The lawful access bill would compromise the privacy of Signal’s users, but could also create vulnerabilities hackers could exploit, Udbhav Tiwari, Signal’s vice-president of strategy and global affairs, said. Kiichiro Sato/The Associated Press
A senior executive at secure messaging service Signal told MPs Tuesday that the federal lawful access bill includes “chilling” proposals that could force his company to rewrite its code, dismantle robust privacy architectures and design surveillance into its systems.
Appearing via videolink before the Commons public safety committee, Udbhav Tiwari, Signal’s vice-president of strategy and global affairs, said the company would withdraw from Canada rather than comply with the bill.
Mr. Tiwari warned that the lawful access bill would compromise the privacy of Signal’s users and could also create vulnerabilities that hackers could exploit. As currently worded, the bill would force the tech company to collect metadata about its customers that it does not currently possess.
“C-22 creates an open-ended power to compel a company to re-engineer its own service to enable government access,” he said. “Once you build a mechanism to break your own protections, that mechanism exists, and it can be identified and exploited by anyone with the time and resources to do so.”
“As security experts have warned for over 30 years, there is no back door that only the good guys can walk through.”
The bill would require telecoms, internet companies and other electronic service providers to make changes to their systems, thus giving surveillance capabilities to police and the Canadian Security Intelligence Service to combat threats and criminal activity.
Signal runs on its own centralized servers. The company says the only user data it stores are phone numbers, users’ last login information and the date they joined the service. Users’ own contacts, chats and other information are stored on their individual phones.
But Bill C-22 could lead to electronic service providers being directed by the Public Safety Minister through a secret order to retain their customers’ metadata for up to a year.
Signal was asked to send a representative to testify before the committee after The Globe and Mail reported last month that the secure messaging service, which uses end-to-end encryption, would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22.
Mr. Tiwari confirmed to MPs that this is still Signal’s plan, unless the government amends the bill to make clear that companies would not have to collect data about customers beyond what they currently do, while introducing an explicit protection for encryption.
Public Safety Minister Gary Anandasangaree has indicated he is willing to accept amendments to the bill, including to protect encryption. But he has suggested he will not budge on the metadata collection requirement.
Mr. Tiwari told the Commons committee that, through the bill, the Canadian government would “compel us to construct the very surveillance apparatus we have refused to build.”
“Do not let the word ‘metadata’ reassure you. Metadata is the 2 a.m. phone call, the clinic you contacted, the lawyer you retained, the organizer you met and the journalist you trusted,” he told MPs.
“A mandate to retain it would build a gold mine of intimate data when none exist today, sitting ready for any foreign adversary or criminal who breaches it. A back door built for the good guys is simply a vulnerability waiting for the bad guys to find it.”
At the committee meeting, Conservative public safety critic Frank Caputo argued for more time to examine witnesses before MPs move to discuss amendments Thursday. He complained that briefing papers submitted to the committee, including ones with proposed amendments, had not been given to members to consider before they moved on to amending the bill.
The committee’s chair, Liberal Jean-Yves Duclos, said several briefings had been held up by a logjam in Parliament’s translation services.
The missing papers included a written briefing from the Canadian Bar Association, which also sent a representative to testify in person on Tuesday. Christiane Saad, who chairs the association’s privacy and access law section, expressed concern that the bill could expand state surveillance powers without evidence of necessity, adequate safeguards or sufficient judicial oversight.
Alexander Surgenor, counsel at the Canadian Constitution Foundation, also expressed misgivings about the retention of metadata relating to “entirely innocuous and inherently private comings and goings of ordinary citizens.”
“Up to a year’s worth of movement, communication, work in ordinary life would be preserved for review, while the private citizen, of course, is kept completely oblivious as to this occurring or not,” he said.
Matt Hatfield, executive director of OpenMedia, a non-profit that advocates for widespread and affordable internet access, told the committee that “the government wants to have a filing cabinet of every Canadian’s metadata ready for law enforcement when they need it.”
Conservative MP Rhonda Kirkland asked Mr. Hatfield about Mr. Anandasangaree’s assurance last month to the committee of MPs that the bill is “encryption neutral.”
“There is no such thing as encryption neutral,” Mr. Hatfield replied, adding that the bill “would damage encryption’s purpose very severely.”
Khaled Alqazzaz, executive director of the Canadian Muslim Public Affairs Council, warned that refugees who have fled repressive regimes, and who are “under extreme pressure and surveillance by foreign state agencies,” could be affected by the bill’s new powers. He said it could lead to foreign states seeking information about people who have found a safe haven here.