Executives from Apple and Google urged the federal government to tighten rules in its proposed lawful access legislation to avoid creating vulnerabilities in their products, arguing so-called “backdoors” into encrypted data systems could be exploited by cyber criminals.
Bill C-22 would lead to the creation of regulations requiring “core” telecommunications providers to create “capabilities” for law enforcement to access information, and for the retention of user metadata for up to one year. Ministerial orders could then be given to other providers without judicial oversight.
Although the government has said the bill is “encryption neutral” and that it won’t push providers to create a “systemic vulnerability,” the companies added to the growing chorus of concerns that the current language in the legislation — including the definition of a “systemic vulnerability” — is broad enough that encryption could still be at risk.
“Speaking as an engineer, we do not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in,” Erik Neuenchwander, Apple’s senior director of user privacy and child safety, told the House of Commons public safety committee.
“In other words, when you build a backdoor into an encrypted device, anyone can walk through.”
He pointed to the 2024 Salt Typhoon cyberattack on U.S. government systems that exploited access points created under that country’s own lawful access bill.
“That law was narrower than Bill C-22,” he said. “So imagine what could happen if more companies were required to create these vulnerabilities.”
Neuenchwander wouldn’t say if Apple would consider leaving Canada if the current legislation passes, or if it would be forced to end encryption services in Canada like it did in the United Kingdom last year, after a British government demand for access to encrypted cloud-stored data.
Jeanette Patell, the director of government affairs and public policy at Google Canada, also wouldn’t say how Google would respond, but noted the legislation may force it to break its own precedent by allowing law enforcement to circumvent end-to-end encryption for its products.
She said the bill as written “goes well beyond lawful access regimes in other G7 democracies, and risks creating new surveillance infrastructure that would introduce serious security vulnerabilities, undermine user trust and hinder our ability to innovate and offer pro-privacy technologies.”
The proposed ministerial powers under the bill “could give the government the power to secretly force companies to redesign products, to include invasive surveillance capabilities, and to do so without sufficient safeguards or oversight,” Patell added.
“Ministerial orders are not only alarming, but also unnecessary,” she said. “Canada already has an effective, transparent system where law enforcement can apply to the courts for reasonable assistance orders subject to judicial oversight.”
Get breaking National news
Get breaking Canada news delivered to your inbox as it happens so you won’t miss a trending story.
Katherine Charlet, Google’s senior director of privacy, safety and security, noted the potentially “boundless” powers granted under C-22 could have implications beyond Canada.
“Google and other companies are global companies,” she said. “Canadians interact with people all over the world, and so there are global impacts of a proposal such as this one.”
The executives said protections around encryption and more specific definitions were necessary for the bill itself, rather than waiting for future regulations to provide that clarity.
Neuenchwander added the government’s stated intentions of not seeking to create “backdoors” or weaken encryption “aren’t coming through clearly in the language from our perspective” and need to be made more explicit.
Public Safety Minister Gary Anandasangaree, who sponsored the bill, has not explicitly committed to any specific amendments around encryption protections, saying instead this month he welcomed any amendments that come from the committee.
Tuesday’s testimony comes after multiple service providers, including VPN operators, have said they would pull out of Canada rather than comply with the legislation if passed as written.
Companies including Meta have raised similar concerns as Apple and Google in testimony to the committee’s study of the bill earlier this month.
Privacy experts have also raised concerns about potential regulations that would require the retention of metadata — including transmission and location data — saying it raised “unprecedented” privacy and cybersecurity issues.
Those concerns were echoed by federal privacy commissioner Philippe Dufresne and legal experts during Tuesday’s marathon committee hearing prior to the testimony from Apple and Google.
“The longer you keep information, the more there is a risk of a privacy breach, and the more there is an impact if there’s a privacy breach,” Dufresne said, while echoing calls for more specific guidelines in the legislation.
“One of the principles we put forward is not to retain information longer than is necessary. That’s why necessity and proportionality is so important. There will be cases where you need to keep it longer, but that should be tested in every case.”
Luc Lefebvre, a privacy expert and co-founder of Crypto Quebec, told the committee that data has yet to show a correlation between lawful access and a decrease in crime.
“In fact, what we have seen is that criminals tend to go dark,” he said in French. “They use other methods and other tools.
“Meanwhile, the government is collecting more and more information about the average person.”
Under existing Canadian law, police must seek a warrant asking a telecommunications provider to retain a specific person’s metadata for only a limited amount of time, such as a month or 90 days, for an investigative purpose.
Government, police and national security officials have said the lawful access powers are necessary for investigators as criminals move increasingly online.
They say metadata stored by companies would only be allowed to be accessed through a judicial warrant, and would be limited to things like location data and IP addresses, rather than actual online content like search histories and emails.
But Michel Marchand, a member of the criminal law expert group at Barreau du Québec, told the committee in French that the legal threshold of reasonable suspicion to access that data under the bill is “too low a threshold.”
Courts have repeatedly affirmed that “the scale of what you can access through an IP address, with an IP address, you can get access to everything,” he said.
“Just because there is a suspicion, it doesn’t mean that an offence is being committed,” he added. “It just means that there’s information out there that could be useful for an investigation. So we believe that the threshold of ‘reasonable grounds to suspect’ could cast too wide a net.”
Throughout the hearing Tuesday, Conservatives frequently complained about the rushed nature of the committee’s study of the bill, while Liberals at times chastised witnesses for opposing measures intended to keep Canadians safe.
“The government is here to go after the bad guys,” Liberal MP Jacques Ramsay said. “We’re not trying to get people’s medical records or anything like that.”
Dufresne noted in response that the law as written could potentially see medical service providers face the same kind of demands as other public electronic service providers.
“It’s too broad,” he said.
“Adding clarity would reassure some people who are concerned.”