Citizen Lab and the Canadian Civil Liberties Association (CCLA) are urging lawmakers to withdraw key provisions of Canada's proposed lawful access legislation, Bill C-22, warning that it would create sweeping surveillance powers, undermine privacy rights, and pose significant cybersecurity risks.
Citizen Lab researchers Cynthia Khoo and Kate Robertson, together with CCLA technology and surveillance program director Tamir Israel, argued that several provisions of the legislation are likely unconstitutional and should not proceed in their current form.
Bill C-22 would expand the surveillance powers available to Canadian law enforcement and intelligence agencies while imposing new obligations on electronic service providers. The proposal has already drawn criticism from Apple, Meta, Signal, and Proton VPN, which have warned that the legislation could threaten encryption and user privacy.
The strongest criticism in the Citizen Lab report targets Part 2 of the bill, which would establish the Supporting Authorized Access to Information Act (SAAIA). The researchers say the measure would allow the government to impose broad technical requirements on service providers, potentially forcing them to modify systems or deploy surveillance capabilities to facilitate lawful access requests.
The report also raises concerns about a proposed metadata retention regime that could require providers to collect and store user metadata for up to one year. According to the researchers, the bill's broad definition of metadata could encompass records revealing communications, movements, application usage, and other sensitive information about individuals who are not suspected of any wrongdoing.
Citizen Lab further warns that surveillance capability mandates could weaken cybersecurity by creating new attack surfaces for cybercriminals and foreign intelligence agencies. The submission cites recent incidents, including the China-linked Salt Typhoon telecom intrusions, as examples of how lawful intercept systems can become attractive targets.
Beyond the surveillance provisions, the report criticizes sections of Bill C-22 that would clarify police access to publicly available information and information voluntarily disclosed by third parties. The researchers argue that those provisions conflict with existing Supreme Court of Canada rulings that recognize privacy protections can still apply even when information is publicly accessible or held by another party.
The submission also questions the government's lack of transparency regarding potential international data-sharing agreements that Bill C-22 could help facilitate, including possible arrangements under the Budapest Convention's Second Additional Protocol and a future Canada-US CLOUD Act agreement.
While Citizen Lab provided a series of amendments intended to reduce potential harms, the researchers said their primary recommendation is to withdraw the bill's most problematic sections, particularly Part 2, arguing that the proposed framework grants broad surveillance powers with insufficient safeguards or judicial oversight.
Leave a Reply