
Bill C-22 would require telecoms, internet companies and other digital service providers to make changes to their systems to give surveillance and monitoring capabilities to the police and CSIS. Fred Lum/The Globe and Mail
Canada’s lawful access bill risks making Canada’s telecoms and internet providers, as well as phones and laptops, more vulnerable to hackers, including foreign intelligence services with malevolent intent, tech and legal specialists are warning.
Bill C-22, introduced by Public Safety Minister Gary Anandasangaree last week, would require telecoms, internet companies and other digital service providers to make changes to their systems to give surveillance and monitoring capabilities to the police and the Canadian Security Intelligence Service.
But experts are warning that the lawful access regime could allow hackers to exploit architecture inserted into electronic systems, including those belonging to internet and telecoms companies.
They are also warning that the requirement in the bill for “core providers” – to be later defined through regulations – to retain metadata could prove a new and valuable target for hackers.
The metadata would not include e-mails or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
Experts including Natalie Campbell, senior director at the Internet Society, a global charity that promotes a secure and open internet, pointed to a widespread cyberattack in the U.S. in 2024 that resulted from changes made under its lawful access regime.
The Salt Typhoon hackers, alleged to have been working on behalf of the Chinese state, exploited a lawful intercept infrastructure that U.S. telecoms were required by law to build.
The hackers penetrated multiple major U.S. telecommunications companies, giving them access to their networks for months. The attackers were able to intercept phone calls and text messages, reported to include a number of top U.S. officials, president-elect Donald Trump and vice-president-elect JD Vance.
To protect against hacking and weakening system security, Bill C-22 says that providers would not need to make changes that could create a systemic vulnerability in a system.
But experts say that, as currently worded, this is not broad enough to ensure Canada’s systems would be secure.
Matt Hatfield, executive director of Vancouver-based OpenMedia, a non-profit that promotes a surveillance-free internet, warned that intercept infrastructure created to help law enforcement gain information with a warrant could become the entry point for unauthorized foreign access.
He said the lawful access regime proposed in Bill C-22 is broader in scope than the one in the U.S., the Communications Assistance for Law Enforcement Act (CALEA).
“The vulnerability C-22 creates could exist in far more targets than CALEA, such as Cloud companies, messaging services and other online services. And the resulting dataset, sitting in a provider’s infrastructure under a mandated retention obligation, is an extraordinarily attractive target for exactly the kind of persistent network intrusion Salt Typhoon demonstrated,” he said in an e-mail.
“Fundamentally, you cannot build a door that only opens for Canadian law enforcement. Once the architectural capability exists, it is a target. Who exploits it first is a question of which adversary is most capable and most motivated, including Chinese, Russian and other state actors we know are actively targeting Western telecommunications infrastructure.”
Tamir Israel, director of the Canadian Civil Liberties Association’s privacy, surveillance and technology program, said “the breadth and complexity of the obligations that could be imposed on any digital service provider through this regime dwarfs the obligations that led to compromise of U.S. service providers.”
“This vastly multiplies the likelihood that this could create a vulnerability that could be exploited by our adversaries or cybercriminals,” he said.
Michael Geist, the University of Ottawa’s Canada Research Chair in Internet and E-Commerce Law, said “concerns regarding vulnerabilities and scope creep are real.”
“Without greater precision, this could be used to target user devices or ultimately make networks less secure,” he said.
David Pierce, vice-president of government relations at the Canadian Chamber of Commerce, said his members, which include Canadian telecoms, understand the need for law enforcement to have a lawful access regime. But he said ensuring that encryption is not compromised and that data are not made vulnerable are key concerns of the business community.
“One of the things on the metadata, is that by telling [internet service providers] they have to hold that data, they become a cybersecurity target, so that is a consideration that needs to be thought through,” he said.
Some telecoms providers don’t collect metadata or retain it for long, but they could be asked to keep it for up to a year.
Leah West, an expert in national security law and cyberoperations at Carleton University, said making changes to a system risks it becoming susceptible to “bad actors” too.
She said, although there are safeguards in the bill and a system of oversight, “there could be room to tighten the definition of systemic vulnerabilities” when the bill enters its committee stage.
The bill currently defines it as “a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.”
The bill could allow the minister to later refine what counts as a vulnerability through regulation.
But Robert Diab, a law professor at Thompson Rivers University who specializes in law and technology, said “at minimum, a much stronger, more comprehensive definition that can’t be reinterpreted by the minister later would be an improvement.”
“I’m not sure it would be good enough, but it would at least be a minimum necessary improvement from where we are at.”