Ottawa’s building a backdoor to slide into our personal online data

[00:00:01]This episode is brought to you by Fox 1.

[00:00:04]Watch all 104 matches of the FIFA World Cup live in 4K for just $19.99 a month with 3 days free. Build your own multi- view. Choose up to three streams and follow player spotlights. Stay on top of every moment with live stats, highlights, and instant replays. The FIFA World Cup streaming live on Fox One. Offers are subject to change. See fox.com for complete terms and conditions.

[00:00:31]Need a laptop that's built to perform and designed to last all day? Select Windows 11 PCs starting at $499.99 are now at Best Buy. Learn more at best.com.

[00:00:42]Best Buy. Imagine that.

[00:00:45]>> Adobe Firefly is the all-in-one creative studio with AI powered image and video editing for today's creative process.

[00:00:52]Built for creators of every kind, Firefly helps you generate, edit, and experiment fast. Because the asks aren't getting smaller, the budgets aren't getting bigger, and the timelines, oh yeah, still tight. With all the best creative AI models in one place, Firefly brings your ideas to life. Unlock a better way to make with Adobe Firefly.

[00:01:17]Bill C22. It is the government's attempt to give Canadian police law enforcement what they call lawful access and it's become quite political hot potato. Hi, I'm Brian Lily. Welcome to the Full Comment Podcast. I'm your host and today we're going to try and peel back a little bit about what Bill C22 attempts to do and why some people are so opposed to it. It's a complex bill.

[00:01:42]It's one that the government has tried more than once. In fact, early in Mark Carney's mandate, they introduced Bill C2. That was a bill that many felt went too far. The government took the summer last year and decided to try again. That is what brought us to Bill C22. It's an attempt to say that police are able to access data, information about you that may come from an electronic service provider, a telecom company, an internet provider, a an app that you use online.

[00:02:15]Is this a violation of your privacy?

[00:02:18]Quite possibly. Is it legitimate? Again, quite possibly. To get the pro side on why this legislation is needed, we're going to speak to Richard Fatten. He is the former director of CEUS, a former national security adviser to Prime Minister Steven Harper and to Prime Minister Justin Trudeau and a deputy minister many departments over the years and someone who understands what the government is trying to accomplish and supports it. We reached him in Ottawa.

[00:02:48]So, let me start with asking you what is the reason for Bill C22? We we we started with Bill C2. uh that went away quickly. Um the government decided that that they would put that on pause and they said, "Oh, okay. We we got this wrong. Let's redo it." But what is the the basis for why law enforcement and national uh security says we need Bill C22?

[00:03:16]I think at its very essence uh it's based on the fact that both law enforcement and uh CESUS have to deal with increasingly sophisticated adversaries, state, non-state criminal groups. They are in many ways very difficult to find. They're very difficult to get a latch on to. And with the uh increase in technology across the board, one of the things that they need, I think, to help them identify and get a a hand on people is if they have reasonable grounds to suspect. And that's an very very essential first part of all this. You can't just get up in the morning, whether you're police or ceus, and decide that Dick Fatten or Brian Lily are going to be this the the object of an investigation. You have to have reasonable grounds to suspect that a crime has been committed or that it falls within CEUS's mandate. You want to figure out more information. You want to find these people. So basically, CEUS and the uh law enforcement crew want to be able to ask telecommunications and internet providers whether Andre Pru, for example, whose reasonable grounds to suspect is a reprobate, uses that particular provider. Once they know that provider is uh a has a client, they can then go to the court go to the courts and ask for a production order asking for all sorts of information. It may seem simple, but if you think about the number of telecommunications and internet providers that are available to people, being able to narrow down as quickly as you can who is providing the service to enable a a court order request is very, very helpful.

[00:05:06]>> But does this go beyond what we currently have in terms of, you know, going before a judge asking for a warrant? um does it lessen the protections that are currently there? Um you know, my understanding is that uh um it drops it down to reasonable suspicion. Um I is is that lessening the protections that are there for individual citizens?

[00:05:35]Well, I guess it does at one level because you don't have to go in front of a judge, you know, with the usual paperwork and whatnot, the sworn deposition saying that you want access to why.

[00:05:45]I would argue that in this day and age, uh, the the information that they're seeking, whether or not a single individual is accessing a telecommunications provider, does not constitute a material violation of an individual's privacy, particularly when both law enforcement and CES have a whole range of protections built into their systems already. So technically, yes, it means the judge doesn't have to bless this initially. I personally don't believe that's a material assault on an individual's privacy.

