Canada’s largest business association has warned the federal government its lawful-access bill risks weakening or breaking encryption and could introduce security vulnerabilities in digital systems.
In a letter to Public Safety Minister Gary Anandasangaree and Justice Minister Sean Fraser, the Canadian Chamber of Commerce says that, as currently drafted, Bill C-22 “presents considerable risks to Canadian businesses, investment and the integrity of data systems.”
The bill would require telecoms, internet companies and other digital service providers to make changes to their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.
The government has argued that Canada is dragging behind other G-7 countries in not having a lawful-access regime. It brought in Bill C-22 to introduce such a regime following calls from law enforcement and CSIS for more powers, including with identifying suspects’ locations and their activity in the digital space.
Lawful access bill could create vulnerabilities for hackers, experts warn
However, the letter from the chamber of commerce, which represents 200,000 businesses across Canada, including telecoms and tech giants, expresses concern about the scope of the bill, saying “to our knowledge, no comparable jurisdiction in the Western world has adopted lawful access provisions of this breadth.”
The United States, for instance, specifically excluded information systems from its lawful intercept law, the Communications Assistance for Law Enforcement Act, the letter says.
Signed by David Pierce, the chamber’s vice-president, government relations, the letter says: “This divergence risks undermining Canada’s attractiveness to foreign investment and raises concerns about the security and privacy of data stored and transmitted through digital systems in Canada.”
It says that the chamber and its members recognize the importance of equipping law enforcement with the legal framework to address evolving threats.
But the letter expresses concern that, as currently worded, the bill could be used to “require companies to create a back door, which would place encrypted systems at risk.” It says Canada should embrace strong encryption to catalyze growth of the Canadian tech sector.
Ottawa limits scope of lawful access bill after outcry
Bill C-22, which is about to enter committee hearings in the House of Commons, is a refined version of a previous bill that was stopped in its tracks last year following concerted criticism from tech experts and civil-liberties advocates about overreach. Previous federal governments have tried to bring in lawful-access regimes but have failed because of opposition, including about threats to privacy.
Experts are concerned that the current bill is being rushed through the Commons with only three sessions devoted to testimony from experts in committee. A motion was passed on Thursday by the committee on public safety and national security to dedicate 10 hours in three meetings to hearing witnesses, including the Public Safety and Justice ministers.
Simon Lafortune, a spokesman for Mr. Anandasangaree, said: “We look forward to Bill C‑22 proceeding through the usual parliamentary process and being studied in committee, where witnesses, including the Canadian Chamber of Commerce, will have the opportunity to provide their perspectives to the committee in person or by written submission.”
He said a modern lawful-access framework would give law-enforcement agencies “the legal tools they need to disrupt organized crime networks and protect Canadians.”
The Canadian Chamber of Commerce, whose members include Rogers, Telus, BlackBerry, Microsoft, Meta, Apple and Google, suggests the government make revisions to the bill to “explicitly protect encrypted networks.” It says that requiring access to digital systems could introduce systemic vulnerabilities that could expose private and public-sector systems to “unacceptable cybersecurity risks.”
Opinion: Canada’s playing catch-up on digital lawful access
Ruby Sahota, Secretary of State for Combatting Crime, has been arguing vociferously for the bill. During a Commons debate last month, she said she thought law enforcement would want even broader powers than Bill C-22 would usher in, saying “that is something we can work on, with this as a first step.”
“We need to get this passed in order to take those other steps in the future. I would be open to going further in the future as well,” she said.
Tech experts have warned that the changes proposed in Bill C-22 could allow hackers to exploit architecture inserted into electronic systems, including those belonging to internet and telecom companies.
They have warned that the requirement for “core providers” – to be later defined through regulations – to retain metadata for up to a year could prove a new and valuable target for hackers.
The metadata would not include e-mails, web-browsing history, social-media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
The chamber of commerce suggests a series of amendments to the bill, including restricting the long-term retention of metadata. It recommends using targeted, time-limited preservation orders for metadata to reduce security risks.