Part 2 of Bill C-22, the Lawful Access Act of 2026, is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves.
In a nutshell, Part 2 will require a huge range of service providers – well beyond traditional telecommunications service providers – to build in real-time interception and monitoring capabilities so that cops and national security folks can just plug into the systems to access data when “authorized” to do so.
Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose:
3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.
So it talks about authorities that are conferred on authorized persons to access information. It doesn't say “lawful authorities”, nor does it say “judicially authorized authorities”. It just says authorities. From the discussion about Part 1, it’s clear that the police and CSIS are authorized to obtain data without a warrant by just asking for it.
The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service.
electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that
(a) provides the service to persons in Canada; or
(b) carries on all or part of its business activities in Canada.
You will note that it says it provides an electronic service, “including for the purpose of enabling communications”. The use of the word “including” clearly signals that it is not limited to those providers who are strictly engaged in communications. It goes broader than that. We can see from the very broad definition of electronic service:
electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.
Hey, I am in the business of creating information in digital form. What is a YouTube video, or podcast? Or emails to my clients. My law firm is in the business of creating information in digital form. The Canadian Broadcasting Corporation, the Globe and Mail and the Canadian Press are in the business of creating information in digital form. I am not sure that any business exists in Canada that is not some way or somehow creating, processing or storing digital information. This is dramatically broad. In conversations I have had with people from Public Safety, it is clearly their intent to cover traditional telcos, internet service providers and ALSO cloud computing providers, social media providers and online game services. Again, this is dramatically broad.
The Bill is going to deal with two broad categories of electronic service providers. The first is something called a “core provider”, and there will be subcategories of core providers. The second group is the rest of the universe that could fit into the category or definition of “electronic service provider”.
The categories of core providers are to be listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including” which means that the regulations and the obligations can go well beyond what is listed in subsections (a) through (d).
(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;
[This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.]
(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;
[This can require core providers to install particular devices or equipment on their infrastructure.]
(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and
[It’s not yet clear what these notices are all about ….]
(d) the retention of categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year.
The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:
(4) Paragraph (2)(d) does not authorize the making of regulations that require core providers to retain information that would reveal
(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;
(b) a person’s web browsing history; or
(c) a person’s social media activities.
Ok. That’s some protection. But it does not put location information out of scope, which is concerning. The government clearly wants all cellphones to be trackable, and under this authority they can be required to save your detailed location history for a full year.
Subsection (3) lists a number of factors that the government must take into account in creating and drafting the regulations which place the specific obligations on the core providers. These include …
(a) the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;
(b) the feasibility of compliance with the regulation for the core providers;
(c) the costs to be incurred by the core providers to ensure compliance with the regulation;
(d) the potential impact of the regulation on the persons to whom the core providers provide services;
(e) the potential impact of the regulation on privacy protection and cybersecurity; and
(f) any other factor that the Governor in Council considers relevant.
I am glad that they have included the potential impact on privacy and cybersecurity. I would like it if it required the government to release their analysis of all these considerations along with the regulatory impact analysis statement that will accompany the regulations when they are first published.
The only good news when dealing with core providers is that these requirements will be in a regulation that will be public. We will be able to understand, at least in general terms, what obligations are being imposed on these core providers.
There is another bit of small comfort in subsection (5) which says
(5) A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.
Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill:
systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.
electronic protection means authentication, encryption and any other prescribed type of data protection.
Note that it is limited to systemic vulnerabilities in “services”. It does not include devices or processes. Just the services themselves. Professor Robert Diab has pointed out that there’s enough wiggle room in this for the Minister to say that an operating system, such as Windows or iOS is not a “service”. Firmware is a part of the device, so please root them all. (The use of the word “please” is only because we’re Canadian … it would actually be an order.)
Also, what this does NOT say is that the government is prohibited from requiring an ESP to circumvent or undermine encryption. We have been told by the government that they would never do that, but they do not seem willing to put it in the law.
The second significant power contained in the Supporting Authorized Access to Information Act are ministerial orders, set out in Section 7. Essentially, the minister of Public Safety can issue secret orders directed at any one or more electronic service providers to implement measures that could have been contained in a regulation for a core provider, but these are secret and would be limited to a defined time period. Of course this time can be extended at the discretion of the minister. These orders can also be directed at ESPs that are already core providers. Bonus requirements!
