Canada’s Lawful Access Act is a backdoor by another name

 · Hamilton Spectator
Canada’s Lawful Access Act is a backdoor by another name

The new police powers bill tabled by Public Safety Minister Anandasangaree is slimmer and more targeted than the first go-around, but it’s every bit as fraught as the last time.

Bill C-2 was removed last fall after civil liberties groups, the opposition, and privacy experts flagged it as an unprecedented surveillance overreach. In the standalone bill revealed last week, the core problems remain unresolved and even expanded.

The new version of the Lawful Access Act would still break encryption, grant CSIS surveillance powers exceeding those available to police with less judicial accountability, and legally prohibit companies from disclosing when the government demands access to their systems.

Start with encryption. Part 2 requires electronic service providers to build and maintain “operational and technical capabilities” enabling government access to communications. A carve-out exists for “systemic vulnerabilities,” but it is legally hollow — covering only vulnerabilities that enable unauthorized access. A government-mandated interception capability is, by definition, authorized. 

Encrypted messaging platforms like Apple’s iMessage and Signal have made it clear there is no technically feasible way to build “lawful” access into encrypted services without breaking encryption for everyone. There is no backdoor that admits only the right people while keeping the bad guys out.

The EU’s chat control proposal made the same argument for years, maintaining that mandatory scanning of encrypted communications could somehow be surgical and limited. The UK tried its hand at a similar encryption-breaking law last year to a similar outcry. Security researchers, cryptographers, and data protection authorities have consistently rejected the “limited encryption” argument because it is just demonstrably false.

We know this for a fact in the wake of the Salt Typhoon attack. Chinese state-sponsored hackers spent years inside the networks of at least nine major American telecom companies, accessing metadata from over a million users and recording calls of senior officials. 

Their entry point was the government-mandated wiretapping infrastructure built into American networks under a 1994 law that the hackers were easily able to exploit. US Senator Mark Warner called it the worst telecom hack in U.S. history, and it even spread here: a still-unnamed Canadian telecom was breached by the same group in February 2025. What Parliament is now proposing is to make every Canadian device just as vulnerable, which would impact ordinary citizens, businesses, and even the government itself. 

The CSIS provisions raise separate concerns. The intelligence service would be allowed to forcibly request “confirmation-of-service demands” of telecom and tech companies without judicial warrants or due process, giving them extra powers beyond equivalent Criminal Code tools available to police. 

Emergency powers exist for good reason, but they carry time limits and judicial review for a reason. Expanding CSIS’ abilities and tools beyond those of police, without equivalent procedural safeguards, warrants serious parliamentary scrutiny and more public attention.

The bill’s confidentiality provisions are equally troubling. Tech companies and telecoms served with a ministerial order cannot inform their users, investors, or the public when they receive these requests. Anonymized transparency reporting, which is the gold standard used by most global tech companies, would be prohibited in Canada. This is a secrecy regime that has no precedent in Canada. Consumers cannot make informed choices about their digital services when the legal obligations on those services are classified.

Parliament should return to the drawing board by explicitly protecting end-to-end encryption. Every agency requesting information on our data should be required to get judicial authorization before emergency access powers are invoked. Companies should also be allowed to continue publishing anonymized transparency reports showing Canadians how much data their government is requesting from service providers.

The tools for lawful, targeted, court-supervised access already exist in Canada like in other western parliamentary democracies, and law enforcement should be empowered to use them within the guardrails of our Charter and Constitution. 

This would give the government the authority it needs to fight crime while still protecting the technology every Canadian relies on. 

But expanding state authority at the direct expense of the security it claims to provide is not a solution that Canadians deserve or should tolerate.

Yaël Ossowski is deputy director of the Consumer Choice Center.

Originally published in the Hamilton Spectator (archive #1)