analogy of Ms. Denham's conduct to a person who enters the FCSLLG's office through an unlocked backdoor, enters a private office, discovers a confidential document, takes a picture of it and posts it on the internet. In response to the information being posted, the building is temporarily closed.
  2. This analogy is an oversimplification of the elements needed to prove that Ms. Denham's actions were unlawful.
  3. Mischief to data requires wilful obstruction, interruption or interference with lawful use of computer data. In the Crown's analogy, the temporary closing of the building represents the obstruction, interruption or interference.
  4. The Crown's analogy relies on the assumption that "closing the building" was done because of Ms. Denham's actions and would not otherwise have to be done. This is not the case. The evidence of Mr. Lemay and Ms. Row was that the website would have been taken down regardless of how the security flaw had been brought to the FCSLLG's attention, while Mr. Schmidt added that this was his recommendation.
  5. Thus, there was no choice but to "temporarily close the building". This was not a situation where the FCSLLG would have followed a different course of action had they otherwise become aware of the security flaw.
  1. Unauthorized use of a computer requires fraudulent use of a computer system with the intention to commit mischief to data.
  2. In the Crown's analogy, the trespass onto the private offices by opening a backdoor is the fraudulent element. Fraud in this context means deceit, falsehood, or other fraudulent means. This element is missing from both the Crown's analogy and Ms. Denham's actions.
  3. The trespass on private property described by the Crown, while illegal, would not meet the definition of fraudulent. Access to the building was not gained by lying about one's identity or using another's key. There is no fraudulent activity in walking into an unlocked room. Similarly, Ms. Denham's access to the FCSLLG's confidential documents required no fraud. In the absence of a fraudulent element, the offence cannot be made out.
PART IV — ORDER REQUESTED
  1. That an acquittal be entered on all criminal and Child and Family Services Act offences.
All of which is submitted this 16th day of December 2019.
Fady Mansour
Counsel for Ms. Denham




DID KIM MORROW FORMER DIRECTOR OF SERVICE FOR FCSLLG REALLY SAY...

WATCH THE VIDEO:

https://www.facebook.com/FamiliesUnitedOntario/videos/499149713628131/
