Canada’s spy agency says its ability to keep pace with threats and contribute to intelligence alliances will be at risk if the government’s latest attempt to pass a lawful access bill fails — a warning that comes as momentum against the Liberals’ Bill C-22 grows.

“There is a moment that we need to meet as a country right now,” Nicole Giles, deputy director of policy and strategic partnerships at the Canadian Security Intelligence Service (CSIS) said during a recent interview. 

“Canada is the only Five Eyes country without a lawful access regime and that is hugely prohibiting our ability to keep pace with the increasing volume, velocity and variety of threats that are being thrown at us in an environment of incredibly rapid technological change and advances.”

Giles joined senior officials from Public Safety Canada and the RCMP on Wednesday for a briefing with CBC News to respond to growing concerns from civil liberty advocates, business groups, tech companies and senior U.S. lawmakers about the legislation. The same officials also spoke to other media, suggesting a concerted campaign to counter criticism. 

The bill, this government’s second attempt at passing lawful access legislation since the federal election last spring,  promises to give police and spies faster access to information on Canadians during investigations — something they’ve been pushing for since the rise of the cellphone. 

But the bill has garnered backlash from critics ranging from privacy and civil rights advocates to businesses and tech giants. 

Most of the criticism has been directed at Part 2 of Bill C-22, which would require electronic service providers — a still undefined term that likely would mean telecommunication, internet and social media companies — to adapt their systems to make it easier to hand over requested information to security and intelligence officials, provided they have a warrant.

Tech companies like Meta and Apple and messaging services including Signal have warned that this obligation would weaken privacy protections such as encryption, and would create pathways not only for police to lawfully access information, but also for hackers and foreign adversaries. 

“If you are weakening encryption, if you’re weakening the cybersecurity systems because you want to ensure that the good guys have access, the risk is that some of the bad guys can gain access as well,” Michael Geist, the University of Ottawa’s Canada Research Chair in internet and e-commerce law, said last week in an interview with CBC about the bill. 

“It’s pretty hard to shut that door to everybody else.”  

CSIS opens up about 2 hindered operations

Giles said there’s “a misunderstanding” around the bill, which already includes a provision to prevent providers from creating systemic vulnerabilities. 

“C-22 does not seek to mandate back doors or universal decryption capabilities by any stretch of the imagination,” said Giles. “Rather, it is seeking to facilitate targeted, lawful and exceptional access under very strict legal controls.” 

In a rare move, Giles partially lifted the veil of secrecy and spoke about two real-life operations hindered by what the service sees as a lawful access regime in Canada. Given the classified nature of CSIS’s work, most identifying information was left out.

WATCH | Lawful access bill faces pushback from tech companies, privacy advocates:

Lawful access bill faces pushback from tech companies, privacy advocates

A proposed federal government bill would give police faster access to information during high-stakes investigations, but tech companies and privacy advocates say they’re concerned about government overreach through the lawful access legislation.

In the first case, Giles said the service was trying to determine the movements of a terrorist group. CSIS had obtained a warrant and was trying to trail the cellphone of a person of interest, but the electronic service provider did not have the capability to track the device because it isn’t legally required to, she said. 

“And so as a result, we had to resort to very costly and very risky in-person surveillance that also maintained significant gaps in our coverage,” she said.

Under Bill C-22, the government could require electronic service providers to develop and maintain location tracking capabilities.

“These are not exceptional things,” Giles said. “It would just bring us up to the basement that our allies and that our Five Eyes partners have.”

Citing another operation, Giles said a foreign partner carrying out an investigation outside of Canada contacted CSIS for help because a few of their subjects of interest were associated with Canadian phone numbers.

The foreign player told CSIS their intelligence suggested threat activity was moving into Canadian territory, she said.

Giles said CSIS was able to confirm that the phone numbers were obtained through a reseller, “however, resellers don’t maintain records of their sales, and don’t track any of their clients activities.” 

“So we were unable to respond to the foreign partners’ request for information, which impedes our ability to ensure that we’re performing as part of that intelligence collective of like-minded democracies,” she said.  

“We’re also not able to get cited on the threat that’s actually potentially in Canada.” 

Concerns about metadata retention 

Bill C-22 would also require core providers to retain metadata for up to one year. It wouldn’t cover browsing history or the contents of messages, but it could include logs showing which telephone numbers a phone has been in contact with, and where someone carrying their device has travelled to.

Geist described the metadata requirement as “essentially a surveillance map.” 

“It’s building a massive haystack in the prospect that maybe you need to go find a needle at some point in the future,” he said in an interview with CBC last week. 

Sgt. Aaron Gilkes with the RCMP’s technical investigation services defended the retention timeline, pointing by way of example to the rise of extortion cases in which victims are often first contracted by voice-over-internet protocol (VoIP).

“Typically the bad guy is not going to use their regular telephone to make that phone call and have their own numbers show up,” he said. “It’s going to spoof a phone number.”

An investigator would try to trace the origin by going after what’s known as signalling data — essentially information between devices and locations, Gilkes said.   

“The issue with that is that that information that’s contained in that signalling data is very ephemeral, very volatile. It only lasts about a week to 10 days,” he said. 

“So for us, these are the challenges that we face where we do know that some data does exist, we do know that it is kept for business purposes, but it’s not kept long enough for us to be able to actually access it to forward our investigations.”

Possible amendments coming

Public Safety Minister Gary Anandasangaree has suggested he’s open to amendments. 

“We don’t want to make anybody less safe. That is entirely opposite of what we are trying to do,” Richard Bilodeau, Public Safety Canada’s acting assistant deputy minister for the national and cybersecurity branch, said recently.  

WATCH | Tech giants ‘misinterpreting’ lawful access safeguards: public safety minister:

Tech giants ‘misinterpreting’ lawful access safeguards: public safety minister

Public Safety Minister Gary Anandasangaree said ‘we have to better inform’ Canadians and all stakeholders about Bill C-22, Ottawa’s proposed lawful access legislation, which faces pushback from U.S. tech companies.

Bilodeau said officials are listening to concerns, especially those around end-to-end encryption. It’s a communication method where data is encrypted on the sender’s device and decrypted only on the recipient’s device. 

“It is one of those areas that we’ve taken careful note and we’re seized with that issue,” he said. “We’ll see what direction we take on bringing clarity to the act on that point or any other.”