Faced with growing criticism of Bill C-22, the government this week mounted a coordinated defence, with senior officials from CSIS, the RCMP, and Public Safety Canada sitting for on-the-record briefings with the Globe and Mail, the CBC, and others. While officials tried to make the case for lawful access, they failed to make the case for Bill C-22, as their use cases reveal a consistent pattern of overreach. Indeed, whether the issue is metadata retention or the technical capabilities the bill would mandate, the powers it would grant extend well beyond the targeted needs the officials describe, resulting in a disproportionate bill in need of significant amendment.
As has been widely discussed, the current bill would establish mandatory metadata retention for up to a year, potentially targeting all electronic service providers. The government emphasizes that the new requirements do not cover the content of communications, web browsing history, and social media activity. But the data that remains in scope includes logs of which numbers have been in contact with which, and information from which a person’s movements can be reconstructed. That is why I have described the requirement as a surveillance map of virtually every Canadian.
Defending the one-year timeline, the RCMP pointed to the rise in extortion cases in which victims are first contacted via voice-over-internet protocol using spoofed numbers, and investigators must trace the call through signalling data that lasts “about a week to 10 days” before providers delete it in the ordinary course of business. Nothing in this example indicates an investigative need for transmission data that is months old, let alone a year old. Requiring year-long retention for access to records measured in days is the very definition of disproportionate.
The other RCMP example is even more troubling because it does not address the proportionality concern as much as it illustrates it. An RCMP official suggested that retained metadata could help identify individuals who were “on the scene or at least individuals who were in proximity” to a shooting. Identifying everyone near a location at a given moment is a dragnet that only works because the metadata of everyone in the vicinity has been retained in advance. To be clear, this is law enforcement confirming that Bill C-22 will have the effect of tracking virtually everyone through their devices. The constitutional question is whether a scheme that retains everyone’s data is a reasonable and proportionate response to the need, and “it would help us identify bystanders near a crime scene” surely does not meet the necessary standard.
Officials also repeated the mantra that Canada is the only Five Eyes country without a lawful access regime and that the bill would merely bring Canada to the “basement” of allied capability. But as discussed earlier this week, the United States imposes no general data retention mandate. In Europe, the Court of Justice struck down blanket retention in Digital Rights Ireland and narrowed it again in Tele2 Sverige. The truth is that Canada is proposing a measure that one of its closest partners does not impose and that Europe’s highest court has repeatedly found incompatible with fundamental rights.
The same pattern holds for the bill’s controversial technical capability mandates, which would empower the government to require providers to develop, implement, test, and maintain technical and operational capabilities to assist with access to information, including capabilities to track devices and to extract and organize data. CSIS described an operation in which it had obtained a warrant to track the cellphone of a suspect linked to a terror group but was thwarted because the provider lacked the technical capability to track the device, forcing the service into costly and risky physical surveillance. In other words, it says the legal authority existed, a court had authorized the tracking, and the obstacle was simply that the provider could not technically do what the warrant contemplated. This calls for the ability to assist in tracking a single identified device under a specific warrant. However, the bill would authorize an obligation on providers to build and maintain tracking capability across their networks, in advance, as a standing feature of their systems. That capability, once built, can be breached, abused, or repurposed, which is part of the systemic security risk many have raised. This is hard to square with Public Safety’s assurance that the bill “doesn’t allow for mass surveillance or tracking in real time,” since what CSIS described is a real-time device-tracking failure.
CSIS remarkably framed these capabilities as unexceptional, something allied agencies already possess. But the capability-notice powers involving issues such as tracking and encryption have faced blowback in other countries. For example, the United Kingdom’s Investigatory Powers Act was used by the British government to demand access to Apple’s encrypted iCloud data, and Apple responded by withdrawing its Advanced Data Protection encryption from the UK (the issue is still being contested).
CSIS also recounted a request from a foreign intelligence partner whose targets were associated with Canadian phone numbers obtained through a reseller that kept no sales records and did not track its clients’ activities. The use case describes a record-keeping problem, and a narrow obligation on resellers to keep basic subscriber and sales records would have answered the foreign partner’s question without requiring resellers to monitor their customers.
The briefings were meant to demonstrate that Bill C-22 is modest and misunderstood, but what they actually showed is that the bill is far more expansive than the needs the government identifies. The government says it is open to amendments. That should begin with more extensive hearings and reforms that remove or cap metadata retention at no more than thirty days and feature far greater narrowing and specificity on the issue of technical capability mandates.











