Robert Diab

Canada’s Metadata Retention Plan Would Make It an Outlier

Thu, 14 May 2026 00:00:00 +0000

Most of our closest allies do not force telecos to retain everyone’s metadata for up to a year without oversight

Last week, when I appeared before the Standing Committee on Public Safety and National Security on Bill C-22, a question kept coming up from members on both sides of the table: how do other countries handle this? Do our closest allies require electronic service providers to retain the metadata of nearly everyone in the country for a lengthy period, without grounds or individualized suspicion, as the government is proposing to do here?

With one exception, no, the Five Eyes partners have not gone where Bill C-22 proposes to go.

The European experiment

For context, the European Union passed a similar law in 2006 and the European Court of Justice struck it down in 2014. In the Digital Rights Ireland case, the Court acknowledged the general interest in making sure that data is preserved to help investigate and prosecute serious crime, including terrorism. But it held the impact of bulk metadata retention on privacy to be “wide-ranging,” “serious,” and disproportionate. The data retained under the law was not limited to investigating “serious crime.” Police could access it without a warrant. And the periods of data retention bore no connection to the possible usefulness of the data for investigations.

The Australian exception

Shortly thereafter, Australia adopted a mandatory retention regime that reproduced many of the features that led to the European law being struck down. (Perhaps it did so in part because Australia lacks a constitutional bill of rights.)

Australia’s metadata law of 2015 requires telcos to retain subscriber metadata for two years. This includes call duration, location info, email addresses — and police can obtain all of it without a warrant. The government’s intention with the bill was to make metadata available to some 20 law enforcement agencies, but a Parliamentary report in 2020 found that over 80 agencies had gained access to it. Amendments in 2023 curbed the scope of access somewhat, but left the core of the regime — the retention period and warrantless access — intact.

The United Kingdom

The UK has a framework closer in nature to what Bill C-22 is proposing, but with important differences.

Under Part 4 of the UK’s Investigatory Powers Act 2016 , the Secretary of State may issue a “data retention notice” requiring a telecom provider to retain metadata for up to 12 months. But a Judicial Commissioner must approve the notice, by confirming it is necessary and proportionate in relation to one or more statutory purposes, such as national security, serious crime, or public safety.

Under Bill C-22, by contrast, the government can make a regulation that would require all “core providers” to retain metadata for up to a year with no judicial approval and no criteria to satisfy.

The United States

The US has no mandatory metadata retention regime. Under the Stored Communications Act , law enforcement can request that a provider “take all necessary steps to preserve records and other evidence in its possession,” pending a warrant. Preserved records are held for 90 days. Police can make this request without grounds, but to access the data, they need the form of legal process required for the records sought (a warrant in some cases, a subpoena in others).

This is close in nature to what we have in Canada: the preservation demand and order powers in the Criminal Code. Ours require reasonable suspicion for a retention demand lasting 21 days and a warrant on the same grounds for preservation up to 90 days.

Notably, in both Canada and the US, retention is targeted and limited to short periods. Neither country places a general retention burden on providers or generates a pool of data about people who are never investigated.

New Zealand

New Zealand has production orders and preservation directions under its Search and Surveillance Act 2012 similar to those in our Criminal Code, and it does not have an Australian-style bulk metadata retention scheme.

Why be an outlier?

Bill C-22 would put Canada closer to Australia, and further from the approach taken by three of its four closest intelligence partners.

As I’ve noted in my earlier posts on C-22’s metadata retention power, the government appears to assume that this won’t be held contrary to the Charter because an order to preserve metadata that police do not access is not a search or seizure. Merely creating a record of our movements, call duration, and so on for potential police use involves no interference with privacy. It’s only an interference when police access the data retained.

The question here for the courts will be: is it reasonable to expect that our movements in space and time, the coordinates of our calls, won’t be recorded by the state for a law enforcement purpose? Knowing that a record was being kept for this purpose, would a reasonable person feel like they were being surveilled?

The ECJ thought so in the Ireland case. The UK Court of Appeal thought so in 2018. Our own Parliament thought so in 2014 when it added preservation powers to the Code.

Why would we not assume the same is true today? ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Would banning kids from social media and AI be constitutional?

Tue, 12 May 2026 00:00:00 +0000

Probably not, for reasons that point to the limits of what Canada can do here

Recently, governments in Manitoba and Ontario have signalled their support for a ban on social media for children under 16 years of age, and last month, the federal Liberals passed a resolution to this effect at a party convention. Manitoba’s premier Wab Kinew and the national Liberal Party are also keen to ban youth access to “all AI chatbots and other potentially harmful forms of AI interaction.”

Passing a complete ban would entail Canada following Australia’s lead, which, in late 2025, banned social media for everyone under 16. Governments in Europe have taken a less stringent approach by imposing age-verification and parental consent rules around social media access.

It remains to be seen whether Ottawa will choose the European or Australian path. But for reasons I sketch out here briefly, the European path seems more likely — and we may see the Carney government take this path when it soon re-tables the Online Harms Act.

Many commentators have been critical of the idea of Canada imposing a ban on social media or AI for young people due, among other reasons, to the fact that we have a Charter of Rights and Freedoms that guarantees everyone a right to free expression.

If a ban on social media or AI would infringe this right, could it still be legal? Yes it could, because no right in the Charter is absolute. All of our rights under the Charter are subject to reasonable limits — as decided by the courts — under section 1. (And of course, in the case of limits to free expression, we the people have the final say under section 33.)

So if a ban on access to social media or AI from those under 16 would violate section 2(b) of the Charter, would it be a reasonable limit on that right? No, it probably wouldn’t.

The thrust of this post is to briefly show what a challenge would look like and why access with parental consent or other guardrails is likely the furthest Canada can go in restricting youth from their favourite platform or chatbot.

Who would challenge the ban and what would they argue?

Three groups would have standing to challenge a ban: users under 16, creators, and platforms themselves.

The right to free expression under section 2(b) of the Charter protects any activity that conveys or attempts to convey meaning — the sole exception being expression that takes a violent form.

The Supreme Court of Canada recognized in Ford and Irwin Toy , seminal early cases on 2(b), that free expression protects communications between speaker and audience, which encompasses the right to hear or receive expression as well as to convey it.

Scrolling TikTok, Instagram, or querying a chatbot would all convey meaning. Users and content creators would easily make out a violation of 2(b). And so would the social media platforms themselves, on the basis that feed curation itself is a form of expression — or at least, our courts are likely to agree with the US Supreme Court on this point .

What about OpenAI or Anthropic? Would language model composition or tuning be considered comparable to curation? A harder question. But speaking to a chatbot would, I think, be captured by 2(b).

Would the infringement be justified?

Government limits on rights can be valid under the Charter so long as a court decides the limitation is reasonable. To decide this, the court applies a test set out in R v Oakes (1986): the government must show (1) a pressing and substantial objective, and (2) proportionality — meaning a rational connection between the state’s purpose and the limit at issue; minimal impairment of the right; and the benefits of the law outweighing the severity of the rights violation.

Would the government have a ‘pressing and substantial objective’ in banning young people from access to social media or AI?

It would argue that the point of a ban is to protect children from online harms that include mental health damage, predatory behaviour, algorithmic manipulation, and exposure to harmful content. In Irwin Toy itself, a case about restrictions on advertising to children, the Court held that protecting children as a “vulnerable group” from “media manipulation” is a pressing and substantial objective. The government would likely be safe here.

Rational connection

The ban would have to be rationally connected to the government’s aim of reducing harm. The challengers would contest this.

Research on the relationship between social media use and adolescent mental health and other harms is contentious. In response to Jonathan Haidt and Jean Twenge ’s well-known work on social media’s harmful impact on young people, a number of scholars have questioned the causal claims they make. Amy Orben and Andrew Przybylski’s large-dataset studies have found effect sizes too small to justify sweeping intervention, and researchers like Candice Odgers have argued the evidence for social media as a primary driver of adolescent mental illness is weak to nonexistent.

The Supreme Court has, in some cases, including Butler , shown deference to the government at this stage where social science evidence is contested. But challengers might argue that deference has limits, that a measure cannot be rationally connected to an objective on evidence that experts in the field actively dispute.

Minimal impairment

The challengers would be on the strongest ground at the minimal impairment stage. Assuming the court were to accept a rational connection on a balance of probabilities, it would likely find the lack of strong evidence that a ban specifically — and nothing short of it — would reduce harm to be fatal at this stage.

If the evidence suggests that harms are driven by specific features of social media, such as algorithmic amplification of distressing content, infinite scroll, and engagement-maximizing recommendation systems (or in the case of AI, inadequate safeguards), then a total ban on access would not be minimally impairing. More targeted measures could address these concerns with less collateral damage.

Obvious alternative measures include parental controls, algorithmic transparency obligations, time-limit features, and content warnings. The same logic would apply to AI chatbots. Rules around use limits, parental supervision, and so on, present a viable alternative. (In April, seeing which way the wind is blowing, Meta announced child safeguards for AI along these lines.)

Proportionality of effects and objective

If the government manages to clear the rational connection and minimal impairment tests, the court would finally ask whether the salutary effects of the law outweigh its deleterious effects on the right.

The effects would be considerable. A complete ban would remove a sizable demographic from an essential forum for public discourse. Many young people would also use these platforms for purposes entirely remote from the harms the law would target, including political engagement, artistic expression, peer connection, and access to information.

There is also evidence emerging from the Australian experiment that a ban would not have a measurable impact on reducing cyberbullying. And, as Michael Geist has argued , any workable ban would require mandatory age verification, which would mean tens of millions of Canadians submitting government-issued identification to third-party providers, raising privacy issues not only for youth but for the entire adult population.

On the basis that a ban’s salutary effects are at best empirically contested at this point in time, the government is unlikely to succeed at this final stage.

Lawyers behind the scenes at the Department of Justice have probably mapped all this out and are advising the government against following the Australian path of imposing a complete ban, in favour of the European model of imposing stricter rules around access.

The less time kids spend on social media the better. But an absolute ban is probably not workable or lawful. ■

This post first appeared on the Centre for Free Expression’s blog, here , on May 7, 2026

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

The Charter Statement on the lawful access bill is misleading and incomplete

Thu, 07 May 2026 00:00:00 +0000

The government is playing down key concerns, but they haven’t gone away

On Tuesday, Bill C-22 came before the House of Commons’ Standing Committee on Public Safety and National Security. The Ministers of Justice and Public Safety were there to defend the bill in response to strong concerns raised about it by MPs who had clearly done their homework.

Ministers Fraser and Anandasangaree defended the bill largely in line with the government’s Charter Statement on C-22 tabled in the House on April 24th. This is a document intended to set out why the government thinks potentially contentious elements of the bill are Charter compliant.

The Ministers’ appearance before the Committee followed comments by officials from the Department of Justice and the RCMP that were also largely consistent with the framing of the bill in the Charter Statement.

Because the Statement sets out the playbook of the bill’s main advocates, this post looks briefly at what it gets right and what it gets wrong or leaves out.

The Charter Statement gets a few things right.

The reincarnation of the highly contentious ‘information demand’ as the more restricted ‘confirmation of service demand’ allows for what will likely be held to be a reasonable search under section 8 of the Charter. So too, I think, do the ‘request to a foreign entity’ provisions, along with those for the search of data in exigent circumstances, and tweaks to warrants for tracking devices and computer searches.

But the Charter Statement is misleading on a few points, or skirts important Charter dimensions of the bill altogether.

Misleading

The Statement defends the new production order for subscriber information on reasonable suspicion as reasonable under section 8 because: “the subscriber information sought does not by itself constitute particularly sensitive information, since it is limited to information that identifies clients and services, and does not include the contents of communications.” (This is in the proposed s. 487.‍0142 of the Criminal Code, along with the definition of ‘subscriber information’ to be added to s. 487.‍011.)

This is in fact a broad power that can reveal sensitive information. As noted in my earlier post , it permits police to obtain information about a range of digital services, including subscriptions, tiers, channels, and device IDs.

We’re also told the new subscriber information demand power is reasonable because: “[t]he judge would have discretion as to whether to issue an order, and if they choose to issue an order, the judge would have discretion as to what information is specified in it.”

True, a judge does have this discretion (the section contains the standard language: “a justice or judge may order…”). But in virtually all cases where there is a reasonable suspicion of an offence, judges will give police what they ask for, and under the provision, they can ask for a lot.

True but only in part

The Statement asserts: “[T]he bill would clarify, for greater certainty, that no production order, warrant, or confirmation of service demand is necessary for a police officer to receive or act on information if a person provides it voluntarily, or is required by law, including the law of a foreign state, to provide it.” (This is in the proposed s. 487.‍0195(3).)

And this is fine because the provision only clarifies that police do not need authority “to receive information that is voluntarily provided to them by people lawfully in possession of it — for example, victims or witnesses of crime.”

Yes, this is true, but only if what is volunteered is mere information, or more precisely, knowledge of it.

If a victim or witness of a crime volunteers evidence in the form of a document — the text of a chat, an email exchange, a series of private photos — and police receive and review it, that could constitute a search or seizure if the document is private. Police would then need authority, such as a production order or other warrant. This remains an unsettled question in the courts, but a live one.

(The distinction I’m drawing here between knowledge and evidence breaks down in the case of an employee at Shaw who contacts police to convey that someone with the following IP address is involved in suspicious activity. We know from Bykovets that an IP address is private. Do police, receiving this information — for example, by reading an email Shaw has sent to them disclosing the IP address — conduct a search or seizure of it? Arguably, yes they do the moment they decide to act on it. At that point, police are taking possession of private information for an investigative purpose. There is support for this reading in a number of Supreme Court cases including R v Cole .)

In short, police do not need authority in law to ask for or receive documents or information from third parties who volunteer it — except if either of those things is private and police are acting with an investigative intent. (For more on this, see pages 13 to 16 of my C-2 Backgrounder .)

Overlooking important Charter dimensions of the bill

The most contentious part of C-22 is the new statute in Part 2 of the bill, the Supporting Authorized Access to Information Act. This is the Act that compels ’electronic service providers’ to make modifications to their equipment to allow for more direct and immediate access by CSIS and law enforcement acting with lawful authority (such as a warrant).

The Statement claims that the SAAIA “would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access.”

As a result, the Charter Statement restricts its commentary to whether the confidentiality requirements in SAAIA violate freedom of expression; whether the inspection powers violate section 8; and whether penalty provisions violate fair trial rights. On all these points, the Statement makes a plausible case for Charter compliance — though it is silent on the Charter dimensions of how SAAIA might work with the CLOUD Act and Second Additional Protocol (as Michael Geist points out ).

However, the Statement’s assertion that the SAAIA “would not grant any new authorities to lawfully access information and data or expand or derogate from any existing authorities for such access” is not true with respect to one major new power in the Act.

This is the power to compel service providers to preserve metadata for up to a year (in s. 5(2)(d) of SAAIA). As I have outlined in an earlier post , this is a power that would affect almost all Canadians, amounting to a seizure of our data — including where and when we used our phones or other devices, and the coordinates of who we were in touch with at those times and places. And all of this without any individualized suspicion or authority.

The Charter Statement fails to address this at all. By excluding it, the Statement implies that if a service provider like Shaw or Telus were to preserve this data following a Ministerial order under SAAIA, this would not entail the provider acting as state agent or the preservation constituting a seizure — on the theory that it would not constitute an interference with our privacy.

For reasons I expand on in my earlier post about this, both propositions are false. Courts have consistently held that metadata is private. And the Criminal Code’s existing preservation demand and order powers assume that when a state agent directs a provider like Shaw or Telus to preserve data, for an investigative purpose, they carry out a seizure — otherwise, why would police need special powers in the Criminal Code to ask for it? And why would the Code make it an offence to hold on to the data beyond the short periods contemplated in those powers?

The Charter validity of the metadata preservation power is a significant oversight in the Statement, especially given that at least a few of us, including me, had flagged it back in March. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

An Open Letter on Bill C-22

Mon, 04 May 2026 00:00:00 +0000

A group of privacy law scholars and lawyers call for amendments to powers in the new lawful access bill that are overbroad and unlikely to survive Charter scrutiny

This morning, I joined a group of privacy law scholars and lawyers in sending an open letter to Members of Parliament (and the Leader of the NDP) calling for amendments to Bill C-22. The letter, signed by all of us listed below, follows. (PDF version here .)

The Right Honourable Mark Carney, P.C., O.C., M.P., Prime Minister of Canada

The Honourable Gary Anandasangaree, P.C., M.P., Minister of Public Safety

The Honourable Sean Fraser, P.C., M.P., Minister of Justice and Attorney General of Canada

The Honourable Pierre Poilievre, P.C., M.P., Leader of the Official Opposition

Mr. Yves-François Blanchet, M.P., Leader, Bloc Québécois

Mr. Avi Lewis, Leader, New Democratic Party

Ms. Elizabeth May, O.C., M.P., Leader, Green Party of Canada

Open Letter Calling for Amendments to Bill C-22

Dear Prime Minister, Ministers, and Honourable Leaders of the Opposition,

We write as lawyers and law professors who teach and practice in the areas of privacy law and constitutional rights in Canada. We welcome the effort that has gone into revising the lawful access framework since Bill C-2. Bill C-22 marks an improvement over its predecessor in several respects. But certain provisions of the bill as currently drafted raise serious constitutional concerns and fail to strike a reasonable balance between the legitimate needs of law enforcement and the privacy rights of Canadians. We urge Parliament to carefully consider the following issues before the bill proceeds further.

