The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
I’ve been doing a series of episodes taking a closer look at the elements of the new lawful access bill, Bill C-22. The bill contains a revamped version of something that caused a lot of controversy in the earlier Bill C-2, and is the thing most sought after by the police. That is the production order for subscriber information.
Before we dive into this new production order, a bit of background:
The Bill is in two parts. The first part is called “Timely Access to Data and Information” and the second part of the Bill creates a new statute: the “Supporting Authorized Access to Information Act”.
The two parts do wildly different things. Part one is intended to create new AUTHORITIES by which police and national security folks can require companies to provide them with information about their customers. Part two is intended to create new CAPABILITIES by which police and national security folks can require companies to provide them with information about their customers. Part one is about authorities and part two is about capabilities. The authorities under part one are mostly subject to judicial supervision and control, and I can largely live with them. The capabilities under Part Two cause me a LOT of concern.
The government has clearly tried to fix some of the biggest problems from Bill C-2. But when you look more closely, there are still some very serious issues – particularly around the legal threshold, the scope of information, and just how broadly this power can be used.
So in this episode, I’m going to do three things:
First, I’ll explain what a production order for subscriber information actually is.
Second, I’ll walk through what was proposed in Bill C-2, the Strong Borders Act.
And third, I’ll show what’s changed in Bill C-22, the Lawful Access Act of 2026 — and what hasn’t changed.
Let’s start with the baseline. What are they trying to accomplish? Let’s look at the situation described in the leading case on the topic called R v Spencer from the Supreme Court of Canada. In that case,
“The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store [CSAM] through an Internet file-sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. This led them to the appellant, Mr. Spencer. He had downloaded [CSAM] into a folder that was accessible to other Internet users using the same file-sharing program. He was charged and convicted at trial of possession of [CSAM] and acquitted on a charge of making it available.”
The “subscriber information” here is the customer name and address associated with the IP address that the police already had. The Court in Spencer said the police have to get a court order to get that information from the internet service provider, or there has to be a “reasonable law” that enables them to get that info.
Under the current Criminal Code, police already have access to something called a general production order. This allows them to go to a judge or a justice of the peace and, if they meet a legal threshold, compel a third party to produce records relevant to an investigation. That type of order has been available since 2004, ten years before the Spencer decision. The police could have gotten such an order, but they didn’t want to.
For General Production Orders, the police have to show that there are reasonable grounds to believe that an offence has been or will be committed.
That’s a meaningful standard. It requires evidence that would lead a reasonable person to actually believe a crime occurred. And importantly, these orders are targeted. They specify the particular records being sought. The cop has to convince the judge that the particular records sought are relevant and useful.
Now, “subscriber information” is a subset of that. This is the information that links a person to a service. The police have a phone number or an IP address and they want to know who is the particular customer who is associated with that phone number or IP address.
And as the Supreme Court of Canada has said in the leading case called Spencer, this kind of information engages a reasonable expectation of privacy. You have the right to be anonymous on the internet. The Court said the police can only get this type of information pursuant to a court order or a “reasonable law”. They currently get it using a general production order, based on reasonable grounds to believe.
So access to it generally requires judicial authorization or the more nebulous “reasonable law”.
Now let’s look at the former Bill C-2—the Strong Borders Act.
This bill introduced a new, standalone production order for subscriber information.
And it had two major features that drew a lot of criticism. First, the legal threshold was extremely low. Instead of reasonable grounds to believe, the bill required only reasonable grounds to suspect an offence. That’s a much lower standard.
It doesn’t require belief—just suspicion. And in practical terms, it’s just above a hunch.
Second, the scope of information was extremely broad. The definition of subscriber information included any information provided by the customer to obtain the service. And these orders could be directed to anyone who provides service to the public. And that’s where things got concerning.
And on top of that, the order required the production of all subscriber information—not just specific, targeted records. That could include things like banking information, credit card details, and potentially other very sensitive data.
So what you had was a combination of a very low threshold and a very broad scope. And that raised serious concerns.
Now let’s fast forward to Bill C-22. And to be fair, the government has made some meaningful changes.
The first change is to the definition of subscriber information. It’s now more constrained. It includes identifying information like name, address, and email. It includes account identifiers. It includes information about the services provided. And it includes device or equipment identifiers.
subscriber information, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person, means
(a) information that may be used to identify the subscriber or client, including their name, pseudonym, address, telephone number and email address;
(b) identifiers assigned to the subscriber or client by the person, including account numbers; and
(c) information relating to the services provided to the subscriber or client, including
(i) the types of services provided,
(ii) the period during which the services were provided, and
(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.
But importantly, what’s been removed is that catch-all category of information provided by the customer to obtain the service.
And that’s a big deal because it likely excludes things like payment information, medical intake forms, and other highly sensitive data.
So from a scoping perspective, this is clearly an improvement, but it’s still too broad in my view.
But—and this is important—the order can still be directed at any person who provides services to the public. Not just telecommunications companies. That means banks, hotels, doctors’ offices, online platforms—really, anyone providing services to the public.
So while the type of information has been narrowed, the range of organizations that can be compelled to produce it is still very broad.
But the legal threshold has not changed. It is still reasonable grounds to suspect. Not “believe”. And that matters.
Production order — subscriber information
487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.
Conditions for making order
(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.004 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of Parliament; and
(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.
Because it means there is no requirement for the officer to actually believe that a crime has been committed or will be committed. Only that there are reasonable grounds that could lead someone to suspect that an offence has occurred. That is a very low bar.
Another important point is that this power is not limited to serious crimes. It applies to any offence under any Act of Parliament. That includes relatively minor regulatory offences.
So we are talking about a power that is broadly available, triggered on a low threshold, and capable of compelling disclosure of personal information from a wide range of organizations.
So what does this mean in practice?
Well, first, it makes it easier for police to connect an identifier—like an IP address, or a device—to a real person. And that’s clearly the goal.
I have a problem with the fact that the order is “to prepare and produce a document containing ALL THE SUBSCRIBER INFORMATION that relates to any information, including transmission data, that is specified in the order”. ALL the subscriber information. It’s not just the subscriber information that will identify and locate the recipient of the services. That goes beyond the “investigative breadcrumb” the police say they really need.
