Sunday, March 15, 2026

Lawful Access is back: Part 1 is much improved but Part 2 is deeply problematic


The latest attempt at so-called “lawful access” has just dropped in the Parliament of Canada. I have a few things to say about it. It’s better than the government’s last attempt, but take a moment and consider this: 


If Bill C-22, the Lawful Access Act, 2026, becomes law, the government of Canada will be able to secretly order Apple to build into its infrastructure a capability that lets Canadian law enforcement and national security folks track every iPhone, every iPad, every Apple Watch, every Apple AirPod and every AirTag in real time.


Then they’ll be able to require Apple to confirm whether it provides you with any services.


Then they can go to a justice of the peace and get an order – without actually believing that a crime has been or will be committed – requiring Apple to hand over EVERY device identifier for every device you use with its services. That’s the digital ID for your iPhone, iPad, Apple Watch, Apple AirPod, Apple TV and AirTag.


With that information, they can go back to the judge and get an order – again without actually believing that a crime has been or will be committed – requiring Apple to give them the moment-by-moment locations of all your devices. 


Oh, and that secret order also requires Apple to keep your location history for a full year, so the cops can get that too. Is that a power we want Canadian police and law enforcement to have?

For literal decades, Canadian law enforcement and national security folks – working through both liberal and conservative governments – have tried to give cops and spies easier access to information about Canadians, and to plug directly into our digital infrastructure to get access to data. 

You might be thinking … “Didn’t we just do this?” 

Yes, that’s true. [A summary of the previous attempts at “lawful access”: https://blog.privacylawyer.ca/2025/06/past-canadian-lawful-access-attempts.html.]

In 2005, Liberal PM Paul Martin’s Justice Minister Anne McLellan introduced Bill C-74, called the “Modernization of Investigative Techniques Act”. It didn’t pass.

In 2009, Conservative prime minister Stephen Harper’s Minister Peter Van Loan introduced Bill C-47, named the “Technical Assistance for Law Enforcement in the 21st Century Act”. It also did not pass.

A couple of years later, in 2011, Conservative Stephen Harper’s Minister of Public Safety Vic Toews tabled Bill C-52 in Parliament. This attempt was called the “Investigating and Preventing Criminal Electronic Communications Act”. Shocker – it did not pass.

Apparently a sucker for punishment, Minister Vic Toews then tried another kick at the can the next year with Bill C-30, which was branded as the “Protecting Children from Internet Predators Act”. Yup, you guessed it – this did not pass.

Fast forward to 2025 … The very first substantial bill of the Prime Minister Mark Carney government was tabled by Public Safety Minister Gary Anandasangaree. That was Bill C-2 called the Strong Borders Act. Almost ten years dead, “lawful access” was pulled from its grave, crammed into Parts 14 and 15 of a border bill, only to be thrown back on the trash-heap. It never made it to committee because of the backlash over privacy.

I did a couple of episodes on how problematic Bill C-2 was. (Part 14 and Part 15.) It was universally panned and it was clear that it would not make it through the minority Liberal Parliament. Not to be deterred – but to his credit – the Minister of Public Safety went back to the drawing board to try to find a way to make it minimally palatable so that it could make it through Parliament. Notably, the current Parliament is not as “minority” as it was when Bill C-2 was introduced.

I’m going to go through the Bill to let you know what it contains and what it is supposed to do. I’ll try to highlight the differences between what was attempted earlier in Bill C-2 and the changes they’ve made for Bill C-22, and I’ll also talk about what’s different from the current status quo. 

The bill is in two parts, which parallel Parts 14 and 15 of Bill C-2, the Strong Borders Act. In going back to the drawing board, I think the government has largely fixed the big problems with what was Part 14, related to warrantless information demands and new production order powers. But I think that Part 2 is still a HUGE issue.

Part 1 is called “timely access to data and information”. 

It contains some amendments to the general search warrant provisions of the Criminal Code to permit the examination of computer data in conjunction with the execution of a warrant when it's authorized by a judge. The status quo, as I understand it, would require the seizure of the computer, returning to court and then getting further authorization to search it. This creates a bit of a one-stop shop. Criminal law practitioners may have more to say about this provision.