First, the new production order for subscriber information, to be added to the Criminal Code as section 487.0142, retains a legal threshold that is too low and a scope of disclosure that is too broad. As affirmed by the Supreme Court of Canada’s decision in R v Spencer, Canadians have had a strong privacy interest in anonymity online. The existing general production order — available since 2004 and readily obtained by telewarrant — already gives police an effective tool to link an IP address or phone number to a named subscriber, and requires them to establish reasonable grounds to believe that an offence has been committed. Bill C-22 creates a new, dedicated subscriber information order that reduces that standard to reasonable grounds to suspect. The courts have held that this distinction is not semantic: in R v West, the Ontario Court of Appeal excluded evidence obtained through a production order precisely because the officer had established only grounds to suspect rather than grounds to believe.

The scope of disclosure under the new order is a further concern. Although the definition of subscriber information has been narrowed compared to Bill C-2, the order still allows for production of a broad scope of information, including the types of services provided and the identifiers of every device associated with the account. This goes well beyond what is needed to connect a name to an IP address. It can be directed to a physician, a cable company, or a platform like iCloud, requiring disclosure of what cable packages a person subscribes to, what medical services they receive, or what devices they use. Much of this information carries a high privacy interest and calls for a higher legal standard. If Parliament seeks to create a subscriber information order that can withstand scrutiny under section 8 of the Charter, it should narrow the scope to basic identifying information — name, address, and the specific account identifier in question — and raise the threshold to reasonable grounds to believe.

Including analogous powers in the Canadian Security Intelligence Service Act (CSIS Act) raises even greater issues. Unlike criminal defendants, “persons of interest” to CSIS are never given an opportunity in court to challenge the intrusion of state power into their private lives. The Charter concerns are more acute with CSIS, and the Service should have to satisfy a “reasonable grounds to believe” threshold for all of these authorities.

Second, we are concerned that Bill C-22 introduces mandatory metadata retention without the constitutional basis to support it. Section 5(2)(d) of the Supporting Authorized Access to Information Act (SAAIA) in Part 2 of the Bill would authorize regulations requiring “core providers” to retain categories of metadata, including transmission data capturing the date, time, duration, type, and location of every communication, for up to one year. This amounts to a blanket obligation to preserve a detailed record of the movements and associations of every Canadian who uses a regulated service, with no requirement for individualized suspicion.

This kind of general and indiscriminate retention of metadata about entire populations has been rejected by the Court of Justice of the European Union as a disproportionate interference with fundamental privacy rights, and similar domestic retention laws have been struck down by the constitutional courts of several EU member states. The Canadian courts are likely to reach the same conclusion. Parliament’s own judgment on this question is instructive. The current Criminal Code scheme for “preservation demands” and “preservation orders” has long proceeded on the assumption that compelling a provider to preserve personal data engages section 8 of the Charter and requires authorization — either lawful grounds or a warrant. A blanket obligation to retain the metadata of millions of Canadians for up to a year without any individualized trigger is not consistent with section 8 and will not survive a constitutional challenge.

Third, the SAAIA’s surveillance-capability framework raises serious concerns about both the security of Canadians and the rule of law. The Act imposes sweeping obligations on “core providers” and potentially on any “electronic service provider” (ESP) to develop, implement, test, and maintain technical capabilities for law enforcement access, including capabilities related to extracting and organizing information. A more balanced approach would limit the scope of these powers to preclude an obligation to (i) make changes to products or services that a business provides in the ordinary course of business, (ii) collect and retain any data beyond what the business requires for its own purposes, and (iii) make any changes that would affect the functionality (including ordering additional functionality) for any products or services offered by the business.

When initially proposed in Bill C-2, the SAAIA had also raised concerns about the meaning of “systemic vulnerability.” This is now defined in Bill C-22 and service providers are not required to comply with an order under the act if compliance would introduce a “substantial” risk of unauthorized access to “secure” information. But the definition of the term remains too narrow. It requires an excessive threshold of substantiality of risk that inherently exposes persons and data in Canada to cyber adversaries and national security threats. Moreover, the definition applies only to vulnerabilities in the electronic protections of an electronic service, meaning it may not extend to the operating systems of devices. A ministerial order could require a company like Apple or Google to build extraction capabilities into its operating system without triggering the safeguard, even if the practical effect would be to undermine end-to-end encryption or device security. The international experience under even narrower legislation — including the vulnerabilities exposed in United States telecommunications networks following the Salt Typhoon intrusion — illustrates concretely how mandated surveillance access creates security risks that adversaries can and do exploit. The legislative scheme further presumes that ESPs will all indeed object and pursue judicial review of orders that present cybersecurity and national security dangers, when international experience has taught that not all will do so.

The SAAIA framework also operates almost entirely in secret. Ministerial orders and conditions imposed on electronic service providers who are not core providers are subject to sweeping confidentiality requirements. There is no independent assessment of the necessity and proportionality of particular orders before they take effect, and no meaningful role for the Privacy Commissioner of Canada. The Intelligence Commissioner’s approval is now required for orders directed at non-core providers, but that office’s mandate concerns national security and telecommunications infrastructure integrity, not the privacy of individual Canadians. Affected ESPs have no right to make representations to the Intelligence Commissioner. Parliament should subject ministerial orders and all provider obligations under the SAAIA to meaningful independent oversight, including review by the Privacy Commissioner, before they take effect. The Minister should also be required to justify, on a per-order basis, the need for secrecy associated with these orders, and any confidentiality requirements should sunset.

We recognize that the government has made an effort to address the most serious failings of Bill C-2. The changes made to the confirmation of service demand are an example of targeted reform in response to constitutional concerns. The concerns we have raised here are equally susceptible to targeted amendment.

Canadians deserve privacy protections that are consistent with the Charter and with the values that the Supreme Court of Canada has consistently affirmed. We offer these observations in the hope that they will contribute to a bill that can withstand the legal challenges that are certain to follow and that protects the security of all Canadians.

Yours sincerely,

Robert Diab, Professor, Faculty of Law, Thompson Rivers University

Michael Karanicolas, Associate Professor of Law and Palmer Chair in Public Policy & Law, Schulich School of Law, Dalhousie University

David TS Fraser, Partner, McInnes Cooper, Adjunct faculty, Schulich School of Law at Dalhousie University

Michael Geist, Canada Research Chair in Internet and E-commerce Law, University of Ottawa, Faculty of Law

Cynthia Khoo, Principal Lawyer, Tekhnos Law, Senior Fellow, The Citizen Lab, University of Toronto

Lisa Austin, Professor of Law, Jackman Law, University of Toronto

Steve Coughlan, Professor of Law, Schulich School of Law, Dalhousie University

Suzie Dunn, Assistant Professor of Law, Schulich School of Law, Dalhousie University

Kate Robertson, Senior Research Associate, Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto

Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa

Matt Malone, Balsillie Scholar, Balsillie School of International Affairs

Katie Szilagyi, Associate Professor of Law, University of Manitoba

Matthew Dylag, Assistant Professor of Law, Schulich School of Law, Dalhousie University

Academic affiliations listed for identification purposes only. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Political deepfakes are only a symptom of Canada's online news vacuum

Thu, 30 Apr 2026 00:00:00 +0000

Bill C-25’s criminal ban on deepfakes won’t restore credible news to the platforms where many Canadians look for it.

A bill before Parliament, C-25 , will amend the Canada Elections Act to target political deepfakes and misinformation in an effort to better protect the integrity of our elections.

Was fake content much of an issue in the last election? Is it still a concern in online debate over things like Alberta or Quebec separation, or support for party leaders?

In the last federal election, deepfakes did play a role. Researchers have traced numerous cross-platform misinformation campaigns to groups that include the extreme right Canada Proud and to actors linked to China and Russia. Some 24 percent of Canadians saw a social media post in which Pierre Poilievre or Mark Carney appeared in fictitious interviews with CBC or CTV News. Many others saw images portraying party leaders as wounded or under arrest, or, in Carney’s case, as tied to Jeffrey Epstein and Ghislaine Maxwell.

Political deepfakes are now part of our election landscape. Bill C-25 responds by making it an offence to create or distribute an audio or visual deepfake of a candidate or party leader, or material purporting to be from them, with intent to mislead the public. It would also make it an offence to make knowingly false statements about the process or outcome of an election.

There’s certainly a case for making these changes. But Bill C-25 targets only the most visible symptom of a larger problem — not only for our elections but for our democracy as a whole: the dearth of credible news on the platforms most Canadians look for it.

A large part of this was an unintended consequence of the Online News Act in 2023, which required Google and Meta to compensate Canadian news publishers for the use of news content on their platforms. Google reached a deal, but Meta chose instead to stop hosting Canadian news on Facebook and Instagram.

Surveying the damage a year later, McGill’s Media Ecosystem Observatory found that Canadian news outlets lost 85 percent of their engagement on Meta’s platforms, while roughly a third of Canada’s local media outlets became inactive on social media altogether. Roughly three quarters of Canadians surveyed in 2024 were unaware of the ban. The MEO estimated that Canadians were seeing a drop of 11 million views per day of Canadian news online, without realizing it.

What happens when legacy media gets buried

To be clear, Meta didn’t create Canada’s misinformation problem. Mis- and disinformation, foreign interference, influencer politics, and algorithmic amplification all predate the Online News Act. But Meta’s news ban made the problem far worse.

When credible news disappears from major platforms, it’s now clear that the vacuum gets filled by influencers, low-quality commentary, scams, foreign-linked campaigns, and deepfakes. Reuters reported in 2024 that right-wing meme pages and unreliable sources gained engagement after Meta blocked news in Canada, while Canadian and Australian officials warned of the risks to political discourse in election years and during emergencies.

The desert has only grown since. Meta announced in January of 2025 an end to its third-party fact-checking program in the United States, touting the change as a way to “allow more speech.” Elon Musk’s takeover of Twitter, now X, led to a similar relaxation of restrictions, opening the floodgates to false content. And on YouTube and Tiktok, legacy media is often drowned out by partisan influencers boosted by the algorithm.

The Media Ecosystem Observatory’s look back at the federal election in the spring of 2025 confirms the larger pattern. It found influencers to be the “loudest voices in the online political information environment,” while traditional news outlets, politicians, and parties were often less visible on Meta’s platforms and X. The report also found that automated bot activity and false content were widespread, “distorting political debate and confusing voters.”

Making credible media great again

Seen in this larger context, I doubt Bill C-25’s criminal ban on deepfakes will have much of an impact. It won’t restore local news to Facebook or Instagram. It won’t make credible journalism more visible on X, YouTube or TikTok. It won’t give researchers better access to platform data. And it won’t tell the public, in real time, why certain political claims are being amplified while others are buried.

Parliament needs to fix the vacuum it helped create. It should revisit the Online News Act and find a way to restore traditional media’s visibility on Meta’s platforms. But it shouldn’t stop there. We need stronger platform accountability during elections. This doesn’t require giving governments the power to decide which opinions are true or false, or to compel platforms to remove speech that is merely unpopular or inflammatory.

We can craft more restrained but effective law here. We can require large platforms to disclose viral synthetic media quickly during election periods. We can oblige them to give independent researchers meaningful access to data about political content, coordinated campaigns, bot activity, and foreign-linked influence operations. And we can impose duties to act on clearly false claims about election results, or on impersonated candidates and parties.

Many of us are forming opinions about the most pressing issues in our democracy — including whether to keep the country together — in online spaces increasingly shaped fake news and images. Targeting bad actors after the fact will not restore credible news in the volume we need to hear it.

We need to do more than punish the worst lies after they spread. We need to restore balance to the platforms where serious conversation is so easily tuned out. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Is the Power to Preserve Everyone’s Metadata Constitutional?

Thu, 19 Mar 2026 00:00:00 +0000

It’s hard to see how it is

One of the main concerns with the lawful access bill re-tabled in recent weeks (C-22 ) involves a new power to order our cellphone companies to preserve the metadata attaching to all of our calls, emails, and texts for up to a year.

Metadata as defined in the bill captures precisely where and when we used our phones, and the coordinates of who we were in touch with at those times and places — though not the content of our communications.

Even though police would still need a warrant or other authority, such as exigent circumstances, to access this data from Shaw or Telus, the power to order its preservation has raised concerns. Our government is saying here: we’re now going to keep a record of every time you use your phone and where you used it — just in case. But don’t worry. You’re not being watched.

I’ve already had two journalists ask me if this is constitutional. David Fraser has flagged it in his excellent overview of C-22. And Professor Michael Geist has written a very informative and insightful post about this, noting that efforts to pass similar law in Europe have been struck down by the Court of Justice of the EU and by various constitutional courts.

The point of this short post is to explain, in plain terms, how and why this new power might be held to violate our right to privacy under Canada’s Charter of Rights and Freedoms. (The power appears in section 5(2)(d) of the proposed Supporting Authorized Access to Information Act, found in Part 2 of the bill here .)

A skeptic might ask: if police have to get a warrant or need other authority to obtain this data, why would ordering Shaw to preserve it violate my privacy?

The answer, in short, is that an order to retain this information itself involves state interference with our privacy, and the interference is not justified.

We have a reasonable expectation that our movements in time and space, and the coordinates of who we speak with and when, are private. And that includes an expectation that this information will not be preserved at the government’s behest and stored for lengthy periods of time.

It doesn’t matter that police can’t access it without authority. What matters is that companies are being told to preserve it for the state and for investigative purposes. It treats all of us with suspicion. It puts everyone on notice that you’ll be left alone so long as you don’t break the law — but, just to be sure, we’re keeping watch. We’re keeping records on what everyone is up to for the past year. We just won’t look at them unless we need to.

The Charter challenge in brief

Our right to privacy is protected in section 8 of the Charter. That right is breached if a state agent interferes with our privacy without being authorized by the law to do so. The right is also breached if the law authorizing the interference is unreasonable. A law will be unreasonable here if it fails to strike a proper balance between the state’s interests (in public safety or national security) and personal privacy.

In this case, how do we know the law itself, the power to compel Shaw or Telus to preserve our metadata, involves state interference with our privacy?

The government will likely argue that there’s no interference with privacy unless police or CSIS actually access the data preserved under this power. Merely asking Telus to preserve it is not itself an interference.

The problem with this argument is that, 12 years ago, Parliament took the opposite view. It assumed that the power to ask Shaw or Telus to preserve any “computer data” for up to three weeks would require an officer to have reasonable suspicion of an offence, and it created the preservation demand in the Criminal Code for this purpose. A request to preserve the data for up to 3 months requires a warrant, a preservation order.

Parliament also assumed that once police obtain the data a company had been ordered to preserve, the company must destroy it — and the Code makes it a crime not to do so.

In other words, the Criminal Code scheme for making preservation demands and orders assumes that asking a company to preserve our metadata involves an interference with our privacy — and keeping it for longer than 90 days without lawful authority was a serious enough infringement of privacy to be a criminal offence.

Why else would Parliament have seen the need for special powers set out in law for police to make these demands — if it did not assume that preserving data amounted to an interference with privacy?

Could it be that those earlier powers — preservation demands and orders — pertain to a much wider class of data, i.e., to any “computer data,” which would include things that are obviously private, like emails and texts, whereas metadata is not private?

No, that can’t be the answer. We have ample authority from courts that metadata, including transmission data, is private. Even an IP address is private .

No getting around it

An order to preserve personal data amounts to an interference with our privacy.

And imposing a blanket obligation on a whole class of service providers to preserve everyone’s metadata for law enforcement purposes would amount to a significant interference with the privacy interests of millions of Canadians.

That Bill C-22 would allow for the preservation of everyone’s metadata without individualized suspicion, or any other basis, is likely to be held to be unreasonable under section 8. We should not impair everyone’s privacy on an ongoing basis in order to increase safety in hypothetical cases that are likely to be rare, if they do occur at all.

If the power to compel service providers to retain metadata does become law, and police make use of that data, persons accused of a crime will challenge the law. And when they do, it should be struck down.

Or the government can avoid this by reconsidering the wisdom of mandatory metadata collection. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Ottawa Reboots Its Lawful Access Bill: What C-22 Fixes and What It Doesn’t

Sat, 14 Mar 2026 00:00:00 +0000

Ottawa is trying again to pass a lawful access bill that would give police quicker access to our personal information.

The Lawful Access Act in Bill C-22 , tabled on Thursday, will also compel big telcos like Shaw and Telus to install equipment to collect and preserve more of our data and give law enforcement more direct access to it.

An earlier version of this bill was contained in Bill C-2, tabled last summer. As you may recall, that also contained new law pertaining to customs and immigration. The lawful access portions were carved out to be dealt with in a separate bill — one that would address the strong criticism of those new powers from various quarters.

The aim of this post is to offer a snapshot of key changes that stand out in C-22. (If it’s of interest, I did a deep dive on Bill C-2’s privacy provisions last summer here .)

My last blog post on this topic, back in December, was titled Five Ways to Fix Bill C-2 . I’m happy to see that C-22 adopts all five of my recommendations — but, unfortunately, not entirely.

Some of the most controversial elements of C-2 have been narrowed in C-22, but others remain largely intact. And there is one new data retention duty, involving our cellphones, that is subtle but could be quite invasive.

Curtailing the information demand

The most controversial new power in C-2 was the “Information demand,” which allowed police to ask anyone who “provides a service” in Canada a series of questions about who they provided a service to, what it was, where and when. This could include a therapist, a gambling site, and so on.

C-22 renames this power a “Confirmation of service demand” and limits the scope of who can be asked to a “telecommunications service provider,” and what police can ask to simply whether a service was provided to a client or account identifier. Yes or no. Police can then obtain a production order — a warrant — for more information about that account knowing they won’t be barking up the wrong tree.

