A growing number of tech companies and internet service providers are warning they could pull their services from Canada if the federal government’s proposed lawful access legislation goes ahead, warning they could be forced to compromise users’ privacy.
The encrypted private messaging app Signal is among the most prominent platforms to make such a threat while speaking out against Bill C-22, which would allow for regulations requiring service providers to retain certain metadata for up to a year and develop capabilities in its systems for police and the Canadian Security Intelligence Service to obtain that information for investigations.
“In its current form, Bill C-22 would convert the everyday tools Canadians rely on into a sprawling, insecure surveillance apparatus,” Udbhav Tiwari, Signal’s vice-president of strategy and global affairs, told the House of Commons public safety committee Tuesday.
“If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave.”
Signal, as well as some of the world’s most powerful and widely-used tech firms including Apple and Google, have said the bill as written could require them to build or maintain capabilities that break or weaken encryption, effectively creating “backdoors” into those products.
Such entryways could then be exploited by cybercriminals, exposing retained metadata to wide-scale breaches.
“Effectively, the government through this legislation seeks to insert itself into the networks and devices of various providers,” Michael Geist, a professor at the University of Ottawa and the Canada research chair in internet and e-commerce law, told Global News in an earlier interview.
“The concerns that many providers have is that they’ve got obligations to their customers. They’ve got basic standards they want to exercise with respect to the security of their systems, using encryption and the like. They want to be able to provide assurances about privacy, and that becomes hard to do when you’ve got the government inserting itself into these systems.”
The bill as written would introduce mandatory requirements for certain “core” providers — likely large telecommunications companies and satellite providers — to have specific capabilities for law enforcement access.
In addition, the public safety minister could issue a ministerial order to require a provider to develop a particular capability, even if they are not a core provider. The bill would prohibit a provider from disclosing the existence or content of a ministerial order, which would only require approval from the intelligence commissioner, rather than through a judicial warrant.
Geist said companies that comply with the regulations and ministerial orders could also face major additional costs for redesigning their systems and maintaining extra metadata storage capabilities, which may lead to higher prices for customers.