Opinion: Bill C-22 Will Be a Hacker's Dream, Warn Critics
Bill C-22 Will Be a Hacker's Dream, Warn Critics

Parliament is fast-tracking Bill C-22, the so-called Lawful Access Act, which critics say would make Canada more susceptible to targeted surveillance by requiring telecom companies to collect everyone's metadata for six months and mandating the breaking of encryption. The bill aims to give law enforcement better tools to investigate serious crime, but the risks of this approach outweigh the potential benefits, according to an opinion piece by David Clement and Sabine Benoit, published in the Financial Post.

The Pegasus Spyware Precedent

Omar Abdulaziz left Saudi Arabia in 2014, built a new life in Montreal and became one of the most prominent Saudi opposition voices outside the kingdom, as well as a close confidant of journalist Jamal Khashoggi. In 2018 his phone was infected with Pegasus spyware, which was traced to a Saudi-linked operator and likely played a role in the chain of events that led to Khashoggi's murder. Despite Abdulaziz seeking safety in Canada, his persecutors found him anyway.

No government can mandate "access only for the good guys," the authors argue. There is no such thing as a vulnerability only the right people can exploit.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Backdoors Create Systemic Risks

The centrepiece of Bill C-22 is a provision allowing the minister of public safety to order companies to build access mechanisms into their encrypted services so they can access Canadians' metadata — provided doing so doesn't create a "systemic vulnerability." But how can companies comply with this idea of avoiding "systemic vulnerability"? Creating a backdoor for Ottawa creates a backdoor for nefarious actors.

In its parliamentary testimony, Apple accused Ottawa of inserting such backdoors into its products. Google went further, warning that the bill could facilitate foreign interference and weaken global user privacy precisely because a backdoor built for Ottawa doesn't remain exclusive to Ottawa. Rather, it would be a massive green light for hostile foreign intelligence services, criminal hackers and any government willing to coerce, compromise or even legally compel companies to hand over information they want.

Metadata Retention: A Treasure Trove for Hackers

On metadata specifically, the bill wants service providers to record and retain that information on all Canadians for six months, which is enough to know almost everything about most of us. The coverage is not just suspects or people under investigation but every person who sends a message or makes a call. Do you know anyone who doesn't do so on a daily, if not hourly basis?

The Bloc Québécois described the six-month data stores as a "treasure trove" for hackers. But that undersells the specific danger for people like Abdulaziz, or Sheng Xue, a Chinese dissident who fled to Canada and believes Chinese agents have tracked her movements and threatened her life.

For a dissident from an authoritarian state, metadata alone can be a death sentence. Months of retained records reveal who someone contacts, when, how often and from where. It maps attendance at community meetings and protests and exposes any contact with people still living inside the home country.

Industry and Expert Opposition

No government can mandate "access only for the good guys." This naive idea was debunked by every major cryptographer and technology company that testified regarding Bill C-22. There is no such thing as a vulnerability only the right people can exploit.

Shopify's policy chief has said Bill C-22 could handicap Canadian tech companies, and an opinion piece by the same authors previously called for protecting kids' privacy while also doing the same for adults. The bill, if passed, would represent a significant shift in Canadian surveillance law, with implications for privacy, security, and the tech industry.

Pickt after-article banner — collaborative shopping lists app with family illustration