There were quibbles over the five-day window to challenge a demand, with some calling for a longer period. But it remains five days in the current bill.

Revising the production order for subscriber ID

At the moment police obtain the name and street address of someone linked to an online account by obtaining a warrant (which they then serve on Shaw, etc) on probable grounds to believe an offence has been committed. C-2 created a new warrant that reduced this to reasonable suspicion, but also extended the ambit of “subscriber information” to include not only a user’s name and address but also the “types of services provided.” I suggested either limiting what you can ask for or raising the standard.

C-22 doesn’t really do either. It slightly tweaks what can be obtained from information a person provided “to receive the services” to information that “may be used to identify” them. Hmmm… a distinction without a difference? At the press conference, officials touted this as a major show of restraint. The rest of the provision is the same. It still contains a list of things police can get, including “types of services provided.”

I’m not sure the courts — ultimately the Supreme Court of Canada — will find this to be a reasonable law under section 8 of the Charter. It contemplates access to a wide ambit of private information on something less than a warrant on probable grounds. Did this person, police might ask, subscribe to the following channels as part of his cable package? Were they a paid member of the “premium” tier on your gambling site? A lot of lifestyle information here, going right to the biographical core.

The Supreme Court’s holding in Spencer — that a high degree of privacy attaches to our search history, which police effectively obtain when they have a subscriber ID — would seem to call for more than reasonable suspicion. But it looks like the folks at the Department of Justice would like to roll the dice on this one.

One good thing, though: C-2 had reduced the time limits for challenging various production orders in the Code from 30 days to five days, and would have imposed the same limit on this new subscriber ID order. But in C-22, there will be a 10-day window for challenging these orders.

Changes to the new ‘Supporting Authorized Access to Information Act’

My other concerns and recommendations pertained to the new SAAIA. As you may recall, Bill C-2 contained an entirely new statute that imposed a set of obligations on “electronic service providers” (Shaw, Google) to make technical modifications that would preserve more of our information and give police a direct means of accessing it (if and when they have authority in law).

I joined others in pointing out a few shortcomings in the Act.

These included an assurance that no one would be compelled to introduce a “systematic vulnerability” or backdoor to encryption. But this was a meaningless guarantee since the term “systematic vulnerability” was not defined.

The new Act also contained no oversight of the government’s discretion over the kinds of measures it could impose. And it forced companies to maintain an enormous degree of secrecy — including a prohibition on telcos making known any vulnerabilities they might discover and wish to share with others to help prevent foreseeable data breaches.

Systematic vulnerability – and secrecy around it

C-22 now defines ‘systematic vulnerability’ to mean:

a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.

But why limit this to “an electronic service”? One answer is: because that’s what the Act is about. It’s about “electronic service providers” and their digital services. It doesn’t target people who make devices. So, the definition here precludes asking Apple to do anything to weaken iCloud’s protections. But it doesn’t preclude asking Apple to make modifications to the iPhone itself — or at least those sold in Canada. Maybe this is too far-fetched?

Well, consider one of the obligations the Minister will be able to impose on a provider like Apple or Google:

the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons…

This would seem to allow the Minister to pass a regulation requiring Apple or Google to make a modification to allow for data extraction not just to a service like Gmail or iCloud but to the operating system itself (i.e., iOS26, Android). And if either company took objection to this on the basis that it would introduce a systematic vulnerability, the Minister could say: no, that’s not an “electronic service,” your OS is part of the equipment. And that’s fair game.

But one welcome revision in C-22 is that the list of things that must remain confidential no longer includes “information related to a systemic vulnerability” or the potential for such. If companies discover some new way they can be hacked (relating to modifications under the Bill), and come up with a patch, they’re free to share this.

Oversight of the power to impose conditions

The Act contemplates telcos and large platforms like Google being deemed “core providers,” which would be subject to a set of obligations to be set out in future regulations (made public).

One new addition in C-22 is that the Minister of Public Safety must now consider a set of factors when formulating these obligations, including the costs that telcos would incur and the potential impact on personal privacy and cybersecurity.

A few privacy advocates had called for external review of any obligations imposed under the Act. Some of us suggested a provision requiring the Minister to consult with the Privacy Commissioner of Canada, or obtain their approval.

C-22 takes a step in this direction. Before the Minister can impose an order on ‘electronic service providers’ who are not ‘core providers,’ he or she must first seek the approval of the Intelligence Commissioner of Canada. That official plays a different role, one concerned with foreign signals intelligence and maintaining the integrity of Canada’s telecommunications infrastructure from cyber attack, among other things. In other words, not personal privacy.

A new obligation to retain metadata

One new power in C-22 not in C-2 (I thank Michael Geist for flagging this) is to require telcos to retain “categories of metadata,” such as the time and location in which a communication was sent or received or a service used. This information can be used to track a person’s location in time through cell-tower signals. This can be done now, but some providers don’t retain this data for very long. They can now be asked to retain it for up to a year.

The Bill makes an attempt to limit the scope of what might be captured here by asserting that this metadata-retention power

…does not authorize the making of regulations that require core providers to retain information that would reveal … the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service.

That may be so. But in some cases, divulging this material would reveal private information about your whereabouts and activities. To be clear, this obligation on Shaw and company to retain this data is not a police power to obtain it. For that police would need a warrant.

In its briefing to journalists on Thursday, the government gave two scenarios to justify the need for this. CSIS is tracking a terrorist group and has a warrant to track a phone, but it’s with a service that doesn’t have location-tracking abilities. A 16-year-old girl goes missing for 10-days and then makes an emergency call; the phone company can confirm the call and pinpoint it to a certain tower, but doesn’t have the phone’s last known location before it was disconnected.

The solution to these problems in C-22 is to make telcos install tracking capabilities (if they lack them) but also to retain metadata about location. The effect of this is to lend a sense that data about all of our movements and communications will now be retained somewhere, for up to a year, with police having ready access. Is this the right trade-off between privacy and security?

There is no doubt more in this bill will come to light in the coming days as more commentators weigh in. I may come back and revise this post or write a follow-up in response.

For now, the short version is that C-22 makes some welcome improvements to C-2, but many of the underlying privacy concerns remain — along with some new ones.

I hope this overview was helpful. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Is AI Really Destined to Destroy Democracy, Law, and Education?

Tue, 20 Jan 2026 00:00:00 +0000

A viral paper sounds the alarm by abandoning nuance

A paper titled “How AI Destroys Institutions” by two Boston University Law professors, posted to SSRN and forthcoming in the UC Law Journal, has gone viral, with around 17,000 downloads. (The other day it was 9.) Papers in law do well if they get over a few hundred hits. This one was aided in part by Gary Marcus, a well-known gen AI skeptic, boosting it on social media, which is how I came across it.

After reading it, I don’t think it’s a cynical attempt to take an extreme position in the hope of going viral. But the paper is so sweeping, so feverish in its claims, that despite my reluctance to draw further attention to it, I feel compelled to comment.

Sometimes articulating a fear — facing it head on — helps us come to terms with it. The authors, Woodrow Hartzog and Jessica Silbey, point to real dangers here, across many fronts. But their certainty about the doom that lies ahead, about how serious a threat AI poses, comes at the expense of abandoning all nuance — of assuming that because something is possible in theory, it is likely to occur in practice.

The core (overheated) claim

Democratic life, they argue, is grounded in civic institutions: the rule of law, universities, a free press. They rely on “transparency, cooperation, and accountability.” These, in turn, rest on interpersonal relationships among people with shared “civic goals.”

But:

Unfortunately, the affordances of AI systems extinguish these institutional features at every turn. In this essay, we make one simple point: AI systems are built to function in ways that degrade and are likely to destroy our crucial civic institutions. The affordances of AI systems have the effect of eroding expertise, short-circuiting decision-making, and isolating people from each other. […] In short, current AI systems are a death sentence for civic institutions, and we should treat them as such.

Expanding on the core claim at the outset, the authors write:

To clarify, we are not arguing that AI is a neutral or general purpose tool that can be used to destroy these institutions. Rather, we are arguing that AI’s current core functionality—that is, if it is used according to its design—will progressively exact a toll upon the institutions that support modern democratic life. The more AI is deployed in our existing economic and social systems, the more the institutions will become ossified and delegitimized.

The first part of the paper offers a well-sourced overview of the sociology of civic institutions and their role in democracy. It reads as scholarship.

The second part quickly devolves into a lengthy op-ed masquerading as scholarship.

Analysis or advocacy?

The pattern throughout is to hold up outlying events as evidence of the coming apocalypse. DOGE “will be a textbook example of how the affordances of AI lead to institutional rot.” Human judgment was set aside there in reliance on AI; power was “centralized in an opaque way that encouraged abuse, self-dealing, and oppression.” Yes, but how common was DOGE?

A few courts are using AI for bail and sentencing, ergo AI is taking over the law. Some hospitals are using AI for triage or insurance decisions, ergo all of medicine is in the process of being co-opted. Many university teachers are using AI to create material and students to complete assignments — ergo, AI has conquered education, without anything we can do about it.

“At stake in the AI takeover of institutions critical to human flourishing are the values of: the rule of law, the pursuit of knowledge, free expression, and democratic, civic life.” The key word here is “takeover.” We’re not witnessing a transformation, an evolution, a period of adjustment, or a negotiation. It’s a takeover. Full stop.

This is the tenor of the entire second half.

The segment on the rule of law notes the importance of “juries and an independent judiciary with appellate review—to assure conformity with democratic rules and equal justice.” It then cites a few examples of AI at the margins (experiments with sentencing, bail, and benefit calculations) only to conclude: “AI’s proliferation in our legal system bodes badly for the future of the rule of law and its practice on which we rely for a peaceful and just society.”

“AI’s proliferation”? In law? Is it really coming for juries and appellate review? Is it really beyond our control?

AI poses analogous threats to higher education. But again, note how sweeping and categorical the threat is framed:

AI is anathema to the institutional structure of higher education because [of] its affordances: [it] undermines expertise by encouraging cognitive offloading, knowledge ossification, and skill atrophy; short circuits decisionmaking by flattening beneficial hierarchies of authority, sowing distrust, and removing humans from important points of contestation; and isolates humans, depriving institutions of the interpersonal bonds it needs to foster common purpose and adapt to changed circumstances.

Okay, yes, it can do all of the above. And it certainly does do this some of the time. Much of the time? Maybe. But is AI fundamentally “anathema to the institutional structure of higher education”?

There’s more. “The destructive affordances of AI augur havoc for the press. First, the AI slop phenomenon has already devalued and undermined the expertise and legitimacy of trusted outlets and has polluted the public sphere….”

Okay, let’s slow down. AI has already devalued the legitimacy of trusted outlets? Which ones? How badly? (I’m still reading The New York Times, The Atlantic, etc.) The segment ends:

But AI systems rob journalism of authority the less relevant and responsive are its outputs; and AI outputs acculturate readers to expect compliant and copacetic reading. Human-produced journalism will be disregarded, and a bedrock of our First Amendment—the purpose of which is to enable self- government and resist tyranny—will be gutted.”

We’re now into full-blown alarmism. Not “could be gutted”, but “will be”. Unless we destroy all the machines, this, we’re told, is what will happen.

The final segment on democracy is fully in op-ed terrain: “If we continue to embrace AI unabated, social capital and norms of reciprocity will abate, and our center—democracy and civil life—will not hold.” …

The more governments and other civic institutions become intertwined with AI systems, the more these systems’ pathologies around expertise, decision-making, and human connection will stunt and decay the institution. Hierarchies of authority within institutions will flatten, lessening opportunities for knowledge development and transmission and ossifying or degrading collective expertise. Humans will be taken out of the loop, depriving the institution of opportunities for contestation.”

In a short, perfunctory conclusion, just over a page long, the authors write that “without rules to mitigate AI’s cancerous spread, the only remaining roads lead to institutional dissolution.”

Trying to govern AI through “ethics principles” won’t work (consent, risk management guardrails). We need bright-line rules: certain things, like facial recognition surveillance or the bulk sale of personal data, should be outlawed. Beyond this, we should “focus on corporate governance, infrastructure, and systemic and foundational reforms” — but we’re given no specifics.

Turn back the clock?

Hartzog and Silbey concede, then, that we have some agency, but the thrust of their position is clear. We would be better off if the cancer were removed before it spreads.

The service they’ve done for us here is to spell out an opposing view to a common assumption about AI — one that many of us (me included) harbour to maintain our optimism about it. It’s not inherently bad, we tell ourselves. You’re just using it wrong.

On this view, AI is harmful if used without care, understanding, and intention. But if used deliberately and with restraint, it can be a powerful tool for good. For example, just this month the Carnegie Endowment released a report on AI and Democracy finding that: “AI poses substantial threats and opportunities for democracy in an important year ahead for global democracy. Despite the threats, AI technologies can also improve representative politics, citizen participation, and governance.”

Pretty much all the other scholarship I’ve come across on AI and democracy attempts to strike a similar balanced view of the prospects, including these three recent books on point and articles like this one.

But for Hartzog and Silbey, AI is inherently and only bad. There is no upside. They rely here on the notion of affordances.

Affordance theory assumes there are properties of a tool or object that encourage or foster its being used in some ways over others. Reading on paper is more conducive to detachment, patience, and reflection. Reading on screens is more conducive to interaction, impatience, and emotion.

As the authors write: “AI systems have essential features that demand specific responses and foreclose other kinds of engagements.” AI, we’re told, “facilitates the displacement of mental and physical labor.” It “acclimates people to their… diminished power,” it “amplif[ies] biases, pollut[es] our information ecosystem”, “ravages the environment,” and hides “normative judgments behind a Wizard-of-Oz-esque curtain that masks engineered calculations.” And so forth.

It is not neutral. It’s not that you’re using it wrong. There is no right way to use it. Any use will tend, over time, to move us in a certain direction inevitably.

The best thing we can do is curtail its use altogether. Cabin it. Shun it. Treat it as nothing more than a cancer or poison, a deeply anti-human technology.

I don’t share this view, and clearly I’m not alone. You don’t have to be a naive AI booster to believe there are good and bad ways to use it, as there are with smartphones or the web generally. And any evidence one might point to of AI (or smartphones) fostering certain harmful effects through inadvertent use wouldn’t disprove the neutrality theory.

No one is calling for the end of smartphones. We’re not going back. What people call for is etiquette, education, and better habits. We’re encountering the same challenge with AI.

It doesn’t necessarily pose a social threat, but a challenge.

Yes, there is a lot of AI slop out there, but not nearly as much as people feared after the advent of ChatGPT. The much-feared AI zombie-apocalypse, in which most online content would become fake, hasn’t come to pass. More than half of the total content on the web may now be AI , but not on trusted venues. If anything, that makes those venues more valuable.

In each of the spheres the authors point to — law, education, journalism, democracy — the advent of generative AI poses challenges, but not a mortal threat. The damage has been limited in each case, despite at least two years of living with very advanced capabilities to generate text, images, and video.

There are still so many things jurists, educators, journalists, and lawmakers can do to confront the challenge of AI and contain the threat it poses. Our vital social institutions will no doubt be transformed in the wake of AI, just as they have been with smartphones and network technology more broadly.

But we’re not helpless here. We can shape the way change unfolds. We can make rules.

It’s just hard to see this at the moment in Canada and the US, where making rules about AI is currently out of fashion. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Sexual Deepfakes and Sextortion: Why New Crimes Won’t Solve the Problem

Wed, 14 Jan 2026 00:00:00 +0000

If we want to reduce harm, we need to look upstream

In December, the federal government tabled the ‘Protecting Victims Act’ (Bill C-16 ) to fill a gap in Canada’s Criminal Code on the distribution of sexual deepfakes, and added a new offence of threatening to distribute an intimate image.

In this post, I ask: how prevalent is this conduct in Canada, and will these new offences make a difference? If not, what more should we do?

Briefly, the Criminal Code already makes it an offence to share an intimate image of an adult without consent, but it doesn’t capture deepfakes. Now it will. And while extortion is already an offence, it requires a threat made “with intent to obtain” something. The bill’s new offence of threatening to distribute an intimate image only requires that a threat be made.

The government has yet to release its Charter Statement, but David Fraser wonders whether the deepfake offence is too broad to survive a freedom of expression challenge. There’s a public interest defence, but does it protect satirical deepfakes of politicians? Should there be broader exceptions for this? Will the courts ‘read in’ these exceptions?

All good questions, but I want to address the conduct targeted here. How prevalent is it and will new law help? Short answer: the conduct is prevalent, but I doubt these new laws — or others on the way — will do much to curb it.

How prevalent is it?

We have limited data on how often sextortion occurs or sexual deepfakes are shared. But we know enough to know they’re both happening with some frequency — especially sextortion.

A tipline run by the Canadian Centre for Child Protection receives an average of 6 sextortion reports per day, or roughly 2,300 in 2024. Where gender is known, 83% of victims are male. Typically , a member of a criminal network poses as a young woman, makes contact with a young man on Instagram, gains his trust, obtains an intimate image over Snapchat, and then demands money. Young women, by contrast, tend to be extorted for additional images.

A recent study of roughly 17,000 people in ten countries found somewhat more even patterns among genders. Fifteen per cent of men and thirteen per cent of women reported being victims of sextortion, roughly one in seven adults. Five per cent of men report perpetrating sextortion. Notably, the most common type of perpetrator identified by victims was a current or former intimate partner, rather than an online stranger.

