Thursday, May 07, 2026

My testimony on Bill C-22, the Lawful Access Act of 2026, to the House of Commons Standing Committee on Public Safety and National Security

(The full stream of the four-hour meeting is here and the Notice of Meeting with the roster of witnesses is here. I was on the second panel in the second hour.)

Here is my opening statement: 

Mr. Chairman, honourable members. Thank you very much for your kind invitation to share my views on Bill C-22. I am a partner with the law firm McInnes Cooper in Halifax, where among other things, I advise clients who are on the receiving end of orders for customer information. I also teach at Dalhousie law school.


I am appearing in my personal capacity. These are my own views, and I am not speaking on behalf of any of my clients. 


I have to commend the government for its comprehensive consultation with stakeholders since Bill C-2, to which I contributed. 


I have a number of concerns and recommendations. I will note that Part 2 of Bill C-22 is VERY problematic. I can’t adequately cover all my concerns in five minutes, so I look forward to the rest of our discussion.


First, narrow the scope or raise the bar for subscriber information production orders.


The bill lowers the threshold for police to obtain a production order for subscriber information from “reasonable grounds to believe” to merely “reasonable grounds to suspect”.


The new production orders can be directed at anyone who provides services to the public. This means police could demand records from doctors' offices, hotels, banks, and grocery stores.


Even though the definition was narrowed from previous bills, police can still demand "all the subscriber information" a service provider holds. This goes beyond a name and address and includes the "types of services provided" and all "device identifiers". This could force a medical clinic to provide info about a patient's CPAP machine, or compel Apple to hand over the digital IDs for every device a person owns, including AirTags and iPads.


Narrow the scope of these orders, or raise the bar to reasonable belief. Or it’ll be found to violate the Charter.


Part 2 - the Supporting Authorized Access to Information Act (SAAIA) Generally


Nobody has made a persuasive argument that anything in Part 2 of Bill C-22 is really necessary. The Government has had 20+ years to build their case, but as NSICOP observed they only have anecdotes. We should not be undermining the privacy and safety of every single Canadian based on anecdotes. 


Part 2 of the bill targets "electronic service providers" (ESPs), but the definition is so broad it likely includes most businesses in Canada. 


If it proceeds, the Bill should include necessary guardrails: Under no circumstances should the government be allowed to require an electronic service provider to


(i) make changes to products or services that a business provides in the ordinary course, 


(ii) collect and retain any data beyond what the business requires for its own purposes, and 


(iii) make any changes that would affect the functionality (including ordering additional functionality) for any products or services offered by the business. 


As written, the Minister could issue a secret order to turn your Amazon Alexa into a listening device. CSIS has explicitly said they want to be able to track every single phone in Canada in real time, and telcos must make every cell phone trackable. That’s absurd. 


The Government says “we don’t plan to undermine encryption” and there are “no backdoors”. You just have to read the words in the Bill and there’s nothing to prevent that. Government officials said at this committee the Bill is “encryption neutral.” Canadians are not “encryption neutral”. 


The words of the bill clearly permit – and certainly do not prohibit – backdoors and mandatory decryption. In secret with no transparency to Canadians and little accountability. 


What the government “intends” is not relevant. What is relevant is what words end up in a statute. 


The Bill should expressly prohibit undermining or circumvention of encryption. 


Next, ministerial orders have to go 


Under Part 2, the Minister of Public Safety can issue orders to service providers that come with mandatory, permanent secrecy. 


Currently, the police and CSIS can apply to a judge for an “assistance order”, to order a service provider to provide all reasonable assistance to give effect to a warrant. This can be accompanied by a gag order if appropriate. This is judicial control. Nobody from law enforcement has offered evidence that assistance orders are inadequate and should be replaced by secret Ministerial Orders. 


The UK equivalent of a Ministerial Order was used by the UK government to secretly order Apple to remove encryption on iCloud globally. Part 2 of Bill C-22 does not contain any guardrails that would prevent that overreach. 


Secret ministerial orders have to go.


