What Kind of Access to Private Data Would Security Agencies Gain With Bill C-22?

Public Safety Minister Gary Anandasangaree speaks during a press conference at Cartier Square Drill Hall in Ottawa on March 12, 2026. The Canadian Press/Spencer Colby
News Analysis

The Liberal government is making a second attempt in the current Parliament to establish a legal regime that would allow security agencies to more easily identify users of cellphone and internet services and access certain account data.

Law enforcement has welcomed the move as necessary to conduct investigations in the modern world, while civil liberties advocates are raising privacy concerns.

Ottawa says the bill is necessary to modernize legislation and provide law enforcement and the Canadian Security Intelligence Service (CSIS) with better tools to pursue investigations into everything from drug trafficking to foreign interference.

The Liberal government had initially attempted to create what is called a “lawful access” regime through the first iteration of its border security legislation, Bill C-2, tabled in June 2025.
Facing concerns from opposition parties and civil liberties groups, the Liberals hived off the border security portion of Bill C-2 into Bill C-12—for which the Senate is now proposing amendments—and the lawful access portion was transferred into the recently tabled Bill C-22, known as the Lawful Access Act.

Some modifications have been made to the lawful access regime proposed in Bill C-22 compared to Bill C-2. The government has narrowed the types of service providers that can receive information requests from security agencies.

“By restricting the definition of service provider to electronic service providers, effectively cellphone companies, internet service providers, we can communicate to Canadians that our intent is not to go after health-care information from a family physician,” Justice Minister Sean Fraser said when the bill was introduced on March 12.

The government is also proposing increased oversight and transparency in its lawful access regime.

What remains in Bill C-22 is a provision allowing security agencies to ask a telecom or internet service provider whether it offers services to a specific individual, based on a “reasonable suspicion” that a crime has been or will be committed. No judicial authorization would be needed to obtain this private information.

By confirming without a warrant that a suspected individual has used a specific electronic service provider, law enforcement and CSIS would be able to subsequently make a request to a judge to obtain a production order on a user account. The information sought could include “all the subscriber information that relates to any information, including transmission data,” according to the text of Bill C-22.

Data Retention

Security agencies are already able to obtain a sizeable amount of data on their investigation subjects through judicial authorization, including intercepting communications, but in some cases the historical information they are seeking might not be available.

Part 2 of Bill C-22, the Supporting Authorized Access to Information Act, seeks to address that situation.

The entities impacted could broadly include electronic service providers such as telecommunications companies, cloud server businesses, or social media companies. “Electronic service” is defined in the bill as any service that involves “the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form” by an electronic, digital, acoustic, or other technological means.

Through ministerial orders, the federal government intends to compel service providers identified as “core providers” to create and maintain the technological infrastructure that would allow the extraction of information sought by law enforcement or CSIS.

This could include the installation of a device within the core providers’ systems to enable access by security agencies.

Core providers would be required to retain user information for a period of time not exceeding one year, and this would include categories of metadata such as transmission data.

This suggests that the bill would grant security agencies the ability to trace back a person’s whereabouts during a period of one year by examining which technical infrastructure, such as cell towers, was being accessed by a device at what time.

The bill notes, however, that core providers would not be required to retain the content of communications, such as text written in an SMS or on a messaging app, or a person’s web browsing history or social media activities.

Bill C-22 has a confidentiality clause that prohibits an electronic service provider from disclosing various types of information including whether it is the subject of a ministerial order for its implementation.

While the clause shields the program from public view, Ottawa says Bill C-22 offers improved transparency and oversight compared with Bill C-2.
Ministerial orders directed at providers must be approved by the intelligence commissioner, who oversees national security and intelligence activities, and the minister of public safety must table an annual report on the program. The privacy commissioner would not be engaged in the process.
A clause of the bill would also require the lawful access legislation to be reviewed by Parliament three years after coming into force.

Privacy Concerns

With Bill C-22 only tabled on March 12 and the House of Commons not sitting this week, from March 16 to 20, reactions to the legislation have been limited so far.

Some civil liberties groups like the Justice Centre for Constitutional Freedoms (JCCF) have begun raising concerns. The JCCF warns that Ottawa could be first establishing the infrastructure in order to access people’s data at a later time.

“The federal government is not coming for Canadians’ internet search histories or social media activities (yet). Information later. Infrastructure now,” the group said in a statement posted on X on March 16.

“This legislation will establish significant federal government control over internet platforms (like Google or X), over telecommunications and internet providers (like Telus or Rogers), and over anyone else providing an electronic service in Canada.”

A similar issue was raised by Ottawa law professor Michael Geist, who said “serious privacy concerns” remain in Bill C-22 regarding how it would compel electronic service providers to store information on the communications of all their users, “regardless of whether those users are suspected of anything.”

“It is one of the most privacy invasive tools a government can deploy and the international experience suggests that there are major privacy risks,” Geist wrote in a March 17 blog post. Geist added that a similar blanket data retention directive was struck down by the Court of Justice of the European Union in 2014, saying it interfered with people’s rights to privacy and data protection.

Government’s Stance

Meanwhile, Public Safety Minister Gary Anandasangaree says his government has been responsive to concerns expressed about Bill C-2 and that Bill C-22 “balances the needs of law enforcement with the privacy and civil rights that Canadians demand.”

“It is not about surveillance of Canadians going on about their daily lives. It is about keeping Canadians safe in the online space,” the minister said on March 12 when announcing his new piece of legislation.

Justice Minister Fraser also said at the time that privacy rights will be protected and that the new tools are “necessary to address crimes that are taking place in the modern world.”

Ottawa’s push to create a lawful access regime has received the backing of various police forces.

Bryan Larkin, RCMP senior deputy commissioner, said 24 police services in Canada had already come together to build a relationship with electronic service providers like telecommunications and social media companies. Speaking alongside federal ministers at a press conference on March 12, he said Bill C-22 would provide law enforcement with a “framework” and “modernized tools” to strengthen the ability to access information they require.

Nick Milinovich, deputy chief with Peel Regional Police, said lawful access is key to investigating crimes like extortion.

“It begins with a threat that’s delivered digitally, and our ability to identify the people that are responsible for that, and do it in a way that is expedient, is absolutely centred on our ability to access information lawfully, judicially, and with the guardrails that protect people’s privacy interests,” he said following comments by Larkin.

Noé Chartier
Noé Chartier is a senior reporter with the Canadian edition of The Epoch Times. Twitter: @NChartierET