The rest of Part 1 largely deals with new information demands and production orders. I should note at the outset that all the new information demands and production orders are equally available to the Canadian Security Intelligence Service as they are to the police. I’m just going to go through each of them once, rather than dealing with the Criminal Code and CSIS Act amendments separately. 

The first significant new power that the bill confers on law enforcement and CSIS is something called a “confirmation of service demand”. Something similar was in Bill C-2, but this has been significantly scaled back. Essentially, the new section 487.0121 will allow any peace officer or any public officer to make a demand to a telecommunications service provider requiring them to confirm whether or not they provide or have provided telecommunication services to any subscriber or client. This could be done using the person's name, account identifier, IP address or telephone number.


Confirmation of service demand

487.0121 (1) A peace officer or public officer may make a demand in Form 5.0011 to a telecommunications service provider requiring them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand.

The conditions for making the demand are actually quite low, being “reasonable grounds to suspect” that a federal offence has taken place and that the confirmation that is demanded will assist in the investigation of the offence.


Conditions for making demand

(2) The peace officer or public officer may make the demand only if they have reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the confirmation that is demanded will assist in the investigation of the offence.

The telecommunications service provider simply has to provide a yes or no answer: do they or do they not provide services to that person or in relation to that identifier? This is MUCH better than what was in Bill C-2. The revised demand can only be presented to a telecommunications service provider. The Bill C-2 version could have been made to anyone who provides services to the public, including a doctor’s office or a law firm. The previous version would have required – without a warrant – producing information about the nature of the services and anybody else that the service provider knew who might also provide services to that person.

In Bill C-22, this is much more tailored and focused only on telecommunication service providers or TSPs. 

I'm actually surprised that it doesn't include a requirement to confirm the municipality or location where the services are provided, because it's my understanding that a large part of the justification for this in the first place was so that the police would be able to determine not only whether this service provider is the right person to send a production order to, but also who is the local police of jurisdiction. On a daily basis, the RCMP in Ottawa receive international reports related to criminal activity in Canada, such as dissemination of child abuse imagery, and that report only includes an IP address or account identifier. That information does not necessarily tell them who is the local police of jurisdiction to refer the file to. I guess the government was so sensitive to the pushback they received on Bill C-2 that they removed what seemed to be pretty innocuous information, which had a compelling justification.

While I think this is much improved, I am still very concerned that any peace officer or public officer who makes a demand is able to impose a non-disclosure condition for up to one year. That is a significant period of time. I would much prefer it if it was something short like 30 days, and the officer could go to court to get it extended. 


Non-disclosure

(6) The peace officer or public officer who makes the demand may impose conditions in the demand prohibiting the disclosure of its existence or some or all of its contents for a period not greater than one year after the day on which the demand is made. The peace officer or public officer may impose the conditions only if they have reasonable grounds to believe that the disclosure during that period would jeopardize the conduct of the investigation of the offence to which the demand relates.

Not surprisingly, they have included in subsection (12) a provision that says a peace officer or public officer can just ask a telecommunications service provider to voluntarily provide the confirmation, and this confirmation can be provided as long as the TSP is not prohibited by law from providing it. Then it goes on to say that the TSP that provides a confirmation in these circumstances does not incur any liability for doing so. The Bill has other, similar safe harbours for voluntary disclosure, but related to much more sensitive information.


Request for confirmation

(12) Despite subsection (1), no demand under that subsection is necessary for a peace officer or public officer to ask a telecommunications service provider to voluntarily provide the confirmation referred to in that subsection if the telecommunications service provider is not prohibited by law from providing it. A telecommunications service provider that provides a confirmation in those circumstances does not incur any criminal or civil liability for doing so.

The main feature in my view of Part 1 is a new “production order for subscriber information”. 