But even with the narrowed definition, the inclusion of things like service types and device identifiers can still be quite revealing. It can tell you what services someone uses. It can tell you what devices they rely on. And in some cases, that can paint some details into the picture of an individual’s activities.
It can be directed to a doctor’s office with the requirement to tell the police what services the individual gets. It can include the serial number of your CPAP machine or blood glucose monitor.
It can be directed to an ISP that’s also a telco and a cable company, requiring the production of information about what cable packages you subscribe to, what your phone number is, what is the MAC address of your modem, the IMEI of your phones.
It can be directed at a company like Apple, requiring the production of your iCloud account identifier, the bluetooth device identifiers for all your airtags, your airpods, the identifiers for your MacBook, your iPhone, your iPad.
And because the threshold is lower, judges are being asked to approve these orders with less evidentiary grounding than we would normally expect.
The government is thinking that customer name and address, IP addresses and phone numbers attract a lower expectation of privacy, so can be obtained on a lower standard like “reasonable suspicion”. That may be true and the courts may agree with that point, but the inclusion of “all services” and “all devices” and “all identifiers” would be information that has a higher expectation of privacy, and presents a real risk that the order will be found to violate section 8 of the Charter of Rights and Freedoms.
So, in my view, it’s still too broad.
So stepping back, here’s the comparison.
Bill C-2 had a very, very broad definition of subscriber information, including customer-provided data, combined with a low threshold and bulk disclosure.
Bill C-22 narrows the definition and removes the most sensitive categories of information. But it keeps the low threshold, it still applies broadly, and it still allows relatively expansive disclosure.
So yes, it’s better. But the core issue—the low legal threshold for access to personal data—remains.
Bill C-22 clearly reflects an attempt to respond to the criticism of Bill C-2. And in some respects, it succeeds. But the fundamental policy choice is still there: to allow police to obtain subscriber information AND MORE on the basis of suspicion, not belief.
And that raises a real question: Is that an appropriate balance between investigative efficiency and privacy? Or does it place the line too far in favour of the state?
That’s the issue Parliament is going to have to grapple with when this gets to committee, and then this will be decided by the courts. I think if they narrow the scope a bit further to remove information about services and devices, this may be Charter compliant. If not, there’s a real risk it’ll be struck down by the courts and the police will be back to the drawing board.
I have to start by giving Public Safety Minister Gary Anandasangaree credit for parking the “lawful access” parts of Bill C-2, going back to the drawing board and introducing a much improved Bill C-22, “An act respecting lawful access.”
As I said, it’s much improved. In a number of ways, it still goes way too far and at least in one respect it doesn’t go far enough.
Over the course of a number of episodes, I’m going to do a bit of a deep dive into some of the main features of Bill C-22. I did a forty minute episode going over all of it, but the next ones will be shorter and focused on particular provisions.
Today I’m going to talk about the “Confirmation of Service Demand.” Yes, it is without a warrant but that doesn’t cause me any real concern. And I’ll explain why.
Before we dive into these demands, a bit of background:
The Bill is in two parts. The first part is called “Timely Access to Data and Information” and the second part of the Bill creates a new statute: the “Supporting Authorized Access to Information Act”.
The two parts do wildly different things. Part one is intended to create new AUTHORITIES by which police and national security folks can require companies to provide them with information about their customers. Part two is intended to create new CAPABILITIES by which police and national security folks can require companies to provide them with information about their customers. Part one is about authorities and part two is about capabilities. The authorities under part one are mostly subject to judicial supervision and control, and I can largely live with them. The capabilities under Part Two cause me a LOT of concern.
Over the last twenty years, the government and police have not done a good job explaining why they need either the new authorities or the new capabilities.
To understand whether they should have new authorities and capabilities, I think we need to go through what is the current state of affairs and what the government proposes to change. And then we’ll look at what those changes are and what those changes mean.
Here is a pretty common scenario that plays out all the time. The police have evidence of some sort of online crime. It could be distribution of child abuse materials or it could be extortion. They’re confident a crime has taken place, but they don’t know who the suspect is. They may have an IP address or a phone number, but no name. Using publicly available tools, they can find out who is the internet service provider or who is the telco who first assigned the phone number. But they don’t necessarily know where the suspect may be. If it’s a Rogers, or Bell or Telus IP address, they have customers across the country. If it’s a phone number that was first assigned by Rogers, that customer may have moved provinces and thanks to number portability, the service provider may have changed in the meantime.
So they want to know who is the person – their suspect – connected to this IP address or phone number, who is the current service provider and where they are. The “where” is important, because the crime may have been brought to the attention of the RCMP in Ottawa via international law enforcement partners, but the suspect may be in Montreal, Toronto or Calgary.
But this is not a dead end using their current authorities. The RCMP in Ottawa can go to the court in Ottawa to get a general production order. They’ve been able to do this since 2004, when the Criminal Code was amended to create these third party information orders. So an RCMP constable goes to the court and says – under oath – I have reasonable grounds to believe that a crime has been committed, and here’s the basis for that belief. I also have reasonable grounds to believe that the Telco or ISP has information that will lead me to the identity of the suspect. Therefore I want an order telling the Telco to provide me with the customer name and address associated with the IP address or phone number. And the officer gets a production order that will typically order the Telco to provide the information promptly and usually no later than thirty days. The order can say a shorter time.
The telco will tell the RCMP constable the name and address to which the IP address is allocated. Let’s just say it’s John Q. Public of 123 Main Street, Winnipeg, Manitoba. The RCMP in Ottawa will contact the Winnipeg police, send them their investigation file and the information received from the Telco. The Winnipeg police should pick it up from there, and off they go.
This can all be done – and is done daily – using the current authorities in the Criminal Code.
But from time to time, the response from a telco may be “that’s not our phone number” or “yes, that’s our IP address, but it’s actually serviced by a reseller of internet services so we don’t have any customer information”. This doesn’t happen all the time, but it happens.
One of the things that the police and national security folks want is a “confirmation of service demand” because they may not know whether the suspect is actually a customer of a particular telco. They want to be able to ask any telco “Hey, do you service this phone number?” And the telco would have to say “yes” or “no”. It may be an IP address, it may be a SIM card number or an IMEI (International Mobile Equipment Identity), which is a unique 15-digit number that identifies mobile devices on a network. (I should note that IP addresses and SIM card numbers are generally and reliably associated with the service provider.)
