Experts, Scholars Sign Open Letter Raising Concerns About Warrantless Wiretapping

Experts and scholars are raising the alarm about Bill C-22, Canada’s latest warrantless wiretapping bill.

The Canadian government is, once again, trying to push through warrantless wiretapping under the name “lawful access”. The Canadian government has been pushing this for more than 20 years now, both under the Conservative and Liberal watch. It’s one of those bills that no one wants, but the government is hellbent on pushing anyway because human rights just won’t crack down on themselves.

The bill itself isn’t the only thing making a return in all of this. The government is also rolling out the “greatest hits” of talking points as well. Those tired nonsense talking points include “technology has changed”, “it’s only metadata akin to looking it up on the phone book”, “police are being bogged down by paperwork”, and “crime is moving quickly”. Yes, the talking points are so old and tired, they are still referencing phone books. Those talking points have long been shot down over the last two decades as well and people like us are booing them and calling the government to get new material. The government, however, doesn’t seem to care and appear to be more “going through the motions” at this point without a care how the public perceives this madness.

The last we touched on this stupid debate, the government was ramming this through the legislative process by shutting down debate. This bill is massively controversial for reasons that should be obvious, so, much like the clusterfucks that were the Online News Act, Online Streaming Act, and the Digital Services Tax, the government isn’t exactly keen on having people point out what a horrible idea warrantless wiretapping legislation is. For a fourth time, we are witnessing the government adopt a legislative process of “shut up and take it, bitch”.

Still, that isn’t stopping experts and scholars from speaking out. In an open letter, those scholars and experts are raising several serious concerns about Bill C-22. From the open letter:

First, the new production order for subscriber information, to be added to the Criminal Code as section 487.0142, retains a legal threshold that is too low and a scope of disclosure that is too broad. As affirmed by the Supreme Court of Canada’s decision in R v Spencer, Canadians have had a strong privacy interest in anonymity online. The existing general production order — available since 2004 and readily obtained by telewarrant — already gives police an effective tool to link an IP address or phone number to a named subscriber, and requires them to establish reasonable grounds to believe that an offence has been committed. Bill C-22 creates a new, dedicated subscriber information order that reduces that standard to reasonable grounds to suspect. The courts have held that this distinction is not semantic: in R v West, the Ontario Court of Appeal excluded evidence obtained through a production order precisely because the officer had established only grounds to suspect rather than grounds to believe.

The scope of disclosure under the new order is a further concern. Although the definition of subscriber information has been narrowed compared to Bill C-2, the order still allows for production of a broad scope of information, including the types of services provided and the identifiers of every device associated with the account. This goes well beyond what is needed to connect a name to an IP address. It can be directed to a physician, a cable company, or a platform like iCloud, requiring disclosure of what cable packages a person subscribes to, what medical services they receive, or what devices they use. Much of this information carries a high privacy interest and calls for a higher legal standard. If Parliament seeks to create a subscriber information order that can withstand scrutiny under section 8 of the Charter, it should narrow the scope to basic identifying information — name, address, and the specific account identifier in question — and raise the threshold to reasonable grounds to believe.

Including analogous powers in the Canadian Security Intelligence Service Act (CSIS Act) raises even greater issues. Unlike criminal defendants, “persons of interest” to CSIS are never given an opportunity in court to challenge the intrusion of state power into their private lives. The Charter concerns are more acute with CSIS, and the Service should have to satisfy a “reasonable grounds to believe” threshold for all of these authorities.

Second, we are concerned that Bill C-22 introduces mandatory metadata retention without the constitutional basis to support it. Section 5(2)(d) of the Supporting Authorized Access to Information Act (SAAIA) in Part 2 of the Bill would authorize regulations requiring “core providers” to retain categories of metadata, including transmission data capturing the date, time, duration, type, and location of every communication, for up to one year. This amounts to a blanket obligation to preserve a detailed record of the movements and associations of every Canadian who uses a regulated service, with no requirement for individualized suspicion.