Before we get into it, it's really important to note that the Criminal Code currently provides for something called a general production order, by which a cop can go to a judge and, if they have reasonable grounds to believe a crime has been committed or will be committed, get an order requiring a third party to produce records that are listed in the production order. On a daily basis, police seek and obtain subscriber information using these production orders. What is different here, mainly, is significantly lowering the threshold so that the officer only has to have reasonable grounds to suspect an offence has been committed. They don't even have to have reasonable grounds to believe it has been committed. They don’t even have to believe that a crime has been or will be committed.

Reasonable grounds to suspect doesn’t mean that they actually have to suspect a crime, it just means they have reasonable grounds that could make someone suspect a crime. This is extremely low. 

So the new section 487.0142 says that on an ex parte application made by a peace officer or a public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.


Production order — subscriber information

487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Unlike the confirmation of service demand, this is not limited to telcos. This can involve anyone who provides services to the public. So this does include doctors’ offices, hotels, grocery stores and banks.

You will see that in subsection (2), it says that before making the order the justice or judge must be satisfied by information on oath that there are reasonable grounds to suspect an offence has been or will be committed under the Criminal Code or any other Act of Parliament and that the subscriber information is in the person's possession or control and will assist in the investigation of the offence.


Conditions for making order

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.004 that there are reasonable grounds to suspect that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

You should also note that this is not limited to serious crimes. These powers can be used for any offence under federal law, such as offences under the National Parks Act, like sleeping outside of a campground. 

It is also important to understand what is included in “subscriber information”, and I will note some of the differences from Bill C-2 to Bill C-22. The bill says: 


subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.

In Bill C-2, subscriber information included any information provided by the customer to the service provider in order to obtain the services. This could have included banking information and passwords. It could have included medical information. Remember, such an order can be directed to a medical clinic. When you go to a clinic for the first time, you fill out a pretty detailed form related to your medical history, and that would be in the category of “information provided by the customer in order to receive the services”. Thankfully, that has been removed. The definition of subscriber information is much more scaled back in Bill C-22, but information about the “types of services provided”, along with device and equipment identifiers, can be sensitive information that goes beyond merely identifying a possible suspect. For many people, their internet service provider is also their cable TV provider. Do those “services” include premium pay-per-view access? Hmm? Scaled back, but still a bit too far.

This new bill also includes quirky “foreign entity information requests”. These are kind of weird because what it amounts to is an application to court to get permission to make a request, which is voluntary, to a foreign entity that provides telecommunications services. 

So what they end up with is a piece of paper asking an entity to voluntarily provide subscriber information. It is not an order requiring the entity to produce the information, but it does have judicial approval in Canada. This is intended to address the question of whether Canadian orders can be enforced outside of Canada, or more accurately avoid that question entirely. It should be applicable where voluntary disclosure can be obtained and where the service provider wants to be sure that there is some third-party judicial approval. It also should mean that whatever information is obtained can be used in a Canadian court, because Canadian police have been authorized by a judge to obtain it. Personally, I think this is a really clever solution for a real issue.

Subsection 4 of this provision says that the production request can be required to include information required by the foreign entity, the foreign state or any magic words that are required by an international agreement or arrangement to which Canada and the foreign state are parties.

Earlier I mentioned the gag orders that can accompany a confirmation of service demand. Part 1 also amends the existing section 487.0191 of the Criminal Code to authorize a judge, on an ex parte application, to issue a gag order related to confirmation of service demands. 

Part 1 of Bill C-22 also affects the scheme for judicial review of production orders generally, not just this new production order for subscriber information. It compresses the timeline during which the recipient of a production order is able to seek judicial review, in order to have it modified or revoked. That deadline will be “within 10 business days after the day on which the order was received”. In Bill C-2, it was way shorter – five days after the order was issued – and actually seemed to be designed to prevent the judicial review of production orders. I have seen production orders served more than five days after they are issued, so it would be too late by the time you received it. Ten business days is still pretty short, but much more reasonable than what was in the Strong Borders Act.

Part 1 of Bill C-22 also tweaks the existing provisions in the Criminal Code related to voluntary disclosure of information from any person to the police or a public officer. It says that documents or information can be provided voluntarily and it also says that no person incurs any criminal or civil liability for doing so. 