A confirmation of service demand makes a lot of sense. They can’t really do this with a current production order because they have to have “reasonable grounds to believe” that the recipient of the order has records. They may have reasonable grounds to believe that the phone number may be served by “A Telco”, but they don’t have reasonable grounds to believe that the phone number is served by any particular Telco. There are 39 registered wireless carriers and more than 100 traditional phone companies.
A yes or no answer to “Hey! Bell! Is 902-555-1212 serviced by you?” does not disclose anything meaningfully private or personal about whoever answers when you dial 902-555-1212. Essentially, for the police, it’s knowing where to send any subsequent court orders related to that number.
So in the scenario I mentioned before, the RCMP in Ottawa that got the report can ask the larger telcos whether they provide the service to the number and get a yes or no answer. Then they know where to send a court order for customer information.
When this was first introduced in Part 14 of Bill C-2, the Strong Borders Act, the “information demand” was far too broad and got a lot of pushback. If this had gone through, without a warrant, the police could demand much more than “is this your customer” and it applied to anyone who provides services to the public. That’s in paragraph (a) - do you or have you provided services. But it went further. If the answer to (a) is “yes”, they can demand whether the company has records and where the services were provided. They can demand the dates during which services were provided. They can demand information about anyone else who is known to provide services to the customer.
So the police can go to Dr. Smith, a family doctor, and say “is John Q. Public your patient, and what specialists have also provided services to your patient”? Clearly over the top.
So in the new Lawful Access Bill, Bill C-22, we have a pared back “Confirmation of service demand”.
The new section 487.0121 allows a peace officer or public officer to make a demand to a telecommunications service provider. It’s not just anyone who provides service to the public, but is now limited to registered, regulated telcos. That demand can require them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand.
To make this demand, they just have to suspect that an offence has taken place and that the confirmation will assist in the investigation. That’s a low threshold, but defensible in light of the information being sought. Which is just a yes or a no answer.
In pulling back and fixing the former information demand, I think they may have pulled back a little too far. In the old demand, the police could demand “in which municipality do you provide these services.” That’s no longer there. And I would be OK with putting that part back in the new “Confirmation of Service Demand” because that has the potential to move investigations forward with negligible impact on customer privacy.
Going back to the scenario I mentioned earlier, where the RCMP in Ottawa receive a report from another law enforcement agency outside of Canada, but the suspect is in Winnipeg. If the confirmation of service demand included the location where services are provided, the RCMP can make the demand from the major telcos, find out that the suspect is in Winnipeg and just refer the whole file to the Winnipeg police to investigate. The Winnipeg police would then go to a local judge to get a production order for subscriber information (which I’ll get into in a subsequent episode), and carry on with the investigation.
Being able to refer the matter to the local police of jurisdiction at that stage makes sense to me, and as I said has negligible impact on privacy.
So that’s the “confirmation of service demand” in Bill C-22, the Lawful Access Act of 2026. The scaling back has certainly improved it, but in scaling it back, the police may have lost a useful bit of information that had no meaningful privacy impact.
The latest attempt at so-called “lawful access” has just dropped in the Parliament of Canada. I have a few things to say about it. It’s better than the government’s last attempt, but take a moment and consider this:
If Bill C-22, the Lawful Access Act 2026 becomes the law, the government of Canada will be able to secretly order Apple to build a capability into its infrastructure to allow Canadian law enforcement and national security folks to track every iPhone, every iPad, every Apple watch, every Apple AirPod and every AirTag in real time.
Then they’ll be able to require Apple to confirm whether they provide you any services.
Then they can go to a justice of the peace and get an order – without actually believing that a crime has been or will be committed – requiring Apple to hand over EVERY device identifier for every device you use with their services. That’s the digital ID for your iPhone, iPad, Apple watch, Apple AirPod, Apple TV and AirTag.
With that information, they can go back to the judge and get an order – again without actually believing that a crime has been or will be committed – requiring Apple to give them the moment-by-moment locations of all your devices.
Oh, and that secret order also required Apple to keep your location history for a full year, so cops can get that too. Is that a power we want Canadian police and law enforcement to have?
For literal decades, Canadian law enforcement and national security folks – working through both Liberal and Conservative governments – have tried to give cops and spies easier access to information about Canadians, and to plug directly into our digital infrastructure to get access to data.
In 2005 Liberal PM Paul Martin’s Justice Minister Anne McLellan introduced Bill C-74, called the “Modernization of Investigative Techniques Act”. It didn’t pass.
In 2009, Conservative prime minister Stephen Harper’s Minister Peter Van Loan introduced Bill C-47, renamed the “Technical Assistance for Law Enforcement in the 21st Century Act”. It also did not pass.
A couple of years later, in 2011 Conservative Stephen Harper’s Minister of Public Safety Vic Toews tabled Bill C-52 in Parliament. This attempt was called the “Investigating and Preventing Criminal Electronic Communications Act”. Shocker – it did not pass.
Apparently a sucker for punishment, Minister Vic Toews then tried another kick at the can the next year with Bill C-30, which was branded as the “Protecting Children from Internet Predators Act”. Yup, you guessed it – this did not pass.
Fast forward to 2025 … The very first substantial bill of the Prime Minister Mark Carney government was tabled by Public Safety Minister Gary Anandasangaree. That was Bill C-2 called the Strong Borders Act. Almost ten years dead, “lawful access” was pulled from its grave, crammed into Parts 14 and 15 of a border bill, only to be thrown back on the trash-heap. It never made it to committee because of the backlash over privacy.
I did a couple of episodes on how problematic Bill C-2 was. (Part 14 and Part 15.) It was universally panned and it was clear that it would not make it through the minority Liberal parliament. Not to be deterred – but to his credit — the Minister of Public Safety went back to the drawing board to try to find a way to make it minimally palatable for it to make it through Parliament. Notably, the current parliament is not as “minority” as it was when Bill C-2 was introduced.
I’m going to go through the Bill to let you know what it contains and what it is supposed to do. I’ll try to highlight the differences between what was attempted earlier in Bill C-2 and the changes they’ve made for Bill C-22, and I’ll also talk about what’s different from the current status quo.