[00:06:19]So finding out that I am you know having a conversation with you online via signal or WhatsApp or you know what whatever encrypted technology is there uh you know the police being able to access that that's not a violation of my privacy.

[00:06:43]>> Yeah it is. I agree it is. We could do it before with a judge. Now the only difference is you don't have to go to a judge. You still have to have reasonable suspicions that a crime has been committed or that you're following within ceases ambit of investigation. I don't think given the environment and I think this you know a lot of people you know privacy organizations people who worry about the charter I think raise entirely legitimate issues but on the other hand you have increasingly sophisticated adversaries who can hide very effectively from law enforcement and ceases. This is just one small way of giving them a bit of an advantage in dealing with all these adversaries. If there is a reduction in privacy and I think there is in a micro I think it's microscopic. I think on balance it's sufficient support to law enforcement and national security to be warranted.

[00:07:32]>> So is it more of a national security issue? Is it more of a crime issue?

[00:07:37]What? Like what what crime um what you know violation of the law is this trying to solve that doesn't already exist in in terms of what police and uh investigators are are able to accomplish? What what can't they do now that this law is trying to fix? What it enables them to do at one level is to on the basis of their own internal procedures and police and CEUS would have different procedures. They can request they can demand from a tele telecommunications company a yes and no answer to the question is X your client.

[00:08:20]It's enabling them to do that without going through the full paniply of judicial authorization. Another part of the bill uh which you may or may not want to talk about basically says that telecommunications and internet providers have to organize themselves to be able to respond to these requests which is not the case today.

[00:08:43]>> So right now they can just ignore those requests.

[00:08:46]>> They can or you can go to court get a court order and say I want access. But if that particular company is not organized in such a way that they can respond to the court order, there's nothing that can be done.

[00:09:01]>> One section of >> What do you mean by that? I'm I'm I'm not sure I understand that.

[00:09:05]>> Well, I'm not a as you know, I'm not an engineer, but basically it means that various telecommunications and internet providers organize themselves in different ways. Uh some keep data for, you know, a fairly lengthy period of time. Some don't keep information at all. It's all a question of how they organize the information that they have about their clients. And if they aren't organized in such a way as to be able to respond right away, then the the official answer is I'm sorry, we can't help this legislation or a part of this legislation says this is all very well and fine. Law enforcement and national security is sufficiently important. You have to organize yourselves in such a way that you can respond to production orders. Now, there's a provision in there that says that they cannot be required to do anything in a technical sense that would endanger uh the security of their system in the sense that it would make it easier for people to access privacy information outside of the framework set out in the law.

[00:10:06]A and yet that is one of the uh claims that all of the tech companies, all of the telecom companies are making is that if you require them to hold this information that it will obviously in their view make it easier for uh for some u you know for a criminal element let's say organized crime to go in and say ah aha we know they have this information now let's go find it there.

[00:10:36]>> Well, I I acknowledge that that's one of the things that they're arguing, and I suppose at a purely logical level, that's true. But no criminal or national security threat with two brains to rub together is unaware that these companies have significantly or wellorganized databases with consumer information, with client information. All this is doing, I guess, is flagging a little bit more directly the fact that this exists.

[00:11:03]I understand I guess at one level that the companies don't want an additional burden imposed on them. It means they're going to have to worry about this in a slightly different way. I come back to the view and this may be by professional malfformation in national security that privacy and national security has to be balanced. Both are important. I think this bill sets out a standard that's entirely reasonable since the core objective is to enable law enforcement and CEUS to protect you and I and Canadians generally. Uh I think aside from the fact that this bill provides for a variety of protections, court orders, the intelligence commissioner has to do a variety of things. We have the full paniply of review. I call it the fog of review in Canada. You know, you have parliamentarians, the court, the minister, the intelligence commissioner. All of these people are going to be monitoring what CEUS in particular is doing in this in this area. So I think the increased risk to individuals is not material. I appreciate people some people feel otherwise. I just would not agree.

[00:12:11]>> I I mean we are all online. We all live our lives online. And to a degree, I think a lot of us just assume that well, the companies and the government already have all of this information.

[00:12:25]>> Yeah.

[00:12:26]>> Is it difficult though for law enforcement to to get this information currently?

[00:12:33]>> Well, it is. You they they could ask. I mean, one of the things another part of this bill does is it confirms in law that CEUS and and law enforcement can ask these companies to provide the information.

[00:12:45]uh it was actually in some doubt given a Supreme Court ruling. So it's not confirmed they could ask for this information. It goes one step further.