For greater certainty

487.0195 (1) For greater certainty, no preservation demand, preservation order, keep account open or active order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving, to voluntarily keep an account open or active that the person is not prohibited by law from keeping open or active or to voluntarily provide a document or information to the officer that the person is not prohibited by law from disclosing.

No civil or criminal liability

(2) A person who preserves data, keeps an account open or active or provides a document or information in those circumstances does not incur any criminal or civil liability for doing so.

It's kind of extra weird because subsection (1) says “hey you can voluntarily provide it if a law doesn't prohibit you from voluntarily providing it”. Then subsection (2) says if you provide it, you will have no criminal or civil liability. If no law prevented them from providing it, why do they need immunity from criminal or civil liability? 

This actually does NOT fix the issue that arose in the Supreme Court of Canada case of R v. Bykovets. In that case, a payment service processor voluntarily provided IP address information related to suspected fraudulent transactions, and the Supreme Court of Canada said that the police were not able to use that information or even obtain it without a production order. This does nothing to address that issue. The Bykovets issue is still there.

We then have a new subsection (3) that says: 


For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.0121, is necessary for a peace officer or public officer to receive any information from a person or a telecommunications service provider, as the case may be, who is lawfully in possession of it, and to act on the information, if the person, without being asked for it, provides it voluntarily or is required by law, including a law of a foreign state, to provide it.

There’s also a new subsection (4), which says:


For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.0121, is necessary for a peace officer or public officer to receive, obtain and act on any information that is available to the public.

This seems pretty similar to what was included in Bill C-2, and received a lot of criticism. A number of smart folks were very concerned that hacked information and data leaks are included in what would be considered information that is available to the public. Should the police have the ability to exploit data that became public unlawfully? But here they can use it willy-nilly. I share this concern. 

Bill C-22 also amends the current provision in the Criminal Code related to what are called “exigent circumstances”. Police can search and demand a whole range of data without a warrant or a court order if the conditions for obtaining an order exist, but by reason of exigent circumstances it would be impracticable to obtain an order. It is not all that new, but just extends the authorities to include the new production order powers. 


487.11 A peace officer or public officer may, in the course of their duties,

(a) exercise any of the powers described in section 487 [search warrants], 492.1 [tracking warrants] or 492.2 [transmission data recorder] without a warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant; or

(b) seize any subscriber information that may be the subject of an order made under subsection 487.0142(1) [subscriber information] or any data that may be the subject of an order made under subsection 487.016(1) [transmission data] or 487.017(1) [tracking data] if the conditions for obtaining an order exist but by reason of exigent circumstances it would be impracticable to obtain an order.

We will see that tracking things and tracking people is a theme of this bill. Bill C-22 adds a new subsection to section 492.1 related to tracking orders. These are orders that are obtained from a judge authorizing a police officer or a public officer to obtain tracking data related to a person or a thing. Subsection (2.1) is being added to permit an authorization to track other things that might be associated with a person where that thing might not have been known to the officer at the time.


Tracking similar things

(2.1) A justice or judge who authorizes a peace officer or public officer to obtain tracking data that relates to the location of a thing that a person uses, carries or wears may, in the warrant, authorize the peace officer or public officer to obtain tracking data that relates to the location of any similar thing that is unknown at the time the warrant is issued if the justice or judge is satisfied that there are reasonable grounds to suspect that the person will use, carry or wear that similar thing.


Scope of warrant

(3) The warrant authorizes the peace officer or public officer, or a person acting under their direction, to install, activate, use, maintain, monitor and remove the tracking device, including covertly. The warrant also authorizes a person acting under the direction of the peace officer or public officer to obtain the tracking data that is authorized to be obtained under the warrant.

I can imagine this would include getting an order to track somebody's vehicle, and to add on authority to track their phone and maybe their smartwatch. Subsection (3) is also amended to say that an officer can authorize somebody else to obtain the tracking data authorized to be obtained under the warrant. 

Parallel amendments are made to the similar Criminal Code provisions related to transmission data warrants.