The bill is in two parts, which parallel Parts 14 and 15 of Bill C-2, the Strong Borders Act. In going back to the drawing board, I think the government has largely fixed the big problems with what was Part 14 related to warrantless information demands and new production order powers. But I think that Part 2 is still a HUGE issue.
Part 1 is called “timely access to data and information”.
It contains some amendments to the general search warrant provisions of the Criminal Code to permit the examination of computer data in conjunction with the execution of a warrant when it's authorized by a judge. The status quo, as I understand it, would require the seizure of the computer, returning to court and then getting further authorization to search it. This creates a bit of a one-stop shop. Criminal law practitioners may have more to say about this provision.
The rest of Part 1 largely deals with new information demands and production orders. I should note at the outset that all the new information demands and production orders are equally available to the Canadian Security Intelligence Service as they are to the police. I’m just going to go through each of them once, rather than dealing with the Criminal Code and CSIS Act amendments separately.
The first significant new power that the bill confers on law enforcement and CSIS is something called a “confirmation of service demand”. Something similar was in Bill C-2, but this has been significantly scaled back. Essentially the new section 487.0121 will allow any police officer or any public officer to make a demand to a telecommunication service provider requiring them to confirm whether or not they provide or have provided telecommunication services to any subscriber or client. This could be done using the person's name, account identifier, IP address or telephone number.
Confirmation of service demand
487.0121 (1) A peace officer or public officer may make a demand in Form 5.0011 to a telecommunications service provider requiring them to confirm, within the time and in the manner specified in the demand, whether or not they provide or have provided telecommunication services to any subscriber or client, or to any account or identifier, specified in the demand.
The conditions for making the demand are actually quite low, being “reasonable grounds to suspect” that a federal offense has taken place and that the confirmation that is demanded will assist in the investigation of the offense.
Conditions for making demand
(2) The peace officer or public officer may make the demand only if they have reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of Parliament; and
(b) the confirmation that is demanded will assist in the investigation of the offence.
The telecommunication service provider simply has to provide a yes or no answer. Do they or do they not provide services to that person or in relation to that identifier. This is MUCH better than what was in Bill C-2. The revised demand can only be presented to a telecommunications service provider. The Bill C-2 version could have been made to anyone who provides services to the public, including a doctor’s office or a law firm. The previous version would have required – without a warrant – producing information about the nature of the services and anybody else that the service provider knew who might also provide services to that person.
In Bill C-22, this is much more tailored and focused only on telecommunication service providers or TSPs.
I'm actually
surprised that it doesn't include a requirement to confirm the municipality or
location where the services are provided, because it's my understanding that a
large part of the justification for this in the first place was so that not
only would the police be able to determine whether this service provider is the
right person to send a production order to, but also who is the local police of
jurisdiction. On a daily basis, the RCMP in Ottawa receive international
reports related to criminal activity in Canada, such as dissemination of child
abuse imagery and that report only includes an IP address or account
identifier. That information does not necessarily tell them who is the local
police of jurisdiction to refer the file to. I guess the government was so
sensitive to the pushback they received on Bill C-2, that they removed what
seemed to be pretty innocuous information, which had a compelling
justification.
While I think
this is much improved, I am still very concerned that any peace officer or
public officer who makes a demand is able to impose a non-disclosure condition
for up to one year. That is a significant period of time. I would much prefer
it if it was something short like 30 days, and the officer could go to court to
get it extended.
Non-disclosure
(6)The
peace officer or public officer who makes the demand may impose conditions in
the demand prohibiting the disclosure of its existence or some or all of its
contents for a period not greater than one year after the day on which the
demand is made. The peace officer or public officer may impose the conditions
only if they have reasonable grounds to believe that the disclosure during that
period would jeopardize the conduct of the investigation of the offence to
which the demand relates.
Not
surprisingly, they have included in subsection (12), a provision that says a
peace officer public officer can just ask a telecommunications service provider
to voluntarily provide the confirmation, and this confirmation can be provided
as long as the TSP is not prohibited by law from providing it. Then it goes on
to say that the TSP that provides a confirmation in these circumstances does
not incur any liability for doing so. The Bill has other, similar Safe Harbors
for voluntary disclosure, but related to much more sensitive information.
Request for confirmation
(12) Despite subsection (1), no demand under that subsection is necessary for a peace
officer or public officer to ask a telecommunications service provider to
voluntarily provide the confirmation referred to in that subsection if the
telecommunications service provider is not prohibited by law from providing it.
A telecommunications service provider that provides a confirmation in those
circumstances does not incur any criminal or civil liability for doing so.
The main
feature in my view of Part 1 is a new “production order for subscriber
information”.
Before we get
into it, it's really important to note that the Criminal Code currently
provides for something called a general production order by which a cop can go
to a judge and if they have reasonable grounds to believe a crime has been
committed or will be committed, they can get an order requiring a third party
to produce records that are listed in the production order. On a daily basis,
police seek and obtain subscriber information using these production orders.
What is different here, mainly, is significantly lowering the threshold so that
the officer only has to have reasonable grounds to suspect an offense has been
committed. They don't even have to have reasonable grounds to believe it has
been committed. They don’t even have to believe that a crime has been or will
be committed.
Reasonable
grounds to suspect doesn’t mean that they actually have to suspect a crime, it
just means they have reasonable grounds that could make someone suspect a
crime. This is extremely low.
So the new
section 487.0142 says that on an ex parte application made by a peace
officer or a public officer, a justice or judge may order a person who provides
services to the public to prepare and produce a document containing all the
subscriber information that relates to any information, including transmission
data, that is specified in the order and that is in their possession or control
when they receive the order.
Production order — subscriber information
487.0142 (1) On ex parte application made by a peace officer or public
officer, a justice or judge may order a person who provides services to the
public to prepare and produce a document containing all the subscriber
information that relates to any information, including transmission data, that
is specified in the order and that is in their possession or control when they
receive the order.
Unlike the
confirmation of service demand, this is not limited to telcos. This can involve
anyone who provides services to the public. So this does include doctors’
offices, hotels, grocery stores and banks.
You will see
that in subsection (2), it says that before making the order the justice or
judge must be satisfied by information on oath that there are reasonable
grounds to suspect an offence has been or will be committed under the Criminal
Code or any other Act of Parliament and the subscriber information is in
the person's possession or control and will assist in the investigation of the
offense.