Massive Cybersecurity Risks from "Backdoors"


As legions of cybersecurity experts have said, forcing companies to build surveillance capabilities into their networks creates inherent vulnerabilities. Use your favourite search engine to look up “Salt Typhoon” or “Vodafone Greece scandal” to see examples of lawful access capabilities being exploited for widespread illicit wiretapping. 


This makes Canadian infrastructure a massive target for cybercriminals.


Metadata Retention 


The Bill permits the government to require ESPs to retain metadata, which includes your location history. The government will require everyone’s cellphone to become a retrospective tracking device without any suspicion of wrongdoing. This will almost certainly be found to violate the Charter.


Collected metadata will be sought by Canadian and non-Canadian authorities based on mere suspicion. That’s a record of everyone who sought reproductive health care in Canada, which might be of interest to law enforcement from a Five Eyes partner. 


Part 2’s authorities to access data


The government says that Part 2 does not create any new authorities to access data. That’s simply not true. Take a look at section 20. Persons designated by the Minister can enter any premises without a warrant and without notice, and can examine, copy and remove any information found in that place. They can order anyone in that place to provide any data they ask for. That’s a new authority, and if the premises are an ESP’s offices, that includes access to information about their customers. There are simply no guardrails. 


I look forward to a productive discussion. 




Sunday, April 26, 2026

The government's misleading and incomplete Charter Statement for Bill C-22, the Lawful Access Act


[Note: I have 55 exams to mark, so the video and podcast versions of this will unfortunately have to wait.]

Finally, the federal government has released the so-called “Charter Statement” for Bill C-22, the Lawful Access Act of 2026. Forty-three days after the bill was tabled in Parliament. I don’t know why it took so long, since they just took the Charter Statement for Bill C-2 and did some editing.

In the Charter Statement, the Minister of Justice significantly mischaracterizes his own bill in a manner that makes it appear more Charter-compliant. Given how the government has spoken about this bill, I’m NOT going to say these are honest mistakes. And the Charter Statement doesn’t even address one of the MOST problematic elements of the revised bill: mandatory metadata retention. 


As it is, I do not think that Bill C-22 is Charter compliant, but with some changes, I think that it can be made Charter-compliant. 


Some background on what Charter Statements are about can be found in the Charter Statement itself:


Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice’s most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.


Essentially, this is a half-hearted attempt to say this is how the government thinks this can be called Charter compliant, rather than being an honest assessment of the Charter compliance of Bill C-22. If a student handed this to me as an assessment of the Bill, it would be a bad day for that student. 


So let’s dig into it.


It starts by saying “What follows is a non-exhaustive discussion of the ways in which Bill C-22 potentially engages the rights and freedoms guaranteed by the Charter.” As you’ll see, it’s far from “exhaustive.” That said, this essay will not be exhaustive since I’m only going to focus on the deficiencies in the Charter Statement. 


With respect to the Production Order for Subscriber Information, they simply misstate what the Bill actually says. The Charter Statement says:


The following considerations support the consistency of the amendments with section 8. The subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications. The judge would have discretion as to whether to issue an order, and if they choose to issue an order, the judge would have discretion as to what information is specified in it. [emphasis added]


This last part is not true. It is simply false. The way the Bill is currently written, the judge has NO discretion. Here’s what it says in the proposed new section 487.0142 of the Criminal Code:


487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.


It says “all the subscriber information”. The words “that is specified in the order” refer to the “that relates to any information, including transmission data” part. The judge has no discretion to order the production of a subset of Subscriber Information. It is all or nothing. And what is “all” is also a problem.


The Charter Statement also says:


The subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications.


Subscriber information is actually more than that, and can be much more sensitive than they suggest.


subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means

(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.


(a) and (b) in the definition mostly do that, but paragraph (c) goes much further than that. It refers to the “types of services provided” and “devices, equipment or things” used by the customer. Remember, this order can be directed to anyone who provides services to the public, which can be a medical clinic. What sort of services you get from a medical clinic is certainly sensitive information in which there is a very high privacy interest. Those devices can include things like pacemakers, CPAP machines and insulin pumps. Again, a very high privacy interest.