So that's largely what is in Part 1 of the new Lawful Access Act, 2026. As you can see, while there are some things to quibble over, it is a significant improvement over what was in Part 14 of the Strong Borders Act.

Now we are going to look at Part 2, which I think is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves. 

In a nutshell, Part 2 will require a huge range of service providers – well beyond traditional telecommunications service providers – to build in real-time interception and monitoring capabilities so that cops and national security folks can just plug into the systems to access data when “authorized” to do so. 

Currently the cops can go to a judge and get a wiretap order to intercept the communications of a suspect in real time. They can go to a judge to get an order for just about any data that currently exists. 

What the cops are generally complaining about is that there isn’t a consistent interface for them to plug into and get the data among all the telcos out there. I can see that kind of sucks. 

But what they’re not emphasizing is that Part 2 of Bill C-22 will likely require telcos, AND cloud providers, AND social media companies, AND AI chatbots, AND VPN services, AND chat services and the like to build in not only the capability for Canadian police to plug directly in, but also additional surveillance tools and collection capabilities that go well beyond what data the company actually needs to provide you with services.

I lived in Romania just after the fall of the Iron Curtain. It was purported that the state security police had the capability to turn any landline telephone into a room bug with the flip of a remote switch. Part 2 of Bill C-22 could permit a secret order directed at telcos to create this capability. The Minister of Public Safety could order Samsung to turn your smart fridge into a listening device. The same with your Smart TV or Smart speakers. I find that worrisome.

So let’s talk about specifically what is in Part 2 of Bill C-22. 

Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose: 


3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.

So it talks about authorities that are conferred on authorized persons to access information. It doesn't say “lawful authorities”, nor does it say “judicially authorized authorities”. It just says authorities. From the discussion about Part 1, it’s clear that the police and CSIS are authorized to obtain data without a warrant by just asking for it.

The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service. 


electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.

You will note that it says it provides an electronic service, “including for the purpose of enabling communications”. The use of the word “including” clearly signals that it is not limited to those providers who are strictly engaged in communications. It goes broader than that. We can see from the very broad definition of electronic service: 


electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.

Hey, I am in the business of creating information in digital form. What is a YouTube video, or a podcast? Or emails to my clients? My law firm is in the business of creating information in digital form. The Canadian Broadcasting Corporation, the Globe and Mail and the Canadian Press are in the business of creating information in digital form. I am not sure that any business exists in Canada that is not in some way creating, processing or storing digital information. This is dramatically broad. In conversations I have had with people from Public Safety, it is clearly their intent to cover traditional telcos, internet service providers and ALSO cloud computing providers, social media providers and online game services. Again, this is dramatically broad.

The Bill is going to deal with two broad categories of electronic service providers. The first is something called a “core provider”, and there will be subcategories of core providers. The second group is the rest of the universe that could fit into the category or definition of “electronic service provider”. 

The categories of core providers are to be listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including”, which means that the regulations and the obligations can go well beyond what is listed in paragraphs (a) through (d).


(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.


(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;

This can require core providers to install particular devices or equipment on their infrastructure.


(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and

It’s not yet clear what these notices are all about …


(d) the retention of categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year.

The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:


(4) Paragraph (2)(d) does not authorize the making of regulations that require core providers to retain information that would reveal

(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;

(b) a person’s web browsing history; or

(c) a person’s social media activities.

Ok. That’s some protection. But it does not put location information out of scope, which is concerning. The government clearly wants all cellphones to be trackable, and under this authority core providers can be required to retain your detailed location history for a full year.

Subsection (3) lists a number of factors that the government must take into account in creating and drafting the regulations which place the specific obligations on the core providers. These include …


(a)           the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b)           the feasibility of compliance with the regulation for the core providers;

(c)           the costs to be incurred by the core providers to ensure compliance with the regulation;

(d)           the potential impact of the regulation on the persons to whom the core providers provide services;

(e)           the potential impact of the regulation on privacy protection and cybersecurity; and

(f)            any other factor that the Governor in Council considers relevant.

