The lawful access debate in Canada has to date focused on privacy concerns such as access to subscriber information, mandatory metadata retention, and international production orders. But there is another dimension to Bill C-22 that has received less attention and may matter even more to the daily security of Canadians: the risk that the bill’s surveillance-capability requirements and lack of clarity about systemic vulnerabilities will make Canadians less secure. The international experience with similar laws is not reassuring, as it points to risks of hacking, removal of security features that protect users, and reduced investment and innovation. Bill C-22 heads in much the same direction.
Post Tagged with: "lawful access"
Scoping in the Tech Giants: Bill C-22’s International Production Order and the Shift to a Less Privacy-Protective Cross-Border Disclosure System
While much of the focus on lawful access and subscriber information has centred on the reduced standards for obtaining an order for such information from Canadian telecom and Internet providers, there is another new production order deserving of attention (see earlier posts on domestic subscriber information standards and mandatory metadata retention). Bill C-22 introduces a new mechanism for Canadian courts to authorize police to request subscriber information and transmission data held outside the country directly from foreign platforms such as Google, Meta, and other services that provide communications services to the public. The provision is presented as a tool to modernize cross-border investigations, but in practice, it is likely to reduce privacy safeguards.
The Law Bytes Podcast, Episode 263: The Lawful Access Act Roundtable With David Fraser and Robert Diab
Lawful access is back. The decades-long battle has entered a new phase with the introduction of Bill C-22, the Lawful Access Act. This bill follows last spring’s attempt to bury lawful access provisions in Bill C-2, a border measures bill. The latest bill covers the two main aspects of lawful access: law enforcement access to personal information held by communication service providers such as ISPs and wireless providers, and the development of surveillance and monitoring capabilities within Canadian networks.
To discuss the latest iteration of lawful access, I’m joined on the Law Bytes podcast by David Fraser and Robert Diab for a roundtable discussion of the key elements of the proposed legislation. David is one of Canada’s leading privacy lawyers and a partner with McInness Cooper in Halifax, and Robert is a law professor at Thompson Rivers University in BC and the co-author of a book on search and seizure law.
The Hidden Lawful Access Tradeoff: How Bill C-22 Lowers the Evidentiary Standards for Police Access to Subscriber Information
The return of lawful access in Bill C-22 has unsurprisingly focused on the government’s significant shift on warrantless access to subscriber information, which was the headline concern with Bill C-2, the previous lawful access proposal. As noted in my initial summary of the bill, Bill C-22 establishes court oversight for subscriber information with the warrantless access piece limited to requiring telecom companies to confirm whether they provide service to a given individual. That is a positive step, but there is a tradeoff, namely that the evidentiary standard needed to obtain an order for access to subscriber information is actually being lowered.
The Lawful Access Privacy Risks: Unpacking Bill C-22’s Expansive Metadata Retention Requirements
Much of the discussion around the new lawful access bill (Bill C-22) has focused on provisions that improved upon Bill C-2, notably the decision to scrap the warrantless information demand power by requiring judicial oversight for access to subscriber information. Yet despite that improvement, there remain serious privacy concerns with the government’s latest iteration of lawful access. Buried in the second half of Bill C-22 is a provision granting the government the power to require “core providers” to retain categories of metadata, including transmission data, for up to one year. This is mandatory metadata retention that would require telecom and electronic service providers to store information about the communications of all their users, regardless of whether those users are suspected of anything. It is one of the most privacy invasive tools a government can deploy and the international experience suggests that there are major privacy risks.
Recent Posts
Heads They Win, Tails We Lose: What Lies Behind the U.S. Trade Battle For Control over Data 
Still Not a Privacy Law: Bill C-25’s Political Party Privacy Provisions Fall Short Again 
Could Bill C-22 Make Canadians Less Safe? The Systemic Vulnerability Gap in Canada’s New Surveillance Law 
Why the Verdict on Social Media Defective Design Harming Children Gets the Instinct Right But the Law Wrong 
Scoping in the Tech Giants: Bill C-22’s International Production Order and the Shift to a Less Privacy-Protective Cross-Border Disclosure System