If your internet service provider is also your cable company and your cellphone provider, asking for subscriber information based on an IP address can result in information about your cable packages, your cell number, your cell’s IMEI and IMSI numbers, and the serial number of your cable modem. That is way more information than is necessary to simply connect an IP address to a person.


But of course, the government shrugs that off.


Next up is the provision regarding “publicly available information.” This provision says:


(4) For greater certainty, no production order or warrant, or confirmation of service demand made under section 487.0121, is necessary for a peace officer or public officer to receive, obtain and act on any information that is available to the public.


The Charter Statement says “Where information is available to the public, a person will usually have no reasonable expectation of privacy in it.” I think that’s generally right. But notice the use of the word “usually”. Some critics of Bill C-2 and now Bill C-22 are concerned that this appears to authorize the cops to use information that was hacked by a third party and leaked on the internet. These hacks and leaks take place all the time. I am also concerned about the police buying location data from companies in the advertising ecosystem. That’s “available to the public”, but I’d argue that the individuals retain a significant privacy interest in that data when it’s associated with them.


The Citizen Lab recently reported that US law enforcement, like ICE and the Department of Homeland Security, have been buying this location information for use in their surveillance operations.


I’m not sure that would survive Charter scrutiny in Canada. 


Let’s move on to Part 2, which will create the “Supporting Authorized Access to Information Act.” I have said, in general terms, that Part 1 is about new ‘authorities’ to obtain information and Part 2 is generally about new mandatory ‘capabilities’ to obtain information. That’s true in general terms, but Part 2 actually does create new authorities.


At the beginning of the Charter Statement, it largely says “all good” …


The provisions would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access.


Now, that’s not entirely true. Part 2 does create two new authorities for accessing data. While they seem intended to allow access to information about “electronic service providers”, the guardrails are lacking. 


First of all, we have section 14 which requires electronic service providers to allow the Minister’s designates to assess and test any device, equipment or other thing that may enable an authorized person to access information.


Obligation to assist

14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

For greater certainty

(4) For greater certainty, the assessment or testing must not have the effect of granting access to personal information.

They’ve sensibly added a bit of a guardrail in subsection (4) that says they can’t use this authority to get access to personal information. That is a new authority to obtain information. 


More troubling is section 20, which creates a search authority on the part of the Minister’s designates to enter any premises other than a dwelling, without a warrant and without notice. They don’t even need to suspect any sort of infraction. It just has to be related to an activity regulated by the Act. Once they’re in, they can examine anything, make copies of it, remove documents, use computers found there, and more:


Authority to enter place
20 (1) Subject to subsection 21(1), a designated person may, for the purpose of verifying compliance or preventing non-compliance with this Act, at any reasonable time enter any place if they have reasonable grounds to believe that anything relevant to that purpose, including any document or electronic data, is located in that place or that an activity regulated by this Act is conducted in that place.

Powers on entry
(3) The designated person may, for a purpose referred to in subsection (1),
(a) examine anything found in the place, including any document or electronic data;
(b) make copies of any document or electronic data that is found in the place or take extracts from the document or electronic data;
(c) remove any document found in the place for examination or copying;
(d) use or cause to be used any computer or data processing system at the place to examine or copy electronic data; and
(e) use or cause to be used any copying equipment at the place to make copies of any document. 



The Charter Statement says not to worry about it. First they say “Privacy interests are diminished in the regulatory and administrative contexts.” That’s largely correct. Then it says:


“Further, information gathered in this context would generally relate to technical capabilities of ESPs, which would not attract a heightened privacy interest. In addition, the powers would not be available for the purpose of advancing a criminal investigation.” [emphasis added]


The word “generally” is doing a lot of work there. It then says: “The proposed powers are similar to regulatory inspection powers that have been upheld in other contexts.”


