New lawful access bill still lacking
The federal government has tabled Bill C-22, a second attempt at legislation, but observers said it only fixes a few of the problems that plagued C-2, tabled last year
The federal government has tabled a new version of its lawful access legislation. Although the changes follow extensive stakeholder consultations, privacy lawyers say that only a few of the concerns with the original bill were addressed.
As a result, serious concerns remain with Bill C-22, which has been separated from C-2, the controversial omnibus border security bill.
The first part of the new legislation deals primarily with production orders and narrows the scope of who can be asked for subscriber information to telecom providers. It also sets out explicit protections for medical providers and solicitor-client confidentiality, which were concerns raised in C-2.
The bill creates a lawful access framework that some observers complain Canada lacks, unlike our Five Eyes partners and other allies.
Chantal Bernier, co-chair of Dentons Canada LLP’s global privacy and cyber-security group and a former interim federal privacy commissioner, says, as was the case with several past attempts, C-22 seeks to extend the rule of law to the internet, which is necessary. But it’s creating privacy risks.
“Law enforcement and national security powers to access information were developed for an analog world and do not meet the law enforcement challenges created by the internet. So, modalities of enforcement must change,” she says.
“Principles, however, cannot change: the state cannot access personal data except with demonstrated grounds and judicial oversight.”
Bernier notes that while C-22 narrows the scope of new powers from C-2 and increases some oversight, it also expands international cooperation in law enforcement. The bill provides a formalized framework for production requests for foreign platforms such as Google or Meta, though it cannot compel those companies to produce the information.
On the upside, University of Ottawa law professor Michael Geist says that concerns about warrantless access to subscriber information in Bill C-2 have been addressed.
“The government has significantly limited the scope of these powers, now focusing solely on telecommunications providers and whether they provide service to a particular individual,” the Canada Research Chair in Internet and E-Commerce Law said in an email.
“Access to more personal information will require oversight. That’s a major concession and highlights how Bill C-2 was too broad, dangerous from a privacy perspective, and unlikely to pass constitutional muster.”
Under the revised legislation, the only information that can be obtained without a warrant is whether the telecom company services the phone number or IP address in question, which is a yes-or-no response. At that point, investigators can seek judicial authorization to obtain subscriber information associated with that identifier.
David Fraser, a partner at McInnes Cooper in Halifax who specializes in privacy and technology, nevertheless worries that the threshold for obtaining that information remains at the low bar of reasonable grounds to suspect, rather than the higher bar of reasonable grounds to believe.
“The reality is that they currently get production orders all the time on a reasonable ground to believe,” he says.
“Just suspecting a crime might have happened? They should be investigating crimes that have happened or that they really believe are likely to happen.”
Robert Diab, a law professor at Thompson Rivers University specializing in law and technology and constitutional rights, worries that the production order for subscriber information includes the types of services provided, which could run afoul of the Supreme Court of Canada’s decision in Bykovets.
“This contemplates access, with a warrant but on reasonable suspicion, for information that can be considered invasive,” he says.
“The Supreme Court of Canada has said that there is a high privacy interest in your subscriber information alone—in the name, and address attaching to an IP address—because once they have that, they can connect you to a search history.”
Geist says the legislation also requires telecom companies to build surveillance infrastructure to support law enforcement. That aspect is largely unchanged from this government’s first go-around, and the concerns about whether it strikes the right balance remain.
“Indeed, there are real fears that this will be viewed as a behind-the-scenes issue for telco companies and law enforcement to sort out,” he says.
“But the interests of Canadians and their privacy are essential and cannot be overlooked. Once established, the network surveillance capabilities will be there to stay, so they will require careful study and potential amendments.”
This also concerns Fraser, who says the bill’s second part is a “disaster.” The definition of “core providers” that may be subject to lawful access technical capability orders will be determined through the regulatory process. He also suspects that much of the pushback from telecom companies to C-2 stemmed from concerns about who would pay for installing these new capabilities, rather than from concerns about their users' privacy.
“Essentially, these are backdoors so that the police and CSIS can plug in and get real-time access to their information,” Fraser says.
Part two also grants authorization for ministerial orders that impose demands on these “core providers,” but the improvement over C-2 is that the federal intelligence commissioner must now approve the orders. That said, no new resources are attached to the commissioner in the legislation.
“The commissioner is a retired Superior Court judge who has had a whole career working on criminal and civil cases, and is pretty independent, and is already entrusted in the role with some supervising and approval of what CSIS and CSE do,” Fraser says.
“So any sort of judicial oversight or control is much better than an order from the minister without any checks or balances.”
Nevertheless, the demand that telecom companies be able to track all their phones in real time would, in essence, turn those phones into tracking devices, whose data can be obtained under a reasonable ground to suspect.
“Any police officer who wants to find out where anyone is will be able to because now they know the data exists,” Fraser says.
When this was raised during the press conference, Public Safety Minister Gary Anandasangaree said that most providers can already provide location services, and that there is a narrow set of guidelines for when that information would be required.
“It is not required in every particular demand, but at times it may be required for the immediate safety and security needs of an individual who may be human trafficked and whose life may be in danger,” he said.
“It is under very strict circumstances that would be allowed.”
The bill includes language that requires the government to avoid introducing systemic vulnerabilities into these systems through technical requirements, which differs from the previous version.
Diab notes that systemic vulnerabilities are not defined in the same way as they are in Australia’s lawful access regime, which states that anything that introduces a vulnerability to an entire class of devices or software is a systemic vulnerability.
“We don’t do that, but I’m not sure that our definition is inferior,” he says, noting he suspects that because Canada’s definition includes services, it would mean that iCloud would be considered a service, but not an iPhone.
“It’s certainly better than nothing, but it is curious that it’s limited to an electronic service rather than to equipment.”
Diab is also concerned over the lack of oversight when a minister imposes conditions on “core providers,” though the fact that those conditions are published publicly could be construed as a form of oversight. That said, one of the factors the minister must now consider when making orders is the potential impact of the order on privacy protection and cybersecurity. That was not a part of C-2.
He notes that under C-2, service providers were not allowed to share information regarding a systemic or potential vulnerability. That prohibition was removed, likely due to vocal complaints from some observers.
Although the Supreme Court of Canada has twice found lawful access to be unconstitutional, most recently in Bykovets, Justice Minister Sean Fraser believes the current bill will pass constitutional muster, given the engagement with experts that took place between the introduction of C-2 and the drafting of C-22.
He told reporters that the bulk of the work in that time was done by former MP Murray Rankin, who previously chaired the National Security and Intelligence Review Agency (NSIRA), and Professor Leah West, who brought their combined information law, national security, and cyber security expertise and the voices of others to understand how to protect the security interests of the nation and the privacy interests of citizens at the same time.
“That exercise…gives me confidence that we are going to, in a minimally impairing way, ensure that law enforcement has the information they need to complete their investigations and to prosecute and prevent crime.”