Warrantless Wiretapping Bill Draws Fire… from the US?

Probably one of the more surprising sources of opposition to warrantless wiretapping is US lawmakers.

One of the more consistent opponents to privacy in Canada has been the US government. Over the years, the US government has pushed to have Canada adopt things like anti-encryption legislation as well as warrantless wiretapping. The push for Canada to be more like a police state generally can be sourced to the spy agencies of the five eyes who view privacy rights and privacy protecting tools as obstacles that need to be done away with. With the close ties to the US, the US government became a megaphone for these anti-privacy voices.

Indeed, when Canada’s warrantless wiretapping legislation was slipped into Bill C-2, the so-called “border security” bill, I don’t recall any opposition coming from the US. For whatever reason, the US was demanding that Canada secure the southern border, probably in part because of geographically impaired politicians south of the border. Either way, there wasn’t really any objections that I can recall about the warrantless wiretapping provisions from the US as the American’s seemingly supported and even pressured Canada to pass this legislation more quickly.

So, when the Liberal government doubled down on their human rights crackdown by tabling Bill C-22 as the current latest attempt to end privacy rights in Canada, my suspicion was that the US wouldn’t really raise a stink given that the spy agencies have long endorsed the privacy busting legislation.

So, you can imagine my surprise when US lawmakers are now objecting to warrantless wiretapping, saying that it is a threat to privacy rights. Wait, what? Well, apparently, that is also a thing. From Michael Geist:

Just as Bill C-22, the Lawful Access Act, is under study at the House Standing Committee on Public Safety and National Security (I review my appearance yesterday in this post) U.S. Congressional leaders have written to Public Safety Minister Gary Anandasangaree warning that the bill threatens to harm “U.S. national security and economic interests by undermining trust in American technology and inviting reciprocal demands from other nations.” The message is clear: U.S. leaders are concerned that lawful access demands go so far as to compromise the privacy not only of Canadians, but of Americans too.

It is a safe bet that co-authors Jim Jordan, the chair of the House Judiciary Committee, and Brian Mast, the chair of the House Foreign Affairs Committee, did not suddenly become concerned about Canadian privacy. But when a Canadian bill would “drastically expand Canada’s surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans,” that is bound to draw attention. Their core concern is that the bill could compel U.S. technology companies to build backdoors into their encrypted systems, introducing systemic vulnerabilities for users in both countries.

As I’ve previously posted, the provisions in question are part of the Supporting Authorized Access to Information Act (SAAIA), the second half of Bill C-22. Providers would be required to develop, implement, assess, test, and maintain operational and technical capabilities to allow authorized persons to access encrypted data and information. The bill includes a non-compliance caveat where compliance would introduce a “systemic vulnerability,” but the letter correctly notes that the term is “vague and ultimately subject to a future regulatory process.” They also flag the secret ministerial order power in clause 7(1), under which the Minister can issue targeted demands to providers that are subject only to Intelligence Commissioner review and kept confidential by design.

The chairs are not pulling punches on what those obligations mean in practice. They warn that “providers offering end-to-end encryption services will inevitably face directives to create backdoors and architectural changes that bypass or weaken encryption to enable ‘lawful’ interception or data extraction.” They invoke the UK’s secret 2025 Technical Capability Notice to Apple, which led the company to disable Advanced Data Protection for UK users rather than build a global backdoor. Their concern is that “a backdoor built to satisfy one government’s demands inevitably becomes a target for adversaries.”

This development is certainly a welcome one, even if it is a bit surprising. For the longest time, the international surveillance state had developed a system where the surveillance regimes would largely target non-domestic traffic for surveillance, but ignore portions of domestic traffic. When the spy agencies want information on someone domestically, they then just do a little “information sharing” with a foreign entity to obtain that information afterwards. In short, they shuffle the privacy busting efforts to dodge constitutional protections of civilians while spying on people en-mass anyway.

The above comments is definitely a break from this, countering the idea that Canadian spy agencies can very easily break into the ordinary every day lives of Americans should this legislation pass. You can read the letter yourself here (PDF), but the concerns expressed in the letter are all very valid. Here’s part of that letter:

If a U.S. based provider is forced to redesign its system to facilitate Canadian authorized access to content that is currently inaccessible even to the provider itself, the resulting capability cannot be geographically limited. This directly threatens the privacy of U.S. persons who expect and depend upon robust encryption to protect sensitive communications, health data, financial records, and personal correspondence from unwarranted intrusion. A backdoor built to satisfy one government’s demands inevitably becomes a target for adversaries, as demonstrated by the
2024 Salt Typhoon intrusion into U.S. Communications Assistance for Law Enforcement Act-compliant wiretap infrastructure. The Salt Typhoon intrusion shows that once such access points exist, they do not remain exclusive to lawful authorities—they become persistent, high value targets for our foreign adversaries.

Bill C-22 sets a dangerous precedent that could erode the mutual benefits of strong encryption standards. American companies operating in Canada would face a difficult choice: compromising the security of their entire user base—including U.S. citizens—or risking exclusion from the Canadian market. Either outcome harms U.S. national security and economic interests by undermining trust in American technology and inviting reciprocal demands from other nations. Over time, these pressures will fracture global cybersecurity norms and weaken our collective defenses against malicious actors who exploit inconsistent standards.

If there are flaws in this letter, I’m not seeing it. The points being made are very valid, even if it’s being done out of the slightly more selfish reasons of protecting the data of American interests. Indeed, I wouldn’t blame an American provider from looking towards Canada and saying, “yeah, not worth the risk” and blocking Canada altogether. Canada is a comparatively small market and blocking the market to protect the privacy of the rest of the users would be a very viable option. While I’m no fan of the idea of the internet becoming increasingly fragmented, it would be an understandable reaction.

How effective this push might end up being remains to be seen, though. After all, when it came to the Online News Act, Online Streaming Act, and the Digital Services Act, the US sent numerous warnings and letters, urging the Canadian government not to pass those laws. The US got completely ignored and it took Trump ending trade talks for the US to finally get the Canadian governments attention on that matter. The Digital Services Tax, at the very least, got mercifully rescinded, but the Online News Act and Online Streaming Act still remains to be a point of contention with the Americans (something us “Big Tech shills” predicted would happen).

So, it’s entirely possible this welcome pressure from the US could get Canadian lawmakers to rethink their privacy busting bill, but it’s also possible that they will just respond with their usual deer in the headlights look, then just try and pretend that this pressure didn’t happen before passing it. When asked, they’ll probably once again respond by saying something like, “Oh, they are just asking questions because they are interested in the process, but nothing to be concerned about.” It’s an entirely possible thing because that was the exact excuse used in passing the other deeply unpopular internet bills.

At any rate, the move by US lawmakers is, indeed, surprising, but quite welcome. We can only hope that the Canadian government, for once, will heed those warnings.

Drew Wilson on Mastodon, Bluesky and Facebook.