Conditions for making order
(2) Before making the order, the justice or judge must be satisfied by information on oath
in Form 5.004 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of
Parliament; and
(b) the subscriber information is in the person’s possession or control and will assist
in the investigation of the offence.
You should also
note that this is not limited to serious crimes. These powers can be used for
any offence under federal law, such as offences under the National Parks Act,
like sleeping outside of a campground.
It is also
important to understand what is included in “subscriber information”, and I
will note some of the differences from Bill C-2 to Bill C-22. The bill
says:
subscriber information, in relation to any client of a person who provides services
to the public or any subscriber to the services of such a person, means
(a) information that may be used to identify the subscriber or client, including their name,
pseudonym, address, telephone number and email address;
(b) identifiers assigned to the subscriber or client by the person, including account numbers;
and
(c) information relating to the services provided to the subscriber or client, including
(i) the types of services provided,
(ii) the period during which the services were provided, and
(iii) information that identifies the devices, equipment or things used by the subscriber or
client in relation to the services.
In Bill C-2,
subscriber information included any information provided by the customer to the
service provider in order to obtain the services. This could have included
banking information and passwords. It could have included medical information.
Remember, such an order can be directed to a medical clinic. When you go to a
clinic for the first time, you fill out a pretty detailed form related to your
medical history, and that would be in the category of “information provided by
the customer in order to receive the services”. Thankfully, that has been
removed. The definition of subscriber information is much more scaled-back in
Bill C-22, but information about the “types of services provided” along with
device and equipment identifiers can be sensitive information that goes beyond
merely identifying a possible suspect. For many people, their internet service
provider is also their cable TV provider. Do those “services” include premium
pay-per-view access? Hmm? Scaled back but still a bit too far.
This new bill
also includes quirky “foreign entity information requests”. These are kind of
weird because what it amounts to is an application to court to get permission
to make a request, which is voluntary, to a foreign entity that provides
telecommunications services.
So what they
end up with is a piece of paper asking an entity to voluntarily provide
subscriber information. It is not an order requiring the entity to produce the
information, but it does have judicial approval in Canada. This is intended to
address the question of whether Canadian orders can be enforced outside of
Canada, or more accurately avoid that question entirely. It should be
applicable where voluntary disclosure can be obtained and where the service
provider wants to be sure that there is some third-party judicial approval. It
also should mean that whatever information is obtained can be used in a Canadian
court, because Canadian police have been authorized by a judge to obtain it.
Personally, I think this is a really clever solution for a real issue.
Subsection 4 of
this provision says that the production request can be required to include
information required by the foreign entity, the foreign state or any magic
words that are required by an international agreement or arrangement to which
Canada and the foreign state are parties.
Earlier I
mentioned the gag orders that can accompany a confirmation of service demand.
Part 1 also amends the existing section 487.0191 of the Criminal Code to
authorize a judge, on an ex parte application, to issue a gag order
related to confirmation of service demands.
Part 1 of Bill
C-22 also affects the scheme for judicial review of production orders
generally, not just this new production order for subscriber information. It
compresses the timeline during which the recipient of a production order is
able to seek judicial review, in order to have it modified or revoked. That
deadline will be “within 10 business days after the day on which the order was
received”. In Bill C-2, it was way shorter – five days after the order was
issued – and actually seemed to be designed to prevent the judicial review of
production orders. I have seen production orders served more than five days
after they are issued, so it would be too late by the time you received it. Ten
business days is still pretty short, but much more reasonable than what was in
the Strong Borders Act.
Part 1 of Bill
C-22 also tweaks the existing provisions in the Criminal Code related to
voluntary disclosure of information from any person to the police or a public
officer. It says that documents or information can be provided voluntarily and
it also says that no person incurs any criminal or civil liability for doing
so.
For greater certainty
487.0195 (1) For greater certainty, no preservation demand, preservation
order, keep account open or active order or production order is necessary for a
peace officer or public officer to ask a person to voluntarily preserve data
that the person is not prohibited by law from preserving, to voluntarily keep
an account open or active that the person is not prohibited by law from keeping
open or active or to voluntarily provide a document or information to
the officer that the person is not prohibited by law from disclosing.
No civil or criminal liability
(2) A person who preserves data, keeps an account open or active or provides a
document or information in those circumstances does not incur any
criminal or civil liability for doing so.
It's kind of
extra weird because subsection (1) says “hey you can voluntarily provide it if
a law doesn't prohibit you from voluntarily providing it”. Then subsection (2)
says if you provide it, you will have no criminal or civil liability. If no law
prevented them from providing it, why do they need immunity from criminal or
civil liability?
This actually
does NOT fix the issue that arose in the Supreme Court of Canada case of
R v. Bykovets.
In that case, a payment service processor voluntarily provided IP address
information related to suspected fraudulent transactions, and the Supreme Court
of Canada said that the police were not able to use that information or even
obtain it without a production order. This does nothing to address that issue.
The Bykovets issue is still there.
We then have a
new subsection (3) that says:
For greater certainty, no production
order or warrant, or confirmation of service demand made under section 487.0121,
is necessary for a peace officer or public officer to receive any information
from a person or a telecommunications service provider, as the case may be, who
is lawfully in possession of it, and to act on the information, if the person,
without being asked for it, provides it voluntarily or is required by law,
including a law of a foreign state, to provide it.
There’s also a
new subsection (4), which says:
For greater certainty, no production
order or warrant, or confirmation of service demand made under section 487.0121,
is necessary for a peace officer or public officer to receive, obtain and act
on any information that is available to the public.
This seems
pretty similar to what was included in Bill C-2, and received a lot of
criticism. A number of smart folks were very concerned that hacked information
and data leaks are included in what would be considered information that is
available to the public. Should the police have the ability to exploit data
that became public unlawfully? But here they can use it willy-nilly. I share
this concern.
Bill C-22 also
amends the current provision in the Criminal Code related to what are
called “exigent circumstances”. Police can search and demand a whole range of
data without a warrant or a court order if the conditions for obtaining an
order exist, but by reason of exigent circumstances it would be impracticable
to obtain an order. It is not all that new, but just extends the authorities to
include the new production order powers.