[00:12:52]But to your broader point, you know, I don't think today we all have as much privacy as we think we do. And I sometimes think the private sector is a greater threat to our privacy than the government is because the government has a whole raft of protections written into the way they access this kind of information rather less so from the private sector side. So from from my perspective I tend to assume that any privacy that I have is always at risk. I think in this day and age if you don't make that assumption you're probably putting yourself as an individual at risk.

[00:13:30]Let's back out for a moment and talk about what what are the main crimes that we're looking to to deal with here. Is this about human trafficking? Is this about um the scammers that are constantly going around uh you know trying to get you to you know hand over your credit card information? Is this organized crime? What are they trying to accomplish here?

[00:13:54]>> Well, I think there are two sets of answers to your question. On the CESUS side, it's crimes relating to national security, you know, sedition, terrorism, nuclear proliferation, that sort of thing. Whatever CEUS is authorized to do under the CEUS Act, broadly speaking, these C and they're defined fairly precisely in the CESUS Act, it has to fall within one of the one of the uh categories that CEUS is mandated to deal with. They're all fairly serious. On the law enforcement side, basically, if I understand the legislation correctly, it does not specify which category of crime is to be dealt with. It says that if there's a criminal if there's a criminal offense set out in the criminal code or another statute that creates a criminal offense, then the police are authorized to use this legislation. So it could be something as terrible as child pornography as money laundering uh or something as mundane as a international criminal group trying to access our bank accounts and everything in the middle. The law does not specify in any detail what kind of crimes it's meant to deal with.

[00:15:06]We've seen the uh you know there's been some push back on this and you know when the government still had a minority um they walked away from C2 the original iteration of this then they brought in C22 still while they had a minority uh the conservatives are saying well we'll help you pass it quickly if you split the bill in two and there's a lot of talk from the the tech sector about part one and part too. Do you see, you know, what h how do you view that in terms of because I think most Canadians are looking at this and saying, "I'm not quite sure what part one and part two are. I'm not quite sure uh what the fight is about." Do you see a difference between part one and part two the way that the politicians do? Well, I think part one basically sets out the regime whereby um the police and CESUS is allowed for lawful access. They can ask for they can demand information. You know, there are details, but that's fundamentally what part one is doing. Part two deals with the telecommunications and the internet internet providers and it's the one that says they have to organize themselves in such a way that they can execute production orders. it sets in place a number of review mechanisms, judicial review and whatnot. I think the two are related.

[00:16:32]Um I understand that a number of telecommunication companies have expressed real concern and the concern is really about part two because it's the part that requires them to organize themselves to be able to comply with the production order. And this is the part where uh Apple says if this goes through they they will not comply or they may not offer all of their services going forward. U Meta has said the same thing.

[00:16:57]>> Yeah, I don't quite understand what the from their perspective what the concern is. Uh this particular approach to the law is not unique to Canada. I mean all of our close allies have something similar. They may or may not call it lawful access. But there are means of accessing information. Sometimes just the yes or no whether a service is provided.

[00:17:21]Sometimes a great deal more. You know, if Apple is trying to argue that in the United States the FBI can't gain access to the kind of information we're talking about here, I think they're being disingenuous.

[00:17:35]>> I mean, the Americans have said that this bill is problematic. They have said that um this is you know a couple of members of Congress have said this is an assault on uh American companies. But you you know and you know I I I trust you Dick. I mean you you know this stuff better than I do. Uh you you say that the FBI would be able to access similar information.

[00:18:00]>> That's certainly my understanding. I mean, if you think about it in a uh, you know, sort of a holistic sort of way, the information that we're talking about is, I don't think, particularly a great threat to privacy and asking large telecommunications companies to organize themselves in order to comply with court orders.

[00:18:22]Uh, in this case, I don't see the problem. Now in various countries sometimes the the the institution can ask for the information without a court order. In some cases there is a court order. Procedures vary a great deal between say the five eyes or NATO. But broadly speaking our allies have provisions in their legislation that allow for access.

[00:18:44]Uh I think it varies in respect of the extent to which they can require companies to organize themselves. You know to be honest I don't remember the details. I've been out of this life for a while, but I have difficulty understanding how a country like the United States so concerned about national security legitimately would say that the FBI, which is sort of our our equivalent of ceases, cannot talk to companies and so to say, look, you got to organize yourselves to provide us with information that we seek in pursuit of our national security or our criminal law mandates.

[00:19:20]>> All right. Uh, thanks very much for the time today.

