Parliament Has Amended Bill C-22, But Has It Addressed the Biggest Privacy Concerns?


The House has passed the lawful access bill with amendments, still leaving crucial issues in question

The committee tasked with Bill C-22 worked past midnight Wednesday to meet the government’s goal of completing third reading of the bill before the House took its summer break, which begins today. To meet that deadline, the government curtailed clause-by-clause review of the bill, so the committee adopted only a few amendments, with little discussion or public disclosure.

I highlight two changes worth noting that touch on issues that generated the most criticism during the committee hearings: the bill’s potential impact on encryption and its metadata retention provisions.

The first set is being touted as a step forward, but it may not be.

Have the encryption concerns been resolved?

A major concern that Apple, Google, Meta, VPNs, and other companies raised before the committee and in the media was that the bill would compel them to make modifications to their systems that could compromise encryption. The concern was based on two powers in the bill.

One was the general power to order them to install a device or equipment, or develop ‘capabilities,’ that would give law enforcement access to private data. The other was the provision meant to rule out compelling a provider to weaken encryption, which was too narrowly worded to be effective.

The bill is now amended to make clear that anything a company is ordered to install will be done by the company itself, and the provision that precludes weakening encryption is more broadly worded. Providers need not modify the “protection of an electronic service that creates a credible risk” of unauthorized access, but the exclusion does not cover a risk that stems from a vulnerability that someone with authorized access might exploit.

Here’s the provision itself, with new text bolded:

systemic vulnerability means a vulnerability in the electronic protections of an electronic service that creates a credible risk, based on recognized international technical standards, that secure information could be accessed by a person who does not have any right or authority to do so, other than a risk that relates only to information related to persons with respect to whom a warrant, order or other authority to access information conferred under the Criminal Code or the Canadian Security Intelligence Service Act — or any similar authority conferred under another Act of Parliament — applies.

It’s hard to imagine what such a risk could entail. If a company is asked to do something that would create a risk that police acting with a warrant could exploit, then it would seem to be one that hackers could also exploit.

Another new provision, titled simply ‘Decryption,’ adopts language in US law to the effect that nothing in the act is to be construed to compel a provider to enable decryption, “unless the encryption was provided by the electronic service provider and the provider possesses the information necessary to decrypt the information.” That is, unless the provider holds the key, as Google does, for example, with Gmail or Google Drive; but not in the case of something end-to-end encrypted, like Apple’s Messages or a Signal or WhatsApp chat.

The broad assertion that nothing in the act is to be construed as compelling a provider to decrypt or enable decryption would seem to conflict with the revised definition of ‘systemic vulnerability’ discussed above. But, on one reading, this provision would prevail and rule out doing anything that might compromise end-to-end encryption.

Still, we might envision a scenario in which a government order compels a provider to do something which it believes is tantamount to compelling decryption because it would create a systemic vulnerability, and the government disagrees, on the grounds that the order doesn’t meet the definition of systemic vulnerability.

Put another way, the definition of the term ‘systemic vulnerability’ is the bill’s only mechanism for determining the meaning of the phrase ‘compelled decryption.’

What changed on metadata retention?

Another flashpoint in the bill was the Minister of Public Safety’s power to order providers to retain user metadata for up to a year, for possible use by police or CSIS. The bill is now amended to allow for retention for up to 6 months.

The committee also added a provision that requires the Minister to be “satisfied that the category [of metadata at issue] and all its elements are essential for facilitating effective and timely investigations under the Criminal Code” or the exercise of powers under the CSIS Act.

The amendment is intended to narrow the power. Does it do so in a meaningful way? It’s not clear to me that it does.

This is still a power to order the retention of almost everyone’s metadata without individualized suspicion for a significant period of time. The test of being “essential for facilitating effective and timely investigations” sounds like a high bar to meet. But it wouldn’t be assessed in the way that police having ‘reasonable grounds’ is challenged in a criminal case. A party would need to seek judicial review of the minister’s order. Would it be assessed on the standard of reasonableness, correctness, or palpable and overriding error? It’s not clear, since this would seem to depend on the order, the circumstances, and the way the challenge is framed.

Which brings me to a final point, brought to light by Sean Boynton’s informative coverage of the debate around this bill. In a recent piece on the metadata issue, he cites a Department of Justice official who points out that the metadata provisions in Bill C-22 don’t engage section 8 of the Charter and don’t violate anyone’s privacy, because they don’t in themselves require metadata retention. They merely give the Minister the power to make regulations to do so. It’s the regulations that would attract Charter scrutiny and call for a separate Charter Statement, which will be provided at that time.

Any regulation passed would “need to be assessed based on what data is covered, who must retain it, for how long, for what purpose, and what safeguards apply.”

Yes, this is a more precise picture of how the metadata provisions in the bill work. But it’s also a concession on the part of the government that critics (like me) have been right all along: metadata retention engages section 8, because the very idea of it constitutes an interference with a reasonable privacy interest in not having our metadata retained for a law-enforcement purpose — regardless of how long it is retained and whether retention is “essential” to making police or CSIS more effective.

Unless I’m mistaken, I do not believe any government lawyer clarified this point in the course of their many appearances before the Public Safety Committee. Given how often this came up and how preoccupied committee members were with it, a clarification may have been helpful earlier in the process.

When Parliament resumes in the fall, the bill will make its way through the Senate, which will likely propose further amendments that will need to be debated in the House, leaving the final form the bill will take in some degree of uncertainty.

But I’ll be following it all here. ■