The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the intelligence commissioner has to be a former Superior Court judge who would have spent a career dealing with criminal law matters and Charter rights. He is currently entrusted with approving certain National Security orders as a form of semi-judicial oversight. This is, in my view, real progress.
Subsection (3) of Section 7 sets out the sorts of considerations that the Minister has to take into account before issuing a secret ministerial order. This parallels the considerations that the government would have to take into account in issuing regulations affecting core providers.
And subsection (5) has a parallel provision saying that
(5) The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.
Section 14 creates an obligation for all electronic service providers to assist a range of people to do a range of things on the Minister’s request. Remember, while we review this, that my law firm, your doctor’s office and Apple are all “electronic service providers”. It reads:
14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.
Persons to be assisted
(2) Only the following persons or classes of persons may receive assistance:
(a) the Minister;
(b) an employee of the Canadian Security Intelligence Service;
(c) a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;
(d) a civilian employee of another police force;
(e) a peace officer, as defined in section 2 of the Criminal Code.
There is some protection in subsection (4) so that “the assessment or testing must not have the effect of granting access to personal information.”
One of the huge problems I have with these Ministerial Orders is the mandatory secrecy that surrounds them. Without exception, under section 15, an ESP is prohibited by law from revealing that they are subject to an order, the substance or contents of an order, any dialogue they’ve had with the Minister in connection with any order.
This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if they think it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise their own government that they are subject to an order.
I can’t help but think of the fact that under the UK equivalent of this law, Apple was issued with a secret order to circumvent or turn off encryption on iCloud. Apple couldn’t tell anyone, yet it somehow leaked. The United States government was of the view that this was contrary to an agreement between the UK and the US, but Apple was prohibited by UK law from letting their own government know what shenanigans the US’ own ally was engaging in.
The bill does anticipate at section 17 that ESPs may seek judicial review of a Minister’s order, but the cards are again stacked in favour of secrecy, and conducting its business outside of public scrutiny.
Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. There are security and confidentiality rules for judicial proceedings provided for in subsection (b). Subsections (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US and I’m sure they will not be interested in moving that to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will just decide to not do business in Canada.
Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today.
Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws for some time, and the mandated intercept capabilities were used by Chinese hackers to get access to data.
The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major US telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures.
A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage.
This is what’s coming to Canada …
So let’s bring this down to earth and make it more concrete. At a technical briefing this week, the government offered only two examples for why they think we need the Supporting Authorized Access to Information Act:
“CSIS cannot track a cellphone
CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance.
With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.”
First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms and their surveillance laws reflect that. And the law doesn’t we’ll just do what they do in “Europe and among the Five Eyes.” I bet the Chinese security services have this capability.
Let’s take a moment to ponder this scenario and what it means. CSIS wants to be able to track any cellphone in real-time, with a warrant. That means that they want every cellphone in Canada to be a tracking device. And they want historical metadata – which includes location data – retained for one year.
The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:
“Police cannot consistently obtain location information
An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability.
With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.”
That device in your pocket will be a tracking device. And the law doesn’t say that this data can only be accessed if you’re a suspected terrorist or a missing teenaged girl. It can be tracked by ANY police agency in Canada with an order issued merely on “reasonable grounds to suspect.” Judicial authorization isn’t even required in a whole bunch of cases: There are dozens of laws that permit regulators and others to access this data without judicial authorization.
“If you build it, they will come.” And the government wants ESPs to build the surveillance infrastructure for them, to which the police and others will almost certainly come. And this is even without considering that the backdoors will be a HUGE target for cybercriminals and threat actors.
I don’t think that the government has come close to making any sort of compelling case for Part 2 of Bill C-22, and certainly not one that convinces me that the public safety interest in building all of this surveillance infrastructure outweighs the privacy and cybersecurity risk of doing so.
We should also be looking at this through the lens of what we have now. If the police or CSIS get a production order, a wiretap order or a tracking order, they can also ask the judge to issue an “assistance order”. This is an order, directed at the service provider, ordering them to give all reasonable assistance, reasonably required to give effect to the production order, wiretap order or tracking order. On every occasion when I have brought this up with “lawful access” supporters, nobody has been able to point me to any problems with this. Assistance orders are like one-off ministerial orders that are appropriately tailored to the case and circumstances, and are signed off by a judge. And they’re subject to judicial review. I’m not sure the current system is broken. It just doesn’t give the police friction-free access to the universe of data that they want collected on their behalf.
No comments:
Post a Comment