The Privacy Commissioner of Canada has recommended changes to the lawful access bill to protect privacy rights, including letting his office investigate data breaches linked to the new powers. Andrej Ivanov/The Globe and Mail
The federal privacy watchdog warned MPs Tuesday that the government’s lawful access bill in its current form poses risks to Canadians’ privacy.
Philippe Dufresne, Privacy Commissioner of Canada, recommended a number of changes to the bill to protect privacy rights, including allowing his office to investigate if data breaches result from application of the new powers in the legislation.
The bill would give the Minister of Public Safety the power to issue secret orders to force electronic service providers to facilitate the interception or retrieval of data to help the police and CSIS with investigations.
At a meeting of the Commons public safety committee, which is scrutinising the bill, tech giants Apple and Google warned MPs the bill could pose threats to both privacy and cybersecurity.
Erik Neuenschwander, Apple’s senior director of user privacy and child safety, told the committee that this is “maybe one of the last times we’re permitted to discuss the consequences of this legislation publicly.”
“That’s because of the bill’s secrecy provisions, which forbid companies like Apple from even discussing the orders we receive with our users or the public.”
Mr. Dufresne asked MPs to create an exemption to secrecy provisions in the bill to allow companies to disclose information to his office and other regulatory bodies, so they can discharge their duties.
Bill C-22 would require “electronic service providers” in Canada to adjust their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.
It could also force electronic service providers – such as phone companies, messaging apps and tech companies – to retain metadata relating to their customers’ activities for up to a year.
The metadata would not include e-mails, web browsing history, social media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
Cybersecurity and tech experts have warned that storing so much metadata could create an enticing target for hackers, including those acting on behalf of malevolent foreign regimes.
The Privacy Commissioner told the committee that he wanted an “overarching requirement” that obligations imposed under the lawful access bill are limited “to what is necessary and proportionate.”
“This would help to ensure that any such obligations – including with respect to the retention of metadata – are tailored to minimize privacy impacts,” he said.
The bill says that an electronic service provider would not be obliged to comply with ministerial orders or regulations if doing so would require the company to introduce a “systemic vulnerability.”
But the privacy watchdog said the definition may currently be too imprecise to minimize privacy and cybersecurity risks. He suggested an amendment to specify that it would not require any action that would render “systemic methods of authentication or encryption less effective.”
Mr. Neuenschwander said “as drafted, this bill allows the government of Canada to force companies to break encryption by inserting back doors into their products – something Apple will never do.”
He said encryption protects Canadians from unlawful surveillance, identity theft, fraud and data breaches, and it should be explicitly protected through an amendment to the bill.
“When you build a backdoor into an encrypted device, anyone can walk through. And because so much depends on encryption, we can’t take that risk,” he added.
Katherine Charlet, Google’s senior director, privacy, safety and security, government affairs and public policy, said the bill’s proposals go beyond other countries’ lawful access regimes, including in the U.S.
Tamir Israel, director of the non-profit Canadian Civil Liberties Association’s privacy, surveillance and technology program, said the proposed lawful access regime is “exceedingly broad” and “applies to any provider of any service that has a digital component.”
He told MPs it would allow the government to impose an array of obligations on electronic service providers “from requiring the ability to covertly reset customer passwords, to requiring an automated tool that generates realistic undercover profiles on social media platforms, to requiring the ability to block a target’s use of encrypted private messaging in order to force the use of insecure alternatives.”
He said the proposed regime poses a significant threat to privacy and cybersecurity.
But Commissioner Thomas Carrique of the Canadian Association of Chiefs of Police told MPs that outdated laws were hampering criminal investigations. The bill could help the police solve crimes such as homicides, human trafficking and drug smuggling, he said, adding “concerns about encryption and cybersecurity” raised by companies and civil society groups “are overstated.”
Brampton Mayor Patrick Brown argued that the bill is crucial to give the police tools to solve crimes, including by extortionists operating internationally.
“For those that have privacy concerns, my message would be: don’t commit a crime,” he said.
Andrew Ullock, board chair of the Ontario Child Sexual Exploitation Investigators Association, which includes police, said the privacy rights of Canadians are important. But he said protecting the privacy of children being exploited online is crucial, and that police are currently using laws introduced in the 20th century.