A Google logo at the Vivatech fair in Paris in June, 2023. Google has joined Meta and Apple in urging the government to make changes to Bill C-22. (ALAIN JOCARD/AFP/Getty Images)
Google is warning that the government’s lawful-access bill would establish a “surveillance infrastructure” that risks compromising cybersecurity in ways that could facilitate foreign interference, while weakening its users’ privacy.
In a submission to the House of Commons committee scrutinizing the bill, Google said it is committed to supporting efforts by law enforcement and Canada’s intelligence agencies to protect the public against crime and terrorism.
But it said that should be done “without engineering vulnerabilities into products and services that weaken security for all users.”
Meta and Apple have already urged the government to make changes to Bill C-22, which would require “electronic service providers” in Canada to adjust their systems to give surveillance and monitoring capabilities to police services and the Canadian Security Intelligence Service.
CSIS and law enforcement have long argued that Canada is lagging behind its Five Eyes intelligence partners in not having such a lawful-access regime to aid investigations.
But the latest attempt to pass a bill in Canada has faced steep opposition, including from secure-messaging app Signal, Canadian tech companies, privacy advocates and civil liberties groups.
Google, in a brief submitted to the Commons public safety committee, said it has “significant concerns” about parts of the bill, including wording that “gives the Minister of Public Safety sweeping powers to issue secret orders” to facilitate the interception or retrieval of data.
“Secret Ministerial Orders would severely restrict companies’ ability to engage transparently with users, undermining the users’ trust and ability to hold companies accountable,” Google said in its submission.
It added that the definition of an electronic service provider is so broad in the bill that secret ministerial orders could be directed at “almost any entity operating in Canada.”
The Canadian Chamber of Commerce is among those to have warned that the bill has potential to weaken companies’ defences against cyber attacks.
Google said it has concerns the bill could compromise security, arguing for an amendment to explicitly safeguard encryption, part of a suite of security mechanisms it uses to protect data.
“The lack of explicit protection for end-to-end encryption may also undermine the ability of companies to deliver best-in-practice security controls and technologies to enterprises, including governments, small businesses, and critical infrastructure,” it added.
The bill says that an electronic service provider would not be obliged to comply with ministerial orders or regulations if doing so would require the company to introduce a “systemic vulnerability.”
But Google said the bill’s definition of a systemic vulnerability is “unduly narrow, creating significant security risks.”
“Without a stronger definition of ‘systemic vulnerability,’ the law could be used to decrease overall user security, by creating backdoors that would break end-to-end encryption and create significant cybersecurity risks, facilitating foreign interference and weakening global user privacy,” it warned.
“Google has never built a backdoor or other mechanism to circumvent end-to-end encryption in our products. If we say a product is end-to-end encrypted, it is end-to-end encrypted,” it said.
The tech giant also warned the bill could undermine efforts by companies “to adopt privacy-enhancing technologies,” and could even force companies to deliver products found to have security or privacy flaws, or bugs.
“Creating new surveillance infrastructure would give rise to additional security vulnerabilities for users, would undermine user trust, and would pose potential conflict of laws issues,” Google added.
Bill C-22 could force electronic service providers – such as phone companies, messaging apps and tech companies – to retain metadata relating to their customers’ activities for up to a year.
The metadata would not include e-mails, web-browsing history, social-media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
Cybersecurity and tech experts have warned that storing so much metadata could create an enticing target for hackers, including those acting on behalf of malevolent foreign regimes.
In its submission, Google says the requirement “may result in the extensive retention of metadata about users who are not reasonably believed to be associated with criminal activity.”
Google proposed that the government strike out the obligation to retain metadata for up to a year.
In its submission to the Commons committee, the Canadian Telecommunications Association, whose members include Bell, Rogers, SaskTel and Nokia Canada, called for a number of “improvements” to the bill.
The association expressed particular concern about the requirement to significantly expand the “volume and sensitivity of data held by private sector entities about individuals who are not suspected of any wrongdoing.”
It said the approach “raises important security and privacy considerations.”
The requirement to store so much data, it warned, would expand “the potential attack surface for cyber threats and increases the consequences of any breach.”
“As recent incidents across both the public and private sectors have demonstrated, no system is immune from compromise,” the association added. “The most effective way to reduce risk is therefore to limit the amount of sensitive data that is collected and retained, and to ensure that retention periods are no longer than necessary.”
The federal government has said the bill will not affect Canadians’ Charter rights, compromise privacy or lead to mass surveillance, but Google’s is the latest call to narrow its scope.
The U.S. has a lawful-access law that is not as broad as the powers proposed in Canada’s bill. It requires telecom companies and internet service providers to design their networks to facilitate government wiretapping, but it does not apply to “electronic service providers” or require metadata to be stored for up to a year.
Earlier this month, senior government officials indicated that Public Safety Minister Gary Anandasangaree is preparing to accept amendments to the bill to address concerns that have been expressed.
In an on-the-record briefing with The Globe and Mail, Shannon Hiegel, director-general of national security policy at Public Safety Canada, said: “The minister’s open for new ideas.”
