U.S. tech giants Google and Apple are raising concerns about the federal government’s Bill C-22, which would require technology companies to modify their systems to grant security agencies lawful access to user data.
The two companies testified before the House of Commons public safety committee on May 26 as it reviews the legislation.
Apple and Google focused their criticism on part 2 of the bill, which would enact the Supporting Authorized Access to Information Act. Through this act, Ottawa would be able to issue secret ministerial orders to electronic service providers to compel them to install equipment that may, among other things, “enable an authorized person to access information.”
The Apple representative warned about impacts to encryption and user privacy, and said the company would never insert “back doors” into its products.
Erik Neuenschwander, a senior director of user privacy, said Apple doesn’t know a way to deploy technology that would provide a bypass to encryption for the “good guys” without creating “new ways for the bad guys to break in.”
He pointed to the major telecommunications cyberattack linked to China and known by the code name “Salt Typhoon.” The operation targeted at least one Canadian company, along with several others worldwide.
Neuenschwander noted how the hackers exploited the systems put in place by internet service providers in the United States to process police wiretap requests following the adoption of the U.S. Communications Assistance for Law Enforcement Act.
“That law was narrower than Bill C-22, so imagine what could happen if more companies were required to create these vulnerabilities,” he said.
Tory MP Frank Caputo said during the committee meeting his party will bring amendments to the bill to protect encrypted systems. Encryption allows, among other things, for two users to exchange information without it being seen by a third party.
Following the committee meeting, Public Safety Minister Gary Anandasangaree said on May 27 the bill would be amended to clarify that encryption will be protected. He also said a clearer definition of metadata would be added to align with similar legislation in the United States.
Neuenschwander also cited the lack of transparency surrounding the ministerial orders introduced in the bill as a cause for concern.
“As you know, this may be one of the last times we’re permitted to discuss the consequences of this legislation publicly,” he said. “That’s because of the bill’s secrecy provisions, which forbid companies like Apple from even discussing the orders we receive with our users or the public.”
The federal government has been pushing back on criticism of the bill, which is coming from various stakeholders and experts.
Anandasangaree previously said the bill will not create a “back door” into electronic service providers’ systems and that it respects people’s rights and privacy.
“Bill C-22 will give law enforcement the tools they need to keep Canadians safe, while respecting the privacy and charter rights of Canadians,” he said in a May 11 social media post.
Ottawa says the legislation is needed to better equip police to combat modern forms of crime and that Canada is lagging behind its peers in establishing a lawful access regime.
Beyond Other Regimes
Google representatives appearing at committee on May 26 said Bill C-22 goes “well beyond” the lawful regimes adopted in other democracies.
“The essentially unbounded nature of the powers that are afforded to direct product changes by companies in secrecy and without judicial oversight, in the case of the ministerial orders, goes beyond any regime that I’m familiar with,” said Katherine Charlet, Google’s senior director of privacy, safety, and security.
The bill as written says companies would not be compelled to install components introducing “systemic vulnerabilities,” but Google’s Jeanette Patell said the definition of the concept in the bill is “dangerously narrow.”
“The law could be used to force the dismantling of critical privacy of architecture, such as breaking encryption, overriding users’ data deletion controls, or building remote access capability, all of which could facilitate foreign interference and weaken global user privacy, at a time when cyber threats are increasing in frequency and sophistication, and malicious actors are using AI tools to find and exploit vulnerabilities more quickly,” said Patell, director of government affairs at Google Canada.
The committee heard from many other stakeholders during the meeting, including the federal privacy commissioner and the Canadian Civil Liberties Association (CCLA).
The CCLA told the committee part 2 of Bill C-22 should be entirely scrapped, citing concerns around privacy and data protections, and risks of breach as exemplified by Salt Typhoon.
Privacy Commissioner Philippe Dufresne said he was consulted by Ottawa after Bill C-2, introduced last year, was shelved. That bill contained an attempt by the Liberal government to enact a lawful access regime.
Dufresne said some of his recommendations were taken into account in the introduction of Bill C-22, while many others were not. Some of his recommendations for C-22 pertain to part 1 of the bill, which relates to the security agencies obtaining subscriber information from electronic service providers without a warrant.
The commissioner recommends narrowing the definition of subscriber information to a client’s name, address, telephone number, and IP address. The bill currently has other identifiers such as pseudonyms and email addresses.
Dufresne also said the entities that can be compelled to produce subscriber information should be limited to telecommunications companies. Currently a large array of businesses could fall under the electronic service provider concept.
Police Support, Charter Concerns
Police forces have welcomed Bill C-22, and OPP Commissioner Thomas Carrique told MPs on the committee it is needed to better combat crime. He said nearly every modern investigation has a digital component and that criminals use encryption to mask their activities.
Speaking in his capacity as president of the Canadian Association of Chiefs of Police, Carrique also pushed back on concerns related to security agencies obtaining new powers.
“Bill C-22 is not about expanding unchecked police powers,” he said, but rather about facilitating investigations authorized through judicial oversight.
“Too often lawful access debates focus exclusively on privacy interests of suspects and financial interests of Big Tech, while overlooking the rights of victims to safety, justice, and timely intervention.”
Previous committee testimony from Meta, Facebook’s parent company, raised similar concerns to those of Apple and Google, saying the lawful access regime proposed by Ottawa would effectively enlist businesses in government surveillance.
Various VPN providers that offer anonymizing services for online activity, as well as the secure messaging app Signal, have said they would leave Canada or refuse to comply if Bill C-22 is adopted in its current form.
Law professors have also raised concerns about a provision in the bill that would compel electronic service providers to preserve the metadata of every user for a period of one year. Experts like law professor Robert Diab said this would amount to a breach of Section 8 of the Charter, which protects against unreasonable search and seizure.
Tory MP Roman Baber raised this issue with Justice Minister Sean Fraser when he appeared before the justice committee on May 25 on separate matters.
“How is that holding of the metadata without a search warrant—without an offence having been committed, but in the event that an offence has been committed—how is that not a breach of arbitrary seizure under the Charter?” Baber asked.
“I don’t view this to be the seizure of information by the government,” Fraser replied.
Baber countered that the private sector would be holding the information as ordered by the government, and would therefore act as an agent of the government.
“But it would be subject to the Charter, as always, in which case your right to reasonable expectation of privacy is protected, subject, of course, to reasonable limits outlined in Section 1,” said Fraser.
Baber responded the provision is “not compliant with the Charter,” adding it “sounds to me like you’re already moving in the direction of Section 1, trying to rely on reasonability.”
“I believe that I’ve made out a prima facie case that it violates the Charter,” Baber said.