This kind of general and indiscriminate retention of metadata about entire populations has been rejected by the Court of Justice of the European Union as a disproportionate interference with fundamental privacy rights, and similar domestic retention laws have been struck down by the constitutional courts of several EU member states. The Canadian courts are likely to reach the same conclusion. Parliament’s own judgment on this question is instructive. The current Criminal Code scheme for “preservation demands” and “preservation orders” has long proceeded on the assumption that compelling a provider to preserve personal data engages section 8 of the Charter and requires authorization — either lawful grounds or a warrant. A blanket obligation to retain the metadata of millions of Canadians for up to a year without any individualized trigger is not consistent with section 8 and will not survive a constitutional challenge.

Third, the SAAIA’s surveillance-capability framework raises serious concerns about both the security of Canadians and the rule of law. The Act imposes sweeping obligations on “core providers” and potentially on any “electronic service provider” (ESP) to develop, implement, test, and maintain technical capabilities for law enforcement access, including capabilities related to extracting and organizing information. A more balanced approach would limit the scope of these powers to preclude an obligation to (i) make changes to products or services that a business provides in the ordinary course of business, (ii) collect and retain any data beyond what the business requires for its own purposes, and (iii) make any changes that would affect the functionality (including ordering additional functionality) for any products or services offered by the business.

When initially proposed in Bill C-2, the SAAIA had also raised concerns about the meaning of “systemic vulnerability.” This is now defined in Bill C-22 and service providers are not required to comply with an order under the act if compliance would introduce a “substantial” risk of unauthorized access to “secure” information. But the definition of the term remains too narrow. It requires an excessive threshold of substantiality of risk that inherently exposes persons and data in Canada to cyber adversaries and national security threats. Moreover, the definition applies only to vulnerabilities in the electronic protections of an electronic service, meaning it may not extend to the operating systems of devices. A ministerial order could require a company like Apple or Google to build extraction capabilities into its operating system without triggering the safeguard, even if the practical effect would be to undermine end-to-end encryption or device security. The international experience under even narrower legislation — including the vulnerabilities exposed in United States telecommunications networks following the Salt Typhoon intrusion — illustrates concretely how mandated surveillance access creates security risks that adversaries can and do exploit. The legislative scheme further presumes that ESPs will all indeed object and pursue judicial review of orders that present cybersecurity and national security dangers, when international experience has taught that not all will do so.

For those that don’t know, the salt typhoon hack was something that blew up the entire warrantless wiretapping arguments clear back in 2024. I won’t re-write the whole article, but the gist of it is that AT&T had implemented a wiretap system that was supposed to be for “good guys” only. This had shades of the concept of the “safely breaking encryption” nonsense we’ve heard over the years. While the idea was that law enforcement would be the only ones having access, the predictable happened: the system was hacked by Chinese hackers. Presumably, the Chinese government also had access to the wiretap system as a result. It was a clear cut example of how all this surveillance has compromised American safety and security. At any rate, it wasn’t even clear how long the hack was in place, but what is known is that the backdoor was in place for “months or longer”, so it went completely unnoticed for a very long period of time on top of it all.

This is the very scenario that security and privacy experts had warned about, but were completely ignored. As a result, the outcome was predictable, but a belligerent government decided it was hell bent on learning this the hard way.

The completely insane thing is the fact that the Canadian government is now hell bent on repeating these exact same mistakes. The Salt Typhoon hack should be the story that ends these stupid warrantless wiretapping debates. It’s a bad idea and there is no such thing as a wiretap system that can only be used by “the good guys”. You are simply compromising the security of individuals. If foreign nationals are worried about their personal safety, just wait until the Canadian government compromises all of their communications on a stupid quest to implement warrantless wiretapping. It’s basically an open invitation for bad actors to “come on in”.

All of these warnings are things that the government should be heeding. Sadly, it looks like the government is rolling out the same old playbook of ramming bad legislation through and treating criticism as a personal attack that should be stamped out, rather than reasonable warnings that should be heeded. Still, it’s a good thing that this open letter got penned in the first place. It represents a clear record that people did speak out against this ludicrously stupid idea.

(Via @MGeist)

Drew Wilson on Mastodon, Bluesky and Facebook.