Earlier this month, when no other party would support the Liberals in passing Bill C-2—the ‘Strong Borders Act,’ with its controversial surveillance powers—the government shelved it.
More precisely, it split off the contentious parts of the bill from the customs and immigration provisions meant to appease our neighbours to the south and re-tabled those as Bill C-12.
But it didn’t withdraw C-2. The Minister of Public Safety insists that all of C-2 is still on the agenda.
Among the most concerning parts of C-2 that were temporarily shelved are the ‘lawful access’ provisions found in a new statute that the Bill would have brought about: the ‘Supporting Authorized Access to Information Act.’
As I’ve written earlier, this new law would have given the government the power to compel ‘electronic service providers’ like Shaw or Telus, or Apple and Google, to ‘install equipment’ or make technical modifications to give police and CSIS direct access to private data for real-time interception or seizure of stored communications. That’s your email, texts, and everything you have stored in iCloud, in case you were wondering.
Of course, police or CSIS would still need a warrant or lawful authority (exigent circumstances, etc) before acting. The chief concern was that C-2 imposed few limits on what modifications the government could compel ESPs to make. It also shrouded the whole process of issuing orders and carrying out inspections to oversee them in an enormous degree of secrecy.
The powers were ripe for abuse. Modifications could easily result in inadvertent police access or privacy breaches, without ever coming to light.
More to the point, knowing that our communications and cloud infrastructure would have direct law enforcement access so deeply integrated would leave every Canadian feeling less secure about their privacy online.
If you can never be sure whether the state might be listening, even inadvertently, you begin to assume it. Maybe most people do after Snowden. But with a lawful access regime like the one set out in C-2, the feeling would become all the more palpable, the concern less abstract.
Why Parliament thinks we need it
The National Security and Intelligence Committee of Parliamentarians has studied this issue for three years. In March, it produced a 78-page confidential report, which was lightly redacted before being made public last month. It offers a detailed defence of the need for a lawful access regime, but not one I find persuasive.
However, the report is impressive in its scope. It contains an extensive overview of the privacy issues at stake, problems raised by compelling back doors to encryption, and the history of prior attempts in Canada to pass a lawful access bill. The Committee commissioned and drew upon papers from notable authorities including Ben Goold, Michael Geist, and Ron Deibert, making it a valuable resource.
I briefly highlight here the crux of the committee’s findings. My aim is not to set out a detailed analysis, but to sketch the general argument.
First, CSIS and the RCMP say they need to the power to compel folks at Telus and Shaw to install interception capabilities because they face serious “challenges” in accessing data even after obtaining warrants—though they can’t say how often or how serious those problems are:
The Committee did not see any clear, empirical data to substantiate claims by Canada’s security and intelligence organizations that they face serious lawful access challenges because of rapidly evolving technology. CSIS and the RCMP do not systematically track how often they encounter various technological challenges in their national security investigations, for example, instances in which communications content could not be accessed because of encryption. As a result, they do not know in quantifiable terms the degree of impact and overall significance of these challenges.
Nevertheless, the Committee was satisfied that police and CSIS need more tools:
However, the Committee heard compelling and detailed testimony about how the rapid pace of technological change has increased the complexity, operational risk and cost of national security investigations. More digital devices, more communications applications or apps, and more operating systems mean that investigators need to develop more methods of access, with an impact on both time and resources.
So how specific and compelling was this evidence?
Earlier in the report, the “increasing complexity” refers to communication unfolding on a wider variety of apps and devices. Much of it is end-to-end encrypted. It’s often cross-border or served by platforms based in the US. To illustrate these trends, we’re given a few case studies involving national security investigations, but it isn’t clear how representative they are.
The most concrete data we’re given pertains to the claim that the proliferation of apps and devices has increased the cost and complexity of investigations, including the use of On-Device Investigative Tools (ODITs). One chart shows that over the past seven years, successful deployments of ODITs—using special software to circumvent the encryption on a device like a phone—has declined over time. But the number of cases here is tiny: 2-3 each year from 2017 to 2020 and all uses of ODITs were successful; 15-16 in 2021-2022, with only half successful; then 8 in 2023, with only 2 successful; and none conducted in 2024. In short, over the years, police have struggled to break into a handful of phones.
Another key argument was that often, by the time police or CSIS get a warrant to obtain data from Shaw or Telus, it’s deleted or it’s stored on servers in the US, making retrieval too slow and cumbersome. But again, the numbers are vague. There may be “investigative friction,” as one paper put it, but how much is unclear. We’re left with little more than a sentiment: police don’t like these impediments and would like them removed.
The Committee’s conclusion — that “the RCMP and CSIS face significant challenges” and lawful access is the answer — is never clearly established. Nor is their other general argument for a lawful access bill: our other Five Eyes partners have one, and we should too.
Problems with this picture
But not all of our Five Eyes partners have the kind of lawful access regime the Committee is calling for, and not the kind set out in C-2. Only Australia and the UK compel providers to build intercept capabilities — and just because they do, doesn’t mean we should. As the report notes, the US and New Zealand instead set standards for data retention and access but not law compelling specific companies to install intercept capabilities.
The Committee also sees a lawful access regime playing an important role in negotiations of mutual legal assistance treaties, like the one under way pursuant to the US CLOUD Act or the 2nd Additional Protocol to the Budapest Convention on Cybercrime to which we are a signatory. Having a regime in place, the report argues, will help secure an agreement with the US allowing cross-border data access (from Google, Meta, Shaw) without requiring a court order in the target country.
Now, of course, countries might agree to this in a treaty, but to ratify the treaty in domestic legislation, search powers would have to be Charter-compliant. But it’s easy to imagine some searches taking place beyond the ambit of the Charter.
I’m not alone in positing a scenario where US police obtain data from a provider in Canada without going through Canada’s courts, and then seek the extradition of a Canadian to stand trial in the US. In this case, the person might argue a Charter breach when fighting extradition.
But this kind of impact of lawful access on data sharing agreements doesn’t feature in the report. The Committee touts lawful access without fully canvassing the ways that mutual assistance can compound the consequences of an unlawful search.
Some silver lining
But there are a few bright spots. The report affirms the merits of strong encryption and confirms that neither law enforcement nor government seek a power to compel back doors.
It also recommends that a lawful access bill should define the intercept capabilities the government can impose on service providers and specify mandatory technical standards to be adopted.
Put another way, the report envisions a more constrained set of powers around interception capabilities than the ones found in Bill C-2.
Interestingly, there’s little in the report endorsing the sweeping secrecy provisions in C-2 that would conceal “technical modification” orders and their oversight.
If the report was meant to justify C-2, the drafters of the bill seem to have gone well off script.