[00:19:24]>> My pleasure. I hope I made a little bit of sense. It's a complex area to be honest and I think Parliament and the various organizations are right to push it through. But I come back to my initial point. The adversaries that these organizations have to deal with are very sophisticated. And I think sometimes we forget how sophisticated they are when we look at the tools that our law enforcement and CEUS organizations require. When we come back, the opposite view. Why are people opposed to the bill? We'll speak to Natalie Campbell from the Internet Society about that.

[00:19:59]>> Choice Hotels get you more of what you value. Here's a little tune to help you remember. Same drive, different day.

[00:20:07]Don't you wish you were getting away?

[00:20:09]Pack your bags and come on through.

[00:20:12]Texas, Ohio, Alaska, we're up there, too. Comfort in, it's calling your name.

[00:20:19]Save on the stay. Oh, and free waffles are yours to claim. Well, I hope you like my little song book direct at choice hotels.com.

[00:20:30]>> Starting a business can seem like a daunting task. Unless you have a partner like Shopify, they have the tools you need to start and grow your business.

[00:20:38]From designing a website to marketing to selling and beyond, Shopify can help with everything you need. There's a reason millions of companies like Mattel, Heints, and Allirds continue to trust and use them. With Shopify on your side, turn your big business idea into Sign up for your $1 per month trial at shopify.com/special offer.

[00:20:59]>> This episode is brought to you by Starbucks.

[00:21:01]>> That is fire. Wo, that's good.

[00:21:05]>> This might be the drink of the summer.

[00:21:06]>> Okay, I like this one, too. I'm rocking with it. Okay, >> try it for yourself. Starbucks refreshers concentrates are coming home.

[00:21:12]Find them in the coffee aisle and make it yours.

[00:21:18]>> There were so many missed opportunities to catch this before the devastating thing happened.

[00:21:24]>> A third of them we found literally in the phone book. These people were not afraid. They knew that nobody was effectively hunting them. They knew they had escaped justice, that they were going to die in their beds.

[00:21:37]>> When I give talks at law schools is that the charter ultimately is empowering a minority. And it's empowering a minority. That's a guild across the country. And it's a fairly elite guild.

[00:21:45]And the guild is lawyers.

[00:21:46]>> Families who were split by referendum and uh brothers and sisters who never talked to each other for years after the referendum because they were so angry at each other because of emotions on both sides. The reason he was assassinated was not because he was trying to put a satellite into space, but because the gun that he was creating had other applications that made him and the gun very dangerous.

[00:22:14]>> It's finally here. A new season of Canada Did What? Post Media podcast that revisits the big Canadian political events you might think you remember and tells you the real story you never knew.

[00:22:26]I'm Tristan Hopper. The voices you just heard are from our brand new season 2.

[00:22:32]We will unpack some of the pivotal moments that help define our country.

[00:22:35]Often without a vote, usually without a plan, and sometimes without anyone admitting what they've done. We'll find out how Canada became a welcoming paradise for untold numbers of Nazi war criminals after the Second World War. We let them build monuments to their wartime exploits and even ended up honoring a Nazi fighter in the House of Commons. And I'm sorry to say that none of that happened by accident. We'll bring you the little known story of a troubled Canadian rocket scientist who turned to a sinister life of selling giant guns to terrible people. And if that sounds like a spy novel, it ends like one, too. You'll hear the behind-the-scenes story of Quebec's attempted secession from Canada and how very close we came to a political crisis that would have made Brexit look like a picnic. You'll hear about how the much celebrated Charter of Rights and Freedoms turned into something its creators never wanted, and how many of the most extravagant warnings about the document were all quickly proven true.

[00:23:35]And you'll even hear about how authorities bungled multiple chances to stop the deadliest terrorist attack in our country's history and then proceeded to pretend it never happened. These aren't dusty history lessons. There are stories about power, ambition, madness, and the things about Canada that a lot of people would rather ignore. But not you. You won't want to miss an episode.

[00:23:58]Subscribe to make sure you get all of season 2 starting March 2026 anywhere you get your podcasts.

[00:24:06]There is, of course, a great deal of opposition to Bill C22, including from those who say it goes too far in invading your privacy. There's a great deal of concern around encryption and end-to-end communications that are supposed to be private. Well, to understand that point of view, we reached out to Natalie Campbell. She is the director of government relations for the Internet Society and we reached her just outside of Ottawa at her home. So, Natalie, let me start here. The government initially introduced Bill C2 and then faced a lot of push back. They backed off of that. They brought in Bill C22. Not that those two names aren't confusing in and of themselves, but did they they promised that they would listen to critics of C2 and and get things right? In your view, did they?

