Public Safety Minister Gary Anandasangaree rises during Question Period in the House of Commons on Wednesday.Spencer Colby/The Canadian Press
After weeks of blowback from tech companies and civil-liberties groups, the federal government says it will amend its controversial lawful access legislation, known as Bill C-22.
The bill, if passed, would give police and the country’s spy agency more powers to track suspects online.
Speaking to reporters last week, Public Safety Minister Gary Anandasangaree said the proposed legislation is about ensuring that law enforcement has the right tools to carry out investigations and “is in line with Canadian values.” The amendments would clarify “the more contentious elements” of the bill after backlash that it infringed on privacy rights.
But the Canadian Chamber of Commerce, privacy and civil-liberties advocates and tech companies, including Apple, Google and Meta have warned that the bill could compromise cybersecurity and users’ privacy.
What is Bill C-22, what is behind the backlash and what other countries have lawful access laws? Here’s what you need to know.
What is Bill C-22?
Bill C-22, introduced as the Lawful Access Act, is proposed legislation that would require telecoms, internet companies and other digital service providers to make changes to their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.
The bill is the federal government’s second major attempt at passing lawful access reform, after widespread criticism of its predecessor, Bill C-2, the Strong Borders Act, which proposed significant amendments to immigration, national security and money-laundering laws. For example, it would have given police and CSIS the ability to demand, without a warrant, information about whether Canadians have used a range of services.
The original bill was sharply criticized for threatening personal privacy, causing the Public Safety Minister to strip apart Bill C-2 last October and introduce a version without the lawful access proposals.
Bill C-22, which was introduced in March, is the government’s latest push at lawful access legislation, though law enforcement and CSIS have been pushing for it for years. The current bill only applies to internet access and telecoms companies and specifies that a demand from CSIS or law enforcement must not be made if it might lead to the disclosure of medical information or information protected by solicitor-client privilege. As well, it would limit the scope of warrantless demands to a “yes” or “no” answer about whether a person, such as someone with a particular phone number, uses their service.
Here are other features the bill would include:
- It would force “electronic service providers” – such as phone companies, messaging apps and tech companies – to adapt their systems and install “technical capabilities” to give the providers access to Canadians’ communications and data. But such ministerial orders would be subject to the approval of Canada’s intelligence commissioner. The definition of “an electronic service provider” is currently so broad that Google and other companies have said it could apply to a huge range of entities, possibly including ordinary businesses outside tech and telecom companies.
- It would require telecoms and other tech companies to retain metadata relating to their customers’ activities for up to a year. The metadata would not include e-mails, web-browsing history, social-media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
- It would also enable CSIS and law enforcement to find out precisely which phone company a person of interest uses, speeding up the ability to get a targeted warrant to obtain more information.
- It would allow a warrant to be requested to track someone’s location, for example, by using their phone or a computer program.
- It would also require the publication of reports about the use of these new powers, including on how many such orders have been issued or turned down.
What have Ottawa and CSIS said about Bill C-22?
The federal government has said Bill C-22 would help police and security services track and identify people who may be using tools such as online chat apps or internet services to commit crimes or threaten national security.
Mr. Anandasangaree said at the bill’s announcement that the reforms would bring the country’s lawful access laws up to date, as the country is “woefully behind” other G7 countries. He has also said that law-enforcement agencies are “really struggling” with crimes, including extortion, sextortion and childhood sexual exploitation, because technology is outpacing the capabilities of police.
Canada’s spy agency CSIS said in an interview with The Globe and Mail that the lack of a “lawful access” regime has frustrated its ability to help foreign intelligence partners combat transnational threats. Meanwhile, RCMP Superintendent Nicolas Gagné said access to such metadata could be useful to track and identify people, including at the scenes of shootings.
Privacy Commissioner Philippe Dufresne recommended a number of changes to protect privacy rights.Adrian Wyld/The Canadian Press
The bill, which is currently being scrutinized by the House of Commons public safety committee, has garnered criticism from opposition MPs, tech companies and civil-liberties groups about user data and encryption. As a result, Mr. Anandasangaree said on Wednesday that Ottawa will amend the bill to make it clear that encryption would not be compromised by the new law – but will not budge on requiring electronic service providers to retain up to a year’s worth of metadata.
