A new bill tabled by the Liberal government would give the police and Canada’s spy agency new powers to compel telecoms to provide identifying information about subscribers.

It would also create a system to require service providers to keep user-specific information but who is captured would be flushed out in subsequent regulations.

The government says changes to Canada’s lawful access regime are needed to better respond to online threats and keep pace with new technologies.

It comes after privacy advocates and opposition parties objected to more expansive changes laid out in Bill C-2, the government’s first attempt at border security legislation that has since been supplanted.

The new bill, dubbed C-22, would require telecoms to confirm information such as phone numbers and give the authorities the ability to seek a production order from the courts to obtain subscriber details.

With the powers, police and CSIS could demand a telecom to confirm they provide service for a specific phone number but any further information would require a court order. That information is restricted to names, physical and email addresses and phone numbers.

The deadline to apply for a judicial review of these production orders has also been changed from five days to 10 business days.

The only threshold the authorities would need to make for a warrantless request is that they have reasonable grounds to suspect that there may be some criminal activity transpiring. However, this only applies to confirmation requests, meaning the response from the telecoms is limited to a yes or no answer.

Under C-2, police would have the power to obtain subscriber information without a warrant and there was no language limiting its scope to just telecom providers.

That bill would have also given Canada Post an expanded authority to open mail.

But a senior government source told reporters in a technical briefing on Thursday that no changes to Canada Post’s powers are found in the revised legislation.

The name and department of the source must be kept anonymous as per the terms of the briefing with reporters.

The bill creates a new authority for policing agencies and CSIS to request information from foreign electronic service providers, including social media firms such as OpenAI.

But a government source clarified in the briefing that it was not a “compulsion power” and would only allow the authorities to access “subscriber information [and] transmission data.”

The regime would allow police to go before a Canadian court and request authorization for a warrant to have a foreign entity to “lawfully provide the information being requested,” the source said.

There would also be a new international cooperation tool to allow for the court-order production of information at the request of Canada’s partners.

The second part of Bill C-22 spells out plans for new requirements for electronic service providers to keep user-specific information. A similar provision in C-2 faced criticism for its broad wording and expansive scope, raising the potential that internet providers would have to keep browser history or social media platforms would need to keep tabs on user profiles.

The government said the new bill clarifies the only information that has to be retained is metadata — not web browsing or social media history — and providers would be required to keep it for no more than one year.

It would require providers to “develop and maintain location tracking capabilities” but that can only be accessed with a court order, a government source explained.

The government said these requirements would only come into effect for so-called core providers. Who those are would be determined by a separate regulatory process.

Under the bill, the public safety minister is permitted to issue ministerial orders compelling electronic service providers to develop and maintain specific capabilities. Failing to do so could result in fines or other regulatory offences.

The orders would be subject to approval by the intelligence commissioner, and the bill clarifies that privacy and cybersecurity are factors for consideration.

A public annual report on these orders will also be required.

More to come…