A big brother bill
Experts say Bill C-2 lowers the bar and broadens the scope to allow more access by police and intelligence agents to Canadians’ private data

If Prime Minister Mark Carney's election was meant to be a rejection of authoritarian trends south of the Canadian border, things are not off to a good start.
That’s Robert Diab’s conclusion given what’s been rolled into Bill C-2, the government’s Strong Borders Act, tabled in June.
While past governments have unsuccessfully attempted to make it easier for police to access Canadians' private data, specifically the subscriber information attached to an internet service provider account or an internet protocol address, he says the current government’s kick at the legal access can is in a league of its own.
“(The provisions) do more to expand the state’s power to access private data in Canada than any law in the past decade,” Diab, a professor of law at Thompson Rivers University, specializing in law and technology, and constitutional rights, wrote in a piece for Tech Policy.
In an interview with National, he says he was surprised by how many new search powers have been rolled into the omnibus bill, how extensive they are and how many are unrelated to border security.
Among the lawful access provisions buried among border security measures, the bill proposes expanding the legal definition of subscriber information. While there’s currently no definition in the Criminal Code, in 2014, the Supreme Court of Canada in R v Spencer defined it as “the name, address, and telephone number” of a customer associated with an internet protocol (IP) address.
Last year, in R v Bykovets, the Court went a bit further, defining subscriber information as “the name, address, and contact information” associated with an individual IP address.
The definition proposed in C-2 includes “information that the subscriber or client provided to the person in order to receive the services,” “identifiers assigned,” and “information relating to the services provided to the client.” This would capture types of services, information that identifies devices and equipment, account numbers and pseudonyms.
‘Astonishing breadth of demand’
The definition isn’t restricted to information associated with an IP address, nor is it just aimed at internet service providers. The bill empowers police and Canada’s spy agency to make an information demand to any “person who provides services to the public, or any subscriber to the services of such person.” That could include everything from a hospital, a women’s shelter, a psychiatrist or a financial institution.
Of particular concern is that these demands can be made of a service provider without a warrant or any judicial authorization as long as there are reasonable grounds to suspect a federal offence has been or will be committed, which the sought information will help investigate.
“I think it’s quite astonishing the breadth of the demand here,” says Michael Geist, the Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa’s Faculty of Law.
“The problem is that there are really an unlimited number of potential uses.”
He wonders about physicians and lawyers, who have ethical and legal obligations to keep that kind of information secret, as it’s either privileged or subject to intense privacy rules.
“Are we expecting lawyers to have to go to court to maintain solicitor-client privilege every time there’s a request?”
The irony is the suggestion that there’s some significant problem with the status quo that requires law enforcement to get a warrant for this information, given the large number of requests made yearly through the existing system. According to Rogers’ annual transparency report, in 2023, the company received nearly 169,000 requests from a court order/warrant for customer information. Shaw received more than 1,100 such requests. Customer information was shared by Rogers in more than 160,000 cases, and by Shaw in 1,425 instances.
As the Supreme Court noted in Bykovets, requiring police to get judicial authorization before obtaining an IP address “is not an onerous investigative step.”
In light of this, Geist isn’t sure why Bill C-2’s lawful access rules are needed, but he says the floodgates will open if the ability to access subscriber information without a warrant is granted.
He points to the fact that in 2011, the Office of the Privacy Commissioner of Canada asked Canadian telecom and internet providers for data on the number of requests for subscriber information they’d received from law enforcement. What was provided by just nine providers showed that in the year prior, more than a million requests had been made, many of which were generally restricted to child abuse investigations.
This was before the Supreme Court’s decision in Spencer, which challenged the practice and found that a reasonable expectation of privacy attaches to subscriber information. The Court said this could only be done based on exigent circumstances, i.e., an emergency, or pursuant to a reasonable law.
‘A dramatically low standard’
David Fraser, a partner at McInnes Cooper in Halifax who specializes in privacy and technology, says law enforcement officers can access this information every day through general production orders, which require reasonable grounds to believe an offence has been committed.
He says the proposed reasonable suspicion standard is “dramatically low” and expects it to be challenged in court.
“It’s the lowest standard in criminal law, so I would say this is vulnerable to being overturned.”
Building on Spencer, in Bykovets, the Supreme Court found that just as information attached to an IP address has a reasonable expectation of privacy, so does the IP address itself. Any request for this information from the state is a “search” under section 8 of the Charter, which guarantees the right to be secure against unreasonable search or seizure. The Court was clear that the section’s primary goal is the protection of privacy and an individual’s “right to be left alone.”
“If s. 8 of the Charter is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses,” it said.
“Viewed normatively, it is the key to unlocking a user’s Internet activity and, ultimately, their identity.”
However, Spencer left open the question of what would constitute a reasonable law authorizing the search of subscriber information.
“To this day there’s uncertainty as to whether a demand for a subscriber ID should require a warrant on reasonable suspicion or probable grounds,” Diab says.
In Bykovets, while the Court wasn’t deciding what would be a reasonable law authorizing the demand for an IP address, it did gesture at the existence of the production order in the code for transmission data, which is what police could and have used to get an IP address. That is available on reasonable suspicion.
“So if that’s appropriate for a mere IP address, one would infer that subscriber information, which seems more invasive because it more immediately ties you to a clear search history, would require something more,” Diab says.
“That’s what I assume a court will say.”
Bill C-2 also proposes limiting the period a production order can be challenged to five days after it is issued.
“In my opinion, that’s completely deranged and designed to make it impossible to challenge a production order,” Fraser says.
“It’s five days after the order is issued, not five days after it’s served. So you can have a cop sit on an order for five days and then deliver it, and you have no authorized recourse.”