I haven’t been able to find stats on the prevalence of sexual deepfakes. But we can glean that it’s happening with some frequency by stories reported in the media and through the odd court case — though it’s not clear how frequently.

A recent Ontario case made news when a judge acquitted a man accused of creating a nude deepfake of a woman he photographed wearing a bra. The current offence in the Code did not capture deepfakes.

A search for other deepfake cases only turns up two decisions involving the creation of child porn.

But this doesn’t mean that sexual deepfakes aren’t on the rise in Canada. It means we aren’t seeing prosecutions for it yet — and one obvious reason for this is that police and Crown don’t think they have the tools. The acquittal in Ontario confirms this.

What, then, can we glean about both sextortion and sexual deepfakes from what we know now — and how likely is it that new offences in C-16 will make a difference?

Why new offences will have a limited impact

Running a search of the term ‘sextortion’ in caselaw databases turns up results that lead to two observations.

First, courts come down hard on perpetrators of sextortion, with multi-year jail sentences—10 years in the case of Amanda Todd’s assailant. But since this conduct persists with some frequency (six reports a day), the criminal sanction poses no real deterrent.

The problem has to do in part with social media. As the Centre for Child Protections points out :

Popular platforms have design characteristics that create favourable conditions for predation. Extorters weaponize social media platforms in that they can easily create fake accounts to access potential victims and their personal information and social networks. Victims also pointed to platform reporting functions that failed to provide them with options to accurately describe their situation and a lack of meaningful action being taken by platform operators.

The Online Harms Act (Bill C-63), which died on the order paper last year, was supposed to address this by imposing an obligation to remove images quickly. (The Take It Down Act , just passed in the US, does the same.) Bill C-63 is due to return in short order (and I’ll likely post about it here when it does). That may be a more effective tool for curbing the harm of these images than the criminal law.

But part of the problem also lies with AI providers. As a recent op-ed in The New York Times noted:

Creating abhorrent imagery no longer requires proficiency with Photoshop or aptitude with open-source models; one need only enter the correct text prompt. While both open-source and hosted models typically have safety guardrails built in, these can be surprisingly brittle, and malicious users will find ways around them.

This week, Grok’s AI (from X, formerly Twitter) made news worldwide when it began generating sexual deepfakes using images of women and children uploaded to it — and continued to do so after the platform became aware of it. Calls for law holding platforms liable for this have fallen on deaf ears in Canada and the US, although lawmakers in Britain , Europe , and Australia are threatening action if AI providers like Grok don’t act more responsibly.

Law in Canada and the US — home to most major AI providers — should do more to incentivize meaningful safeguards against the creation of sexual deepfakes. But I suspect there will always be tech at hand for people who want to do this.

A second observation is that the way in which both sextortion and non-consensual sharing cases arise — the variety of scenarios in which they occur — makes it seem unlikely (to me at least) that punishment for conduct in one kind of case will deter conduct in another.

For example, cases range from a stranger in his 30’s in Europe preying upon a 12-year-old he met on social media; an ex-husband demanding money for voyeuristic recordings he made of a house-sitter; a man in his forties who met four local-area teens over snapchat and extorted them for further images by threatening and harassing them over several months; and a case involving a woman who engaged in consensual sex with man who surreptitiously recorded the event and posted it online without her knowledge.

Given the diverse motives of the perpetrators, their identity or situation, and the fact that the prospect of a criminal conviction for extortion or non-consensual sharing posed no deterrence for them suggests that new offences won’t make a difference.

The only hope lies in better enforcement mechanisms against the platforms for enabling this — creating and/or sharing images. But even there, relief will be limited. Digital images are now too easy to make and too hard to contain once shared to ever be truly secure against this menace.

But we should try to do what we can. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Powers in the new Cyber Security Act are invasive — but do they violate the Charter?

Sat, 27 Dec 2025 00:00:00 +0000

Critics of the bill are right to be concerned, so why the curious silence in the government’s Charter Statement?

Shortly after tabling bill C-2 in June, which I’ve written a few posts about, the government tabled Bill C-8 , the Cyber Security Act. It too raises serious concerns about privacy but hasn’t attracted nearly as much attention.

In broad terms, the bill does two things. It amends telecommunications law to allow the Minister of Industry to order telcos like Shaw and Telus to make changes to their systems to bolster security and investigate breaches. It also creates a new framework for protecting “critical cyber systems” that support infrastructure like pipelines, banking networks, and commercial telecommunications.

With the bill now at second reading, digital rights advocates have argued before a standing committee that portions of the first part of the bill are especially concerning and likely violate section 8 of the Charter, which guarantees the right to be secure against unreasonable search or seizure.

The nub of the issue is the power in bill C-8 to order a telco like Shaw to do something that might involve the incidental collection of personal information or its disclosure to an agency like the Communications Security Establishment (CSE ) investigating a cyberbreach.

To make this more vivid, consider the testimony of Simon Noël, Intelligence Commissioner of Canada, before the committee in October, where he said :

In my experience as IC—with over three years and 45 decisions rendered—for the CSE to analyze and understand a cyber-incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with the CSE raises no privacy concerns, as you were told when you met with other witnesses. However, to fully understand the cyber-incident, other situations may require the CSE to have access to information, including technical information, for which Canadians have a reasonable expectation of privacy. I’ve seen it. … I agree that it’s technical information, but I also know that if you want a positive result on an incident of such importance, they need to go into the content. I’ve seen it in every cyber-operation I’ve been involved in.

Critics of the bill point out important gaps in C-8 that fail to address the Commissioner’s concerns. They note features of the bill that might even make problems worse.

Power without accountability?

One section of the bill allows the government to order a telco to do any “specified thing” considered on reasonable grounds to be necessary for securing Canada’s telecommunications networks. Another prevents ordering a telco from intercepting “private communications” as this is defined in the wiretap sections of the Criminal Code. But this, the critics say, wouldn’t preclude an order allowing for the collection of metadata — for example, the date and time I sent emails to a certain address, called certain numbers, or even visited certain websites. Information we know to be highly sensitive.

The Minister can also require a telco to “provide… any information” the Minister has reasonable grounds to believe is “relevant” to making a security-related order. This info can be shared with a host of government agencies, including Foreign Affairs, CSIS, the CSE, or with a foreign government — though it must be treated as confidential and shared only for the purpose of “securing the Canadian telecommunications system or the telecommunications system of a foreign state, including against the threat of interference, manipulation or disruption.”

Rights advocates argue that the power to compel “any information” — which might include metadata — amounts to an unreasonable search under section 8 of the Charter because it doesn’t require a warrant. It should require one, they argue, on the standard of necessity and proportionality, if not on probable grounds.

They also flag a host of other concerns. The bill contemplates imposing ‘deep packet inspection’ capabilities onto telcos, enabling the content of our communications to be scanned. It’s not clear that the bill rules out compelling decryption. It also permits orders cutting off a person’s internet access without explanation, and blocking access to websites without public notice. It contains limited review provisions. Much that is less than ideal.

But does it engage the Charter?

In its Charter Statement for Bill C-8, the government is curiously silent on the section 8 implications of incidentally gathering and sharing metadata, let alone the possible scanning of content. The Statement deals only with a search or seizure carried out against Telus or Shaw to ensure compliance with a ministerial order.

I agree with critics of the bill that the parts of it they flag would likely violate section 8. But in the rest of this post, I want to address an argument the government might make in defence of these powers under the Charter.

As Kate Robertson of CitizenLab has noted in relation to the metadata that could be gathered under C-8, “there is no reasonable dispute that these information sources carry significant privacy interests.”

But does our privacy interest in this info extend to measures the government takes strictly to secure the system from cyber attacks?

Put differently: could the government argue that powers allowing the incidental gathering and sharing of personal info are constitutional because they do not target individuals for an investigative purpose?

When is section 8 engaged?

Section 8 is clearly engaged when a state actor interferes with a reasonable expectation of privacy for an investigative purpose related to a possible criminal or regulatory offence. This is most of the Supreme Court of Canada’s case law on section 8.

But in many cases, the Court decides whether there has been an interference with a privacy interest — and thus a search or seizure — by first distinguishing between things to which we did or didn’t implicitly consent. And this is where the investigative purpose, or lack thereof, becomes important.

The most notable example might be R v Evans . Police knocked on Evans’ front door with the intention of seeing if they could smell the odour of marijuana emanating from inside. Because they had this intent from the outset, police exceeded the limited waiver of privacy entailed in the implied invitation to knock and thus carried out a search.

Put more generally, courts say that any state interference with privacy constitutes a search under section 8, but often find that things done for a non-investigative purpose don’t entail an interference. The thing was either not private (because you implicitly consented to it being done) or the state action didn’t amount to an intrusion.

In their submissions to Parliament, rights advocates are correct to assert that parts of the bill may violate section 8 because they give rise to state action that interferes with something over which we have a reasonable expectation of privacy (i.e., collecting, inspecting, sharing our metadata).

But could a court find that C-8’s privacy invasive measures do not amount to a search or seizure by taking the view that they don’t in fact “interfere” with our privacy — given the law’s non-investigative purpose?

Constitutional privacy beyond investigation

The state often gathers our private information without engaging section 8 because it does so without an investigative or audit-like purpose: for example, in the delivery of health care or the administration of the income-tax system. Courts would hold in these cases that there’s no search or seizure because the collection doesn’t interfere with a reasonable privacy interest. You either consent to have your medical info gathered or it isn’t reasonable to assert a privacy interest against the state in info about your income for tax reporting purposes.

The key point is this: whether the info is private under section 8, or whether its collection amounts to an interference, depends on the purpose for which the state acts. Something will retain a reasonable privacy interest (our blood, our data) if the state acts with an investigative or audit-like purpose — if the state is seeking to learn something about a person to hold them to account for a possible breach of the law. But where the state acts for some other purpose, courts consistently say either that it wasn’t private or it wasn’t an interference.

Two quick examples.

In R v Dyment , a doctor took a blood sample from a patient without his knowledge or consent following a car accident. A majority held that the patient had impliedly consented to a sample being taken for medical purposes and for those alone. It became a seizure under section 8 when the doctor gave the sample to a police officer who received it for an investigative purpose.

R v Cole (2012) presents a closer parallel to Bill C-8. A school board technician found pictures of a student while conducting maintenance on a teacher’s work-issued laptop, and turned the computer over to the principal who turned it over to police. Justice Fish, for the majority, made the broad statement that

As Mr. Cole had a reasonable expectation of privacy in his Internet browsing history and the informational content of his work-issued laptop, any non-consensual examination by the state was a “search”; and any taking, a “seizure”.

Yet, as Justice Fish notes, Cole conceded that the “initial inspection of the laptop by the school technician in the context of routine maintenance activities… did not breach his s. 8 rights.” The Court of Appeal for Ontario explained why :

…the technician was accessing the appellant’s laptop for the limited purpose of maintaining the network. The technician found the images in the course of his legitimate access to the computer. Therefore, the appellant had no expectation of privacy with respect to this limited type of action. Since there was no reasonable expectation of privacy with respect to the technician’s actions, s. 8 of the Charter was not engaged.

It wasn’t until the tech handed the laptop over to the principal — who examined it with an investigative purpose — that Cole’s rights under section 8 were engaged.

What about cybersecurity?

I think a court would consider the incidental collection of metadata or even scanning for deep packet inspection to be an interference with our private information — if it were to find that our info was private against this kind of intrusion. The big question here is whether a court would treat cybersecurity measures as akin to the “routine maintenance activities” in Cole.

Would courts assume that we implicitly consent to such measures, or that it is unreasonable to assert a privacy interest against them, because the collection and sharing are merely incidental to safeguarding the system?

To be clear, the moment personal info gathered under C-8 is used for an investigative purpose against an individual, section 8 would be engaged. We neither consent to this use nor reasonably expect it to occur.

Even so, I agree with critics of the bill that incidental collection and sharing of personal info here would still violate section 8. The reason is simple: the powers in C-8 to share info among domestic agencies and foreign governments are so broad — despite the need that it be kept confidential and used only for the purpose of cybersecurity — that it’s impossible to draw a principled line between investigative and non-investigative use.

If info uncovered in a cybersecurity breach were later used to prosecute a hacker, was the audit about securing the system or investigating crime? The bill offers no clear answer.

I also agree with another argument critics of the bill — including the Privacy Commissioner of Canada — make. The powers in C-8 at issue conflict with the letter, if not the spirit, of quasi-constitutional provisions in privacy legislation such as PIPEDA, the CSE Act, the CSIS Act. These laws impose important safeguards that are notably absent here. Bill C-8 should be amended to bring it into closer conformity with those protections, if not with the Charter itself.

Happy holidays! ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Five ways to fix bill C-2 – and better protect our privacy

Wed, 17 Dec 2025 00:00:00 +0000

As it inches toward a majority in Parliament, the Liberal government is signaling its intention to move ahead with the controversial parts of the Strong Borders Act it chose to shelve back in October — in response to strong opposition from the other parties.

I’ve written about the various privacy-invasive powers in the bill briefly here , and in more detail here .

Last week I had the pleasure of attending a roundtable with the Honourable Minister of Public Safety, Gary Anandasangaree, who asked for ideas about how to improve the bill.

Here are five:

1. Narrow the new “information demand” power to big telcos and only to confirming an account

The bill would amend the Criminal Code to allow police, without a warrant, to demand from any person who “provides services to the public” — a doctor, psychiatrist, or dating app — details about the services they delivered to a particular client or account holder, such as where, when, and how often they provided the service.

The Supreme Court of Canada, hearing a Charter challenge to this, would likely find the scope of this power to be too broad, and the privacy interest it engages to be too high, to strike a reasonable balance between law enforcement and personal privacy. I would think anything less than a warrant on probable grounds would be a tough sell here.

Police say they want this power to be able to quickly ask Shaw, Telus, or Rogers to confirm whether an IP address of interest is connected to an account they host. If that’s what the police want, then why not just narrow this power down to that? Make it applicable only to large electronic service providers and only allow police to demand a yes or no answer to the question: does the user with this IP address have an account with you?

That, on reasonable suspicion alone, might fly.

2. Narrow the scope of the new subscriber ID production order and/or raise the standard

The bill attempts to fill a gap left in the wake of the Spencer decision, which held that the police need authority in law to demand the subscriber ID attached to an IP from a telco like Shaw. The Court held that we have a high privacy interest in this information, given how readily this can connect us with our search history online.

But it’s been unclear since Spencer what a ‘reasonable law’ authorizing this demand would require. To obtain subscriber ID, police have been using the ‘general production order’ power on probable grounds (in section 487.014 of the Code). The bill creates a dedicated subscriber ID production order obtainable on reasonable suspicion. Will this stand, given how high the Court in Spencer assessed the privacy interest at stake here to be? But wait, there’s more.

The new power would work together with another important change. The bill adds a new section of the Criminal Code, which states: “subscriber information means, in relation to any client of a person who provides services to the public… information related to the services provided to the subscriber or client, including (i) the types of services provided, [and] (ii) the period during which the services were provided”.

In short, the new production order for subscriber ID would give police much of the same info about a person as with the “information demand” — except where services were provided. It would engage an even higher privacy interest than what was contemplated in Spencer. A warrant on reasonable suspicion is arguably not enough to constitute a reasonable law here It should be probable grounds.

Parliament should amend the definition of “subscriber information” to narrow the ambit of what can be obtained. Limit it to simply: user name, pseudonym, address, telephone number and email address. Or, amend the order provision itself to require probable grounds — which would be redundant, since the current ‘general production order’ already does this. (But it does this for a good reason: see above.)

3. Don’t reduce the time limit for challenging a production order so drastically

The bill sets the periods for challenging new information demands and production orders for subscriber ID at 5 days. Within that time frame, you must comply or file a court challenge (a review). Currently, production orders give recipients 30 days. Many will find this challenging, thus watering down an important accountability mechanism that helps make these powers reasonable, especially where they allow police to obtain a warrant on reasonable suspicion rather than probable grounds.

Time limits for challenging orders in new powers might be less than 30 days but more than 5. How about 14 days? And not from the time the order was made, but from the time order was received.

4. Rule out back doors to encryption

The bill’s new “Supporting Authorized Access to Information Act” (SAAIA) contains broad powers to compel electronic service providers to make technical modifications that give law enforcement direct access to private data. The bill states that no provider can be compelled to bring about “systemic vulnerabilities” in “electronic protections.” But it allows the Minister to define what constitutes a “systematic vulnerability,” as well as other key terms such as “encryption” or “authentication.”

The bill should be amended to define these terms to rule out compelled decryption. Australia’s Act defines them. We should adopt their definitions.

5. Subject the Minister’s powers under the Act to independent oversight

Under the SAAIA, the Minister can order technical modifications — or make regulations about them — without having to first obtain an independent assessment of their necessity and proportionality. The Act also imposes sweeping secrecy requirements over ministerial measures, without the need to justify them before a court. And the Minister isn’t obliged to report to Parliament about how the powers are being used.

One concern is that some measures could inadvertently result in real-time interceptions without a warrant. Another concern is that a telco might discover a weakness in relation to a given measure and not be able to share it with other telcos to avoid readily foreseeable harm to people’s privacy.

The bill should be amended to set out factors the Minister must consider before imposing measures on any provider, such as their impact on privacy and cybersecurity. The Minister should have to obtain the Privacy Commissioner of Canada’s approval of any specific measures he or she seeks to impose. Confidentiality orders should require court approval. And the Minister should have to report annually to Parliament on the use of powers under the act.

An inclusive process?