Yes, it is true that warrantless inspection powers have been upheld in other regulatory contexts. However, this is unlike other regulatory contexts. For example, inspectors from the Department of Fisheries can – without a warrant – enter a fish plant or a fishing boat, and review all the records of the company’s activities. They can go in and count the halibut.


This context is qualitatively different from that. By definition, an electronic service provider is the custodian of very sensitive information of its customers and all of those customers, whether they're good guys or bad guys – and the majority will be good guys – have a Charter protected right to be free from unreasonable search and seizure. The records of your internet service provider are very different from the records of a fish plant, and the government has not included any guardrails. 


The most problematic part of this Charter Statement is what is not said. Perhaps the most problematic part of Bill C-22 – mandatory metadata retention – is not even mentioned. Just because it is one subsection among many is not an excuse.


Core providers — obligations

(2) The Governor in Council may make regulations respecting the obligations of core providers, including regulations respecting ...

(d) the retention of categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year.


The loudest and most credible commentators on Bill C-22 have pointed to this and have said it will likely violate the Charter. (Michael Geist: The Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements and Robert Diab: Is the Power to Preserve Everyone’s Metadata Constitutional?)


In the European Union, the Court of Justice struck down the EU Data Retention Directive in 2014 because the general and indiscriminate retention of all users’ telecommunications metadata was a disproportionate interference with the fundamental right to privacy. The Courts there have held that specific metadata retention associated with specific threats or targets can be justified, but blanket metadata retention cannot. It is simply incompatible with EU fundamental rights. 


Currently in Canada, in some circumstances, the police can simply order the retention of information or can get a court order requiring it to be done. Mandatory, blanket metadata retention is wildly problematic and the Charter Statement doesn’t even mention it. 


Finally, we have the blanket confidentiality that makes it an offence for anyone to disclose the contents of a ministerial order, the fact that it exists, what information the Minister used to make the order, any communications between the Minister and the electronic service provider and any “prescribed information”, meaning information that is prescribed in the regulations.


Prohibition on disclosure

15 An electronic service provider and any person acting on its behalf must not disclose any of the following information except as permitted under this Act or the Canada Evidence Act:

(a) information contained in an order made under subsection 6(1) [temporary exception for a core provider] or 7(1) [ministerial order];

(b) information on which the Minister relied in making the order;

(c) the fact that the electronic service provider is subject to the order;

(d) information provided in the course of representations made under section 8 or in any response given by the Minister and the fact that the Minister has invited the representations;

(e) information contained in an application referred to in subsection 6(1) or in a decision made under subsection 6(4);

(f) information submitted under subsection 11(2) and any information received from the Minister in response;

(g) any prescribed information.


I have previously shared my view that this is over the top and the Minister should have to justify any confidentiality orders on a case-by-case basis. 


The Charter Statement says:

To achieve this objective, the provisions would place limits on communication about the technical capabilities of ESPs, which are commercial entities. While restrictions on commercial speech can engage the right to freedom of expression, they usually do not implicate the core values of the right. These include the search for political, artistic and scientific truth, the protection of individual autonomy and self-development, and the promotion of public participation in the democratic process. Rather, the restrictions would be narrowly focused on the existence and contents of orders and exemptions, all linked to the objective of protecting sensitive information. Limits on expression that do not engage the core values of the right are more easily justified. [emphasis added]

That may be generally true, but public discussion about massive surveillance of Canadians and potential government overreach and abuse is actually very, very close to the core of “Charter values” – it’s about the protection of individual autonomy and public participation in the democratic process. They’re missing the mark here, widely. 

And then there’s the cumulative effect of all of this. The government can require an ESP to retain a year of metadata, which can include the minute-by-minute location of every phone in Canada. And then they can send in inspectors to say “hey, we’re here to inspect your metadata databases.” And by the way we’re making a copy for easier inspection back at the office. That amounts to a HUGE invasion of privacy.


The Charter Statement, not surprisingly, says: “it’s fine.”


It’s not fine.