487.11 A peace officer or public officer may, in the course of their
duties,
(a) exercise any of the
powers described in section 487 [search warrants], 492.1 [tracking warrants]
or 492.2 [transmission data recorder] without a warrant if the
conditions for obtaining a warrant exist but by reason of exigent circumstances
it would be impracticable to obtain a warrant; or
(b) seize any subscriber
information that may be the subject of an order made under subsection 487.0142(1)
[subscriber information] or any data that may be the subject of an order made
under subsection 487.016(1) [transmission data] or 487.017(1) [tracking data]
if the conditions for obtaining an order exist but by reason of exigent
circumstances it would be impracticable to obtain an order.
We will see
that tracking things and tracking people is a theme of this bill. Bill C-22
adds a new subsection to section 492.1 related to tracking orders. These are
orders that are obtained from a judge authorizing a police officer or a public
officer to obtain tracking data related to a person or a thing. Subsection
(2.1) is being added to permit an authorization to track other things that
might be associated with a person where that thing might not have been known to
the officer at the time.
Tracking similar things
(2.1) A justice or judge who
authorizes a peace officer or public officer to obtain tracking data that
relates to the location of a thing that a person uses, carries or wears may, in
the warrant, authorize the peace officer or public officer to obtain tracking
data that relates to the location of any similar thing that is unknown at the
time the warrant is issued if the justice or judge is satisfied that there are
reasonable grounds to suspect that the person will use, carry or wear that
similar thing.
Scope of warrant
(3) The warrant
authorizes the peace officer or public officer, or a person acting under their
direction, to install, activate, use, maintain, monitor and remove the tracking
device, including covertly. The warrant also authorizes a person acting
under the direction of the peace officer or public officer to obtain the
tracking data that is authorized to be obtained under the warrant.
I can imagine
this would include getting an order to track somebody's vehicle, and to add on
authority to track their phone and maybe their smartwatch. Subsection (3) is
also amended to say that an officer can authorize somebody else to obtain the
tracking data authorized to be obtained under the warrant.
Parallel
amendments are made to the similar Criminal Code provisions related to
transmission data warrants.
So that's
largely what is in Part 1 of the new Lawful Access Act, 2026. As you can
see, while there are some things to quibble over, it is a significant
improvement from what was in Part 14 of the Strong Borders Act.
Now we are
going to look at Part 2, which I think is and remains a huge problem. The
outcry associated with the Strong Borders Act was principally focused on
warrantless information demands and overbroad subscriber information orders. In
a lot of the debate and discussion, Part 15 of that Bill was largely ignored. I
really hope that the equivalent of that Part in Bill C-22 gets as much
attention as it deserves.
In a nutshell,
Part 2 will require a huge range of service providers – well beyond traditional
telecommunications service providers – to build in real-time interception and
monitoring capabilities so that cops and national security folks can just plug
into the systems to access data when “authorized” to do so.
Currently the
cops can go to a judge and get a wiretap order to intercept the communications
of a suspect in real time. They can go to a judge to get an order for just
about any data that currently exists.
What the cops
are generally complaining about is that there isn’t a consistent interface for
them to plug into and get the data among all the telcos out there. I can see
that kind of sucks.
But what
they’re not emphasizing is that Part 2 of Bill C-22 will likely require telcos,
AND cloud providers, AND social media companies, AND AI chatbots, AND VPN
services, AND chat services and the like to build in not only the capability
for Canadian police to plug directly in, but Part 2 will also require them to
build in additional surveillance tools and collection capabilities that go well
beyond what data the company actually needs to provide you with services.
I lived in
Romania just after the fall of the Iron Curtain. It was purported that the
state security police had the capability to turn any landline telephone into a
room bug with the flip of a remote switch. Part 2 of Bill C-22 could permit a
secret order directed at telcos to create this capability. The Minister of
Public Safety could order Samsung to turn your smart fridge into a listening
device. The same with your Smart TV or Smart speakers. I find that worrisome.
So let’s talk
about specifically what is in Part 2 of Bill C-22.
Part 2 creates
a new standalone statute called the Supporting Authorized Access to
Information Act or SAAIA. Section 3 sets out its purpose:
3 The purpose of this Act is to ensure that electronic service providers can
facilitate the exercise of authorities to access information that are conferred
on authorized persons.
So it talks
about authorities that are conferred on authorized persons to access
information. It doesn't say “lawful authorities”, nor does it say “judicially
authorized authorities”. It just says authorities. From the discussion about
Part 1, it’s clear that the police and CSIS are authorized to obtain data
without a warrant by just asking for it.
The Supporting
Authorized Access to Information Act has “electronic service providers” in
its crosshairs. It is therefore really important to understand what an
electronic service provider is. ESP is defined in the bill, as is an electronic
service.
electronic service provider means
a person that, individually or as part of a group, provides an electronic
service, including for the purpose of enabling communications, and that
(a) provides the service to persons in Canada; or
(b) carries on all or part of its business activities in Canada.
You will note
that it says it provides an electronic service, “including for the purpose of
enabling communications”. The use of the word “including” clearly signals that
it is not limited to those providers who are strictly engaged in
communications. It goes broader than that. We can see from the very broad
definition of electronic service:
electronic service means a
service, or a feature of a service, that involves the creation, recording,
storage, processing, transmission, reception, emission or making available of
information in electronic, digital or any other intangible form by an
electronic, digital, magnetic, optical, biometric, acoustic or other
technological means, or a combination of any such means.
Hey, I am in
the business of creating information in digital form. What is a YouTube video,
or podcast? Or emails to my clients. My law firm is in the business of creating
information in digital form. The Canadian Broadcasting Corporation, the Globe
and Mail and the Canadian Press are in the business of creating information in
digital form. I am not sure that any business exists in Canada that is not in some
way or somehow creating, processing or storing digital information. This is
dramatically broad. In conversations I have had with people from Public Safety,
it is clearly their intent to cover traditional telcos, internet service
providers and ALSO cloud computing providers, social media providers and online
game services. Again, this is dramatically broad.
The Bill is
going to deal with two broad categories of electronic service providers. The
first is something called a “core provider”, and there will be subcategories of
core providers. The second group is the rest of the universe that could fit
into the category or definition of “electronic service provider”.
The categories
of core providers are to be listed in the schedule to the Act, which is currently
blank, not surprisingly. So these core providers are going to be subject to a
number of obligations that will be set out in the regulations. Subsection (2)
describes these obligations, but note the use of the word “including” which
means that the regulations and the obligations can go well beyond what is
listed in subsections (a) through (d).
