
Over the past week, a growing number of tech companies have warned that they may be forced to leave Canada if Bill C-22, the lawful access bill, remains unchanged. The government’s response to warnings from Signal, Windscribe, NordVPN, Apple, and Meta is that the companies are misreading the bill. But the prospect of a tech exodus from Canada rests on clear-cut privacy and security risks that do not apply in the U.S. or Europe.

The Act’s definition of “electronic service provider” captures any service involving the creation, recording, storage, processing, transmission, or reception of information, provided either to persons in Canada or by an entity carrying on business activities in Canada.

The breadth intentionally covers far more than just telecom companies and internet providers, extending to platforms, messaging applications, VPN services, and device manufacturers. Every such electronic service provider (ESP) is subject to a general assistance obligation under section 7 and to a secrecy obligation that bars disclosure of the existence of requests.

[Signal’s Vice President of Strategy and Global Affairs Udbhav] Tiwari put the point bluntly in his statement to the Globe: “End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it.”

What places the Canadian tech sector at risk of an exodus is that U.S. law imposes neither obligation. There is no federal mandatory data retention law in the United States, as the Electronic Frontier Foundation has documented across more than a decade of failed legislative proposals. The closest analog, the preservation provision in 18 U.S.C. § 2703(f) of the Stored Communications Act, allows the government to compel a provider to preserve existing records for up to 90 days while it obtains a court order, with a single 90-day extension available. It is a reactive, targeted mechanism tied to a specific account, not a forward-looking retention mandate covering every user of the service.

A U.S.-based VPN or messaging service can therefore lawfully maintain a no-log approach, which is precisely the basis on which no-log policies are built. Given the choice, VPNs and other services will surely leave Canada rather than architect their systems to retain metadata on every single user for a year.

In Europe, the Court of Justice of the European Union struck down general data retention regimes in Digital Rights Ireland in 2014 and Tele2 Sverige in 2016, and has continued to constrain them in later rulings. Germany’s Federal Constitutional Court has imposed similar limits, and general retention obligations on email providers remain unlawful there. The jurisdictions that have moved in C-22’s direction are precisely the ones where major services have begun to exit or restrict features.

The United Kingdom’s Investigatory Powers Act sparked Apple’s withdrawal of its Advanced Data Protection feature from the U.K. market rather than comply with a Technical Capability Notice ordering it to create access to encrypted iCloud data, and Apple is now litigating that order before the Investigatory Powers Tribunal.

Switzerland’s recent attempt to extend its surveillance ordinance to VPN providers and encrypted messaging services prompted Proton to begin moving infrastructure out of the country to Germany before the Swiss Federal Council paused the amendment pending an impact study. Where jurisdictions impose obligations of the kind Bill C-22 contains, privacy-protective services have either left, scaled back, or restricted features.

The compliance obligations on Canadian electronic service providers under Bill C-22 do not apply to a U.S.-based competitor, are limited or unconstitutional in much of Europe, and have led to exits or feature withdrawals in jurisdictions that have imposed them.

The companies aren’t bluffing, and they aren’t misreading the bill. Rather, they are responding to an outlier approach that threatens the Canadian tech landscape with obligations that place the privacy and security of millions at risk.

  • wampus@lemmy.ca (3 upvotes) · 5 hours ago

    Meh, the intentions of the legislation aren’t bad, and the main thing that needs a minor tweak is some of the phrasing in part 2.

    And yea, I say a minor tweak, in part because the legislation has very explicit statements that it does not require service providers to create systemic vulnerabilities; they reiterate this in both part 1 and part 2 of the bill. And while there’s explicit verbiage of that nature, opponents are busy saying, essentially, “You may say that, but if you interpret these three other parts of the bill in a specific way, and ignore those explicit notes about not introducing systemic vulnerabilities, then it could maybe translate into a backdoor!”.

    The retention requirements primarily target metadata. There’s nothing in the bill saying companies need to hold on to content for 1 year. The metadata retention is generally tied to situations like asking Telus “Hey, we have this IP address that hit this child porn site a few months ago. It’s in your DHCP range for your customers. Can you tell us who it was assigned to?” (right now, Telus doesn’t retain DHCP logs for long at all, cause storing logs costs money). Or, “Hey, Canadians keep getting scam called via your service, can you tell us who was using your service to make those scam calls?”. One reason some of those issues persist/are difficult to hold people accountable for is because tech companies facilitate it.

    Part 2’s assistance stuff is mostly about giving the govt permission to ask companies to verify they can comply with the legislation, and to provide evidence of such on request, without publicly disclosing their communications of such with the govt. There’s some verbiage that’s a bit wobbly in terms of the scope of data included in that part that needs shoring up, potentially, but the reiteration of the no-systemic-risk clause in part 2 basically means you don’t need to redesign anything, so long as you’re meeting part 1’s metadata logging requirement.

    Someone stores an encrypted blob online, where your system is designed so that you as a business never see the private keys/data? That seems totally fine in terms of the legislation. But you gotta record the metadata identifiers of who accesses that blob. Because if an investigation later finds out it’s a blob of kiddie porn, they want to be able to follow up.

    And it’s probably also worth highlighting how much assistance the cops/govt really needs in Canada. Our Auditor General just recently released a report about Student Visa frauds, where the govt had been getting around 75k reports per year, but were only able to action/investigate about 2k per year – with half of those being non-investigations because the students just didn’t bother picking up the phone, and Canada’s govt gave up. I’ve heard in the past that the RCMP division for investigating things like cyber crimes / financial frauds was absurdly understaffed – about a decade ago, I’d heard from one of their industry liaison officers that they had a department of 20 people, though half the positions were unstaffed due to resource shortages. Guy was telling industry to start reporting incidents more aggressively, so that they could try and get some funding to support their mandate. The thought that Canada could realistically enact this legislation, and then crack down on all the service providers, is sorta laughable to me. It just gives their tiny state apparatus the ability to tread water longer, and to try and pressure big US tech oligarchs into “some kind” of regulated space. Tech oligarchs that have more lawyers, and more PR professionals, than the Canadian government.