In the production order challenges he’s been involved in, it took more than five days for the company to decide whether to take that dramatic step.
“I’m willing to bet a Superior Court would be more than happy to get its mitts on that and say it’s completely unreasonable,” Fraser says.
Secrecy baked into bill
If passed, Bill C-2 would enact the Supporting Authorized Access to Information Act, which would create a framework for the government to mandate electronic service providers, including internet providers and platforms like Gmail, iCloud, Zoom and social media, to grant lawful access to “authorized persons” to places where data is stored or transmitted.
Diab says this could include access to things like files, email, and chats, or installing equipment to provide direct access to intercept communications in real time.
While authorities would need a warrant in both cases, he says this gives police and intelligence agents too much power.
One possible scenario is where the minister compels a provider to install a device that gives police or intelligence agencies access to private information they don’t have a warrant for, or access that goes beyond the scope of their authorization.
“There aren’t ready means for this to come to light,” Diab says.
“So much of what will take place will be hidden behind the curtain of confidentiality between the authorities and providers that there will be very little oversight.”
That’s because it will be illegal for any service provider to say that they’re subject to a government order or to describe the order.
This is not unlike the technical capability notice the UK government reportedly issued to Apple earlier this year, requiring the company to create a backdoor for accessing encrypted user data stored on iCloud.
Diab says the notion that authorities can access communications, stored files, or stored data of any Canadian in secret is “discomforting” and a step backward from the Supreme Court’s pronouncements on section 8 not only protecting a right to a reasonable expectation of privacy, but also an interest in anonymity when online.
“Those assumptions are challenged here, and not in a way that can be contested under the Charter.”
Those aren’t the only secrecy and transparency concerns baked into the bill.
Geist says that for more than a decade, the transparency system in place in Canada has meant we’ve known something about the scope of disclosures to law enforcement from the likes of Rogers, Telus, Bell, and large internet companies. However, that won’t continue with such a broad range of actors subject to information demands.
Further, if passed, the bill would allow law enforcement to force the recipient of an information demand to not disclose it for a year and grant providers legal immunity for voluntarily providing information.
“Every law firm isn’t going to provide a transparency report on how many requests they’ve faced. That’s just not going to happen,” Geist says.
“If you open up the system in the way the government proposes, all of this will go underground.”
Opening the door to more data-sharing and abuse
Fraser says the authorized access provisions are also ripe for abuse.
While a service provider in Canada can push back against an order if it will create a systemic vulnerability related to its electronic protections, “in a whole bunch of ways this entire scheme of the bill will create systemic vulnerabilities.”
“If you require Rogers, Bell or Telus to install a particular device so that the RCMP can directly jack in, that same device can be used by Chinese hackers or other bad guys,” he says.
The bill also expands police power in Canada to allow them to compel a foreign company that provides services to the public to produce subscriber information and transmission data. Given how up in arms American politicians have been in the Apple case, with the UK government ordering the company to do something that will have consequences for American users, that's likely to go over like a lead balloon.
“It’s pretty offensive for the Canadian government to tell a non-Canadian company what to do,” Fraser says.
Diab says data-sharing is a big driver behind this ‘big brother’ bill. In a technical briefing in June, the government acknowledged that the intent of some of what’s proposed in C-2 is to help Canada implement and ratify a new data-sharing treaty, known as the “Second Additional Protocol” to the Budapest Convention.
The Citizen Lab at the University of Toronto has raised concerns about what this legislation might mean for data-sharing with American law enforcement.
In an analysis, the group, which focuses on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security, points out that this comes at the same time as closed-door negotiations of a potential bilateral law enforcement data-sharing agreement under U.S. legislation — the Clarifying Lawful Overseas Use of Data Act.
“This is meant to enable Canadian law enforcement to work in coordination with law enforcement in foreign countries to help them, to kind of reciprocate,” Diab says.
“It will just mean that the data shared in abusive circumstances can have even greater impact. Data breaches or improper access won’t be limited to police in Canada, but it will (be able to be shared) around the world, so it’s even more concerning.”
So in addition to opening the floodgates to a wide array of data-mining practices, the Citizen Lab warns the bill opens the door to information sharing with law enforcement in states like Mississippi, Idaho, or Tennessee, where abortion is illegal, by compelling warrantless access to information about whether a person has obtained services from an abortion clinic in Canada.
Overreach at every turn
Unsurprisingly, legal experts, academics, and civil liberties groups have fiercely criticized the proposed legislation. More than 300 organizations and 120 experts, including the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group, the BC Civil Liberties Association, and the Citizen Lab, have repeatedly called on the government to withdraw it.
“At every turn it’s overreach,” Fraser says.
Public Safety Minister Gary Anandasangaree said in June that C-2 is Charter compliant, as did the government’s Charter statement that followed. He insisted he’d never table a bill that posed a threat to Canadians’ civil liberties.
"It needed to be in line with the values of the Canadian Charter of Rights and Freedoms," he told reporters.
"I fundamentally believe that we can strike a balance that, while expanding powers in certain instances, does have the safeguards and the protections in place like protecting individual freedoms or rights."
While there may be a case for new police powers in the digital era, Geist says they should be in a standalone bill and debated on their merits. The fact that the government hoped this could be fast-tracked without people paying attention seems opportunistic.
“It establishes a terrible precedent, and it’s really disturbing to see the extent to which the government is burying deeply problematic privacy provisions in this bill.”
He says it all reminds him of a quote from Sun Microsystems CEO Scott McNealy, who famously said: “You have no privacy, get over it.”
“It feels like that’s the sort of position the government is taking here. If there’s any solace, it’s that I don’t think the Supreme Court of Canada is going to be prepared to take the same position.”