(a) the development, implementation, assessment, testing and maintenance of operational
and technical capabilities, including capabilities related to extracting and
organizing information that is authorized to be accessed and to providing
access to such information to authorized persons;
This is
essentially a requirement to build in the operational and technical
capabilities to enable access to information on the core provider’s
infrastructure or within their systems.
(b) the installation, use, operation, management, assessment, testing and maintenance
of any device, equipment or other thing that may enable an authorized person to
access information;
This can
require core providers to install particular devices or equipment on their
infrastructure.
(c) notices to be given to the Minister or other persons, including with respect to any
capability referred to in paragraph (a) and any device, equipment or other
thing referred to in paragraph (b); and
It’s not yet
clear what these notices are all about ….
(d) the retention of categories of metadata — including transmission data, as defined
in section 487.011 of the Criminal Code — for reasonable periods of
time not exceeding one year.
The requirement
to retain metadata was NOT in Bill C-2, the Strong Borders Act. This is
very concerning. There are some small protections about this, in subsection
(4). That says:
(4) Paragraph (2)(d) does not authorize the making of regulations that require core
providers to retain information that would reveal
(a) the content — that is to say the substance, meaning or purpose — of information
transmitted in the course of an electronic service;
(b) a person’s web browsing history; or
(c) a person’s social media activities.
Ok. That’s some
protection. But it does not put location information out of scope, which is
concerning. The government clearly wants all cellphones to be trackable, and
under this authority they can be required to save your detailed location
history for a full year.
Subsection (3)
lists a number of factors that the government must take into account in
creating and drafting the regulations which place the specific obligations on
the core providers. These include …
(a) the benefits of the regulation to the administration of justice, in particular to
investigations under the Criminal Code, and to the exercise of powers
and the performance of duties and functions under the Canadian Security
Intelligence Service Act;
(b) the feasibility of compliance with the regulation for the core providers;
(c) the costs to be incurred by the core providers to ensure compliance with the
regulation;
(d) the potential impact of the regulation on the persons to whom the core providers
provide services;
(e) the potential impact of the regulation on privacy protection and cybersecurity; and
(f) any other factor that the Governor in Council considers relevant.
I am glad that
they have included the potential impact on privacy and cybersecurity. I would
like it if it required the government to release their analysis of all these
considerations along with the regulatory impact analysis statement that will
accompany the regulations when they are first published.
The only good
news when dealing with core providers is that these requirements will be in a
regulation that will be public. We will be able to understand, at least in
general terms, what obligations are being imposed on these core providers.
There is
another bit of small comfort in subsection (5) which says
(5) A core provider is not required to comply with a provision of a regulation made
under subsection (2), with respect to an electronic service, if compliance with
that provision would require the provider to introduce a systemic vulnerability
related to that service or prevent the provider from rectifying such a
vulnerability.
Of course, this
turns on what is a “systemic vulnerability”, which is defined in the
bill:
systemic vulnerability means
a vulnerability in the electronic protections of an electronic service that
creates a substantial risk that secure information could be accessed by a
person who does not have any right or authority to do so.
electronic protection means
authentication, encryption and any other prescribed type of data protection.
Note that it is
limited to systemic vulnerabilities in “services”. It does not include devices
or processes. Just the services themselves. Professor Robert Diab has pointed out
that there’s enough wiggle room in this for the Minister to say that an
operating system, such as Windows or iOS is not a “service”. Firmware is a part
of the device, so please root them all. (The use of the word “please” is only
because we’re Canadian … it would actually be an order.)
Also, what this
does NOT say is that the government is prohibited from requiring an ESP to
circumvent or undermine encryption. We have been told by the government that
they would never do that, but they do not seem willing to put it in the law.
The second
significant power contained in the Supporting Authorized Access to Information
Act is the power to issue ministerial orders, set out in Section 7. Essentially, the minister of
Public Safety can issue secret orders directed at any one or more electronic
service providers to implement measures that could have been contained in a
regulation for a core provider, but these are secret and would be limited to a
defined time period. Of course this time can be extended at the discretion of
the minister. These orders can also be directed at ESPs that are already core
providers. Bonus requirements!
The only real
protection introduced since the Strong Borders Act is in subsection (2),
which says that these secret orders must be approved by the Commissioner
designated under the Intelligence Commissioner Act. I think this is a real
protection, principally because the intelligence commissioner has to be a
former Superior Court judge who would have spent a career dealing with criminal
law matters and Charter rights. He is currently entrusted with approving
certain National Security orders as a form of semi-judicial oversight. This is,
in my view, real progress.
Subsection (3)
of Section 7 sets out the sorts of considerations that the Minister has to take
into account before issuing a secret ministerial order. This parallels the
considerations that the government would have to take into account in issuing
regulations affecting core providers.
And subsection
(5) has a parallel provision saying that
(5) The electronic service provider is not required to comply with a provision of the
order, with respect to an electronic service, if compliance with that provision
would require the provider to introduce a systemic vulnerability related to
that service or prevent the provider from rectifying such a vulnerability.
Section 14
creates an obligation for all electronic service providers to assist a range of
people to do a range of things on the Minister’s request. Remember, while we
review this, that my law firm, your doctor’s office and Apple are all
“electronic service providers”. It reads:
14 (1) On
request made by the Minister, an electronic service provider must provide all
reasonable assistance to a person or class of persons specified in the request
to permit the assessment or testing of any device, equipment or other thing
that may enable an authorized person to access information.
Persons to be assisted
(2) Only the following persons or classes of persons may receive assistance:
(a) the Minister;
(b) an employee of the Canadian Security Intelligence Service;
(c) a person appointed or employed under Part I of the Royal Canadian Mounted
Police Act or a civilian employee referred to in section 10 of that Act;
(d) a civilian employee of another police force;
(e) a peace officer, as defined in section 2 of the Criminal Code.
There is some
protection in subsection (4) so that “the assessment or testing must not have
the effect of granting access to personal information.”
One of the huge
problems I have with these Ministerial Orders is the mandatory secrecy that
surrounds them. Without exception, under section 15, an ESP is prohibited by
law from revealing that they are subject to an order, the substance or contents
of an order, or any dialogue they’ve had with the Minister in connection with any
order.
