When the government introduced Bill C-2 last year, it buried the lawful access provisions at the end of an omnibus border security bill and said as little about it as possible. The strategy failed, the provisions were abandoned after widespread criticism, and the government spent months consulting stakeholders before trying again. Bill C-22, the Lawful Access Act, is the follow-up attempt. If the first day of House debate on the bill is any indication, the approach hasn’t changed, as the government is once again hoping no one notices what is actually in the bill.

The core concerns have been well documented (my posts on access to subscriber information, mandatory metadata retention, international production orders, and systemic vulnerabilities). Bill C-22’s metadata retention requirements would compel service providers to store data on all their users for up to a year, regardless of whether any user is suspected of anything. That is the architecture of a national surveillance database that would enable law enforcement to reach back in time and reconstruct the digital movements of virtually any Canadian with a connected device. Meanwhile, the bill would also require providers to permanently embed surveillance capabilities into Canadian networks through secret ministerial orders, an approach the international experience has shown doesn’t just threaten privacy, but actively makes communications infrastructure less secure for everyone. Both provisions raise serious constitutional questions, but neither received much attention on the floor of the House.

Justice Minister Sean Fraser spent most of his time on Part 1’s subscriber information regime, which is the bill’s biggest improvement over the earlier Bill C-2. The troubling metadata retention provision in Part 2 received just one paragraph as Fraser described it as focused on “large-scale networks” to understand “what messages may have been sent at what time.” Framing transmission data as a minor administrative matter rather than a comprehensive record of communications behaviour is dangerously misleading. Indeed, Fraser did not mention that the European Court of Justice struck down the EU Data Retention Directive in 2014 precisely because blanket retention of all users’ metadata is a disproportionate interference with fundamental rights. Perhaps the government’s Charter statement on the bill will address the issue, but it still hasn’t been released.

The surveillance architecture fared no better. One Conservative MP asked Fraser directly whether the bill creates a back door into encrypted communications. Fraser said no, citing Governor-in-Council regulations, ministerial orders, and the Intelligence Commissioner’s oversight as safeguards. That is a process answer, not a technical one. The concern is not simply about oversight and procedural safeguards. It is that requiring providers to build and permanently maintain intercept infrastructure risks creating systemic vulnerabilities in Canadian communications networks. Those vulnerabilities do not disappear because there have been some approvals along the way.

The Bloc identified an interesting issue: the government is expanding the powers of intelligence and law enforcement agencies while simultaneously cutting the budget of the National Security and Intelligence Review Agency by 15%, eliminating roughly eight positions, including lawyers, analysts, and investigators. NSIRA is the primary oversight body for intelligence activities in Canada and the main mechanism for retrospective review of how those powers are used. Cutting its capacity while creating new secret order-issuing authority leaves a significant gap in accountability.

The Conservatives focused on the constitutional concerns, but the lawful access concerns run deeper. The constitutionality of the law is basic table stakes. The opposition must also focus on what the law actually does, including the creation of a surveillance database covering virtually all Canadians and the risk of introducing systemic vulnerabilities that make everyone who uses a Canadian communications network less secure. Being tough on crime while preserving privacy and security are not competing objectives.

Thirty years of lawful access debate in Canada has produced one consistent pattern: the government of the day tables a bill, downplays the most invasive provisions, and hopes Canadians won’t notice. Bill C-2 broke that pattern, briefly, because the overreach was too obvious to ignore. Bill C-22’s concerns are different but no less troubling. It’s time to start paying attention.