Monday, April 20, 2026

The Deeply Problematic Part 2 of Bill C-22: The Supporting Authorized Access to Information Act.

Part 2 of Bill C-22, the Lawful Access Act of 2026, is and remains a huge problem. The outcry associated with the Strong Borders Act was principally focused on warrantless information demands and overbroad subscriber information orders. In a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I really hope that the equivalent of that Part in Bill C-22 gets as much attention as it deserves. 


In a nutshell, Part 2 will require a huge range of service providers – well beyond traditional telecommunications service providers – to build in real-time interception and monitoring capabilities so that cops and national security folks can just plug into the systems to access data when “authorized” to do so. 


Part 2 creates a new standalone statute called the Supporting Authorized Access to Information Act or SAAIA. Section 3 sets out its purpose: 


3 The purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.


So it talks about authorities that are conferred on authorized persons to access information. It doesn't say “lawful authorities”, nor does it say “judicially authorized authorities”. It just says authorities. From the discussion about Part 1, it’s clear that the police and CSIS are authorized to obtain data without a warrant by just asking for it.


The Supporting Authorized Access to Information Act has “electronic service providers” in its crosshairs. It is therefore really important to understand what an electronic service provider is. ESP is defined in the bill, as is an electronic service. 


electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.


You will note that it says it provides an electronic service, “including for the purpose of enabling communications”. The use of the word “including” clearly signals that it is not limited to those providers who are strictly engaged in communications. It goes broader than that. We can see that from the very broad definition of electronic service:


electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.


Hey, I am in the business of creating information in digital form. What is a YouTube video, or podcast? Or emails to my clients. My law firm is in the business of creating information in digital form. The Canadian Broadcasting Corporation, the Globe and Mail and the Canadian Press are in the business of creating information in digital form. I am not sure that any business exists in Canada that is not in some way or somehow creating, processing or storing digital information. This is dramatically broad. In conversations I have had with people from Public Safety, it is clearly their intent to cover traditional telcos, internet service providers and ALSO cloud computing providers, social media providers and online game services. Again, this is dramatically broad.


The Bill is going to deal with two broad categories of electronic service providers. The first is something called a “core provider”, and there will be subcategories of core providers. The second group is the rest of the universe that could fit into the category or definition of “electronic service provider”. 


The categories of core providers are to be listed in the schedule to the Act, which is currently blank, not surprisingly. So these core providers are going to be subject to a number of obligations that will be set out in the regulations. Subsection (2) describes these obligations, but note the use of the word “including” which means that the regulations and the obligations can go well beyond what is listed in subsections (a) through (d).


(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;


[This is essentially a requirement to build in the operational and technical capabilities to enable access to information on the core provider’s infrastructure or within their systems.]


(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information;


[This can require core providers to install particular devices or equipment on their infrastructure.]


(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b); and


[It’s not yet clear what these notices are all about ….]


(d) the retention of categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year.


The requirement to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is very concerning. There are some small protections about this, in subsection (4). That says:


(4) Paragraph (2)‍(d) does not authorize the making of regulations that require core providers to retain information that would reveal

(a) the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service;

(b) a person’s web browsing history; or

(c) a person’s social media activities.


Ok. That’s some protection. But it does not put location information out of scope, which is concerning. The government clearly wants all cellphones to be trackable, and under this authority they can be required to save your detailed location history for a full year.


Subsection (3) lists a number of factors that the government must take into account in creating and drafting the regulations which place the specific obligations on the core providers. These include …


(a) the benefits of the regulation to the administration of justice, in particular to investigations under the Criminal Code, and to the exercise of powers and the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b) the feasibility of compliance with the regulation for the core providers;

(c) the costs to be incurred by the core providers to ensure compliance with the regulation;

(d) the potential impact of the regulation on the persons to whom the core providers provide services;

(e) the potential impact of the regulation on privacy protection and cybersecurity; and

(f) any other factor that the Governor in Council considers relevant.