It’s good to see the government seeking input on C-2 from people outside the Department of Justice, the RCMP, and CSIS. It would be even better to see most of not all of these changes made when the bill returns early next year. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Do CSIS and Police Really Need More ‘Lawful Intercept’ Powers?

Sat, 25 Oct 2025 00:00:00 +0000

Earlier this month, when no other party would support the Liberals in passing Bill C-2—the ‘Strong Borders Act,’ with its controversial surveillance powers—the government shelved it.

More precisely, it split off the contentious parts of the bill from the customs and immigration provisions meant to appease our neighbours to the south and re-tabled those as Bill C-12 .

But it didn’t withdraw C-2. The Minister of Public Safety insists that all of C-2 is still on the agenda.

Among the most concerning parts of C-2 that were temporarily shelved are the ‘lawful access’ provisions found in a new statute that the Bill would have brought about: the ‘Supporting Authorized Access to Information Act.’

As I’ve written earlier , this new law would have given the government the power to compel ‘electronic service providers’ like Shaw or Telus, or Apple and Google, to ‘install equipment’ or make technical modifications to give police and CSIS direct access to private data for real-time interception or seizure of stored communications. That’s your email, texts, and everything you have stored in iCloud, in case you were wondering.

Of course, police or CSIS would still need a warrant or lawful authority (exigent circumstances, etc) before acting. The chief concern was that C-2 imposed few limits on what modifications the government could compel ESPs to make. It also shrouded the whole process of issuing orders and carrying out inspections to oversee them in an enormous degree of secrecy.

The powers were ripe for abuse. Modifications could easily result in inadvertent police access or privacy breaches, without ever coming to light.

More to the point, knowing that our communications and cloud infrastructure would have direct law enforcement access so deeply integrated would leave every Canadian feeling less secure about their privacy online.

If you can never be sure whether the state might be listening, even inadvertently, you begin to assume it. Maybe most people do after Snowden. But with a lawful access regime like the one set out in C-2, the feeling would become all the more palpable, the concern less abstract.

Why Parliament thinks we need it

The National Security and Intelligence Committee of Parliamentarians has studied this issue for three years. In March, it produced a 78-page confidential report, which was lightly redacted before being made public last month. It offers a detailed defence of the need for a lawful access regime, but not one I find persuasive.

However, the report is impressive in its scope. It contains an extensive overview of the privacy issues at stake, problems raised by compelling back doors to encryption, and the history of prior attempts in Canada to pass a lawful access bill. The Committee commissioned and drew upon papers from notable authorities including Ben Goold, Michael Geist, and Ron Deibert, making it a valuable resource.

I briefly highlight here the crux of the committee’s findings. My aim is not to set out a detailed analysis, but to sketch the general argument.

First, CSIS and the RCMP say they need to the power to compel folks at Telus and Shaw to install interception capabilities because they face serious “challenges” in accessing data even after obtaining warrants—though they can’t say how often or how serious those problems are:

The Committee did not see any clear, empirical data to substantiate claims by Canada’s security and intelligence organizations that they face serious lawful access challenges because of rapidly evolving technology. CSIS and the RCMP do not systematically track how often they encounter various technological challenges in their national security investigations, for example, instances in which communications content could not be accessed because of encryption. As a result, they do not know in quantifiable terms the degree of impact and overall significance of these challenges.

Nevertheless, the Committee was satisfied that police and CSIS need more tools:

However, the Committee heard compelling and detailed testimony about how the rapid pace of technological change has increased the complexity, operational risk and cost of national security investigations. More digital devices, more communications applications or apps, and more operating systems mean that investigators need to develop more methods of access, with an impact on both time and resources.

So how specific and compelling was this evidence?

Earlier in the report, the “increasing complexity” refers to communication unfolding on a wider variety of apps and devices. Much of it is end-to-end encrypted. It’s often cross-border or served by platforms based in the US. To illustrate these trends, we’re given a few case studies involving national security investigations, but it isn’t clear how representative they are.

The most concrete data we’re given pertains to the claim that the proliferation of apps and devices has increased the cost and complexity of investigations, including the use of On-Device Investigative Tools (ODITs). One chart shows that over the past seven years, successful deployments of ODITs—using special software to circumvent the encryption on a device like a phone—has declined over time. But the number of cases here is tiny: 2-3 each year from 2017 to 2020 and all uses of ODITs were successful; 15-16 in 2021-2022, with only half successful; then 8 in 2023, with only 2 successful; and none conducted in 2024. In short, over the years, police have struggled to break into a handful of phones.

Another key argument was that often, by the time police or CSIS get a warrant to obtain data from Shaw or Telus, it’s deleted or it’s stored on servers in the US, making retrieval too slow and cumbersome. But again, the numbers are vague. There may be “investigative friction,” as one paper put it, but how much is unclear. We’re left with little more than a sentiment: police don’t like these impediments and would like them removed.

The Committee’s conclusion — that “the RCMP and CSIS face significant challenges” and lawful access is the answer — is never clearly established. Nor is their other general argument for a lawful access bill: our other Five Eyes partners have one, and we should too.

Problems with this picture

But not all of our Five Eyes partners have the kind of lawful access regime the Committee is calling for, and not the kind set out in C-2. Only Australia and the UK compel providers to build intercept capabilities — and just because they do, doesn’t mean we should. As the report notes, the US and New Zealand instead set standards for data retention and access but not law compelling specific companies to install intercept capabilities.

The Committee also sees a lawful access regime playing an important role in negotiations of mutual legal assistance treaties, like the one under way pursuant to the US CLOUD Act or the 2nd Additional Protocol to the Budapest Convention on Cybercrime to which we are a signatory . Having a regime in place, the report argues, will help secure an agreement with the US allowing cross-border data access (from Google, Meta, Shaw) without requiring a court order in the target country.

Now, of course, countries might agree to this in a treaty, but to ratify the treaty in domestic legislation, search powers would have to be Charter-compliant. But it’s easy to imagine some searches taking place beyond the ambit of the Charter.

I’m not alone in positing a scenario where US police obtain data from a provider in Canada without going through Canada’s courts, and then seek the extradition of a Canadian to stand trial in the US. In this case, the person might argue a Charter breach when fighting extradition .

But this kind of impact of lawful access on data sharing agreements doesn’t feature in the report. The Committee touts lawful access without fully canvassing the ways that mutual assistance can compound the consequences of an unlawful search.

Some silver lining

But there are a few bright spots. The report affirms the merits of strong encryption and confirms that neither law enforcement nor government seek a power to compel back doors.

It also recommends that a lawful access bill should define the intercept capabilities the government can impose on service providers and specify mandatory technical standards to be adopted.

Put another way, the report envisions a more constrained set of powers around interception capabilities than the ones found in Bill C-2.

Interestingly, there’s little in the report endorsing the sweeping secrecy provisions in C-2 that would conceal “technical modification” orders and their oversight.

If the report was meant to justify C-2, the drafters of the bill seem to have gone well off script. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Will Canada’s new hate crime bill impact free speech online?

Fri, 26 Sep 2025 00:00:00 +0000

Last week, the Liberal government tabled Bill C-9 , containing three new criminal offences targeting hate speech — as a response to the alarming and appalling rise in antisemitic violence in Canada in the past two years, along with attacks against places of worship, schools, and community centres.

The new offences primarily capture acts of intimidation of a physical sort: blocking access to a synagogue, mosque, or temple, or promoting hatred by waving flags or symbols of groups listed as terrorist entities.

But two of the offences will apply to speech online and raise questions for me about where they fit in the panoply of hate speech offences in Canada — and whether we’re likely to see further regulation of online speech this fall.

I thought I’d write this short post to help situate the new offences in the Criminal Code’s existing hate speech provisions, highlight what they add to what we already have, and remind readers about Bill C-36 in 2021, which sought to revive a human rights law that would make hate speech a form of actionable discrimination — since it may be coming back.

Existing hate crimes in the Criminal Code (and which of them capture online speech)

Briefly, the Code criminalizes hate speech in the following ways:

the offence of “uttering threats” (s. 264.1) to do violence, which, if motivated by racial animus, would be an aggravating circumstance at sentencing (s. 718.2(a)(i));
advocating or promoting genocide of an identifiable group (s. 318);
public incitement of hatred: communicating a statement in any public place that incites hatred against any identifiable group where such incitement is likely to lead to a breach of the peace (s. 319(1));
wilful promotion of hatred: communicating a statement, other than in private conversation, that wilfully promotes hatred against any identifiable group (s. 319(2);
willful promotion of antisemitism: communicating statements, other than in private conversation, that wilfully promote antisemitism by condoning, denying or downplaying the Holocaust (s. 319(2.1)-(3.1), with a number of exceptions and defences);
under s. 83.2: committing any indictable offence for the benefit of a terrorist group (which could include public incitement of hatred, s. 319(1)).
advocating a terrorism offence in general (s. 83.221): counseling another person to “commit a terrorism offence without identifying a specific terrorism offence”.
(also worth noting: warrant provisions for seizing terrorist propaganda in s. 83.223 and hate propaganda in s. 320)

Key provisions for targeting online speech are those in sections 319(1) and (2) — public incitement and wilful promotion of hatred. They capture speech online given the way the Code defines ‘public place’ and ‘statements’ in these provisions: “any place to which the public have access as of right or by invitation” and “words spoken or written or recorded electronically” (s. 319(7)).

In at least three cases, courts have applied the promotion or incitement offence to speech online. But two of these were decisions about committal to trial (here and here ), and the third was a sentencing case.

In 1990, the Supreme Court of Canada in Keegstra held that section 319(2) — wilful promotion of hatred — infringed the freedom of expression in section 2(b) of the Charter because it targets speech content, but found it to be a reasonable limit on the right under section 1.

The majority in Keegstra held the government’s aim of preventing the social harm of hate speech to be pressing and substantial. The offence minimally impaired expression for various reasons, including its being limited to ‘hatred,’ defined as the intense emotion of ‘vilification’ or ‘detestation’ rather than ‘disdain’ or ‘dislike.’ The dissent found the concept of hatred too vague and subjective, and the scope of the offence too broad given that it didn’t require statements likely to result in violence.

What Bill C-9 adds to the picture

First, C-9 will codify the Keegstra definition of ‘hatred,’ as elaborated in the Supreme Court’s 2013 decision in Whatcott .

Or does it?

The Canadian Constitution Foundation says the definition in the bill “appears to lower the bar for hate speech set by the Supreme Court of Canada in cases like R v Keegstra and R v Whatcott, which could chill speech and public debate.”

In Keegstra, Dickson CJC held: “the term ‘hatred’ [in 319(2)] connotes emotion of an intense and extreme nature that is clearly associated with vilification and detestation.”

In Whatcott, Rothstein J, for the Court, held:

[w]here the term “hatred” is used in the context of a prohibition of expression in human rights legislation, it should be applied objectively to determine whether a reasonable person, aware of the context and circumstances, would view the expression as likely to expose a person or persons to detestation and vilification on the basis of a prohibited ground of discrimination.

But to be clear, the Supreme Court had already taken an objective approach to hatred in the criminal context in Krymowski (2005). There it held that judges must “look at the totality of the evidence and draw appropriate inferences” to decide whether an accused person “intended to target” an identifiable group.

C-9 will add to 319(7): “hatred means the emotion that involves detestation or vilification and that is stronger than disdain or dislike; (haine)”

It will also add in 319(6): “For greater certainty, the communication of a statement does not incite or promote hatred, for the purposes of this section, solely because it discredits, humiliates, hurts or offends.”

I’m not convinced that C-9 lowers the bar for criminalizing hate speech by adding these provisions.

New offences

C-9 also adds three new offences. Cutting and pasting here from the DoJ’s press release , the bill will:

Make it a crime to willfully intimidate and obstruct people from accessing places of worship, as well as schools, community centres and other places primarily used by an identifiable group.
Make hate-motivated crime a specific offence, ensuring such conduct is more clearly denounced and that offenders are held accountable.
Make it a crime to wilfully promote hatred against an identifiable group by displaying certain terrorism [i.e., listed entity] or hate symbols in public.

The second and third offences will apply to speech online. I say this because the third offence (wilful promotion of hatred by displaying in public symbols of a terrorist group) will be slotted into 319, thus drawing on the definition of ‘public place’ noted above.

The second offence here — committing any indictable offence when “motivated by hatred based on race, national or ethnic origin, language, colour, religion, sex, age, mental or physical disability, sexual orientation or gender identity or expression” — points to the new definition of hatred to be added to 319(7).

But it will apply to speech online by virtue of the included offence possibly being 319(1) or (2). For example, if a white supremacist posts antisemitic or Islamophobic content on a blog or social media platform that meets the test for public incitement or wilful promotion under 319(1) or (2), they can be charged with this additional offence.

Anaïs Bussières McNicoll of the Canadian Civil Liberties Association believes the new hate-motivation offence may violate the presumption of innocence:

The new hate crime offence risks stigmatizing defendants throughout the entire judicial process, while they are still presumed innocent. The sentencing judge should continue to be responsible for labeling a defendant’s motivations and weighing their aggravating impact on sentencing, once a defendant has been found guilty of a criminal offence and all relevant evidence has been heard.

Is the new ‘displaying hate symbols’ offence redundant?

Richard Moon, Canada’s leading authority on the Charter right to free speech, in a post offering initial impressions of C-9, put his finger on a key issue about the wilful promotion by flag-waving offence: it doesn’t appear to capture anything new.

As Moon writes:

It is unclear what this provision adds to the existing ban [on wilful promotion of hatred] and indeed whether it will prohibit the public display of the Hezbollah or Hamas flags, which seems to be its purpose.

The public display of a Nazi flag will ordinarily be viewed as communication that wilfuly promotes hatred, contrary to both the existing code provision and the new provision in Bill C-9. But… it is less clear that the display of the flags of Hezbollah, Hamas, or the Popular Front for the Liberation of Palestine can be seen, at least beyond a reasonable doubt, as “wilfully” promoting racial or religious hatred, since the formal mandate of these groups is anti-Zionist rather than antisemitic.”

Put otherwise, waving a Nazi flag can only imply wilful promotion of hatred; waving the flag of a group whose meaning is ambiguous (terrorist org or, as some believe, the resistance) could only be wilful promotion if accompanied by other statements that tie the flag waving to hatred rather some other belief.

Which is really just a way of saying: you can’t prove wilful promotion by flag waving unless you can prove it’s wilful promotion. And if you can do that, then you don’t need this new offence.

I agree with Moon that this new offence may be “simply performative.”

But then what did Justice Minister, Sean Fraser, mean when he said in the press conference introducing C-9 that these new provisions don’t ban wearing these symbols as you walk down the street — including Nazi insignia? (As the Globe reports , Fraser said that whether it’s criminal would “depend upon the person’s behaviour and the circumstances.”)

The bill contemplates a fine line between walking down the street with a Nazi t-shirt and standing on the steps of the Art Gallery in Vancouver (where large protests take place) and waving a big Nazi flag. In the one case, you are merely expressing a belief; in the other, you are wilfully promoting hatred because the public display — i.e., flag waving, rather than merely wearing — entails promotion of hated rather than mere expression.

Again, I think we have this in 319(2) as it is. I don’t see how the new offence makes it easier for Crown to obtain a conviction for wilful promotion — with or without public display of a symbol — than it is now.

The possible return of a human rights law on hate speech?

Bill C-36, as you may recall, contained a version of the second offence here — making it a new offence to commit an indictable offence when motivated by hate — and combined it with the revival of a provision rescinded from the Canadian Human Rights Act in 2013 that allowed for a human rights complaint for hate speech.

C-36 proposed to revive the old section 13 of the Act to make it a discriminatory practice to communicate “hate speech by means of the Internet… in a context in which the hate speech is likely to foment detestation or vilification of an individual or group of individuals on the basis of a prohibited ground of discrimination.”

The bill codified the Supreme Court’s more limited definition of hatred in Whatcott, restricting the potential scope of a human rights action against hate speech.

Briefly, in Whatcott the Court held that a provision in Saskatchewan’s human rights law banning hate speech violated s. 2(b) for being overbroad. The Court read in a more restricted definition of hatred — excluding the standard of “ridicules, belittles or otherwise affronts the dignity of” — and found the provision to be a reasonable limit under section 1.

We may see the return of this provision this fall. I’ll save a discussion of its merits if and when a new bill is tabled — and whether reviving a human rights remedy would help curb the polarization and algorithmic amplification of hate speech that are upending so much of our politics these days. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Authorship After AI

Fri, 19 Sep 2025 00:00:00 +0000

A new article in AI Magazine draws an illuminating comparison between what AI is doing to writing and what photography did to art in the 1840s. It helps to make sense of a question many of us are thinking about more often: does increasing reliance on AI signal the end of writing?

The insights in this piece resonate with me, given the quantum leap in my own use of AI over the past few months.

I’m now making such frequent use of it — integrating it into my research, writing, and editing — that it has me wondering what’s really happening.

As I describe in a piece for the CBA’s National Magazine, I’ve been dipping in and out of Claude, ChatGPT, and Perplexity constantly — to get a quicker lay of the land on new topics, reword sentences, and tighten drafts. But the pace and intensity feel like a transformation as momentous as the shift from typewriter to computer, or from paper-based research to the internet.

To be clear, I’m not using AI to create texts. But using it more often to edit, it sometimes causes me to think about my claim to authorship. At what point does a suggestion — or re-write of a paragraph — mean it’s no longer me?

In “Reclaiming authorship in the age of generative AI: From panic to possibility,” Mohsen Askari argues that we need to abandon the notion that “authorship is defined by the absence of tools” — that using AI contaminates the purity of writing.