[00:24:56]>> That's a really good question. And I'll start by saying that I think it's a good thing um that people are thinking about how we can make sure people can have safe and secure experiences online. And that's part of what the Internet Society works towards. Our mission is to connect the unconnected and to make sure we protect the connected. Um that's one of the reasons that we've been following this bill. when it was introduced as C2 as part of a broader um border security package um we were concerned that the lawful access um to data part of that bill had some pretty significant threats to the foundation of security online which is um our ability to use encryption technologies. Um so the main threat that was in C2 and that remains in C-22 um that we're concerned about is that it creates powers um that would allow the government to order any service in Canada um to um to create back doors to uh information in order to allow law enforcement um to access that information for their purposes. Can you expand on what that is? Because I think a lot of people aren't quite sure about that. I I have a decent understanding of what they're asking from talking to various people in tech companies, you know, be it Meta or or Google or that the different telecoms, Rogers and Bell, which everyone in Canada loves to hate them. Um, but yet they're they're going to be required by these laws to do certain things. explain what you mean by creating backdoors.

[00:26:38]>> Sure. So the as I said the law allows for the government to issue secret orders um that would force services to have to weaken their security to assist law enforcement with investigations to get access to certain information.

[00:26:58]the means that they want to um be able to um force these services to have to comply with um could entail having to circumvent or not use at all in tools like encryption um which essentially ensure that the things that we share online or the communications that we have um are only accessible to those who are intended to have access. Um so we do know that you know from C2 there was an attempt to kind of make sure that there these orders could not create any kind of systemic vulnerability. Um but the problem is that the way systemic vulnerability is defined in C22 doesn't fully protect um against um some of the ways some of the orders that companies might get um that could in fact create systemic vulnerability. And I'll give you an example because we track these kinds of laws all around the world because we know that that's usually where um we tend to spot things that could threaten um people and companies abilities to use encryption.

[00:28:11]Um and we heard a lot of the um a lot of cases where some folks don't um think that there should be a technological way to be able to get access to encrypted information um just for law enforcement.

[00:28:30]Um but the fact is that there's no way to provide access to encrypted information uh in a way that's just for law enforcement. So when we talk about encrypted information, we're talking about everything from using WhatsApp to Signal. Um some of the uh messaging options offered by Apple because they've been quite outspoken about this.

[00:28:55]Are those the general platforms that we're talking about that people might say, "Oh yeah, I use that app." What what what are you talking about in terms of the apps that people are using that might become vulnerable to their private messages or personal data being released to law enforcement without them even knowing and you know perhaps without good reason.

[00:29:21]So this these secret orders could be issued to electronic service providers and the way that isi defined um is uh and the way the government has described who this would apply to is has to be taken in the broadest sense possible um and they've said this could apply to businesses online or apps um that use secure messaging. It could basically apply to anyone. could apply to medical um services, uh video conferencing services, >> my account.

[00:29:53]>> Precisely. And so each and every one of these services um if they're offering private messaging, if they are um having to secure any kind of sensitive data, you can't do that without encryption because encryption is a technology that basically ensures that um the things that we do, the websites that we go to, the communications that we're sharing if encrypted or the data that we're storing um in a lot especially those uh who have those kinds of services that are speaking out against this bill, encryption is core to their service offering. If they're guaranteeing that you know um your information is going to be protected and only you have access, that's because of tools like encryption.

[00:30:36]Encryption scrambles information whether it's internet traffic or personal communications, private communications, it scramles it so that only those with intended access have access. So if I'm sending you a message over Signal, for example, I know that that message can only be understood by myself and the intended recipient, which would be you.

[00:30:57]And that even if Signal tried to get access to uh that transmission, all they would see is scrambled gibberish. Um that is core to their surface service offering. I'm a little surprised by this because Prime Minister Mark Carney was on the board of Stripe prior to entering politics. And for folks that don't know Stripe, it is one of the it is the preeminent I would say uh payment transaction uh provider for online. Um and they use rigorous encryption, they use tokenization, they use all kinds of measures to ensure as you say that you know the transaction that you make with me is not picked up by somebody else and your payment data isn't stolen. So, uh, a company like Stripe that we all rely on to accept payments or to make payments is suddenly going to have to, uh, build in back doors so that police can see things if they want. They're going to have to keep this information for years. I mean th this you know most of us I mean pretty much anyone listening to a podcast if you're I if you're so much of a lite that you're not ever doing an online transaction you're probably not listening to a podcast. So I I'm I feel comfortable in saying those of us involved in this or listening are doing online transactions. Are you saying that those are at risk through this legislation?

