FIRST READING: New bill would allow police to turn personal tech into listening devices
Paywall: https://archive.is/n5nMm
“A new bill currently before the House of Commons could allow Canadian law enforcement to eavesdrop via the microphones on personal tech devices, be it a cell phone, a laptop or a smart speaker.
What’s more, under the secrecy provisions of the bill, tech companies would be required by law to deny that any such eavesdropping was taking place.
Bill C-22, a “lawful access” bill tabled in March before the House of Commons, is a package of new powers requiring Canada’s “electronic service providers” to provide police with streamlined access to everything from subscriber information to location data.
Within those powers is a requirement for providers to provide “all reasonable assistance” to investigators looking to access personal tech devices. As the bill reads, providers must “permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.”
In a May 7 meeting of the Standing Committee on Public Safety and National Security, MPs specifically discussed how these powers could be used to remotely turn on microphones.
The committee was hearing from Leah West, an expert in national security law based at Carleton University.
Conservative MP Dane Lloyd aked West whether C-22 would order companies to “provide the capabilities to turn on a remote microphone.”
West replied that such a thing would be called an “intercept capability,” and that it was indeed enabled by the terms of Bill C-22.
“So you could potentially have an order that would require that capability, and as long as it didn’t create a system vulnerability, then yes it could be implemented,” she said.
Bill C-22 largely functions through “ministerial orders” requiring companies to turn over electronic data if a judge finds there is “reasonable grounds to suspect” such information may be linked to criminal activity.
The bill specifies that these orders could not be used to pull data on “web browsing history,” “social media activities” or any other “content” produced by someone under investigation.
And, as indicated in West’s answer, the bill isn’t allowed to force companies to collect data in such a way that it would introduce a “systemic vulnerability.”
Lloyd’s question was in part to point out the apparent contradiction of a bill that stops police from examining the online “content” of a Canadian under investigation, but has no such barriers when it comes to turning their cell phone or smart speaker into a listening device.
“It’s kind of odd to me how (the bill) talks about how it’s not here to look at content, but that the ministerial orders can order these companies to provide the capabilities to turn on a remote microphone,” he said.
Under current Canadian law, police are already able to intercept phone calls, text messages, emails and other digital information by obtaining warrants or other judicial orders.
Bill C-22 steps this up by requiring service providers to tweak their systems to make it easier for law enforcement to access personal digital data when they need it.
As the bill states in a preamble, “the purpose of this Act is to ensure that electronic service providers can facilitate the exercise of authorities to access information that are conferred on authorized persons.”
This includes mandating that companies store user data for at least a year – even if the data isn’t something they would otherwise be keeping on hand for the purposes of their business.
As privacy lawyer David Fraser summed it up in a detailed video breakdown, Bill C-22 was intended to address police complaints that there isn’t a “consistent interface for them to plug into and get data from all the (telecommunications firms) out there.”
However, Fraser, who also testified before the Standing Committee on Public Safety and National Security, has noted that the bill is not limited to traditional telecom providers.
Rather, Bill C-22’s provisions apply to “electronic service providers,” a category that includes any firm offering an “electronic service.”
“The organizations that could be on the receiving end of these orders is anyone who provides services to the public, which includes a bank, a hospital, a grocery store, a hotel,” he told committee members.
This week, the Justice Centre for Constitutional Freedoms (JCCF) called Bill C-22 a “serious threat to Canadians’ privacy rights.”
The JCCF specifically zeroed in on the bill’s mandate “requiring electronic service providers across Canada to retain metadata, including location and transmission data, for up to one year.”
In a statement, the JCCF noted that the Court of Justice of the European Union has struck down similar metadata retention laws as a violation of the “fundamental right to the protection of personal data.”
West was in support of Canada adopting some form of update to its lawful access regime, noting that Bill C-22 was the ninth time that a such a bill had been attempted, including several tabled under the government of then prime minister Stephen Harper.
“Our laws have not kept pace with modern criminal and national security threats,” she said, adding, “I believe deeply that Canada needs lawful access reform.”
Nevertheless, she critiqued some of the broader aspects of the bill, including its mandate for companies to secretly retain metadata for at least a year.
“It does create a chilling impact and has serious implications for how people view their right to privacy in Canada,” West said”