Opinion: Parliament must not allow Bill C-22 to break encryption

Photo by Gabby Jones/Bloomberg

Article content

The Canadian government is right to pursue lawful access reform under Bill C-22. But a key mistake remains in the proposed legislation: it leaves open a backdoor for government to access encrypted data. That door must be closed in order to protect Canadians’ privacy, as well as our relationship with our largest trading partner.

Article content

Lawful access allows police and intelligence agencies to use clear, reviewable mechanisms to obtain information that they are already legally entitled to seek, but to do so in a more timely manner. It means being able to confirm whether a digital service exists, identify the customer and provider, obtain limited subscriber information and ensure companies can efficiently comply with valid warrants.

Article content

Article content

Article content

It’s essential for Canada’s security agencies to have these powers. We cannot credibly ask to be treated as a trusted ally while lagging behind our G7 and Five Eyes partners. Nor will violent crime be blunted solely through bail reform and mandatory minimums — measures that target the foot soldiers of increasingly state-influenced transnational organized crime, not those who are actually in charge.

Article content

Article content

But Canada’s allies — particularly the United States — also expect us to have the necessary safeguards in place to protect commercial interests. That’s why Ottawa must take industry concerns seriously about C-22 providing backdoors to encrypted devices and information. In doing so, we’ll be protecting our national security, while strengthening our economic position by gaining leverage in upcoming trade negotiations.

Article content

Apple, Meta,NordVPN and Signal have all raised concerns about what the legislation means for their clients’ data privacy and security.

Article content

At present, the text of the bill does not live up to some of the more alarmist concerns that its opponents have raised, such as warrantless access to digital platforms. However, the bill’s key terms are broadly worded, leaving them vulnerable to regulatory amendments that could create such problems. C-22’s broad definitions, coupled with its special ministerial powers, validate these concerns.

Article content

Article content

As does recent experience. The Salt Typhoon breach, which compromised U.S. telecom networks, shows how surveillance infrastructure can become a target for hostile states. And in the United Kingdom, a ministerial demand for access to encrypted iCloud data prompted Apple to remove its advanced data protection for British users.

Article content

Article content

Canadian lawmakers must understand that any measures that pose a security risk or threaten the competitive advantage of digital giants will land on the White House’s radar, and draw attention from legislators on both sides of the congressional aisle. Indeed, last month the U.S. House committees on the judiciary and foreign affairs sent a stern warning to Public Safety Minister Gary Anandasangare about the threat posed by Bill C-22.

Article content

To address these concerns, Parliament must build safeguards directly into the legislation, not leave them to regulation or ministerial discretion. The law should clearly state that no regulation, compliance order or penalty may require a provider to weaken, or prevent, the use of end-to-end encryption — a term that should be defined as exhaustively as necessary to eliminate any loopholes. It should also declare that ministerial orders cannot override these statutory protections.