I have to start by giving Public Safety Minister Gary Anandasangaree credit for parking the “lawful access” parts of Bill C-2, going back to the drawing board and introducing a much improved Bill C-22, “An act respecting lawful access.”
As I said, it’s much improved. In a number of ways, it still goes way too far and at least in one respect it doesn’t go far enough.
Over the course of a number of episodes, I’m going to do a bit of a deep dive into some of the main features of Bill C-22. I did a forty-minute episode going over all of it, but the next ones will be shorter and focused on particular provisions.
Today I’m going to talk about the “Confirmation of Service Demand.” Yes, it is without a warrant but that doesn’t cause me any real concern. And I’ll explain why.
Before we dive into these demands, a bit of background:
The Bill is in two parts. The first part is called “Timely Access to Data and Information” and the second part of the Bill creates a new statute: the “Supporting Authorized Access to Information Act”. The two parts do wildly different things. Part one is intended to create new AUTHORITIES by which police and national security folks can require companies to provide them with information about their customers. Part two is intended to create new CAPABILITIES by which police and national security folks can require companies to provide them with information about their customers. Part one is about authorities and part two is about capabilities. The authorities under part one are mostly subject to judicial supervision and control, and I can largely live with them. The capabilities under Part Two cause me a LOT of concern.
Over the last twenty years, the government and police have not done a good job explaining why they need either the new authorities or the new capabilities.
To understand whether they should have new authorities and capabilities, I think we need to go through what is the current state of affairs and what the government proposes to change. And then we’ll look at what those changes are and what those changes mean.
Here is a pretty common scenario that plays out all the time. The police have evidence of some sort of online crime. It could be distribution of child abuse materials or it could be extortion. They’re confident a crime has taken place, but they don’t know who the suspect is. They may have an IP address or a phone number, but no name. Using publicly available tools, they can find out who is the internet service provider or who is the telco who first assigned the phone number. But they don’t necessarily know where the suspect may be. If it’s a Rogers, or Bell or Telus IP address, they have customers across the country. If it’s a phone number that was first assigned by Rogers, that customer may have moved provinces and thanks to number portability, the service provider may have changed in the meantime.
So they want to know who is the person – their suspect – connected to this IP address or phone number, who is the current service provider and where they are. The “where” is important, because the crime may have been brought to the attention of the RCMP in Ottawa via international law enforcement partners, but the suspect may be in Montreal, Toronto or Calgary.
But this is not a dead end using their current authorities. The RCMP in Ottawa can go to the court in Ottawa to get a general production order. They’ve been able to do this since 2004, when the Criminal Code was amended to create these third party information orders. So an RCMP constable goes to the court and says – under oath – I have reasonable grounds to believe that a crime has been committed, and here’s the basis for that belief. I also have reasonable grounds to believe that the Telco or ISP has information that will lead me to the identity of the suspect. Therefore I want an order telling the Telco to provide me with the customer name and address associated with the IP address or phone number. And the officer gets a production order that will typically order the Telco to provide the information promptly and usually no later than thirty days. The order can say a shorter time.
The telco will tell the RCMP constable the name and address to which the IP address is allocated. Let’s just say it’s John Q. Public of 123 Main Street, Winnipeg, Manitoba. The RCMP in Ottawa will contact the Winnipeg police, send them their investigation file and the information received from the Telco. The Winnipeg police should pick it up from there, and off they go.
This can all be done – and is done daily – using the current authorities in the Criminal Code.
But from time to time, the response from a telco may be “that’s not our phone number” or “yes, that’s our IP address, but it’s actually serviced by a reseller of internet services so we don’t have any customer information”. This doesn’t happen all the time, but it happens.
One of the things that the police and national security folks want is a “confirmation of service demand” because they may not know whether the suspect is actually a customer of a particular telco. They want to be able to ask any telco “Hey, do you service this phone number?” And the telco would have to say “yes” or “no”. It may be an IP address, it may be a SIM card number or an IMEI (International Mobile Equipment Identity), which is a unique 15-digit number that identifies mobile devices on a network. (I should note that IP addresses and SIM card numbers are generally and reliably associated with the service provider.)
A confirmation of service demand makes a lot of sense. They can’t really do this with a current production order because they have to have “reasonable grounds to believe” that the recipient of the order has records. They may have reasonable grounds to believe that the phone number may be served by “A Telco”, but they don’t have reasonable grounds to believe that the phone number is served by any particular Telco. There are 39 registered wireless carriers and more than 100 traditional phone companies.
A yes or no answer to “Hey! Bell! Is 902-555-1212 serviced by you?” does not disclose anything meaningfully private or personal about whoever answers when you dial 902-555-1212. Essentially, for the police, it’s knowing where to send any subsequent court orders related to that number.
So in the scenario I mentioned before, the RCMP in Ottawa that got the report can ask the larger telcos whether they provide the service to the number and get a yes or no answer. Then they know where to send a court order for customer information.
When this was first introduced in Part 14 of Bill C-2, the Strong Borders Act, the “information demand” was far too broad and got a lot of pushback. If this had gone through, without a warrant, the police could demand much more than “is this your customer” and it applied to anyone who provides services to the public. That’s in paragraph (a) - do you or have you provided services. But it went further. If the answer to (a) is “yes”, they can demand whether the company has records and where the services were provided. They can demand the dates during which services were provided. They can demand information about anyone else who is known to provide services to the customer. So the police can go to Dr. Smith, a family doctor, and say “is John Q. Public your patient, and what specialists have also provided services to your patient”? Clearly over the top.
So in the new Lawful Access Bill, Bill C-22, we have a pared back “Confirmation of service demand”.
The new section 487.0121 allows a peace officer or public officer to make a demand to a telecommunications service provider. It’s not just anyone who provides service to the public, but is now limited to registered, regulated telcos. That demand can require them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand. To make this demand, they just have to suspect that an offence has taken place and that the confirmation will assist in the investigation. That’s a low threshold, but defensible in light of the information being sought. Which is just a yes or a no answer.
In pulling back and fixing the former information demand, I think they may have pulled back a little too far. In the old demand, the police could demand “in which municipality do you provide these services.” That’s no longer there. And I would be OK with putting that part back in the new “Confirmation of Service Demand” because that has the potential to move investigations forward with negligible impact on customer privacy.
Going back to the scenario I mentioned earlier, where the RCMP in Ottawa receive a report from another law enforcement agency outside of Canada, but the suspect is in Winnipeg. If the confirmation of service demand included the location where services are provided, the RCMP can make the demand from the major telcos, find out that the suspect is in Winnipeg and just refer the whole file to the Winnipeg police to investigate. The Winnipeg police would then go to a local judge to get a production order for subscriber information (which I’ll get into in a subsequent episode), and carry on with the investigation.
Being able to refer the matter to the local police of jurisdiction at that stage makes sense to me, and as I said has negligible impact on privacy.
So that’s the “confirmation of service demand” in Bill C-22, the Lawful Access Act of 2026. The scaling back has certainly improved it, but in scaling it back, the police may have lost a useful bit of information that had no meaningful privacy impact.