[00:32:29]I think that those services could be at risk. Any service could be at risk. It's not This bill doesn't mandate that back doors be created. It gives it gives the government new powers to be able to issue secret orders that could involve forcing companies to weaken security um to either circumvent encryption or to create back doors um to provide access to information that would otherwise be encrypted. So yes, that that could involve um a service that is a service that is um that is securing the banking industry that could that could involve anyone. Um and you know to your point about Stripe and and banking services online I am of a certain age where um when I first started using the internet online banking was not a thing. I've been able to see the internet's development over the decades and to see an online banking um service uh be created, right? Like this this capability didn't exist when I was younger. The only reason that we're able to offer these kinds of service online or do things like online shopping or be able to like store really personal information online is because of technology tools like encryption.

[00:33:48]without it. Like I can't think of a single bank that would um offer this kind of service if they weren't able to trust that there were technology tools that allowed them to guarantee that um customer data and their own private data um could be controlled in terms of access both when it's at rest and storage or when it's being transmit transmitted over the internet. So, I don't think that um you know there's been a lot of broad push back on C-22 because of that very threat to encryption. Um >> it's not just me sending naughty messages to someone on WhatsApp or Signal. It's everything that we do online.

[00:34:33]>> Everything.

[00:34:35]When I think about these, >> by the way, I'm not sending naughty messages. That's just an example.

[00:34:40]>> And I'm not judging if you are. The way that I think about these things, and I'm a mom of two kids, 11 and 13. I am hyper aware of the amount of sensitive information that I rely on the internet to be able to send about my kids, whether it's to their teachers or to healthc care providers or um any range of uh services that I interact with that involve >> email with my doctor.

[00:35:08]>> Exactly.

[00:35:10]Now, >> email is not the the most secure I know.

[00:35:14]>> Yes, that's right. Um, but I couldn't imagine um feeling comfortable sharing any of that kind of information without the guarantee of encryption to give me some amount of control over um who has access to that kind of information.

[00:35:32]>> Let let me ask you this though. You raise valid concerns and I I have some sympathy towards your arguments, but to average people care. I mean, we just went through a pandemic a few years ago where the government decided they could control every part of your life and people said, "Yes, give me more of that." Um, are you a voice in the wilderness in saying, "Hey, look, your stuff could be at risk." And meanwhile, you've got people saying, "Well, I don't care if the government has everything I've got. Um, what do I have to hide?"

[00:36:07]Or, "Well, I thought they had it all anyway, so what does it matter?" What do you say to those people?

[00:36:14]>> Yeah, it's a really good question. And I think regardless of what people feel about what access their government has um can what kind of information their government can have access to, I think the question is is not what kind of government uh what kind of information government should have access to, but who else will have access to this because there's no backdoor that is only ever going to be available to government or law enforcement. A back door is available for anyone in the world to walk through and we know that attackers are finding these quicker than ever. We're at the start of a new era of cyber security where the threats are scarier than ever.

[00:36:57]We've seen how AI tools can not only spot and detect these vulnerabilities.

[00:37:04]Um, you know, it used to be a matter of months, but now they can do so in a matter of minutes and then create code to exploit those vulnerabilities.

[00:37:13]That is downright scary because it only takes one slip up, one back door for an attacker to get in um, and have access to all kinds of information that they could use for nefarious reasons.

[00:37:26]encryption helps protect us against those um attacks. And so um I have a lot of sympathy for the efforts of law enforcement to want to help prevent crime online. I am a mom. I am a citizen who also wants to prevent crime online.

[00:37:44]Um, but what scares me is the thought of creating more back doors and forcing companies who are already struggling to um keep their own system secure without even being forced to engineer vulnerabilities. What scares me is the risk that they're going to have to carry if they are forced to carry additional vulnerability. Um, and I think the exposure that it will create for them is is just it's reckless and it's dangerous and it's going to hurt. It's going to hurt a lot of people.

[00:38:17]>> So, I've spent a lot of time over the years dealing with issues. I'm going to jump to something completely unrelated but then bring it back. So, bear with me, Natalie. Um, issues around gun control. And people will say, "Well, if you're going to have guns, then everyone should keep their guns at the gun range and no one should have their guns at home and then the guns will be secure at the gun range." And I just look and I, you know, cuz I do go target shooting now and again. And I look and I say, "These people have no idea where these gun ranges are. They're out in the middle of nowhere. They're completely remote. And it is basically inviting the criminals to go and raid them in the dark of night and get all kinds of guns very easily. And I look at what we're talking about with the storage of metadata in this bill and the weakening of encryption and it's like, "Hey criminals, come over here. Get all the stuff that you can sell on the dark web at this location."