This is
draconian, overbroad and frankly offensive. There’s no requirement that the
Minister be satisfied that disclosure of this information would be harmful to
law enforcement or to national security. There is no sunset and no means by
which an ESP can challenge the gag order if they think it’s in the public
interest to disclose the information. I am not sure that this provision, on its
own, would survive a Charter challenge. It also means that a foreign
company can’t advise their own government that they are subject to an
order.
I can’t help
but think of the fact that under the UK equivalent of this law, Apple was
issued with a secret order to circumvent or turn off encryption on iCloud.
Apple couldn’t tell anyone, yet it somehow leaked. The United States government
was of the view that this was contrary to an agreement between the UK and the
US, but Apple was prohibited by UK law from letting their own government know
what shenanigans the US’ own ally was engaging in.
The bill does
anticipate at section 17 that ESPs may seek judicial review of a Minister’s
order, but the cards are again stacked in favour of secrecy, and conducting its
business outside of public scrutiny.
Section 18
allows the government to make a range of regulations related to confidentiality
and security. These are scaled back from the absurd scope anticipated in the Strong
Borders Act. There are security and confidentiality rules for judicial
proceedings provided for in subsection (b). Subsections (c) and (d) authorize
regulations related to ESP employees and contractors involved with law
enforcement and national security access to information, including security
clearances and where they are located, and where facilities are located. As I
understand it, most American service providers run this function from the US
and I’m sure they will not be interested in moving that to Canada or having
their employees subject to Canadian security clearances. I would imagine that
some companies will just decide to not do business in Canada.
Part 2 also
contains a whole regulatory oversight structure, with inspections, audits and
penalties. I’m not going to get into that today.
Throughout this
discussion, I can’t help but be reminded that the US has had something similar
in their laws for some time, and the mandated intercept capabilities were used
by Chinese hackers to get access to data.
The "Salt
Typhoon" hacking incident, attributed to a Chinese state-sponsored
advanced persistent threat (APT) actor, came to light in late 2024 with
revelations that the group had extensively compromised the computer systems of
multiple major US telecommunications companies. The stolen information included
call and text message metadata, and in some high-profile instances, even audio
recordings of phone calls belonging to government officials and political
figures.
A critical
factor facilitating the Salt Typhoon incident was the very infrastructure put
in place to comply with the Communications Assistance for Law Enforcement Act
(CALEA). Enacted in 1994, CALEA mandates that telecommunications providers
build "lawful intercept" capabilities into their networks to allow
law enforcement and intelligence agencies to conduct court-authorized wiretaps.
While intended for legitimate surveillance, these mandated
"backdoors" created inherent vulnerabilities within the telecom networks.
Salt Typhoon exploited these CALEA-mandated systems, effectively turning the
tools designed for lawful access into pathways for unauthorized
espionage.
This is what’s
coming to Canada …
So let’s bring
this down to earth and make it more concrete. At a technical briefing this
week, the government offered only two examples for why they think we need the
Supporting Authorized Access to Information Act:
CSIS cannot track a cellphone
CSIS is trying to determine the
movements of a terrorist group and has received a warrant to track a person of
interest’s cellphone. The electronic service provider did not have the
necessary capabilities to track the device because they are not required to. As
a result, CSIS had to resort to costly and risky in-person surveillance.
With C-22: The GIC will have the
authority to make regulations requiring that ESPs develop and maintain location
tracking capabilities that are standard in Europe and among the Five Eyes.
First of all, I
don’t really care what they are doing in the other Five Eyes. Essentially, the
UK, Australia and New Zealand don’t have a Charter of Rights and Freedoms
and their surveillance laws reflect that. And the law doesn’t say we’ll just do
what they do in “Europe and among the Five Eyes.” I bet the Chinese security
services have this capability.
Let’s take a
moment to ponder this scenario and what it means. CSIS wants to be able to
track any cellphone in real-time, with a warrant. That means that they want
every cellphone in Canada to be a tracking device. And they want historical
metadata – which includes location data – retained for one year.
The second
example is equally sympathetic, but shows that the government wants everyone to
be carrying a tracking device:
Police cannot consistently obtain location information
An at-risk 16-year-old girl was reported
missing. She had already been missing for 10 days when she made an emergency
call. The telecommunications provider was able to confirm the call and the
tower used to make the call but could not provide the last known location of
the phone before it was disconnected since they are not required to have that
capability.
With C-22: Core providers would be
required to maintain accurate and consistent localization capabilities across
the country.
That device in
your pocket will be a tracking device. And the law doesn’t say that this data
can only be accessed if you’re a suspected terrorist or a missing teenaged
girl. It can be tracked by ANY police agency in Canada with an order issued
merely on “reasonable grounds to suspect.” Judicial authorization isn’t even
required in a whole bunch of cases: There are dozens of laws that permit
regulators and others to access this data without judicial authorization.
“If you build
it, they will come.” And the government wants ESPs to build the surveillance
infrastructure for them, to which the police and others will almost certainly
come. And this is even without considering that the backdoors will be a HUGE
target for cybercriminals and threat actors.
I don’t think
that the government has come close to making any sort of compelling case for
Part 2 of Bill C-22, and certainly not one that convinces me that the public
safety interest in building all of this surveillance infrastructure outweighs
the privacy and cybersecurity risk of doing so.
We should also
be looking at this through the lens of what we have now. If the police or CSIS
get a production order, a wiretap order or a tracking order, they can also ask
the judge to issue an “assistance order”. This is an order, directed at the
service provider, ordering them to give all reasonable assistance, reasonably
required to give effect to the production order, wiretap order or tracking
order. On every occasion when I have brought this up with “lawful access”
supporters, nobody has been able to point me to any problems with this.
Assistance orders are like one-off ministerial orders that are appropriately
tailored to the case and circumstances, and are signed off by a judge. And
they’re subject to judicial review. I’m not sure the current system is broken.
It just doesn’t give the police friction-free access to the universe of data
that they want collected on their behalf.
I expect I’ll
probably have more to say about this as Bill C-22 works its way through
Parliament. I will reiterate that I’m glad the government largely went back to
the drawing board and largely fixed Part 1. Part 2 is better than it was
before, but I don’t think it should be passed in its current form. It is wildly
problematic.