I am glad that they have included the potential impact on privacy and cybersecurity. I would like it if it required the government to release their analysis of all these considerations along with the regulatory impact analysis statement that will accompany the regulations when they are first published. 


The only good news when dealing with core providers is that these requirements will be in a regulation that will be public. We will be able to understand, at least in general terms, what obligations are being imposed on these core providers.


There is another bit of small comfort in subsection (5), which says:


(5) A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.


Of course, this turns on what is a “systemic vulnerability”, which is defined in the bill: 


systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.


electronic protection means authentication, encryption and any other prescribed type of data protection. 


Note that it is limited to systemic vulnerabilities in “services”. It does not include devices or processes. Just the services themselves. Professor Robert Diab has pointed out that there’s enough wiggle room in this for the Minister to say that an operating system, such as Windows or iOS, is not a “service”. Firmware is a part of the device, so please root them all. (The use of the word “please” is only because we’re Canadian … it would actually be an order.)


Also, what this does NOT say is that the government is prohibited from requiring an ESP to circumvent or undermine encryption. We have been told by the government that they would never do that, but they do not seem willing to put it in the law.


The second significant power contained in the Supporting Authorized Access to Information Act is the ministerial order power, set out in Section 7. Essentially, the minister of Public Safety can issue secret orders directed at any one or more electronic service providers to implement measures that could have been contained in a regulation for a core provider, but these are secret and would be limited to a defined time period. Of course, this period can be extended at the discretion of the minister. These orders can also be directed at ESPs that are already core providers. Bonus requirements! 


The only real protection introduced since the Strong Borders Act is in subsection (2), which says that these secret orders must be approved by the Commissioner designated under the Intelligence Commissioner Act. I think this is a real protection, principally because the intelligence commissioner has to be a former Superior Court judge who would have spent a career dealing with criminal law matters and Charter rights. He is currently entrusted with approving certain National Security orders as a form of semi-judicial oversight. This is, in my view, real progress. 


Subsection (3) of Section 7 sets out the sorts of considerations that the Minister has to take into account before issuing a secret ministerial order. This parallels the considerations that the government would have to take into account in issuing regulations affecting core providers. 


And subsection (5) has a parallel provision saying that 


(5) The electronic service provider is not required to comply with a provision of the order, with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.


Section 14 creates an obligation for all electronic service providers to assist a range of people to do a range of things on the Minister’s request. Remember, while we review this, that my law firm, your doctor’s office and Apple are all “electronic service providers”. It reads:


14 (1) On request made by the Minister, an electronic service provider must provide all reasonable assistance to a person or class of persons specified in the request to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.

Persons to be assisted

(2) Only the following persons or classes of persons may receive assistance:

(a) the Minister;

(b) an employee of the Canadian Security Intelligence Service;

(c) a person appointed or employed under Part I of the Royal Canadian Mounted Police Act or a civilian employee referred to in section 10 of that Act;

(d) a civilian employee of another police force;

(e) a peace officer, as defined in section 2 of the Criminal Code.


There is some protection in subsection (4) so that “the assessment or testing must not have the effect of granting access to personal information.”


One of the huge problems I have with these Ministerial Orders is the mandatory secrecy that surrounds them. Without exception, under section 15, an ESP is prohibited by law from revealing that they are subject to an order, the substance or contents of an order, or any dialogue they’ve had with the Minister in connection with any order. 


This is draconian, overbroad and frankly offensive. There’s no requirement that the Minister be satisfied that disclosure of this information would be harmful to law enforcement or to national security. There is no sunset and no means by which an ESP can challenge the gag order if they think it’s in the public interest to disclose the information. I am not sure that this provision, on its own, would survive a Charter challenge. It also means that a foreign company can’t advise their own government that they are subject to an order. 


I can’t help but think of the fact that under the UK equivalent of this law, Apple was issued with a secret order to circumvent or turn off encryption on iCloud. Apple couldn’t tell anyone, yet it somehow leaked. The United States government was of the view that this was contrary to an agreement between the UK and the US, but Apple was prohibited by UK law from letting their own government know what shenanigans the US’ own ally was engaging in. 


