Tech giant Meta warned that Ottawa’s lawful access bill could make companies support government surveillance, and create a framework to capture ordinary Canadians’ private information, even if they have no connection to crime.

Giving evidence to a Commons committee Thursday, Meta’s head of public policy in Canada, Rachel Curran, warned the bill would require companies to install government spyware directly on their systems.

The government has argued that the bill is needed to help law enforcement fight crime, saying Canada is lagging behind G7 countries in not having a “lawful access” mechanism.

Bill C-22 would require telecoms, internet companies and other digital service providers in Canada to adjust their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.

Ms. Curran warned that the technical assistance obligations in the bill “could conscript private companies into service as an arm of the government surveillance apparatus.”

She also voiced concerns that the bill would make Meta and other companies “build or maintain capabilities that break or undermine encryption.”

While the bill aims to guard against risks to encryption by allowing companies to challenge any demands that introduce a “systemic vulnerability,” Ms. Curran said the definition of that type of vulnerability is unclear. Encryption would be defined by regulations issued after the bill is passed.

She added that ministerial orders could override such regulations.

“The technical community’s consensus on this is clear: it is not possible to build backdoors to encrypted systems for law enforcement without creating vulnerabilities that will be – not if – will be exploited by malicious actors,” she said.

“Weakening encryption does not just affect the target of an investigation – it affects every Canadian who depends on secure private communications to bank, access health care, run a business, or simply talk to their family.”

Her comments follow Apple’s decision to speak out publicly about the risks to cybersecurity in the bill. The Canadian Chamber of Commerce wrote to Public Safety Minister Gary Anandasangaree and Justice Minister Sean Fraser earlier this month to warn the bill could threaten encryption and deter investment in Canada.

Ms. Curran said the bill could ultimately make Canadians less safe and put Canada “out of step with our closest allies.”

Last year, France and Sweden abandoned similar proposals, and the EU guaranteed robust encryption protections in its agreement on online safety, she said.

Ms. Curran was among the witnesses to appear before the committee expressing serious concerns about powers in the bill requiring metadata – which could allow Canadians’ movements to be tracked – to be retained for up to a year.

“The bill’s data retention provisions create a framework to capture the private information of ordinary Canadians with no connection to any crime,” she said.

Meta echoed the Canadian Chamber of Commerce, which also gave evidence to the Commons committee Thursday, in suggesting the bill be split, to allow deeper scrutiny of such provisions.

Ms. Curran recommended a number of changes to the bill. They included removing the obligation for companies to add government or third-party surveillance tools or software to their systems.

The definition of “systemic vulnerability” should be strengthened to rule out any requirement that would weaken or break encryption, Ms. Curran added.

Leah West, a Carleton University professor specializing in national security law, cyber operations and counterterrorism who has advised the federal government and spy agencies, told the MPs that Canada’s laws have not kept pace with criminal and national security threats, or the tools to address them.

Ms. West said Canada really needs a lawful access regime, but Bill C-22 “is not there yet,” proposing a series of targeted amendments to improve it.

“Requiring companies to build interception capabilities and retain data that they would not otherwise keep inevitably creates new cybersecurity risks,” she warned. “Every additional access point, every new repository of data, is a potential target.”

She advised strengthening the definition of “systemic vulnerability” and prohibiting the government from weakening it through regulation.

She also suggested prohibiting blanket data retention. The current authority to require data to be held for up to a year could create a cybersecurity risk, she warned.

The bill should also make it explicit that police services and CSIS cannot directly collect or intercept personal or private information from service providers’ systems.

Conservative MP Dane Lloyd asked her about powers requiring companies to enable intercept capabilities, which could allow a remote microphone on a device in someone’s home to be turned on secretly.

Michael Geist, the University of Ottawa’s Canada research chair in internet and e-commerce law, told the committee that there are serious problems with the bill, including requiring metadata – indicating where people have been – to be retained by providers “on every subscriber, regardless of suspicion” for up to a year.

“On a mobile network, that data includes the cell towers each phone connects to and when. Retained at scale, the aggregate amounts to a comprehensive surveillance map of virtually every Canadian: where and when they go and who they interact with,” he said.

A 30-day cap on metadata retention would meet immediate investigative needs, he argued, while a court order could be obtained to extend the time limit.

However, Darcy Fleury, Chief of Police in Thunder Bay, said some investigations can take a long time and ideally metadata should be retained for two or three years.