[00:39:19]Would you say that's an accurate depiction of what could be happening?

[00:39:24]>> I would say that creating lawful access systems is a very lucrative target for cyber criminals. That is 100% guaranteed. Um if you build it, they will come. And if there's forced vulnerabilities um that allow law enforcement to have access to these systems, then those doors are going to be open to anyone that wants in. And there's a lot of criminal organizations around the world that are very well equipped and funded um to find those vulnerabilities and have access. And sometimes it doesn't even take a backdoor to get access. often it's, you know, a so social engineering attack, fishing email is enough to um to uh enough of a slip up to to let an attacker in. Um but we do know that for sure when you create uh these kinds of capabilities, it does get on the radar of these criminal organizations and it it's too juicy to try and pass up. Um, and the other point I would make on that is that, um, we've seen this happen before. There's, uh, I think it was a few months ago the FBI revealed that they had a breach to their own wiretap system. Um, and this was through >> wiretapped.

[00:40:50]This was attackers got in through a third party um to a wiretap system um that revealed potentially information of different targets um and everyone associated with those targets.

[00:41:04]>> So this is a a a real threat to the services that we get. Is it a fair tradeoff in terms of what law enforcement says they need?

[00:41:13]>> A fair trade-off to who? Well, in terms of we're we're making it easier for police to uh to catch criminals, to deal with organized crime, to deal with terrorism, is that a fair trade-off?

[00:41:27]>> That's a really good question. Um, when I think about what how law enforcement um are going about um seeking access to this information, I think about the vast amounts of information that are already available.

[00:41:46]Um, and I think it's definitely we're thinking about how can we better equip law enforcement to make use of the information that currently exists. A lot of information exists on in open text that can be really helpful to investigations.

[00:42:01]Um, I don't like the framing of well, um, is this a worthwhile trade-off?

[00:42:07]because I don't think it's fair to ask people um should they be willing to have virtually every interaction in their day-to-day lives from work to um keep in touch with family to um accessing services that we have no choice to access online and doing so in a way that could make our security and safety more vulnerable than ever. So essentially, I don't think the answer to stopping crime is making us more vulnerable to crime.

[00:42:38]There's a lot of other ways we can definitely support the efforts of law enforcement and it's really important to think about those. Um, Bill C22 is not the answer to that.

[00:42:50]>> Does C-22 weaken the protections that we have through police having to go to a judge and ask for a warrant? Because I I I think the warrant system is, you know, one that we have developed over centuries. It offers protections, also offers access for law enforcement. It is a a compromise that we've all come to live with. Does C-22 weaken that system so that you don't have as many checks and balances or that you have a lower threshold in terms of what police must provide to gain access?

[00:43:33]>> Yeah, that's uh an interesting question.

[00:43:35]And a lot of organizations have a lot of different opinions on um the thresholds reason uh I think it's reason to suspect the internet side's focus isn't necessarily on the um the procedural elements of what they need to have approval to be able to issue these orders or to get access to um certain information that exists. What we're really focused on is making sure that we're not preventing companies and people from being able to have uh make use of the strongest security tools online, which are encryption. So that's really our focus um in in this bill in part two specifically because um the giving law enforcement um the ability to issue secret orders um that could undermine encryption, create these back doors and in a way that prevents people getting these orders from even um seeking counsel from um a lawyer or um an IT specialist. on whether it does create systemic vulnerability. That's where we take uh a real issue with this bill because of the threat that has to online security.

[00:44:49]>> The Conservatives recently said that they would help the government pass bill C22 if they split it. And they said they're willing to pass part one but not part two. That part two needs more study, needs to have more hearings.

[00:45:06]That's the position that Meta took forward when they went to council. Uh, is that an acceptable compromise to you and to the internet society? Is is part one okay and part two bad? And if so, give me a like a simple quick answer as to why.

[00:45:23]>> I don't know that the answer is going to be quick, but um I'll do my best. So I think so like I said the internet society when we think about uh the kind of internet we want we think about it in terms of one that is open globally connected secure and trustworthy crucial to a secure and trustworthy internet are security which are possible because of tools like encryption but also privacy um which is two sides of the same exact coin when it comes to internet security.