He sees AI as part of a continuum of tools from the pen to the typewriter to the reference manager. His central claim is provocative: “[w]hat matters is not whether help was involved, but whether the author stands behind the final work.”

Why AI is like early photography

The sharpest part of his piece is the analogy to photography in France in 1839. Painter Paul Delaroche famously declared: “From today, painting is dead!” The camera’s ability to mechanically capture the world posed an existential threat to painting not unlike our response to AI in writing: “shock, suspicion, and widespread declarations of the end of a creative tradition.”

Early photography was dismissed as craftless. It seemed to require “no imagination, no hand, and no labour.” The prestige artists earned for mastery evaporated. Photography “democratized image-making.”

But painting didn’t die. It ceased to be about reproduction and exploded with creativity through abstraction and experimentation. Meanwhile, photography itself became an art form: “Mastery emerged not from the act of clicking a shutter, but from timing, framing, lighting, and selection. In short: from judgment.”

Askari sees the same happening with AI. Like photography, it produces results quickly and provokes fears of “fraudulence and depersonalization.” Yet using AI well involves more than typing a prompt; it requires “knowing what to ask, how to evaluate, when to refine, and when to reject.”

AI can produce fluent text, he notes, but fluency is “not the same as quality, insight, or originality.” The real work lies in “asking the right questions, rephrasing, discarding early results, and returning with a clearer intent.”

For Askari, writing with AI remains authorship when it involves real “sculpting”: “The user curates meaning. They filter the signal from the noise. Above all they remain accountable for what is kept and what is removed.”

But is it really you?

Askari may be stretching it too far. Surely authorship is more than “augmentation” or “curation.”

But he has a point: authorship can be authentic even if not every sentence is one’s own. In conversation, we often grope toward an idea only for a friend to supply the better phrasing, which we readily adopt. They give us the words; we provided the idea. The proof is that our friend doesn’t just nod but lights up with an “aha.” This is the distinction Askari seems to be after.

For people pressed with time, living with “interrupted attention spans,” or working in “linguistically diverse environments,” AI, he says, isn’t a “crutch or a cheat,” but a “tool that enables a different kind of flow.”

In the academy, the flow he describes sparks anxiety because AI makes suddenly “easier, faster, and more accessible” skills that once took years to develop: “the ability to write well, think clearly, and publish independently.”

We’re still aiming to cultivate these skills rather than handing them off to AI. How do we do this when AI offers to do it all for us?

What about student assignments?

When students hand in work with a strong trace of AI—a paper more polished than we suspect they would have written on their own—Askari urges us to question the reflexive view that AI use entails “the absence of thought.” He suggests we see the tool not as disrupting writing, but as having “supported” it.

The question, he writes, is not “whether AI was used, but whether the author remained present, intentional, and accountable throughout the process.”

This framing helps.

When I recently used AI to revise the opening of a piece, I wondered whether it was still my writing if I adopted the suggestion. Askari’s point is that it’s yours not because you accept AI’s wording, but because what AI is rewording is your idea.

If there’s a visible trace between your draft and AI’s output, then yes, you wrote it. AI only helped.

But what about the term paper I received last spring in one of my courses that seemed written entirely by AI? Askari would say this wasn’t authorship any more than pointing a camera out a window and clicking would be art.

It fails because the student had not “remained present, intentional, and accountable throughout the process.” They simply pointed and clicked. And that’s why it felt wrong.

We might conclude that what matters is not whether AI polished a student’s prose, but whether we can still detect presence and intentionality. Original ideas, analogies, connections.

The line will often be subtle. How much originality or intent is enough? How do we measure it? How do we teach students not to over-rely on AI?

Not easy questions. But Askari’s insights remain useful. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

When AI Turns Deadly: Are Model Makers Responsible?

Sat, 30 Aug 2025 00:00:00 +0000

This week, parents of Adam Raine, a California teen who committed suicide in April after a lengthy interaction with GPT-4o, filed a lawsuit against OpenAI and its CEO, Sam Altman. The case follows a suit brought in late 2024 by the parents of a Florida teen, Sewell Setzer, who took his own life after engaging with a Character.AI chatbot impersonating Daenerys Targaryen from Game of Thrones.

In early August, ChatGPT was also implicated in a murder-suicide in Connecticut involving 56-year-old tech worker Stein-Erik Soelberg, who had a history of mental illness. Although the chatbot did not suggest that he murder his mother, it appears to have fueled Soelberg’s paranoid delusions, which led him to do so.

OpenAI and other companies have been quick to respond with blog posts and press releases outlining steps they are taking to mitigate risks from misuse of their models.

This raises a larger question left unanswered in Canada after the Artificial Intelligence and Data Act died on the order paper in early 2025, when the last Parliament ended: what guardrails exist in Canadian law to govern the harmful uses of generative AI?

Like the United States, Canada has no national or provincial legislation designed to impose liability on AI companies for harms caused by their products. The European Union passed an AI Act in 2024 that does impose liability for harmful AI systems.

But in both the EU law and the Canadian bill that was abandoned, there is a notable flaw in how liability is conceived.

I explored this in a paper I wrote in late 2023, surveying early reports of harmful uses of language models (a suicide in Belgium, help with bomb-making, and other cases).

My article garnered some interest on SSRN but only recently appeared in print (it was published this month). The core argument was this:

Both [the European and Canadian AI] bills are premised on the ability to quantify in advance and to a reasonable degree the nature and extent of the risk a system poses. This paper canvases evidence that raises doubt about whether providers or auditors have this ability. It argues that while providers can take measures to mitigate risk to some degree, remaining risks are substantial, but difficult to quantify, and may persist for the foreseeable future due to the intractable problem of novel methods of jailbreaking and limits to model interpretability.

The problem remains unresolved.

The only guardrails at the moment

The only mechanisms in Canada and the US for holding AI companies liable are laws on product liability, negligence, and wrongful death.

Parents in both the California and Florida cases are suing the model makers (OpenAI and Character.AI, respectively) for wrongful death, a statutory cause of action that allows family members of the deceased to sue for damages including funeral expenses, mental anguish, loss of future financial support, and companionship. Plaintiffs must show the defendant’s negligence or intentional misconduct caused the death.

Here, parents allege that chatbot makers were negligent in product design and failed to provide adequate warnings about risks.

Canadian law works in a similar way. Provinces allow wrongful death suits for a wrongful act. Damage awards in Canada are much smaller than in the US and mostly limited to quantifiable losses. But plaintiffs can also claim that a model maker was negligent in offering a harmful product, or that it was defective or lacked adequate warnings.

At the heart of negligence and product liability is the same question: what steps should OpenAI, Anthropic, or Google reasonably have taken to avoid harm?

Put another way, in making chatbots available, companies clearly owe users a duty of care. The product carries risks, and harm to users is foreseeable.

The key question, though, is: what is the standard of care?

When can OpenAI and others be said to have done enough—or not enough—to avoid harm? If the standard is “reasonably safe” rather than “absolutely safe,” when is that threshold met? And can it even be met, given the nature of these systems?

No one knows. But OpenAI and others are taking—and publicizing —all the steps one might predict a tort lawyer would advise them to take.

OpenAI admits its risk-detection mechanisms work better in shorter conversations and degrade as conversations lengthen. It is working to improve performance in longer chats.

It is also improving detection across different types of harmful conversations, from suicidal to criminal. It has announced plans for parental controls to let parents monitor their child’s activity, and is rolling out systems to route some conversations to human overseers who can terminate the chat and lock the user out of further access.

Whether these steps will be deemed sufficient—enough to absolve OpenAI and others of liability—remains to be seen.

Much may depend on how a model was misused, what jailbreak was employed, and whether that misuse was foreseeable.

In a broader sense, it is worth keeping perspective on AI risks. As tragic as these cases are, hundreds of millions of people use these tools daily, and many find them beneficial. But there are, inevitably, many ways to misuse them. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Bill C-2 Backgrounder - the missing manual!

Wed, 23 Jul 2025 00:00:00 +0000

Over a month later, the controversy over the Strong Borders Act continues.

Privacy experts are still sounding the alarm over the astonishing breadth of some of the new powers — allowing police to demand from a doctor, lawyer, anyone who “provides a service” information about a person’s account without a warrant; a power to compel Shaw or Google to “install equipment” that would give police or CSIS access to personal data — the list goes on.

Following my last post that looked in some detail at parts of the bill, the government has issued a Charter statement that drew criticism for being self-serving, even misleading. Along with others, I wrote opinion pieces and spoke about the bill on Law Bytes and other venues.

But I noticed there was still some confusion and uncertainty about many aspects of the bill. Rather than wait for a Parliamentary backgrounder to appear, I decided to put together my own overview of all aspects of the bill touching on privacy — and to offer an independent assessment of them in relation to section 8 of the Charter (guaranteeing “a right to be secure against unreasonable search or seizure”).

The result is a paper I’ve posted to SSRN titled “Bill C-2 Backgrounder: New Search Powers in the Strong Borders Act and Their Charter Compliance ”.

I’ve tried to provide more context than is found in the government’s Charter statement, by detailing how new powers expand on or amend those currently in force.

The paper looks at more controversial parts of the bill, including the whole new lawful access act contained in C-2, and declaratory provisions in the Criminal Code asserting that police don’t need a warrant for subscriber ID or an ‘information demand’ with voluntary compliance — and an indemnity for those who comply.

I plan to keep the paper up to date (on SSRN ) as the bill moves through second and third reading — and to post those updates here. Comments are welcome! ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Major new search powers in the Strong Borders Act: are they constitutional?

Sun, 08 Jun 2025 00:00:00 +0000

The Liberal’s first bill in Parliament last week proposes a raft of new search powers to give police easier access to our private data. They may turn out to be the most consequential search powers added to the Criminal Code in the past decade.

They have little to do with the primary aim of the bill, strengthening borders by expanding powers in customs and immigration.

Tucked in the middle of Bill C-2 are measures that revive long-standing aims to pass “lawful access” legislation that will make it easier for police to obtain subscriber information attached to an ISP account (with Shaw or Telus) and give police direct access to private data held by ISPs or platforms like iCloud, Gmail, or Instagram.

I’ve written a general overview of these powers for The Conversation here , and Michael Geist has a very informative op-ed in the Globe that sets out a wider context and walks through some of the provisions in detail. If you’re new to this story, you might begin there.

In this post, I offer a few thoughts on the constitutionality of three key powers in the bill: the new production order for subscriber info; the new information demand power; and the provisions that compel service providers to assist police in gaining direct access to personal data.

This is a long post, almost 3k words. It might have been three shorter ones, but I thought I’d put it all in one post.

It’s meant for those looking for a deeper dive on the constitutional questions.

What do you mean by ‘constitutional’?

The larger issue here is whether these provisions will survive a challenge under section 8 of the Charter of Rights and Freedoms, guaranteeing “everyone has the right to be secure against unreasonable search or seizure.”

Two things to keep in mind about section 8: What is a search? And when will a search be reasonable?

A search for the purpose of section 8 is anything done by a state agent for an investigative purpose that interferes with a reasonable expectation of privacy in a place or thing (R v Bykovets ).

A search will be reasonable where it is authorized by law, the law is reasonable, and it is carried out in a reasonable manner (R v Collins ).

The powers created in this new bill set out authority for a search. The issue here is whether each of them sets out a ‘reasonable law’ authorizing a search.

(In case you’re interested, I’ve co-authored an entire book on section 8, which you can check out here .)

Relevant background: production orders and the Spencer situation

In 2004, Parliament created what are called ‘production orders’ to give police the power to ask an internet or cellphone service provider to hand over data about digital communications, including the content of messages.

That power required reasonable suspicion, and it was challenged under section 8 of the Charter as being too low a standard, giving rise to an unreasonable search.

In 2014, the BC Supreme Court said it was too low: it should be probable grounds; the Alberta Court of Appeal disagreed : it should only be reasonable suspicion.

That same year Parliament passed Bill C-14 , which created a general production order requiring probable grounds (487.014) and four more specific production orders requiring only reasonable suspicion — for tracing communications (e.g., metadata attached to email or phone calls), transmission data (call or text histories); tracking data (location data); and financial data (487.015 to 487.018).

Meanwhile, in June of 2014, Supreme Court of Canada decided R v Spencer , which held that subscriber information attached to an IP address — the name and physical address of the person linked to it — is private, because it associates a person with their online search history. Police can’t demand it from an ISP without authority in law to do so (which may or may not involve a warrant).

The Court in Spencer noted (at para 11) that police had demanded the subscriber ID from Shaw without first obtaining a production order in that case — thus contemplating its use as a means for doing so.

But the Court did not address the question of what kind of search power would be reasonable to obtain subscriber info. After explaining why provisions in private sector legislation (PIPEDA) didn’t authorize the search, the Court simply concluded (in para 73) that “in the absence of exigent circumstances or a reasonable law,” police couldn’t lawfully search (i.e., demand) it.

So what remained unclear after Spencer was: what is a reasonable search law that authorizes police to make a demand for subscriber information?

The presumptive standard for a reasonable search in criminal law (i.e., what constitutes a “reasonable law” authorizing a search) is one involving a warrant issued on “reasonable grounds to believe” (probable grounds) that an offence has been or will be committed, rather than “reasonable suspicion.” It would seem, then, that a demand for subscriber ID should be a warrant on probable grounds.

Things said in Spencer support this inference. It held the privacy interest in subscriber information is high, given that it links a person to search activity that can be highly revealing. Anything less than probable grounds would not strike the right balance between law enforcement interests and personal privacy. But at least one privacy scholar disagrees .

In the wake of Spencer, to obtain subscriber info, police have been using the new general production order power added in 2014, requiring probable grounds. Again, this isn’t a powered tailored specifically for obtaining subscriber ID, so it’s unclear whether anything less would suffice. Police and Crown hope so. Probable grounds is a relatively high standard; why not just a warrant on reasonable suspicion?

Privacy in a set of numbers alone?

And what about demanding an IP address? Sometimes police can’t get far without asking an ISP or an online platform like Instagram to reveal a user’s IP address. Did they need a warrant for this? Was an IP address on its own private?

In R v Bykovets , the Supreme Court of Canada held that an IP address is private because it readily links a person to their online activity. But the Court didn’t specify what kind of power would render a search (demand) for an IP address reasonable.

At para 85 of the decision, Karakatsanis J for the majority, points the production order power in section 487.015(1) of the Code (for transmission data) on reasonable suspicion as possible tool police might use here. This is obiter, since the Court is not being asked whether the use of this to demand an IP address would constitute a reasonable law. Yet we can assume that the judges in the majority think that a warrant on reasonable suspicion would suffice.

New production order in the Strong Borders Act

The new bill gives police and Crown what they want: a production order power tailored to making a demand for subscriber info by obtaining a warrant issued on reasonable suspicion that a federal offence has been or will be committed (a new 487.0181(2) of the Criminal Code).

Will this be constitutional? More specifically, a search conducted under this power will be authorized by law, but is this law reasonable?

There is no single test for when a law authorizing a search is reasonable under section 8 of the Charter. But the Supreme Court has generally considered four factors: whether the power relates to a criminal or regulatory offence; the state or law enforcement interest at issue; the impact on personal privacy; and the oversight and accountability safeguards.

Demanding subscriber info on reasonable suspicion is, I think, likely to be found unreasonable. In this case, the privacy interest is high (i.e., the online activity linked to a person’s name). Given things said about this in Spencer, this alone could favour a finding that nothing less than probable grounds is reasonable.

Further possible support may be found in R v Tse , which held that emergency wiretap provisions of the Code were unreasonable for failing to include a post facto notice requirement to persons affected. In this case, there’s no requirement to advise a person that they were subject to a production order, if charges do not follow. Not sure a court would view production order powers to be sufficiently analogous to wiretap provisions. But I flag it as a potential consideration.

The new “information demand” power

Bill C-2 also creates a new power on the part of police to demand information. In some cases, police may only ask if a service provider has info about something. In other cases, they can demand the info itself.

Under a new section 487.0121 in the Code, police can ask a service provider whether they have “provided services to any subscriber or client, or to any account or identifier.” If so, police can demand to be told where and when service was provided — along with info about any other providers who may have offered the person service.

They can do this on reasonable suspicion alone, without a warrant.

Police can thus ask Shaw or Gmail things like: does this user have an account with you? Do you have an IP address or phone number associated with their account? If so, tell us where and when you provided it.

Why do police need this power? Aren’t police free to ask questions as part of their investigation? Is there not a distinction between a person describing to police what they know or have observed and police demanding to see it themselves? Can’t we assume that police only carry out a search when they ask for and receive private data itself?

Recall that a search is anything done for an investigative purpose that interferes with a reasonable expectation of privacy. Police demanding private information in the hands of a third party can constitute a search. For example, police carried out a search in Spencer by asking Shaw: whose name is attached to this IP address?

What is contemplated here differs in some ways but is similar in others. Police might ask simply: do you have a name (or an account) attaching to this IP address? Did you lease this IP address to a person? Or they might ask: when and where did you provide use of this IP address?

In some cases, depending on the question and the limited info revealed by the answer, it may not amount to a search. But in some cases it can.

If police have a name, or an IP or email address and they ask a dating, gambling, or porn website whether they have a user account related to any of them, a “yes” in response could be quite revealing. If a service provider can link a person to a location, or more than one, in a window of time, this could also be invasive.

Should this too require a warrant? We’re in genuinely new terrain here.

