ANALYSIS: Should law enforcement have access to your personal data?

The feds have already had to amend their lawful access legislation. They should start from scratch instead
Written by Supriya Dwivedi
Prime Minister Mark Carney rises during Question Period in the House of Commons on Parliament Hill. (CP/Justin Tang)

For the last few months, several civil liberties groups, numerous legal experts, the Canadian Chamber of Commerce, as well as tech companies like Apple, Google, and Signal, have all been sounding the alarm on the privacy and cybersecurity issues contained in the Carney government’s Lawful Access Act, or Bill C-22.

Two of the most troubling aspects of the bill are metadata retention and new measures that would compel electronic service providers — companies that provide cloud services, messaging apps, social media platforms, and companies that provide internet services — to build a permanent backdoor surveillance mechanism for law enforcement and CSIS, breaking any encryption.

After weeks of suggesting that anyone who was criticizing the bill was simply misunderstanding it, the government has finally conceded that aspects of the bill need amendments. In speaking to reporters, Public Safety Minister Gary Anandasangaree confirmed that will include protection for end-to-end encryption. This is welcome news.

The worry over mandating backdoor surveillance and breaking encryption was made especially clear in the letter that the American House Judiciary and Foreign Affairs committees sent to Public Safety Minister Gary Anandasangaree earlier this month, which stated: “…if enacted, Bill C-22 would allow Canadian government officials to compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals.”

Basically: once you introduce a surveillance mechanism, that built-in backdoor exists for everyone, including hostile state actors and other cyber criminals who wish to exploit it. (And thanks to the advent of unregulated AI tools, our near future could very well see a scenario in which the powers of a skilled hacker are available to any plebe with a web browser and a working internet connection.)

With our trade issues still left unresolved with the U.S., and with Trump officials looking for any weakness on the Canadian side to exploit to their advantage, moving forward with an encryption breaking bill that we knew would piss off the Americans seemed like an uncharacteristic and blatant misstep from the Carney government on the U.S. trade file. It’s good to see that rectified.

But the government still seems intent on retaining some of its more troubling provisions related to metadata retention.

As written, C-22 would compel service providers to retain metadata for up to a year. That means there would be a record of every person you contacted and who contacted you, how long you talked for, on what device, as well as a complete picture of your movements, including locations one might want to keep private, like protests or medical appointments. 

Additionally, asking service providers to hang onto the metadata of every user is a massive cyber-security risk — the trove of metadata would be a valuable target for hackers — as well as a rather exorbitant financial burden for service providers. (Though the government has indicated that it is willing to amend the wording in the bill so that telecom companies like Rogers and Bell are provided with some level of compensation for making their systems compliant for law enforcement and CSIS.)

Part of the government’s justification is that they need to be in line with other jurisdictions when it comes to retaining metadata. That argument starts to fall apart when you realize that there is no comparable requirement under federal U.S. law (the closest comparison is a 90-day retention period) and European courts have consistently found that metadata that links online activity to one’s identity is considered private.

Oh, and our own Supreme Court has held up that standard as well. In a 2024 case, the Supreme Court even found that Section 8 of the Charter, which protects Canadians against unlawful search and seizure, extended to IP addresses: “If s. 8 of the Charter is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses.”

The government hasn’t really provided any insight into how the metadata retention would be Charter compliant, as the government’s own Charter statement on the bill is curiously silent on the issue. In the absence of any justification, and with existing jurisprudence, the notion that this part of the bill would survive a judicial review or that it is in line with the Charter is hard to believe.

The government had to scrap its first attempt at lawful access, Bill C-2, because of the level of opposition it received. Now, it is once again facing backlash over its second attempt with Bill C-22. Instead of trying to ram through legislation that might not be compliant with the Charter, the government might want to go back to the drawing board for a third time.