The Canadian government has introduced Bill C-22, the Lawful Access Act, which scales back warrantless access to personal information but maintains concerning backdoor surveillance provisions that could compromise network security and privacy.
The Canadian government has introduced Bill C-22, the Lawful Access Act, marking a significant shift in the country's approach to digital surveillance and law enforcement access to personal data. This legislation follows last year's controversial attempt to include similar provisions in Bill C-2, a border measures bill that faced immediate backlash over its unprecedented rules permitting widespread warrantless access to personal information.
The Good News: Scaling Back Warrantless Access
The first half of Bill C-22 addresses "timely access to data and information" and represents a notable improvement over previous proposals. The government has scrapped the earlier Bill C-2 iteration of a new information demand power that was astonishingly broad, covering far more than just communications providers by targeting anyone who provides a service in Canada, including physicians and lawyers.
Instead, the government has shifted to a new "confirmation of service" demand power. This would allow law enforcement to demand that telecom providers (not any service provider) confirm whether they provide service to a particular person. The other subscriber information would be subject to a new production order reviewed and approved by a judge.
This change addresses the longstanding police complaint that they may do considerable work seeking information about a subscriber at a provider, only to learn that the person isn't a customer and have to start over with someone else. The government has significantly limited the scope of warrantless information demand powers, now focusing solely on telecommunications providers and whether they provide service to a particular individual. Access to more personal information will require oversight.
However, concerns remain about the thresholds that the production orders envision, particularly the low "reasonable grounds to suspect" standard. The government has made a major concession by removing the most invasive warrantless access provisions, highlighting how Bill C-2 was too broad, dangerous from a privacy perspective, and unlikely to pass constitutional muster.
The Bad News: Backdoor Surveillance Remains
If the first half of the bill represents progress, the second half is deeply concerning. The Supporting Authorized Access to Information Act (SAAIA) establishes new requirements for communications providers to actively work with law enforcement on their surveillance and monitoring capabilities. These provisions are largely unchanged from Bill C-2 and in some ways worse.
The SAAIA has huge implications for network providers as it envisions providing law enforcement with direct access to provider networks to test capabilities for data access and interception. The bill introduces a new term – "electronic service provider" – that is presumably designed to extend beyond telecom and Internet providers by scoping in Internet platforms like Google, Meta, and others.
An electronic service provider is defined as "a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that (a) provides the service to persons in Canada; or (b) carries on all or part of its business activities in Canada."
All electronic service providers are subject to obligations to "provide all reasonable assistance, in any prescribed time and manner, to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information." Moreover, all are required to keep such requests secret.
Metadata Retention and Security Concerns
The bill introduces new metadata retention requirements that weren't in Bill C-2, actually expanding the scope of obligations. Core providers may be required to retain categories of metadata – including transmission data – for reasonable periods of time not exceeding one year.
There are some limits on data retention: the regulations cannot require providers to retain information that would reveal the content of communications, web browsing history, or social media activities. However, the bill retains an exception for systemic vulnerabilities, stating that a core provider is not required to comply with a provision if compliance would require introducing a systemic vulnerability or prevent rectifying such a vulnerability.
Critics argue this exception is insufficient and that there are real risks that networks may be made less secure by virtue of these rules, with the changes kept secret from the public. As Kate Robertson of the Citizen Lab has discussed, many of these rules appear geared toward global information sharing, including compliance with the Second Additional Protocol to the Budapest Convention (2AP) and the CLOUD Act.
The Bottom Line
The government may have taken warrantless access to subscriber information off the table, but serious privacy concerns remain associated with its lawful access plans. Bill C-22 represents a step forward in protecting personal information from warrantless access, but the backdoor surveillance provisions could fundamentally compromise the security and privacy of Canadian communications networks.
The legislation envisions a significant change to how government agencies interact with Canadian communications networks and network providers, raising enormous privacy and civil liberties concerns that will require careful scrutiny as the bill moves through Parliament.