The federal privacy watchdog told the committee earlier last week that the bill in its current form poses risks to Canadians’ privacy. Philippe Dufresne recommended a number of changes to protect privacy rights, including allowing his office to be informed if data breaches result from the application of the new powers. Critics, including Apple, have expressed concern that the bill allows the safety minister to issue secret orders.
Which groups are against the lawful access bill?
EXPERTS:
Cybersecurity and tech experts have warned that the lawful access bill would require the storage of vast amounts of metadata, which would be an enticing target for hackers and those acting on behalf of malevolent foreign regimes. Some telecom providers don’t collect metadata or retain it for long, but they could be asked to keep it for up to a year.
Experts are warning that the bill could allow hackers to exploit architecture inserted into electronic systems, including those belonging to internet and telecoms companies, making phones and laptops more vulnerable.
BUSINESS:
Canada’s largest business association has warned the federal government the bill could introduce security vulnerabilities in digital systems and suggests revisions to the bill to “explicitly protect encrypted networks.”
Many tech companies use encryption to protect customers’ personal data and to shield people from unlawful surveillance, identity theft and fraud.
The Canadian Chamber of Commerce – which represents 200,000 businesses across Canada and whose members include Rogers, Telus, BlackBerry, Microsoft, Meta, Apple and Google – said in a letter that, as drafted, Bill C-22 “presents considerable risks to Canadian businesses, investment and the integrity of data systems.”
APPLE, GOOGLE AND META:
Tech companies, such as Apple, Google and Meta, have individually voiced their concerns, saying its metadata requirements could weaken or break encryption and create implications for users’ privacy.
“This legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products – something Apple will never do,” the company warned in a statement.
Google said it has “significant concerns” about parts of the bill, including wording that “gives the Minister of Public Safety sweeping powers to issue secret orders” to facilitate the interception or retrieval of data.
Meta’s head of public policy in Canada, Rachel Curran, warned that the bill would require companies to install government spyware directly on their systems and create a framework to capture ordinary Canadians’ private information, even if they have no connection to crime. She also voiced concerns that the bill would make Meta and other companies “build or maintain capabilities that break or undermine encryption.”
Are companies threatening to leave Canada as a result?
In short, yes. There have been at least two companies so far that have said they would leave the country over the federal bill – private messenger app Signal and Canadian online privacy company Windscribe.
Signal, which uses end-to-end encryption, warned it would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22. Udbhav Tiwari, Signal vice-president of strategy and global affairs, said the company has deep concerns and “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.”
Meanwhile, Toronto-based Windscribe has started looking at moving to another country because of Bill C-22. Chief executive Yegor Sak said in an interview that if the bill became law, it would be “impossible” for the company to maintain its existing privacy policy, which promises users it does not collect data about them.
“It basically forces us to leave Canada as our home jurisdiction,” he said.
Do other countries have lawful access regimes?
Yes, all other G7 countries (France, Germany, Italy, Japan, the United Kingdom and the United States), the Five Eye partners (Australia, New Zealand, the United Kingdom, and the United States) and most European countries have access to lawful access frameworks, according to the government of Canada website.
The U.S. has a lawful access law that is not as broad as the powers proposed in Canada’s bill. It requires telecom companies and internet service providers to design their networks to facilitate government wiretapping, but it does not apply to “electronic service providers” or require metadata to be stored for up to a year.
What’s next?
The Public Safety Minister told reporters last week that the government is “working on a number of amendments.” He said the new wording would be very similar to language in the U.S. lawful access law, which is narrower in scope than Canada’s proposed regime.
Mr. Anandasangaree said the government is “looking at” tightening up the definition of a systemic vulnerability in response to concerns raised. He also indicated that he would be prepared to clarify wording on providing compensation for companies asked to make changes to their systems to aid law enforcement and CSIS.
Ruby Sahota.Supplied
The Conservatives and Bloc Québécois have asked for more time to consider the complex bill at committee, blaming the government for rushing it through with only three meetings to question experts.
Meanwhile, Ruby Sahota, Secretary of State for Combatting Crime, has been arguing for the bill. During a Commons debate in April, she said she thought law enforcement would want even broader powers than Bill C-22 would usher in, saying “that is something we can work on, with this as a first step.”
“We need to get this passed in order to take those other steps in the future. I would be open to going further in the future as well,” she said.
With reports from Marie Woolf.