Public Safety Minister Gary Anandasangaree’s Bill C-22 would require ‘electronic service providers’ to adjust their systems to give surveillance and monitoring capabilities to police services and CSIS.Sean Kilpatrick/The Canadian Press
A confidential report for Public Safety Minister Gary Anandasangaree about his lawful-access bill recommended it include a clearly defined role for the watchdog charged with keeping spy agencies in check. But the minister did not adopt the recommendation.
Murray Rankin, a former NDP MP and intelligence watchdog, was tasked by Mr. Anandasangaree with consulting widely and making recommendations before a new version of the federal government’s lawful-access bill was introduced in March. A previous lawful-access bill was shelved last year by the minister in the face of steep criticism.
Mr. Rankin’s confidential report, seen by The Globe and Mail, shows that although the minister accepted the vast majority of his recommendations on Bill C-22, a few were rejected. They included a recommendation that the proposed law clearly define the review role of the National Security and Intelligence Review Agency (NSIRA) as it pertains to lawful-access orders made by the minister.
Bill C-22 would require “electronic service providers,” such as telecoms, internet companies and other digital service providers in Canada, to adjust their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.
It would allow the Minister for Public Safety to issue secret ministerial orders requiring compliance by electronic service providers, which could enable interception and surveillance capabilities.
What to know about Bill C-22, Canada’s proposed lawful-access legislation
In his report, Mr. Rankin recommended that the Intelligence Commissioner of Canada, a quasi-judicial agency that oversees some of Canada’s security and intelligence activities, should have to approve the Public Safety Minister’s orders to electronic service providers before they take effect.
This provision was included in the new version of the lawful-access bill when it was introduced earlier this year.
But Mr. Rankin’s suggestion that the bill, now being discussed in a Commons committee, clarify that NSIRA “may review Ministerial orders and their use” was not accepted.
Mr. Rankin, who was the first chair of NSIRA when it was set up in 2019, told The Globe that the agency’s jurisdiction “should not be diluted or negated in Bill C-22.” Under its current mandate, NSIRA has the legal right to review information related to national security and intelligence, including classified ministerial orders.
Mr. Rankin said the Intelligence Commissioner and NSIRA have different roles, which it would not make sense to duplicate. But he said NSIRA’s jurisdiction to review intelligence matters should remain and “if there is any ambiguity in the bill” about that, it should be clarified.
“I don’t want to dilute the oversight powers that NSIRA has,” he said in an interview Monday.
The spy watchdog has warned that having to request information under Bill C-22’s lawful-access regime, rather than being given it pro-actively, could delay its oversight work.
Google warns lawful-access bill could create major cybersecurity risks
Current NSIRA chair Marie Deschamps told the Commons public safety committee last month that “given the scope of new powers in this bill, timely and effective independent review is essential.”
With Bill C-22, “NSIRA anticipated a review role that would provide timely and direct visibility into how these authorities are used,” she said. NSIRA suggested a number of amendments to ensure it is pro-actively granted access to classified information.
Appearing last week before the Commons public safety committee, which is preparing to discuss amendments to the bill, Mr. Rankin said bringing forward a lawful-access bill is crucial for helping law enforcement and CSIS, and “should preserve operational effectiveness while protecting privacy, Charter values and cybersecurity.”
Simon Lafortune, spokesperson for Mr. Anandasangaree, said “under Bill C-22, NSIRA’s role, in accordance with its enabling legislation, remains that of a review body rather than an oversight or decision-making authority.”
“As it currently stands, approvals for Ministerial Orders appropriately rest with the Intelligence Commissioner. That said, we recognize the importance of timely access to information, and NSIRA will continue to receive relevant material so it can effectively carry out its mandate of reviewing the activities of agencies such as CSIS and the RCMP,” he added in an e-mail.
Mr. Rankin also suggested in his confidential report that the bill include a “Safe Harbour provision” so that companies are not held financially liable if they carry out a lawful-access request at the behest of government. But the government did not adopt the recommendation and companies would not have automatic immunity from any ensuing lawsuits under the bill.
A detailed report submitted to MPs on the public safety committee by senior researchers at the University of Toronto’s Citizen Lab and the Canadian Civil Liberties Association said the bill has “ill defined safeguards and a framework heavily immunized from judicial authorization and control.”
“More than one aspect of the bill is almost certainly constitutionally fatal,” the report concluded, arguing it would not withstand a Charter challenge.
The report raised concerns that technical changes electronic service providers would have to undertake to enable surveillance would risk creating weaknesses that hackers, including those acting for malevolent foreign regimes, could exploit.
The report, co-authored by Kate Robertson, senior research associate at the Citizen Lab, based in the Munk School of Global Affairs & Public Policy, said government agencies “still hold out hope or hubris that surveillance-driven compromises in companies’ secure networks will not be exploited by commercial or state-backed threat actors.”
The Commons public safety committee will on Tuesday hear from secure messaging service Signal, which uses end-to-end encryption. Last month it told The Globe it would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22.