Bill C–22 Can Be Corrected ⇥ thestar.com

Justin Ling, the Star:

Yet Bill C-22 doesn’t mandate backdoors nor force companies to introduce any. It explicitly states the government cannot compel companies to introduce “systemic vulnerability” into their services. And it doesn’t give cops or spies new authority to intercept Canadians’ communications; it simply creates a process enlisting companies to help out with doing so.

Ottawa is now scrambling to correct the record. Anandasangaree will reply to the Republicans, conveying “this legislation does not provide for indiscriminate access to devices or communications and does not require companies to weaken encryption and introduce so-called ‘backdoors,’” according to a spokesperson. (The U.S. and the U.K., they also noted, already have these powers; Signal hasn’t withdrawn from either country.)

So the bill is not quite the nightmare some have made it out to be. But there are still some big issues.

Whether Signal is crying wolf or simply believes the laws in those countries are strong enough to prevent mandated backdoors is a good question. In the U.K., for instance, Ofcom is not allowed to require a backdoor, but it is empowered to tell providers to weaken encryption for some without compromising the privacy of their platforms for all when “feasible technology” exists to do so. On the one hand, that technology probably cannot exist; on the other hand, Signal is banking on a privacy-friendly interpretation of that law if it is ever tested.

Apple, meanwhile, has not returned Advanced Data Protection to the U.K. despite the U.S. Director of National Intelligence’s claim that efforts to compromise its encryption have been withdrawn. This demand was made under a different law that, I suppose, Signal must not feel is immediately threatening.

Bill C–22 does, as Ling writes, provide an exemption for instances where compliance with interception demands would “require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability”. This is the same language as appeared in the Strong Borders Act proposed last year, though C–22 has new powers requiring the retention of metadata. It seems to me that a systemic vulnerability — one that “creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so”, according to this bill — might not be found in something like metadata retention, which is what apparently concerns Signal.