Thursday, May 07, 2026

My opening statement on Bill C-22, the Lawful Access Act of 2026, to the House of Commons Standing Committee on Public Safety and National Security

(The full stream of the four-hour meeting is here and the Notice of Meeting with the roster of witnesses is here. I was on the second panel in the second hour.)

Mr. Chairman, honourable members. Thank you very much for your kind invitation to share my views on Bill C-22. I am a partner with the law firm McInnes Cooper in Halifax, where, among other things, I advise clients who are on the receiving end of orders for customer information. I also teach at Dalhousie law school.


I am appearing in my personal capacity. These are my own views, and I am not speaking on behalf of any of my clients. 


I have to commend the government for its comprehensive consultation with stakeholders since Bill C-2, to which I contributed. 


I have a number of concerns and recommendations. I will note that Part 2 of Bill C-22 is VERY problematic. I can’t adequately cover all my concerns in five minutes, so I look forward to the rest of our discussion.


First, narrow the scope or raise the bar for subscriber information production orders.


The bill lowers the threshold for police to obtain a production order for subscriber information from "reasonable grounds to believe" to merely "reasonable grounds to suspect".


The new production orders can be directed at anyone who provides services to the public. This means police could demand records from doctors' offices, hotels, banks, and grocery stores.


Even though the definition was narrowed from previous bills, police can still demand "all the subscriber information" a service provider holds. This goes beyond a name and address and includes the "types of services provided" and all "device identifiers". This could force a medical clinic to provide info about a patient's CPAP machine, or compel Apple to hand over the digital IDs for every device a person owns, including AirTags and iPads.


Narrow the scope of these orders, or raise the bar to reasonable belief. Or it'll be found to violate the Charter.


Part 2 - the Supporting Authorized Access to Information Act (SAAIA) Generally


Nobody has made a persuasive argument that anything in Part 2 of Bill C-22 is really necessary. The Government has had 20+ years to build their case, but as NSICOP observed they only have anecdotes. We should not be undermining the privacy and safety of every single Canadian based on anecdotes. 


Part 2 of the bill targets "electronic service providers" (ESPs), but the definition is so broad it likely includes most businesses in Canada. 


If it proceeds, the Bill should include necessary guardrails: Under no circumstances should the government be allowed to require an electronic service provider to


(i) make changes to products or services that a business provides in the ordinary course, 


(ii) collect and retain any data beyond what the business requires for its own purposes, and 


(iii) make any changes that would affect the functionality (including ordering additional functionality) for any products or services offered by the business. 


As written, the Minister could issue a secret order to turn your Amazon Alexa into a listening device. CSIS has explicitly said they want to be able to track every single phone in Canada in real time, and telcos must make every cell phone trackable. That’s absurd. 


The Government says “we don’t plan to undermine encryption” and there are “no backdoors”. You just have to read the words in the Bill and there’s nothing to prevent that. Government officials said at this committee the Bill is “encryption neutral.” Canadians are not “encryption neutral”. 


The words of the bill clearly permit – and certainly do not prohibit – backdoors and mandatory decryption. In secret with no transparency to Canadians and little accountability. 


What the government “intends” is not relevant. What is relevant is what words end up in a statute. 


The Bill should expressly prohibit undermining or circumvention of encryption. 


Next, ministerial orders have to go 


Under Part 2, the Minister of Public Safety can issue orders to service providers that come with mandatory, permanent secrecy. 


Currently, the police and CSIS can apply to a judge for an “assistance order”, to order a service provider to provide all reasonable assistance to give effect to a warrant. This can be accompanied by a gag order if appropriate. This is judicial control. Nobody from law enforcement has offered evidence that assistance orders are inadequate and should be replaced by secret Ministerial Orders. 


The UK equivalent of a Ministerial Order was used by the UK government to secretly order Apple to remove encryption on iCloud globally. Part 2 of Bill C-22 does not contain any guardrails that would prevent that overreach. 


Secret ministerial orders have to go.


Massive Cybersecurity Risks from "Backdoors"


As legions of cybersecurity experts have said, forcing companies to build surveillance capabilities into their networks creates inherent vulnerabilities. Use your favourite search engine to look up “Salt Typhoon” or “Vodafone Greece scandal” to see examples of lawful access capabilities being exploited for widespread illicit wiretapping. 


This makes Canadian infrastructure a massive target for cybercriminals.


Metadata Retention 


The Bill permits the government to require ESPs to retain metadata, which includes your location history. The government will require everyone’s cellphone to become a retrospective tracking device without any suspicion of wrongdoing. This will almost certainly be found to violate the Charter.


Collected metadata will be sought by Canadian and non-Canadian authorities based on mere suspicion. That’s a record of everyone who sought reproductive health care in Canada, which might be of interest to law enforcement from a Five Eyes partner. 


Part 2’s authorities to access data


The government says that Part 2 does not create any new authorities to access data. That’s simply not true. Take a look at section 20. Persons designated by the Minister can enter any premises without a warrant and without notice, and can examine, copy and remove any information found in that place. They can order anyone in that place to provide any data they ask for. That’s a new authority, and if the premises are an ESP’s offices, that includes access to information about their customers. There are simply no guardrails. 


I look forward to a productive discussion.