The federal government’s proposed lawful access bill is raising concerns about the potential lengthy retention of Canadians’ metadata that could then be accessed by law enforcement, which privacy experts warn is risky and “unprecedented.”
Concerns about the legislation have already spurred multiple service providers, including VPN operators, to say they would pull out of Canada rather than comply with the controversial proposals that seek to give investigators access to company-held data.
Bill C-22 includes a new provision that would allow the government to make regulations for “core” telecommunications providers to retain certain types metadata — including transmission and location data — “for reasonable periods of time not exceeding one year.”
The bill would then allow the minister of public safety to order other electronic service providers to comply with that regulation, subject to approval of the federal intelligence commissioner, for the purposes of a criminal or national security investigation.
While government officials insist the data that would be collected does not include actual online content like search histories or emails, and that the metadata itself can only be collected by investigators through a judicial warrant, experts warn the retention policy alone is concerning.
“The government’s building this massive haystack of data with the thought that they might need to find the needle every once in a while,” said Michael Geist, a professor at the University of Ottawa and the Canada research chair in internet and e-commerce law.
“But in doing so, they’re creating huge privacy risks for Canadians.”
Metadata is broadly defined as “data about data,” or what Geist calls “the information around” something like an online communication rather than the content itself.
This includes dates, times and locations those messages were sent, the IP addresses used to send them, and broad identifiers like the names of senders and receivers and what type of file or message it was.
It also involves tracking data and transmission data that is collected every time a cellphone connects to a cell tower, Geist explained, “which is all the time” because most people’s phones remain turned on even when not in use.
“Anytime you communicate with someone, what device did you use? Where were you located? When did you communicate? All of those things about your activities. That’s what metadata is,” he said.
Robert Diab, a law professor at Thompson Rivers University in Kamloops, B.C., who focuses on online privacy, said courts have recognized for decades that “the mosaic of information that you can assemble through metadata can really reveal quite a lot about a person’s life.”
“What it is they’re doing, their movements, their communications — it connects you with people and places in time, and from that you can draw a number of inferences about a person.”
Both experts noted the metadata provision was “quietly” added to Bill C-22, which stripped out and updated the lawful access section of the more broad Bill C-2, after that earlier legislation raised widespread privacy concerns.
Police and intelligence officials have said while speaking about Bill C-22 that metadata can be useful to investigators when trying to, for instance, link a kidnapping suspect to multiple locations where they may have taken a victim.
Get breaking National news
Get breaking Canada news delivered to your inbox as it happens so you won’t miss a trending story.
Richard Burchill, director-general of technical investigative services for the RCMP, told the House of Commons public safety committee this month that internet transmission data and cell tower signalling data would be of particular interest.
He said the reason for the one-year time limit was to create a “consistent” data retention standard for major telecommunications providers that investigators could rely upon.
“If they keep it for three days, but you’re one week into a kidnapping investigation, that data is gone whether you are judicially authorized or not, whereas some companies have it readily available,” he said.
Liberal MP Sima Acan noted during the same hearing that historical metadata could be “essential for establishing timelines and connections that are not immediately obvious,” particularly when offences are reported long after they occur.
Government officials told the committee that regulations on what specific metadata must be retained and for how long — as well as what a “core” provider is — will be developed after the legislation becomes law, through consultations with law enforcement and security agencies as well as the telecommunications sector.
Those regulations could then be redrafted as needed in the future without having to introduce new legislation.
“This is heavily based in technology, and using terms (that) could be obsolete within a number of years … would render the whole bill actually useless,” said Shannon Hiegel, the national security policy director general at Public Safety Canada.
Simon Lafortune, a spokesperson for Public Safety Minister Gary Anandasangaree’s office, told Global News the bill “only allows for limited retention requirements strictly for metadata” and “does not permit the retention of content, web browsing history, or social media activity.”
Some police chiefs, however, have called for even broader and lengthier data retention, though government officials insisted they are not currently looking to further expand lawful access authorities beyond Bill C-22.
Thunder Bay Police Chief Darcy Fleury told the committee at a separate hearing this month that the one-year limit for metadata retention was “a good start” but that two or even three years “would be ideal.”
Diab noted that under existing Canadian law, police must seek a warrant asking a telecommunications provider to retain a specific person’s metadata for only a limited amount of time, such as a month or 90 days, for an investigative purpose.
“The reason Parliament has done that … is that it recognizes that the creation of a record is itself an interference” of privacy, he said.
“In this case, the minister tells Telus, ‘go and save it for a year.’ … The idea is the same: if you create a record, if you order a third party to preserve a citizen’s records of their communications, you are interfering with their privacy because you’re conducting a form of surveillance. You are creating a situation in which their movements, their communications are being watched or are being made watchable in a sense. And that’s what matters.”
He said the law, if passed as currently written, could be challenged in court for running afoul of Section 8 of the Charter of Rights and Freedoms, which protects Canadians against “unreasonable search or seizure.”
The metadata retention provision is not mentioned in the government’s Charter statement on the bill, which outlines how it is consistent with Charter rights and freedoms.
A Department of Justice spokesperson told Global News this is because the provision “does not itself require metadata retention” and only creates a regulation-making authority.
“Any future regulation made under that authority would have to comply with the Charter, including Section 8 protections,” and be subject to a separate Charter statement and other safeguards, Ian McLeod said.
“It would also need to be assessed based on what data is covered, who must retain it, for how long, for what purpose, and what safeguards apply.”
Hiegel told the House of Commons committee that the government does not equate a company’s retention of data with a “seizure” as defined by the Charter because there is no production order involved until a judicial warrant is approved.
Experts noted the broad retention of data also poses cybersecurity risks, particularly if hackers exploit regulations created under Bill C-22 for providers to give law enforcement access to information — a provision critics have called a “backdoor” into online platforms, which the government has denied.
The government and police chiefs have repeatedly said Canada is lagging behind its Five Eyes and G7 allies that already have lawful access powers in place.
Those countries differ in their metadata retention polices, however.
While Australia mandates companies retain metadata for up to two years, the United States has no broad retention timeline in law and has sought to limit the scope of such abilities in recent years.
The European Union also doesn’t have a standard data retention timeline for member nations, and some that have their own lawful access regimes, like Germany, have seen their metadata provisions struck down by the courts as unconstitutional.
“We have choices, and we don’t really face any particular requirements to make these changes,” Geist said.
Diab said the disparity points to the trouble governments face when trying to justify broad data retention to the public.
“If you were told that the government is going to tell Telus and Freedom and Fido and whoever to keep a record of when and where you made calls, and where you used your cellphone for a year, for a potentially prosecutorial purpose — how would you feel?” he asked. “Would you feel you were being surveilled? Would you feel that your privacy is interfered with?
“I think most reasonable Canadians would say, yeah, that would feel kind of creepy. I don’t want to know that that’s happening.”