Ottawa is trying again to pass a lawful access bill that would give police quicker access to our personal information.
The Lawful Access Act in Bill C-22, tabled on Thursday, will also compel big telcos like Shaw and Telus to install equipment to collect and preserve more of our data and give law enforcement more direct access to it.
An earlier version of this bill was contained in Bill C-2, tabled last summer. As you may recall, that also contained new law pertaining to customs and immigration. The lawful access portions were carved out to be dealt with in a separate bill — one that would address the strong criticism of those new powers from various quarters.
The aim of this post is to offer a snapshot of key changes that stand out in C-22. (If it’s of interest, I did a deep dive on Bill C-2’s privacy provisions last summer here.)
My last blog post on this topic, back in December, was titled Five Ways to Fix Bill C-2. I’m happy to see that C-22 adopts all five of my recommendations — but, unfortunately, not entirely.
Some of the most controversial elements of C-2 have been narrowed in C-22, but others remain largely intact. And there is one new data retention duty, involving our cellphones, that is subtle but could be quite invasive.
Curtailing the information demand
The most controversial new power in C-2 was the “Information demand,” which allowed police to ask anyone who “provides a service” in Canada a series of questions about who they provided a service to, what it was, where and when. This could include a therapist, a gambling site, and so on.
C-22 renames this power a “Confirmation of service demand” and limits the scope of who can be asked to a “telecommunications service provider,” and what police can ask to simply whether a service was provided to a client or account identifier. Yes or no. Police can then obtain a production order — a warrant — for more information about that account knowing they won’t be barking up the wrong tree.
There were quibbles over the five-day window to challenge a demand, with some calling for a longer period. But it remains five days in the current bill.
Revising the production order for subscriber ID
At the moment police obtain the name and street address of someone linked to an online account by obtaining a warrant (which they then serve on Shaw, etc) on probable grounds to believe an offence has been committed. C-2 created a new warrant that reduced this to reasonable suspicion, but also extended the ambit of “subscriber information” to include not only a user’s name and address but also the “types of services provided.” I suggested either limiting what you can ask for or raising the standard.
C-22 doesn’t really do either. It slightly tweaks what can be obtained from information a person provided “to receive the services” to information that “may be used to identify” them. Hmmm… a distinction without a difference? At the press conference, officials touted this as a major show of restraint. The rest of the provision is the same. It still contains a list of things police can get, including “types of services provided.”
I’m not sure the courts — ultimately the Supreme Court of Canada — will find this to be a reasonable law under section 8 of the Charter. It contemplates access to a wide ambit of private information on something less than a warrant on probable grounds. Did this person, police might ask, subscribe to the following channels as part of his cable package? Were they a paid member of the “premium” tier on your gambling site? A lot of lifestyle information here, going right to the biographical core.
The Supreme Court’s holding in Spencer — that a high degree of privacy attaches to our search history, which police effectively obtain when they have a subscriber ID — would seem to call for more than reasonable suspicion. But it looks like the folks at the Department of Justice would like to roll the dice on this one.
One good thing, though: C-2 had reduced the time limits for challenging various production orders in the Code from 30 days to five days, and would have imposed the same limit on this new subscriber ID order. But in C-22, there will be a 10-day window for challenging these orders.
Changes to the new ‘Supporting Authorized Access to Information Act’
My other concerns and recommendations pertained to the new SAAIA. As you may recall, Bill C-2 contained an entirely new statute that imposed a set of obligations on “electronic service providers” (Shaw, Google) to make technical modifications that would preserve more of our information and give police a direct means of accessing it (if and when they have authority in law).
I joined others in pointing out a few shortcomings in the Act.
These included an assurance that no one would be compelled to introduce a “systematic vulnerability” or backdoor to encryption. But this was a meaningless guarantee since the term “systematic vulnerability” was not defined.
The new Act also contained no oversight of the government’s discretion over the kinds of measures it could impose. And it forced companies to maintain an enormous degree of secrecy — including a prohibition on telcos making known any vulnerabilities they might discover and wish to share with others to help prevent foreseeable data breaches.
