There has been a firestorm over Bill C-22, and it has rightly included objections from a number of significant tech firms, including Signal, Apple, NordVPN, and others.
Of course the noisy worthless contenders also need to pipe up, including Meta — Meta is an anti-democracy cancer on society and should be ejected from Canada, and absolutely nothing will be lost[1] — along with various partisan voices who just want to start howling like monkeys about corrupt governments and tax rates in a hysteria that obliterates any credibility.
Part I is fine and mostly just modernizes and centralizes some activities of government when investigating crimes. Part II is the problem, and it isn’t that it directly prescribes specific actions, but that it broadly provides the umbrella for some terrible regulations to be enacted if this bill achieves royal assent. That is even worse, because it’s easy to wave away concerns by noting that this bill doesn’t prescribe them, it merely allows future regulations to do that, so save your objections until then… when it’s too late and they are basically rubber-stamped.
Ostensibly the major items only apply to a thus-far-undefined schedule of “core providers”, but elsewhere the act also allows the same regulations to enlist any electronic service provider into these same requirements whenever demanded.
Who is an electronic service provider? By the definition of this bill, every business and service. The criteria are so broad that simply having an electronic record of an interaction makes you subject to it.
This bill, if it passes all guards and becomes an act of parliament, allows the government to make regulations that could require a backdoor into encryption products via Part II 5(2)(a), along with potential regulations for the retention of up to a year of all metadata and transmission data (which isn’t the actual contents of the data, but rather the routing, addressing, etc.). Importantly, this is not up to a year of metadata for someone subject to a lawful order: the bill allows regulations to be passed that require the retention of up to a year of metadata for everyone.
The bill includes language that these requirements cannot impose a “systemic vulnerability”, but this is left undefined, and it is functionally at odds with 5(2)(a), which cannot be implemented without, for instance, allowing for the injection of secondary keys into encryption products. And the retention of all metadata is itself a de facto vulnerability that will be exploited[2].
Governments around the world have been trying to enact these sorts of laws for years — many successfully — and invariably it requires some sort of backdoor or circumvention.
It’s a bill that needs a lot of changes, and it is rightly drawing concerns. This bill doesn’t even directly create the vulnerabilities; instead it paves the way for them to be introduced in the future, which might even be worse.
Footnotes
1. Michael Geist has a piece on this bill, and he notes that after bill C-18 — the Online News Act — Meta blocked news links in Canada, punching themselves in the face and beginning the rapid decline of Meta’s relevance in Canada. Personally I’d consider that a win, really, so it’s odd to include it as a counterpoint.
Absolutely no one should be looking for information or news on any of Meta’s disinformation, democracy-hostile shithole properties. Google actually folded, by the way, and pays into the news fund. Strangely, Geist doesn’t mention that.
“Oh, but what about WhatsApp?” Firstly, Meta should never have been allowed to buy that product, and really, does anyone actually trust that product under that firm’s tutelage? Insanity. Meta is the least trustworthy firm in tech, and if it blinked out of existence the world would be a better place. ↩
2. Though in fairness, most tech firms already hoard every bit of metadata they can about every user, selling it and abusing it in every way possible. But the act can force this condition on those that don’t want the burden of doing so, along with products like VPNs that explicitly don’t log such metadata. ↩