Minister of Public Safety Gary Anandasangaree speaks during a press conference at Cartier Square Drill Hall in Ottawa. Spencer Colby/The Canadian Press

A major professional hacking company is among cybersecurity experts warning that the government’s lawful access bill could create vulnerabilities ripe for exploitation by criminals.

Packetlabs, an ethical hacking company that simulates real-world cyberattacks against organizations to find security weaknesses, is also cautioning that Bill C-22 could weaken encryption.

The white hat hacking company has tested the cybersecurity of clients including fighter jet manufacturers, the federal government, and 911 systems. It is among the tech experts warning that, especially with AI boosting the capabilities of hackers, Bill C-22 has the potential to make malevolent penetration of Canadian systems easier.

Bill C-22, which is being scrutinised by the Commons public safety committee, would require telecoms, internet companies and other digital service providers to make changes to their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.

The government has argued that Canada is dragging behind other G7 countries in not having a lawful-access regime. It brought in Bill C-22 following calls from law enforcement and CSIS for more powers, including to identify suspects’ locations and their activity in the digital space.

But cyber security experts and businesses, including Apple – whose products include iPhones, iPads and smart watches – have warned that the proposed changes risk creating a weakness that malevolent actors could exploit.

Richard Rogerson, CEO, founder of Packetlabs and co-chair of the Canadian Chamber of Commerce’s Cyber Security Council, said in a statement that from a cybersecurity standpoint, the idea of a ‘secure backdoor’ is a contradiction. He added that the bill “would require engineers to enable access to encrypted systems for law enforcement without degrading their integrity, something that isn’t technically feasible.

“Any such mechanism would create vulnerabilities that threat actors could also exploit. Criminals are increasingly sophisticated and we should not miss the mark on this important legislation,” Mr. Rogerson added.

Among the ethical hacks his company carried out was to test the security of a bank. It gave Packetlabs access to a test card with $500 and the hackers found a way to turn it into $150,000. In a test for an oil and gas company, it compromised a gas station with the ability to change gas prices to 0.01c/l at any pump.

A widespread cyberattack in the U.S. in 2024 resulted from changes made under its lawful access regime. The Salt Typhoon hackers, alleged to have been working on behalf of the Chinese state, exploited a lawful intercept infrastructure that U.S. telecoms were required by law to build.

They were able to intercept phone calls and text messages, reported to include a number of top U.S. officials, president-elect Donald Trump and vice-president-elect JD Vance.

Natalie Campbell, senior director at the Internet Society, a global charity that promotes a secure and open internet, warned the bill will make Canada a bigger target for cybercriminals.

“There’s no such thing as a backdoor that only ‘good guys’ can walk through. C-22 would force online services to weaken encryption, creating backdoors that are open to anyone that can find them,” she said in an email. “Cybercriminals can now spot and exploit these vulnerabilities at near-lightspeed thanks to AI-powered hacking tools.”

The bill requires “core providers” – to be later defined through regulations – to retain metadata for up to a year, which tech experts have warned could prove a new and valuable target for hackers.

The metadata would not include e-mails, web-browsing history, social-media activity or text messages.

Kim Chandler McDonald, global vice president of the non-profit Cybersecurity Advisors Network, warned the bill could “increase systemic vulnerability across communications platforms, cloud services, and encrypted business systems.”

Matt Hatfield, director of OpenMedia, a non-profit that advocates for widespread and inexpensive internet access, said: “Canada asking our most sensitive services to develop new security vulnerabilities at the exact same time that frontier AI models are becoming extremely capable security vulnerability exploitation systems would be extraordinarily reckless.

“All electronic service providers can be ordered to accept surveillance devices being added to their systems if the government wants them to do so” under the provisions in Bill C-22, he added.

Tamir Israel, director, privacy, surveillance and technology program, at the Canadian Civil Liberties Association, warned that the bill could enable surveillance using everyday electronic devices, including phones, software in cars and cameras on people’s doorsteps.

He added that in most instances the government would need court orders to do that. But he warned that the new capability could be exploited by “malicious cybercrime syndicates or foreign spy agencies.”

Simon Lafortune, spokesperson for Public Safety Minister Gary Anandasangaree, said the government “categorically rejects claims that Bill C-22 would enable the surveillance of Canadians through everyday devices such as cars, home cameras or smart TVs, or that it would require companies to introduce so-called ‘backdoors’ into their products so that the government could gain access to customer data.”

He said the bill “does not grant the government new powers to indiscriminately access private devices or communications.”

“Any lawful access to information would continue to require appropriate legal authorization, such as a warrant issued by an independent court.”