The bill does anticipate at section 17 that ESPs may seek judicial review of a Minister’s order, but the cards are again stacked in favour of secrecy and of the government conducting its business outside of public scrutiny.


Section 18 allows the government to make a range of regulations related to confidentiality and security. These are scaled back from the absurd scope anticipated in the Strong Borders Act. There are security and confidentiality rules for judicial proceedings provided for in subsection (b). Subsections (c) and (d) authorize regulations related to ESP employees and contractors involved with law enforcement and national security access to information, including security clearances and where they are located, and where facilities are located. As I understand it, most American service providers run this function from the US and I’m sure they will not be interested in moving that to Canada or having their employees subject to Canadian security clearances. I would imagine that some companies will just decide to not do business in Canada. 


Part 2 also contains a whole regulatory oversight structure, with inspections, audits and penalties. I’m not going to get into that today. 


Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws for some time, and the mandated intercept capabilities were used by Chinese hackers to get access to data. 


The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major US telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures. 


A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage. 


This is what’s coming to Canada … 


So let’s bring this down to earth and make it more concrete. At a technical briefing this week, the government offered only two examples for why they think we need the Supporting Authorized Access to Information Act: 


“CSIS cannot track a cellphone


CSIS is trying to determine the movements of a terrorist group and has received a warrant to track a person of interest’s cellphone. The electronic service provider did not have the necessary capabilities to track the device because they are not required to. As a result, CSIS had to resort to costly and risky in-person surveillance. 


With C-22: The GIC will have the authority to make regulations requiring that ESPs develop and maintain location tracking capabilities that are standard in Europe and among the Five Eyes.”


First of all, I don’t really care what they are doing in the other Five Eyes. Essentially, the UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms and their surveillance laws reflect that. And the law doesn’t say we’ll just do what they do in “Europe and among the Five Eyes.” I bet the Chinese security services have this capability. 


Let’s take a moment to ponder this scenario and what it means. CSIS wants to be able to track any cellphone in real-time, with a warrant. That means that they want every cellphone in Canada to be a tracking device. And they want historical metadata – which includes location data – retained for one year.


The second example is equally sympathetic, but shows that the government wants everyone to be carrying a tracking device:


“Police cannot consistently obtain location information 


An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call. The telecommunications provider was able to confirm the call and the tower used to make the call but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability. 


With C-22: Core providers would be required to maintain accurate and consistent localization capabilities across the country.”


That device in your pocket will be a tracking device. And the law doesn’t say that this data can only be accessed if you’re a suspected terrorist or a missing teenaged girl. It can be tracked by ANY police agency in Canada with an order issued merely on “reasonable grounds to suspect.” Judicial authorization isn’t even required in a whole bunch of cases: There are dozens of laws that permit regulators and others to access this data without judicial authorization. 


“If you build it, they will come.” And the government wants ESPs to build the surveillance infrastructure for them, to which the police and others will almost certainly come. And this is even without considering that the backdoors will be a HUGE target for cybercriminals and threat actors. 


I don’t think that the government has come close to making any sort of compelling case for Part 2 of Bill C-22, and certainly not one that convinces me that the public safety interest in building all of this surveillance infrastructure outweighs the privacy and cybersecurity risk of doing so. 


We should also be looking at this through the lens of what we have now. If the police or CSIS get a production order, a wiretap order or a tracking order, they can also ask the judge to issue an “assistance order”. This is an order, directed at the service provider, ordering them to give all reasonable assistance, reasonably required to give effect to the production order, wiretap order or tracking order. On every occasion when I have brought this up with “lawful access” supporters, nobody has been able to point me to any problems with this. Assistance orders are like one-off ministerial orders that are appropriately tailored to the case and circumstances, and are signed off by a judge. And they’re subject to judicial review. I’m not sure the current system is broken. It just doesn’t give the police friction-free access to the universe of data that they want collected on their behalf.