The information demand power gives police authority to go poking around the edges of our digital lives — knocking on the doors of anywhere we’ve left a digital trace — to ask questions that could readily create a clear picture of who we are and where we’ve been. All on nothing more than reasonable suspicion.

I can see a challenge to this power leading to a deeply divided the Supreme Court decision similar to that in Bykovets , where half the Court says: reasonable suspicion is enough, and the other half says no, it should require a warrant.

I suspect it will come down to half the Court seeing this power as too preliminary to pose a real threat to privacy and police needing some leeway to act without undue hindrance, and half the Court seeing this as too close in nature to a means of circumventing the protections around subscriber ID and IP addresses. In some cases a positive answer to the question: “does this user have an account with you?” will be all the police need to know to link a person with an extensive amount of personal data.

If I were a betting man, which I’m not, I would bet that a majority of the Court will find this power reasonable. (But there will be a wonderful, eloquent dissent, probably by Karakatsanis J or Martin J or maybe both, on the importance of privacy and the need for a warrant.)

Briefly, Bill C-2 also extends to agents of the Canadian Security Intelligence Service the ability to make an information demand on no grounds at all. But they may not target a Canadian citizen or permanent resident. Given the high state interest in these cases and the limited privacy interest engaged, this power is likely to be found reasonable.

The lawful access provisions

Bill C-2 contains a whole new statute called the “Supporting Authorized Access to Information Act,” which brings about a “lawful access” regime for private data that police and Crown have long been seeking.

(See Professor Geist’s Globe article on the history of this.)

The Criminal Code has long had something called an assistance order, which compels third parties to assist police in executing a warrant. (Open that storage locker please.) The lawful access provisions do the same but on a larger scale.

They impose of obligations on “electronic service providers,” or anyone providing a digital service (storage, creation, or transmission of data) to people in Canada or if situated here, and more onerous obligations on a class called “core providers” who can be added to a schedule to the Act.

An ESP can be ordered to “provide all reasonable assistance, in any prescribed time and manner, to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information”.

But core providers will be subject to regulations that mandate the “installation… of any device, equipment or other thing that may enable an authorized person to access information”.

A core provider might be Google or Meta, Shaw or Telus. And the equipment at issue could enable direct access to accounts, stored files, data logs, and so on.

There are two important limits on this.

One is that police (or an authorized person, such as a CSIS agent) can only go ahead and access data or demand it if they have authority to do so under law — which may or may not involve a warrant, reasonable grounds, and so on.

The other limit applies to both ESPs and core providers: they do not have to follow an order “if compliance… would require the provider to introduce a systemic vulnerability in electronic protections related”. I take this to mean that they cannot be compelled to install a backdoor to encryption.

Are these powers immune to challenge under section 8 of the Charter?

They do not contemplate a search directly. But depending on how an assistance order is used, it could result in an unreasonable search.

For example, a while ago, there was a debate about whether using an assistance order to compel a person to provide police their password might amount to an unreasonable search.

The companies subject to a requirement under this new lawful access statute could challenge it in court — either in response to an order made to them specifically or under a regulation that applies to them as a core provider (on administrative law principles).

But it’s harder to imagine a case where police have conducted a search on lawful grounds, or with a valid warrant, which is found to be unreasonable under section 8 because police were able to gain access to private data more readily through technical means of access made possible under this new statute.

But I can envision two possible exceptions.

One is if the means of access mandated under the new Act amounts to an interception: realtime access to data that police use to obtain the data at issue. An accused person would need to show, however, that police came into possession of their private data in realtime and without a warrant under the wiretap (interception) provisions in Part VI of the Criminal Code. (See the Telus case for more on this distinction.)

Another exception is simply that police gained quick access technically, but without a lawful basis (a warrant, etc.).

But it isn’t inconceivable that the Supreme Court might eventually say that mandating certain measures, means, or forms of access amount to an unreasonable search even if used with lawful authority such as a warrant. These might include means that somehow give police with a warrant access to data being created now and in the future, in addition to data already created.

If you’re still with me, thanks for reading! I’ll continue to follow the bill as it makes its way through Parliament and try to post about it here. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Testing the waters with Deep Research

Tue, 04 Mar 2025 00:00:00 +0000

Last month OpenAI unveiled a new tool for producing lengthy reports with citations to sources on the web. It uses one of the company’s best ‘chain of reasoning’ models to deliver output that far exceeds the quality of what similar tools from Google and Perplexity AI can do – tools that are also called ‘Deep Research,’ as it happens.

But initially, OpenAi’s version was only available to folks with the $200 US a month “pro” subscription. We had to take on faith effusive reviews, like this one from Reddit :

Deep Research has completely changed how I approach research. I canceled my Perplexity Pro plan because this does everything I need. It’s fast, reliable, and actually helps cut through the noise.

For example, if you’re someone like me who constantly has a million thoughts running in the back of your mind—Is this a good research paper? How reliable is this? Is this the best model to use? Is there a better prompting technique? Has anyone else explored this idea?—this tool solves that.

It took a 24-minute reasoning process, gathered 38 sources (mostly from arXiv), and delivered a 25-page research analysis. It’s insane.

Not everyone was so enthused. One commentator noted that it can “miss key details, struggle with recent information and sometimes invents facts.”

The Verge had a piece about using Deep Research to produce a report on the judicial treatment of section 230 of the Communications Decency Act in the last five years – concluding that “it got the facts right but the story wrong.” Although none of the cases it cited were made-up, and its summary was generally accurate, it had one major problem: it ended in 2023. But 2024 was “a rollicking year for Section 230,” with many important developments, as a law scholar quoted in the article pointed out.

When I first read about OpenAI’s new tool, I was keen to find out whether it could look up sources on third-party databases like Canlii or JSTOR . If it could do this, DP would be quite powerful. You could ask it to find a case about X and it would formulate the query, run the search and – most importantly – read through the cases to find the needle in the haystack.

For the moment, however, it doesn’t do this. But OpenAI says that accessing databases like Canlii is on its way.

(Incidentally, I’ve been writing about how much better free or almost free AI has become at doing brief overviews of Canadian law. I’ve got a piece on the way documenting how well OpenAI’s reasoning model GPT o1 produced a summary on the law of unjust enrichment in 500 words, which I knew little about. It came up with a cogent summary, with correct citations to the three leading Supreme Court of Canada decisions on point and the main 3-part test to be applied. Check it out here .)

The thrust of this post, however, is to report on my own test drive with OpenAI’s Deep Research. As a GPT Plus subscriber (30$ Canadian a month), I gained access to DR only last week but couldn’t think of a good query to test it with. With “plus” users getting only 10 queries a month, I’m inclined to be sparing with them.

Here was my ungrammatical query:

What uses are being made in Canada to use artificial intelligence in decision-making by government agencies or entities, and what policy statements or guidelines have been issued by government or agencies with respect to this?

As you may know, before it embarks on a search that can last between about 5 and 30 minutes, it asks you a few questions to sharpen the boundaries. It asked me:

Are you looking for information on AI use by government agencies across all levels (federal, provincial, municipal), or just at the federal level? Also, would you like details on specific areas of application (e.g., public safety, healthcare, immigration, etc.)? Lastly, are you interested in ethical considerations and public consultations regarding AI in government decision-making?

I told it to be as inclusive as possible.

What it produced was thoroughly impressive. It took 7 minutes and came back with an 11,000 word document titled “AI in Government Decision-Making in Canada” that cited 27 sources. You can read it here .

It was both informative and sufficiently engaging that I read it all the way through, and I learned an enormous amount. (I then got it to do a 1,000 word summary, which you can find at the end of the thread.)

The report was impressive both in terms of what it covered and where it pointed. It touched on the use of AI at federal, provincial, and municipal levels across Canada and in various fields: policing, healthcare, immigration, social services, transportation, even the courts.

It also struck a nice balance between useful and reliable government policy docs and reports, and shorter news items.

What struck me reading it was that it would take me easily a week of surfing, reading, note-taking, and compiling to produce something this good. Maybe more.

It would no doubt have been a better report. More selective in some ways, more discerning, maybe more probing.

But this was about 70 to 80% as good as I could do myself – in 7 minutes. It hit all the bases, all the major stories in the government use of AI in recent years: Clearview AI, Chinook, interventions by the Federal Privacy Commissioner, major policy statements on the use of AI.

Quibble with this as you might, but this is not a minor development. The sources are real. The general summary is cogent and more or less accurate as far as it goes. Is it missing that great paper by so-and-so on this or that aspect of the problem? No doubt. Does it contain every relevant story, all the relevant policies, cases, and so on. No it doesn’t.

But is it worth consulting as a starting point? Do I know much more about this topic than I did before I ran the query? Absolutely.

I come away from Deep Research feeling more optimistic about the utility of AI in research, and legal research in particular. I can see a point in time on the horizon when AI will produce a better first draft of an outline of argument or opinion than we could possibly do in less than a few days, even with a good grounding in the field.

It’s even to the point of making me question my assumptions about AI not being a substitute for really knowing the law – that people without a solid foundation in law won’t know how to prompt effectively. Just not sure about this any more. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Are sexual deepfakes not a crime in Canada?

Sat, 11 Jan 2025 00:00:00 +0000

In late December, the Toronto Star ran a story about a boy in high school who had created a series of pornographic deepfakes of other girls at his school using images of their faces on Instagram. The nude pictures were discovered on his phone inadvertently, during sleepover when a friend went looking for a selfie taken on his device. Once discovered, the girls were alerted (with screenshots) and soon police were at his door.

They grappled with whether creating the images was criminal. After questioning other boys believed to have seen the images and consulting with Crown, police decided not to proceed. But they invited the girls and their parents to the station to explain that they didn’t think it was a crime without more evidence that the images had been shared.

Police appear to have concluded that only one provision of the Code applied — possession of child pornography in section 163.1 — and there was a good chance the boy could rely on the “private use” exception in R v Sharpe , SCC 2001.

The story points to a larger gap or ambiguity in Canadian criminal law around sexual deepfakes — one that Professor Suzie Dunn (Dalhousie) helped explain to the Star.

As she points out in the story and details at greater length in an informative article forthcoming in the McGill Law Journal, two Criminal Code provisions are relevant to sexual deepfakes: the prohibition in section 162.1 on non-consensual distribution of intimate images (NCII) and the prohibition in section 163.1 on making, distributing, or possessing child porn.

The first offence (intimate images) applies to victims of any age. But as Dunn notes, on a plain reading, 162.1 captures only the distribution of authentic images. It prohibits sharing an “intimate image of a person”, defining this as “a visual recording of a person made by any means …in which the person is nude… or is engaged in explicit sexual activity.”

She notes that 162.1 does not appear to have been applied to a deepfake in any Canadian case. Doing a search of all cases involving 162.1 turns up only a few hits.

But as Dunn also notes, a Quebec court has applied the child porn provision in the Criminal Code (s 163.1) to capture the creation of a deepfake video. There is also a BC case from early 2024 in which the court applied section 163.1 where the accused created images using an app call ‘DeepNude’ and shared them with the victim and her friends. (Both are sentencing cases.)

Was it private use?

To be clear, section 163.1 appears to capture deepfake porn involving persons under 18 because it defines ‘child pornography’ to mean

a photographic… or other visual representation, whether or not it was made by electronic or mechanical means … that shows a person who is or is depicted as being under the age of eighteen years and is engaged in or is depicted as engaged in explicit sexual activity.

In other words, the image doesn’t have to be of the person him or herself. It can be an image that depicts them. But they have to be under 18.

In the Toronto high school case, the boy clearly created child pornography within the meaning of 163.1. The question is whether his possession of it fell within the “private use” exception in Sharpe.

In that case, the Supreme Court held that to avoid an unjustifiable limit of free expression under the Charter, a defence of “private use” had to be read into the child porn offence provisions in 163.1. It contemplates two exceptions.

The first involves “the possession of expressive material created through the efforts of a single person and held by that person alone, exclusively for his or her own personal use.” The second involves recordings of lawful sexual activity for private use “created with the consent of those persons depicted.”

In the Star article, Dunn queries whether the first exception would apply here, since the boy would not have created the image by himself — but by relying on an AI app, which likely entails storage of the image on company servers.

Again, police or Crown probably concluded that it would be risky to proceed with a prosecution under 163.1 without clearer evidence that the boy had shared the images — thus taking him out of the Sharpe exception (without any debate about AI and company servers).

Are deepfakes not intimate images under the Code?

But I want to pick up another thread in Dunn’s comments on the gap in the Code on deepfakes — one that pertains to the other provision at issue, the prohibition on non-consensual sharing of intimate images of persons of any age.

I agree that on a plain reading of 162.1 of the Criminal Code, the intimate images must be of the person themselves. But the Supreme Court of Canada has endorsed departures from the principle of strict construction in criminal law where a narrow reading would give rise to arbitrariness or defeat the larger aim or purpose of the provision.

In R v Paré (SCC 1987), the accused murdered a boy two minutes after committing an indecent assault against him. A provision still found in the Code (231(5)) states that “murder is first degree murder in respect of a person when the death is caused by that person while committing” indecent assault or other offences. Paré argued that because it happened two minutes later, the murder was not caused ‘while committing’ the assault — and he should be entitled to a literal reading. For centuries, courts have applied the principle of strict construction in criminal law.

The Court held that it was time to update the doctrine. The original reasons for it (many offences resulting in capital punishment) have been “substantially eroded”. Ambiguities should still be settled in favour of the accused, since criminal penalties are severe. But the question should now be whether “the narrow interpretation of ‘while committing’ is a reasonable one, given the scheme and purpose of the legislation.”

The narrow reading wasn’t reasonable. We couldn’t assume Parliament meant to limit the meaning of ‘while committing’ to ‘simultaneously,’ because, as Justice Wilson held, doing so would result in drawing arbitrary lines between when the assault ended and the murder began. She also held that a wider reading (one that includes a murder immediately following an assault) would be the one that “best expresses the policy considerations that underlie the provision”, i.e., more serious punishment (first degree) for more serious conduct.

Should Paré apply here?

We have the same disconnect with larger purposes and arbitrariness if we read 162.1 strictly — to apply only to real images.

One might argue that the purpose of 162.1 is to prevent not simply the non-consensual distribution of intimate images, but violations of a person’s sexual privacy or integrity through the sharing of intimate images. If one could circumvent the application of 162.1 by merely doctoring a real image of one’s partner nude before posting it online — allowing one to say “but it isn’t actually her body” — that would make little sense.

Put another way, the question is whether 162.1 makes it offence to share intimate pictures only of a person him or herself — or also what looks to be him or her. If the offence doesn’t include the latter, how do we distinguish between a grainy picture of you good enough to make out and a doctored picture of you that seems real enough to be convincing? Why would non-consensual distribution of the one be criminalized and not the other?

One reason might be that in the one case, a person consented to the creation of the image but not the distribution; in the other case, they consented to neither.

But the gravamen of the offence lies in the non-consensual distribution of an intimate image. Do we not find the same gravamen in the sharing of a deepfake? Is the culprit not trying to do the same thing: compromise the victim’s sexual integrity through exposure?

We might add that while section 162.1 clearly contemplates the distribution of intimate images a person consented to have taken of them, it doesn’t require this. The definition in 162.1(2) does say “intimate image means a visual recording of a person made by any means including…” Those means could include AI. So why does the image itself have to include only images of the person themselves? After all, every digital image is doctored to some degree by our devices.

Private law remedies?

Dunn’s forthcoming McGill paper notes that various provinces (aside from Ontario) have passed tort legislation making the non-consensual distribution of intimate images actionable without proof of damages. And as she points out, all are worded in ways that clearly capture deepfakes. For example, in BC’s act, intimate image “means a visual recording or visual simultaneous representation of an individual, whether or not the individual is identifiable and whether or not the image has been altered in any way, in which the individual is or is depicted as…” engaged in sexual activity, nude or “nearly nude.”

Manitoba’s act was amended in 2024 to be more explicit about deepfakes, adding as a defined term “fake intimate image”, which means “any type of visual recording … that in a reasonably convincing manner, falsely depicts an identifiable person (i) as being nude or exposing their genital organs, anal region or breasts, or (ii) engaging in explicit sexual activity.”

These provincial statutes set out various ways to try to have an image taken down or deleted once circulated. Orders against platforms, third-parties, search engines. All of them are potentially helpful, but how helpful (or realistic) is unclear. The federal Online Harms Act in Bill C-63 (which just died on the order paper, with the proroguing of Parliament) would have placed a host of obligations on platforms to prevent circulating NCII or take them down. I expect that bill will be reprised at some point.

A cursory search on Canlii for cases applying these statutes uncovers a few dozen cases mostly seeking monetary damages for threats to distribute or posting of NCII. The focus appears to be on money rather than removal of the images. And to my knowledge, none involve deepfakes.

It may be too early to assess whether tort law will be an effective tool for curbing the use of AI to create and share sexual deepfakes. But soon, I suspect, both tort and criminal law provisions will begin to be tested on this front. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Why TikTok’s challenge to the order to leave Canada will fail - and how

Sun, 05 Jan 2025 00:00:00 +0000

This past November, the federal government ordered TikTok’s Canadian subsidiary to wind up its operations in Canada, though it didn’t ban the platform itself. The power to make this order is found in the Investment Canada Act , which allows the Minister of Innovation, Science, and Industry to recommend to the Governor in Council that a foreign company be wound up on the basis that allowing it to continue here “would be injurious to national security.”

In a press release in November, Industry Minister François-Philippe Champagne said only that “The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.”

The fact that TikTok having offices in Vancouver and Toronto would be injurious to our national security is something we’re being asked to take on faith. I mused about what the reasons could be here , but I could only speculate.

