After several days of debate in which the opposition to lawful access seemed half-hearted at best, the Conservatives woke up on Monday. MP after MP rose to argue, correctly, that Bill C-22 represents an unprecedented surveillance threat: mandated metadata retention (including location information) for up to a year, security vulnerabilities built into the interception architecture the bill requires, and a weakened legal standard for access to subscriber information. After days of debate with the government visibly struggling to defend its own legislation, this is precisely what the opposition should be targeting (coverage from day one, day two, day three).

The strongest interventions included:

• Jacob Mantle, who parsed the electronic service provider definition to show it captures far more than telecoms and big tech, and who noted that the regulatory power in proposed paragraph 5(2)(a) extends to capabilities “related to extracting and organizing information” that go well beyond the metadata the government has publicly committed to. He also flagged that both cabinet regulations for core providers and ministerial orders are exempt from the Statutory Instruments Act, meaning they would never be published in the Canada Gazette, and that providers would be prohibited from disclosing that they are subject to such orders. He closed his intervention with the 2004-2005 Vodafone Greece interception breach and the Salt Typhoon intrusions as demonstrated evidence that lawful access architecture, once built, becomes a target.
• Roman Baber, who built the Charter argument that requiring providers to retain a year of metadata on every user, absent any specific offence, effectively conscripts them as agents of the state in what amounts to a suspicionless seizure. He also took the ESP definition concern further, arguing that banks, law firms, accounting firms, and educational institutions could all qualify under the bill’s current language.
• Matt Strauss, who cited OpenMedia, the Canadian Constitution Foundation, and David Fraser directly, and quoted the bill’s secrecy provisions by section number.
• Warren Steinley, who raised scope creep and network security risk, citing my commentary in the Globe and Mail and David Pierce of the Canadian Chamber of Commerce on the risks of compromised encryption and vulnerable data.
• Dan Mazier, who invoked R. v. Bykovets to argue that the current framework already provides for court-authorized access, preservation orders, and assistance orders, and that the bill’s answer is disproportionate to the problem it claims to solve.
• Cheryl Gallant, who emphasized the fact that Schedule 1, the list of core providers subject to mandatory capabilities, is blank: cabinet defines the bill’s operational scope after the bill has passed.

The Liberal response was largely missing in action. Across four days of debate, the government’s defence now focuses on claiming that Canada is the only country in the Five Eyes and the G7 without a modern lawful access regime. This was the theme repeated by Judy Sgro, Randeep Sarai, Sima Acan, Peter Fonseca, Julie Dzerowicz, and Kevin Lamoureux. But whether Canada should have a modern lawful access regime is not the issue. Rather, the public criticism and opposition MPs are rightly focused on the legislation’s proportionality and the risk of overreach.

The bill now heads to committee with its weaknesses more visible than they were four sitting days ago. As NDP MP Jenny Kwan noted, the Privacy Commissioner was not consulted in the drafting of C-22. The Charter statement has still not been released. And NSIRA, the independent oversight body the bill relies on to review ministerial orders under Part 2, is facing a fifteen per cent cut to its budget. Secretary of State Ruby Sahota’s comment during debate is telling: Bill C-22 is a first step. The government has signalled it intends to go further, but is clearly struggling to defend this bill with the opposition finally speaking out on the riskiest aspects of lawful access.