Chapter 4: Government Response — The Government’s Response to Lawful Access Challenges — 44th Parliament (2021 to 2024)
Special Report on the Lawful Access to Communications by Security and Intelligence Organizations
The Government’s Response to Lawful Access Challenges
44th Parliament (2021 to 2024)
154. In June 2022, the government’s response to a written question on the Order Paper about electronic surveillance informed the House of Commons about the RCMP's previously unknown use of ODITs, prompting a study by ETHI. In November 2022, the Committee tabled its report entitled Device Investigative Tools used by the Royal Canadian Mounted Police and related issues. ETHI made several recommendations, including that the government amend the Privacy Act to require government institutions to conduct a privacy impact assessment before using high-risk technological tools and submit them to the Office of the Privacy Commissioner for assessment. The government responded that it was currently leading a review of the Privacy Act. Footnote 352
155. ETHI also recommended the government establish an independent advisory body composed of relevant stakeholders from the legal community, government, police and national security, civil society and relevant regulatory bodies to review new technologies used by law enforcement and to establish national standards for their use. The government responded that the RCMP's has established the National Technology Onboarding Program to implement an internal, centralized process to assess new technological investigative tools that includes evaluating privacy and legal considerations. ETHI also recommended the government create a list of banned spyware vendors. The government’s response recognized the need to have clear rules over surveillance technology, but did not respond specifically to the recommendation for a list outside of the regular export regime.
156. In March 2023, Public Safety “renewed” the lawful access policy discussions with a presentation to DMNS. According to Public Safety, there was no particular impetus that prompted the renewal of discussions at this table. Officials noted that “policy work on lawful access at the working level never stopped,” and acknowledged that “growing concerns of gaps in the investigative tool kit *** played a part.” Footnote 353 Public Safety’s presentation took stock of the challenges and sought views on a strategic plan to address them. The challenges were access to BSI, access to metadata, interception, computer network exploitation, and international cooperation. Public Safety proposed three elements as the potential way ahead: build conditions for success by addressing transparency, credibility, and coordination gaps; introduce legislative proposals which could include capability requirements for CSPs; and *** ratifying the Council of Europe’s 2nd Additional Protocol to the Budapest Convention on Cybercrime. Footnote 354
157. Unlike the 2016 green paper, the renewed lawful access policy discussion did not include data retention. According to Public Safety, it has been “monitoring the development of data retention policy in other international jurisdictions since 2016” and it states that “data retention is still part of the lawful access policy conversation today,” with policy work focused on “potential legislative reforms ***.” Footnote 355
158. In May 2023, the National Security Transparency Advisory Group (NS-TAG) Footnote 356 held a meeting with civil society, academia, and national security departments and agencies on “Emerging Technologies and Digital Tools in the Protection of National Security.” According to the summary report, Public Safety experts briefed the members of NS-TAG on the development of a transparency framework for digital investigative capabilities (i.e., the ability by security organizations to access information of targets being held by CSPs). Footnote 357 The summary of the meeting does not include any recommendations on a way forward.
159. In June 2023, Canada signed the Council of Europe’s 2nd Additional Protocol to the Budapest Convention on Cybercrime, which provides “a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for BSI, effective means to obtain BSI and traffic data, immediate co-operation in emergencies, mutual assistance tools, as well as personal protection safeguards.” Footnote 358 After Canada signed the 2nd Additional Protocol, DoJ conducted stakeholder consultations, including with provinces, territories, and privacy commissioners. Footnote 359 The consultation asked “what type of authorization (e.g., judicial or other) Canada should require” for foreign investigators to obtain various types of data from Canadian CSPs, and “whether Canada should opt out of permitting direct access” by foreign investigators “to subscriber information held by Canadian [CSPs].” The Office of the Privacy Commissioner believes Canada should opt out, and that Canada’s implementation of the 2nd Additional Protocol should require a Canadian court order for all foreign requests. Footnote 360
160. As noted in Chapter 2, in March 2024 a majority of the Supreme Court found in R v Bykovets that there is also a reasonable expectation of privacy associated with a person’s IP address. Footnote 361 In response to this decision, Department of Justice officials revisited “the issue of lawful access to subscriber information and [examined] possible solutions to address some lawful access challenges in the short-to-medium term.” Footnote 362 The Minister of Justice indicated that he was open to examining the possibility of a reasonable grounds to suspect threshold for BSI. Footnote 363
161. In July 2024, NS-TAG released a report entitled “The Digitization of National Security: Technology, Transparency & Trust.” Footnote 364 The report noted its concerns about the national security and intelligence community’s lack of transparency on data management and its use of metadata. It also flagged concerns about the government’s position on encryption, noting that “if national security require[s] that encryption must indeed be weakened, either by making it ‘breakable’ or through back doors, a number of safeguards will have to be prepared, including the rapid, if not automatic diffusion of information to the public about breaches and the close oversight and reporting of law enforcement use….” Footnote 365 The report calls on the government to engage with Canadians on “the needs and the risk of police or security intelligence decryption capabilities,” and provide “fully intelligible justifications for policy decisions regarding cryptography…[including] complete information on the actual impact of encryption on national security, well beyond buzzwords such as ‘going dark.’” Footnote 366
162. As of November 2024, Canada and the U.S. continue negotiations for a Canada-U.S. Data Access Agreement, *** Footnote 367 *** Footnote 368 *** Footnote 369 In July 2024, the Minister of Public Safety and the Minister of Justice met their U.S. counterparts in Washington, D.C. The U.S. Attorney General acknowledged consensus on most of the agreement with a few important issues to be resolved, and the Minister of Justice reiterated Canada’s interest in concluding the agreement, noting that he believed the remaining issues were surmountable. Footnote 370 *** Footnote 371
163. In October 2024, ETHI tabled a report about the Federal Government’s Use of Technological Tools Capable of Extracting Personal Data From Mobile Devices and Computers, which focused on government-issued devices. While not expressly focused on lawful access per se, the report reiterated five recommendations ETHI had made in its 2022 study of the RCMP's use of ODITs, including the recommendation that the government amend the Privacy Act to require government institutions to conduct privacy impact assessments before using high-risk technological tools and submit them to the Office of the Privacy Commissioner for review. Footnote 372