Just as Bill C-22, the Lawful Access Act, is under study at the House Standing Committee on Public Safety and National Security (I review my appearance yesterday in this post) U.S. Congressional leaders have written to Public Safety Minister Gary Anandasangaree warning that the bill threatens to harm “U.S. national security and economic interests by undermining trust in American technology and inviting reciprocal demands from other nations.” The message is clear: U.S. leaders are concerned that lawful access demands go so far as to compromise the privacy not only of Canadians, but of Americans too.
It is a safe bet that co-authors Jim Jordan, the chair of the House Judiciary Committee, and Brian Mast, the chair of the House Foreign Affairs Committee, did not suddenly become concerned about Canadian privacy. But when a Canadian bill would “drastically expand Canada’s surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans,” that is bound to draw attention. Their core concern is that the bill could compel U.S. technology companies to build backdoors into their encrypted systems, introducing systemic vulnerabilities for users in both countries.
As I’ve previously posted, the provisions in question are part of the Supporting Authorized Access to Information Act (SAAIA), the second half of Bill C-22. Providers would be required to develop, implement, assess, test, and maintain operational and technical capabilities to allow authorized persons to access encrypted data and information. The bill includes a non-compliance caveat where compliance would introduce a “systemic vulnerability,” but the letter correctly notes that the term is “vague and ultimately subject to a future regulatory process.” They also flag the secret ministerial order power in clause 7(1), under which the Minister can issue targeted demands to providers that are subject only to Intelligence Commissioner review and kept confidential by design.
The chairs are not pulling punches on what those obligations mean in practice. They warn that “providers offering end-to-end encryption services will inevitably face directives to create backdoors and architectural changes that bypass or weaken encryption to enable ‘lawful’ interception or data extraction.” They invoke the UK’s secret 2025 Technical Capability Notice to Apple, which led the company to disable Advanced Data Protection for UK users rather than build a global backdoor. Their concern is that “a backdoor built to satisfy one government’s demands inevitably becomes a target for adversaries.”
I raised similar thoughts yesterday, warning that U.S. providers may withdraw privacy enhancing services from Canada or exit the Canadian market altogether rather than re-engineer their global products to satisfy Canadian capability orders.
The letter makes the same point in plainer terms: “American companies operating in Canada would face a difficult choice: compromising the security of their entire user base – including U.S. citizens – or risking exclusion from the Canadian market.”
Canadian officials have insisted that Bill C-22 does not undermine encryption and that it brings us into line with our five eyes partners. But it is clear that many, now including U.S. congressional leaders, disagree. Bill C-22’s privacy and security risks have been the subject of many posts over the past few months but this latest warning suggests that the possibility of a U.S. response to opposition to Canada’s lawful access plans is another risk to consider.
The post U.S. Congressional Leaders Warn Canadian Lawful Access Plans Harm U.S. National Security and Economic Interests appeared first on Michael Geist.