Systematic vulnerability – and secrecy around it
C-22 now defines ‘systematic vulnerability’ to mean:
a vulnerability in the electronic protections of an electronic service that creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.
But why limit this to “an electronic service”? One answer is: because that’s what the Act is about. It’s about “electronic service providers” and their digital services. It doesn’t target people who make devices. So, the definition here precludes asking Apple to do anything to weaken iCloud’s protections. But it doesn’t preclude asking Apple to make modifications to the iPhone itself — or at least those sold in Canada. Maybe this is too far-fetched?
Well, consider one of the obligations the Minister will be able to impose on a provider like Apple or Google:
the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons…
This would seem to allow the Minister to pass a regulation requiring Apple or Google to make a modification to allow for data extraction not just to a service like Gmail or iCloud but to the operating system itself (i.e., iOS26, Android). And if either company took objection to this on the basis that it would introduce a systematic vulnerability, the Minister could say: no, that’s not an “electronic service,” your OS is part of the equipment. And that’s fair game.
But one welcome revision in C-22 is that the list of things that must remain confidential no longer includes “information related to a systemic vulnerability” or the potential for such. If companies discover some new way they can be hacked (relating to modifications under the Bill), and come up with a patch, they’re free to share this.
Oversight of the power to impose conditions
The Act contemplates telcos and large platforms like Google being deemed “core providers,” which would be subject to a set of obligations to be set out in future regulations (made public).
One new addition in C-22 is that the Minister of Public Safety must now consider a set of factors when formulating these obligations, including the costs that telcos would incur and the potential impact on personal privacy and cybersecurity.
A few privacy advocates had called for external review of any obligations imposed under the Act. Some of us suggested a provision requiring the Minister to consult with the Privacy Commissioner of Canada, or obtain their approval.
C-22 takes a step in this direction. Before the Minister can impose an order on ‘electronic service providers’ who are not ‘core providers,’ he or she must first seek the approval of the Intelligence Commissioner of Canada. That official plays a different role, one concerned with foreign signals intelligence and maintaining the integrity of Canada’s telecommunications infrastructure from cyber attack, among other things. In other words, not personal privacy.
A new obligation to retain metadata
One new power in C-22 not in C-2 (I thank Michael Geist for flagging this) is to require telcos to retain “categories of metadata,” such as the time and location in which a communication was sent or received or a service used. This information can be used to track a person’s location in time through cell-tower signals. This can be done now, but some providers don’t retain this data for very long. They can now be asked to retain it for up to a year.
The Bill makes an attempt to limit the scope of what might be captured here by asserting that this metadata-retention power
…does not authorize the making of regulations that require core providers to retain information that would reveal … the content — that is to say the substance, meaning or purpose — of information transmitted in the course of an electronic service.
That may be so. But in some cases, divulging this material would reveal private information about your whereabouts and activities. To be clear, this obligation on Shaw and company to retain this data is not a police power to obtain it. For that police would need a warrant.
In its briefing to journalists on Thursday, the government gave two scenarios to justify the need for this. CSIS is tracking a terrorist group and has a warrant to track a phone, but it’s with a service that doesn’t have location-tracking abilities. A 16-year-old girl goes missing for 10-days and then makes an emergency call; the phone company can confirm the call and pinpoint it to a certain tower, but doesn’t have the phone’s last known location before it was disconnected.
The solution to these problems in C-22 is to make telcos install tracking capabilities (if they lack them) but also to retain metadata about location. The effect of this is to lend a sense that data about all of our movements and communications will now be retained somewhere, for up to a year, with police having ready access. Is this the right trade-off between privacy and security?
There is no doubt more in this bill will come to light in the coming days as more commentators weigh in. I may come back and revise this post or write a follow-up in response.
For now, the short version is that C-22 makes some welcome improvements to C-2, but many of the underlying privacy concerns remain — along with some new ones.
I hope this overview was helpful.