The latest chapter in this story is TikTok’s challenge of the wind-down order in Federal Court, filed in December. TikTok alleges that the Minister’s recommendations and the Governor in Council’s decision to issue the order involved procedural unfairness, were unreasonable, were driven by improper purposes, and were grossly disproportionate in their impact (affecting hundreds of employees and some 250,000 contracts with Canadian advertisers).

But at the very end of their filing, TikTok Canada asks for disclosure “of all materials in the possession of the Minister, the Public Safety Minister and the GIC” when making the decisions to move forward with the ban. This raises two questions.

Will the government have to disclose this material? And can TikTok Canada make a case for the order being improper in some way without the government having to disclose this material?

The government hasn’t responded yet, but we can get a sense of what is likely to unfold by looking at what happened in a recent case involving China Mobile Communications Group. What the government did there it is likely to do here.

In 2021, Minister Champagne recommended that China Mobile’s Canadian subsidiary be wound up and the Governor in Council issued that order. Notably, the preamble to the order offers more specifics as to why it was being issued (as revealed in a case discussed below). The main concerns were:

a) that China Mobile and its subsidiaries and affiliates may be subject to the influence or demands of, or control by, a foreign government;

b) that China Mobile and its subsidiaries and affiliates may disrupt or otherwise compromise Canadian critical telecommunications infrastructure; and

c) that China Mobile and its subsidiaries and affiliates may gain access to highly sensitive telecommunications data and personal information that could be used for non-commercial purposes such as military applications or espionage.

(To my knowledge, there was no equivalent to this in the order against TikTok.)

China Mobile challenged the order. It made some of the same arguments TikTok is making - that the security review of the company was motivated by improper purposes, the final decision was lacking an evidentiary basis, and it was based on the wrong test (‘might be’ injurious rather than ‘would be’).

The company’s challenge to the removal order also contained a request that the government be made to disclose documents used in the decision to issue the order.

In response to the disclosure request, the government issued a certificate under section 39 of the Canada Evidence Act to assert the cabinet confidentiality over the documents. China Mobile then challenged the validity of that certificate.

While it was waiting for a hearing on the certificate, the company sought a stay of the removal order. This entailed showing that it would suffer “irreparable harm” if a stay were not granted and the harm would outweigh harm to the public. The harm alleged here were the many job losses and lost contracts.

The Federal Court held in late 2021 that China Mobile would suffer irreparable harm without a stay of the removal order, but it wouldn’t outweigh the harm to the public in allowing them to remain in Canada. This is as close as a court in Canada appears to have come to assessing the substance of the security concerns motivating the removal of Chinese owned tech companies.

In his reasons (beginning at paragraph 88), Chief Justice Crampton held that the government had provided “some evidence to justify their concerns regarding CMI Canada’s facilitation of espionage and foreign interference activities in Canada by the People’s Republic of China.” This included various third-party threat assessments cited in the judgment. These do little more than repeat what are essentially speculative concerns, but I digress.

Then in early 2022 the Federal Court held that the assertion of cabinet confidentiality over other documents in this case was valid.

China Mobile appealed this ruling and, in late 2023, the Federal Court of Appeal upheld it. The government did all it needed to do under section 39 by attaching a schedule to the certificate describing the date of correspondence between the Ministers of Industry and Public Safety and the fact the documents at issue were (as the schedule put it) “used for or reflecting communications or discussions between ministers of the Crown on matters relating to the making of government decisions or the formulation of government policy.”

And that is where the trail ends for China Mobile, as far as I can tell (it closed operations in BC in early 2022). Without obtaining disclosure of the government’s reasons for having the concerns about national security set out in the preamble to the order, China Mobile couldn’t establish the impropriety (procedural unfairness, unreasonableness) of the decision to issue the order.

To put this another way, the fact that the government can rely on secret information and shield from judicial oversight the reasons for or the manner of arriving at the decision to make the order does not mean it was unfair, involved improper purposes, and so on.

The whole framework in the Investment Canada Act is constructed so as to allow the government to issue an order directing a foreign company to leave Canada based on a belief that it would otherwise be injurious to national security — and the reasons for that belief can remain confidential.

The judge in the China Mobile trial court decision on disclosure comments on this conundrum directly:

The applicants, and the Court, may have nothing to refer to in the assessment of the reasonableness of the Order, other than the Order itself. I am not, however, persuaded that this evidentiary vacuum arises from an improper exercise of authority. Rather, it arises from the nature of the proceedings and the confidences claimed.

At the end of the day, on a challenge to these orders, the government need only show that certain steps were taken: the Industry Minister consulted the Public Safety Minister, a belief was formed, and recommendations were made to the Governor in Council. Again, we have to take it on faith that the belief was reasonable and the decision to order a company like TikTok to leave did not involve improper purposes.

I suspect that TikTok Canada’s challenge to the order is just a means of buying time — possibly until a change of policy around TikTok down south? Or is that too late? Time will tell. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}

Are your texts still private when police hijack your recipient’s identity?

Sat, 21 Dec 2024 00:00:00 +0000

In its decision in R v Campbell earlier this month, the Supreme Court of Canada revisited an issue it had dealt with in R v Marakah (2017), but with a twist. In that case, the Court held that a person can retain a privacy interest in a text they send, despite losing control of it in the hands of a recipient. Police had read the sender’s text when they searched the recipient’s phone incident to arrest. In this case, upon seizing the recipient’s phone, police saw new texts coming in on the lock screen and began to respond to them pretending to be the recipient.

Campbell addresses a number of issues, none of them entirely new, but all of them interesting and in need of further clarity. Did police conduct an ‘interception,’ engaging the wiretap provisions of the Criminal Code, when they hijacked a phone in this way? Were police authorized to search the phone as part of the recipient’s arrest, or were they conducting a different investigation once they took over the phone? Did the drug supplier sending the messages give police cause to carry out a warrantless search due to exigent circumstances, given his eagerness to quickly offload a quantity of heroin laced with fentanyl?

In one sense, none of this should concern anyone outside of the drug trade. But in another sense, the Court here is writing the latest chapter in a larger story about the boundaries of digital privacy, or to put it in highfalutin terms, the boundaries of the digital self.

My purpose in this post is to highlight what stands out to me about the case, having surveyed Supreme Court jurisprudence on section 8 extensively , including Marakah (2017) and Mills (2019), two cases to which Campbell forms a companion. For this reason, I won’t try to reconstruct the reasons in detail, but I will sketch the broad outlines.

How police intruded on Campbell’s privacy

Police were investigating a suspected dealer G, one of Campbell’s buyers. They obtained a warrant to search G’s residence and arrested G attempting to drive away from the house. During the arrest, he tossed two phones in the passenger seat, which police seized incident to arrest. A few minutes later, four texts appeared on the lock screen by ‘Dew’ (Campbell’s first name is Dwayne), indicating “I need 1250 for this half” and “What you gonna need that cause I don’t want to drive around with it”. Given the amount involved and their experience with the recent drug trade in Guelph, Ontario, police assumed this was likely a half ounce of heroin mixed with fentanyl, and that there was a good chance Dew would sell it elsewhere quickly, and that it was deadly. An officer began texting with Dew to arrange delivery, in an exchange that lasted over two hours involving some 35 texts. When Campbell turned up at G’s residence shortly thereafter, he was arrested and found with drugs and cash.

Campbell at trial

Campbell argued at trial that he didn’t send the first four texts, which contained the offer to supply heroin. He only sent the texts that followed, sorting out details about delivery. The decision is silent on this point, but I query whether Campbell was trying to place himself on one side of the line drawn in R v Greyeyes (SCC 1997), where the Court held that a person aiding a purchaser is not a party to trafficking. The Court also found in that case that a person who aids both the buyer and the seller is a party to trafficking. At the very least, that’s what Campbell appears to have done here.

Campbell claimed that by entering the conversation, police had interfered with his privacy and had conducted what amounted to an interception of a private communication under Part VI of the Code, requiring a warrant. The trial judge cited Marakah but held that Campbell didn’t have a reasonable privacy interest in this exchange because it “did not reveal any personal or biographical information” about Mr. Campbell and contained only “mundane comments that . . . could have been overheard on a public bus”. But even if it were private, the search was authorized under section 11(7) of the Controlled Drugs and Substances Act, which allows for a search in exigent circumstances.

Campbell on Appeal

The Ontario Court of Appeal held that Campbell did have a reasonable privacy interest in the exchange, because the texts were not “mundane,” but about a drug deal, “something one might make efforts to prevent from being overheard on a bus” – a rationale the Supreme Court would take issue with. Justice Trotter did not deal with the question of whether the exchange was an interception. He affirmed that there were exigent circumstances supporting the use of 11(7) of the CDSA. But a key facet of his ruling is his reading of Mills. A matter of dispute in the case law and commentary since Mills was decided is whether that case contains a majority holding, and if so what it holds.

Briefly, in Mills, police pretended to be a 14 year-old-girl and exchanged email and Facebook messages with the accused, resulting in charges of child luring. Justice Brown, writing for himself and Justices Abella and Gascon, found that an older man could not have a reasonable privacy interest in an online exchange with a 14-year-old girl he didn’t know. Justice Karakatsanis, for herself and Wagner CJ, held that the conversation did not involve an interference with privacy since it was not a surreptitious recording of a conversation (as in R v Duarte , 1990), but one carried out in digital rather than purely oral form (i.e., this was simply a conversation with an undercover officer, which is not a search). Justice Moldaver held that both sets of reasons were “sound in law”. Some courts and commentators had assumed this meant that the Brown opinion formed the majority.

Justice Trotter here was careful to describe the ‘majority’ opinion in Mills as comprising both Karakatsanis and Brown’s opinions (since the two together form the basis for dismissing the appeal), but Brown and Moldaver’s reasons forming the plurality opinion. Justice Trotter distinguishes what happened in Campbell from Mills by pointing to Karakatsanis’ holding that police did not interfere with a private conversation since they were in on it from the outset. Here, Trotter notes, they “insinuated” themselves into it.

Majority opinion at the SCC: was it private?

At the Supreme Court, Justice Jamal, writing for himself and Chief Justice Wagner, along with Justices Kasirer and O’Bonsawin, affirmed the appeal court’s holding but offered different reasons on two key points.

Justice Jamal held that Campbell’s exchange with police was private not because it was “something one might make efforts to prevent from being overheard on a bus” as Justice Trotter had held, but because of the nature of text messages per se. Texting is a form of communication we expect to be free from state interference altogether. And we have this expectation because they have the potential to reveal private information.

Justice Jamal’s analysis of Campbell’s privacy in the exchange largely replicates the one in Marakah, affirming the Court’s holding there that a loss of control over data or communication in a recipient’s possession does not render a sender’s privacy interest unreasonable. But the reasoning here contains fewer qualifications about texts being private. Whereas in Marakah, they can be private, the holding here comes close to asserting that texts are prima facie private, given our normative assumptions about them.

Justice Rowe agreed with Jamal’s reasons on this point without reservation, and the dissenting opinion of Justices Martin and Moreau (joined by Karaktasanis) also affirms privacy in text messages in a broad and unqualified sense (“Conversations that take place over text messaging promise participants a high degree of privacy and are capable of revealing a great deal of personal information.”) Only Justice Côté’s concurring opinion raises the point that Marakah didn’t create a ‘categorical rule’ that all texts attract a reasonable privacy interest. But given the view of eight other members of the Court, it may be that Campbell now stands for the contrary: all texts are presumptively private. And this in itself may be the most significant aspect of the decision.

The eight members of the Court (aside from Côté) also agreed that the intrusion into Campbell’s conversation was not authorized by the power to search incident to G’s arrest, since it was not ‘truly incidental’ to the reason for arresting G. The officer’s purpose in hijacking the conversation was to conduct a search of Dew for a different offence (trafficking) from those involving G. A small point, largely turning on the facts here. But one likely to be applied in future text message hijacking cases (already an emerging sub-genre as the citations in this case attest).

The Mills situation

Another tidbit that stands out to me is Justice Jamal’s discussion of Mills. A question before the Court here was whether Mills had created an exception to Marakah to the effect that where police suspect that a “relationship involves a crime,” communications are not private. Justice Jamal canvasses Mills in some detail to note that both Karakatsanis and Brown’s opinions affirmed Marakah. More to the point, Jamal was adamant that “there was no majority decision in Mills.” When Justice Moldaver asserted that both Karakatsanis and Brown’s opinions were “sound in law,” this did not result in Brown’s opinion becoming the majority holding – creating a Mills exception to Marakah. In other words, Justice Jamal was keen to reject the notion that texts are private unless the content or relationship itself is criminal in nature.

So, while Justice Jamal concludes this portion of the decision by asserting: “It is thus not necessary to decide whether Mills is properly characterized as creating an ‘exception’ to Marakah or as departing from the content‑neutral approach to s. 8 of the Charter” – what I think he’s really done is settled the debate about Mills and reduced the provocative opinions in that case to so much obiter.

Was this a wiretap?

Justice Jamal deals at some length with whether hijacking the phone constituted a wiretap, but he isn’t entirely clear about his reason for finding that it wasn’t. After canvassing the wiretap scheme and noting the Court’s holding in Telus (but not distinguishing it), he asserts: “in my view, Part VI is not engaged here because the police did not use a device employing intrusive surveillance technology.” He notes at one point that Part VI contemplates the use of “a separate ‘device or apparatus’ that effects the interception by surreptitious technological means”.

I take Justice Jamal to mean here that police did not carry out an interception of a private conversation with Campbell because while Cambell didn’t know he was talking to an officer, he knew that his speech was being recorded. I think this makes good sense. The thrust of Justice La Forest’s concern in Duarte (1990) was that the risk of being recorded by the state was a risk of a different order from your interlocutor turning out to be a tattletale. We can’t be assumed to accept the risk of being recorded whenever we speak, since the state could now be doing that at any time. But ever since we began texting, we recognized and accepted the risk that any text we might send could be shared.

Perhaps Justice Jamal assumes here that the risk of the interlocutor turning out to be a state agent is not a risk of a different order from the risk of our texts being turned over to the state by our recipient (which would also engage a privacy interest, a topic on which I happen to have written recently . Justice Jamal reiterates at the close of this segment that while police conduct may not have involved an interception under Part VI, “this was prima facie an intrusion upon Mr. Campbell’s reasonable expectation of privacy.”

To jump ahead to the dissent on this point, Justices Martin and Moreau (joined by Karakatsanis) offered a contrary view in a lengthy segment of their opinion — holding that what police did here should be construed as an interception under Part VI of the Code. Their reasons are twofold. An interception doesn’t require a separate device; Justice Jamal, they believe, misconstrues the definition in the Code. They also cite the Court’s broader definition in R v Jones (2017): an “interception relates to actions by which a third party interjects itself into the communication process in real-time through technological means.” Their second reason is implicit in their argument: while Campbell knew he was conversing in writing — and thus wasn’t being surreptitiously recorded — he didn’t know he was being recorded by the state. This latter rationale would seem to conflict with Karakatsanis’ opinion with Chief Justice Wagner in Mills, where she found the exchange with an undercover officer did not constitute an interception or a privacy intrusion because even though Mills didn’t know he was conversing with a state agent, he did know he was being recorded.

Were there in fact exigent circumstances here?

Put another way, if hijacking the phone constituted a search (since it interfered with a reasonable privacy interest), was the search reasonable? It was reasonable if it was authorized by law (R v Collins , 1987). All three levels of court affirmed that this search was authorized by law, namely section 11(7) of the CDSA.

The remainder of Justice Jamal’s majority opinion deals with the exigency question, affirming the findings below that the requirements of 11(7) were made out here. I don’t believe he adds much to the Court’s earlier decision in Paterson (2017) glossing this provision. And I don’t share the concern on the part of the dissent or by other commentators on this case that a finding of exigency here will vastly expand the scope of that power. I think the finding that there was an immediate and real public safety concern in this case largely turns on the facts. The first four texts make explicit that the Dew was in a rush to be rid of his supply. There was a good reason to believe it contained fentanyl. And the danger that someone could die that day from this supply was real.

As Justice Jamal notes, there had to be a “reasonable probability of the claimed exigency,” and in this case the trial judge’s finding on this point was sound. Police might have been able to obtain a telewarrant, the trial judge reasoned, but Dew was impatient and might have sold the drugs by then. For the majority of the Supreme Court, no error in logic here.

Justices Martin and Moreau (along with Karakatsanis) in dissent held that the circumstances did not give rise to exigency under 11(7), because the danger was only hypothetical. Dew might sell to a buyer who in turn might provide a quantity of fentanyl to a user, but whether and when that would happen was all too speculative to meet the test of a probability of an imminent risk to public safety in 11(7). And as a consequence, the majority’s holding that it did meet this test will water down the requirements of 11(7). It will allow police to carry out warrantless searches in cases involving dangerous drugs too readily – relying on the dangerousness of the drug to create a sense of urgency that isn’t there. But as Justice Jamal and Rowe make clear in their respective opinions, probable grounds to believe danger is imminent does not require a certainty or even a balance of probabilities; simply a reasonable probability.

Again, I admire the sentiment – the sense of caution – in the Martin Moreau dissent, but I think the exigency issue in this case is largely about the particular wording of those first four texts. They were golden facts for the Crown. Not likely to be repeated. But that isn’t to say that Campbell won’t be a frequent citation for the Crown on section 8. It will also be a key case for defence. ■

{To receive new posts on law, technology, and digital freedoms in Canada, follow me on Substack .}