I am glad that they have included the potential impact on privacy and cybersecurity. I would prefer that the Act also required the government to publish its analysis of all these factors alongside the regulatory impact analysis statement that will accompany the regulations when they are first published. 

The only good news when dealing with core providers is that these requirements will be in a regulation that will be public. We will be able to understand, at least in general terms, what obligations are being imposed on these core providers.

There is another bit of small comfort in subsection (5) which says 


(5)           A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill: 


systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so. 


electronic protection means authentication, encryption and any other prescribed type of data protection. 

Note that it is limited to systemic vulnerabilities in “services”. It does not include devices or processes. Just the services themselves. Professor Robert Diab has pointed out that there’s enough wiggle room in this for the Minister to say that an operating system, such as Windows or iOS, is not a “service”. Firmware is a part of the device, so please root them all. (The use of the word “please” is only because we’re Canadian … it would actually be an order.)

Also, what this does NOT say is that the government is prohibited from requiring an ESP to circumvent or undermine encryption. We have been told by the government that they would never do that, but they do not seem willing to put it in the law. Note too how the definition above is framed: a “systemic vulnerability” is one that creates a substantial risk of access by someone with no right or authority to the information. A capability built to hand decrypted information to “authorized persons” is not, on the face of that definition, a vulnerability at all, even though, as a matter of engineering, a decryption capability built for one party is a target for everyone else. That is exactly why an express prohibition would matter.

The second significant power contained in the Supporting Authorized Access to Information Act is the ministerial order, set out in section 7. Essentially, the Minister of Public Safety can issue orders directed at any one or more electronic service providers requiring them to implement measures of the same kind that could be imposed on a core provider by regulation, except that these orders are secret and are limited to a defined time period. Of course, that period can be extended at the discretion of the Minister. These orders can also be directed at ESPs that are already core providers. Bonus requirements! 

The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the Intelligence Commissioner has to be a retired superior court judge, who will have spent a career dealing with criminal law matters and Charter rights. The Commissioner is currently entrusted with approving certain national security authorizations as a form of quasi-judicial oversight. This is, in my view, real progress. 

Subsection (3) of Section 7 sets out the sorts of considerations that the Minister has to take into account before issuing a secret ministerial order. This parallels the considerations that the government would have to take into account in issuing regulations affecting core providers. 

And subsection (5) has a parallel provision saying that 


(5)           The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.

Section 14 creates an obligation for all electronic service providers to assist a range of people to do a range of things on the Minister’s request. Remember, while we review this, that my law firm, your doctor’s office and Apple are all “electronic service providers”. It reads:


14 (1)   On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.


Persons to be assisted

(2)           Only the following persons or classes of persons may receive assistance:

(a)           the Minister;

(b)           an employee of the Canadian Security Intelligence Service;

(c)           a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;

(d)           a civilian employee of another police force;

(e)           a peace officer, as defined in section 2 of the Criminal Code.

There is some protection in subsection (4), which says that “the assessment or testing must not have the effect of granting access to personal information.”

One of the huge problems I have with these ministerial orders is the mandatory secrecy that surrounds them. Without exception, under section 15, an ESP is prohibited by law from revealing that it is subject to an order, the substance or contents of an order, or any dialogue it has had with the Minister in connection with any order. 

This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if it thinks it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise its own government that it is subject to an order. 

I can’t help but think of the fact that under the UK equivalent of this law, the Investigatory Powers Act 2016, Apple was reportedly issued with a secret technical capability notice requiring it to provide access to encrypted iCloud data, and its response was to withdraw its end-to-end encrypted iCloud offering (Advanced Data Protection) from UK users. Apple couldn’t tell anyone, yet the notice somehow leaked. The United States government took the view that this was contrary to the data access agreement between the UK and the US, but Apple was prohibited by UK law from letting its own government know what shenanigans the US’ own ally was engaging in. 

The bill does anticipate at section 17 that ESPs may seek judicial review of a Minister’s order, but the cards are again stacked in favour of secrecy and of the court conducting its business outside of public scrutiny.

Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. Security and confidentiality rules for judicial proceedings are provided for in paragraph (b). Paragraphs (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US, and I’m sure they will not be interested in moving it to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will simply decide not to do business in Canada. 

Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today. 

Throughout this discussion, I can’t help but be reminded that the US has had something similar in its laws for some time, and the systems built to provide its mandated intercept capabilities were among what Chinese state hackers reached when they broke into American carriers. 

The “Salt Typhoon” intrusions, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the networks of multiple major US telecommunications companies. According to the joint FBI and CISA statement of November 2024, the stolen information included customer call records (call and text metadata), the private communications of a limited number of people primarily involved in government or political activity (in some high-profile cases reportedly including the content of calls), and information that had been the subject of US law enforcement requests made under court orders. 

That last category is the part that matters here. Since 1994, the Communications Assistance for Law Enforcement Act (CALEA) has required US telecommunications carriers to build “lawful intercept” capabilities into their networks so that law enforcement can carry out court-authorized wiretaps. To service those orders, carriers operate systems that can reach into any subscriber’s traffic and that record which subscribers are currently being intercepted. Public reporting indicates that the intruders got into the carriers through the usual routes, compromised network equipment and stolen credentials, rather than through the intercept systems themselves. But once inside, the intercept infrastructure was exactly the concentrated, pre-built access point an espionage service would want: a capability built so that one authorized party can collect on anyone is, from the network’s point of view, a capability that anyone who gains control of it can use. That is the structural problem with mandated access, however careful the legal process around it. 

This is what’s coming to Canada … 

So let’s bring this down to earth and make it more concrete. At a technical briefing this week, the government offered only two examples for why they think we need the Supporting Authorized Access to Information Act: 


CSIS cannot track a cellphone


CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance. 


With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.

First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a constitutionally entrenched Charter of Rights and Freedoms, and their surveillance laws reflect that. And “we’ll just do what they do in Europe and among the Five Eyes” is not a justification for a law. I bet the Chinese security services have this capability too. 

Let’s take a moment to ponder this scenario and what it means. CSIS wants to be able to track any cellphone in real-time, with a warrant. That means that they want every cellphone in Canada to be a tracking device. And they want historical metadata – which includes location data – retained for one year.

The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:


Police cannot consistently obtain location information 


An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability. 


With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.

That device in your pocket will be a tracking device. And the law doesn’t say that this data can only be accessed if you’re a suspected terrorist or a missing teenaged girl. It can be tracked by ANY police agency in Canada with an order issued merely on “reasonable grounds to suspect.” Judicial authorization isn’t even required in a whole bunch of cases: There are dozens of laws that permit regulators and others to access this data without judicial authorization. 

“If you build it, they will come.” And the government wants ESPs to build the surveillance infrastructure for them, to which the police and others will almost certainly come. And this is even without considering that the backdoors will be a HUGE target for cybercriminals and threat actors. 

I don’t think that the government has come close to making any sort of compelling case for Part 2 of Bill C-22, and certainly not one that convinces me that the public safety interest in building all of this surveillance infrastructure outweighs the privacy and cybersecurity risk of doing so. 

We should also be looking at this through the lens of what we have now. If the police or CSIS get a production order, a wiretap order or a tracking order, they can also ask the judge to issue an “assistance order” under section 487.02 of the Criminal Code. This is an order, directed at the service provider, requiring it to give all reasonable assistance reasonably required to give effect to the production order, wiretap order or tracking order. On every occasion when I have brought this up with “lawful access” supporters, nobody has been able to point me to any problems with this. Assistance orders are like one-off ministerial orders that are appropriately tailored to the case and circumstances, and are signed off by a judge. And they’re subject to judicial review. I’m not sure the current system is broken. It just doesn’t give the police friction-free access to the universe of data that they want collected on their behalf. 

I expect I’ll probably have more to say about this as Bill C-22 works its way through Parliament. I will reiterate that I’m glad the government largely went back to the drawing board and largely fixed Part 1. Part 2 is better than it was before, but I don’t think it should be passed in its current form. It is wildly problematic. 