[00:45:52]So while there are a lot of um you know privacy concerns from organizations um and certainly we we feel that forcing services to have to collect more information than they might already do um that is a privacy concern but from our perspective the core um the core risk in Bill C22 is is part two and um its ability to force services to create those back doors. Now, we do know that the minister has said that um they were willing to propose amendments to better um protect things like encryption and to better define systemic vulnerability. Um but that doesn't address the fact that there's a sort of loophole in the bill that could allow um any of the terms in the bill to be redefined through regulations. So, um that's where we would still have concerns. Even if we did see great amendments, um we would certainly love to see amendments that better uh and explicitly protect things um like encryption, making sure people can keep using those tools and making sure that these orders would not create systemic vulnerability and better definitions there. Um but that still does not give I think um assurances that that will continue to be the case in an enduring kind of way that um it doesn't provide legal certainty um for a lot of people if this is vulnerable to being redefined in in a regulation phase.

[00:47:20]>> Natalie, I I'll I'll leave you with this. I've got a quick reaction and comment. Um going through the legislation I spotted this part which reads uh it's u section 51 it says the governor and council which means cabinet the governor and council may by regulation amend the schedule by adding amending or deleting a class of electronic service providers. That may not sound like an awful lot to people, but what this legislation does is say, "Okay, after we've passed it, cabinet can change who this law applies to, how it applies to them, and what this all really means."

[00:48:01]And to me, that is a weakness of any legislation, whether it's on privacy, um, encryption, whe it it doesn't matter what it's about. If you give cabinet the ability to change and amend everything after the fact, you're essentially we've moved from rule of law to rule by decree and that's not what our system is based on.

[00:48:26]>> Yeah. I don't know if you're looking for comment or reaction to that, but I think that's kind of the crux of um that concern when I talk about legal certainty. Um, I don't think that while this current government's intentions may be to um with the best intentions, I think that when we're creating laws and when we're um thinking about how can we contribute to an internet that is more secure, these are not things that should be rushed. Um or um >> the next government could have bad intentions. You don't know. And that's why you don't put things like that in laws. Natalie, thanks so much for your time today.

[00:49:11]>> Thank you very much. It was great to meet you and nice to speak to you.

[00:49:14]>> The debate around Bill C22 will continue long after it passes with people who have legitimate grievances and legitimate ideas on both sides going back and forth. But eventually it will pass. It will become law. And then we will have to see how it is implemented.

[00:49:31]And that is where the rubber will hit the road. You can let us know what you think. leaving a comment or sharing this on social media. Thanks for listening.

[00:49:39]Full comment is a post media podcast. My name is Brian Lily, your host. This episode was produced by Andre Pru. Theme music by Bryce Hall. Kevin Libin is the executive producer. Thanks for listening. Make sure that you hit subscribe. Share this on social media.

[00:49:53]And until next time, I'm Brian Lily.

[00:50:01]There were so many missed opportunities to catch this before the devastating thing happened.

[00:50:08]>> A third of them we found literally in the phone book. These people were not afraid. They knew that nobody was effectively hunting them. They knew they had escaped justice, that they were going to die in their beds.

[00:50:20]>> When I give talks at law schools is that the charter ultimately is empowering a minority. And it's empowering a minority that's a guild across the country. And it's a fairly elite guild and the guild is lawyers.

[00:50:29]>> Families who were split by referendum and uh brothers and sisters who never talked to each other for years after the referendum because they were so angry at each other because of the emotions on both sides. The reason he was assassinated was not because he was trying to put a satellite into space, but because the gun that he was creating had other applications that made him and the gun very dangerous.

[00:50:57]>> It's finally here. A new season of Canada Did What? Post media podcast that revisits the big Canadian political events you might think you remember and tells you the real story you never knew.

[00:51:10]I'm Tristan Hopper. The voices you just heard are from our brand new season 2.

[00:51:15]We will unpack some of the pivotal moments that help define our country, often without a vote, usually without a plan, and sometimes without anyone admitting what they've done. We'll find out how Canada became a welcoming paradise for untold numbers of Nazi war criminals after the Second World War. We let them build monuments to their wartime exploits and even ended up honoring a Nazi fighter in the House of Commons. And I'm sorry to say that none of that happened by accident. We'll bring you the little known story of a troubled Canadian rocket scientist who turned to a sinister life of selling giant guns to terrible people. And if that sounds like a spy novel, it ends like one, too. You'll hear the behind-the-scenes story of Quebec's attempted secession from Canada and how very close we came to a political crisis that would have made Brexit look like a picnic. You'll hear about how the much celebrated Charter of Rights and Freedoms turned into something its creators never wanted, and how many of the most extravagant warnings about the document were all quickly proven true.

[00:52:19]And you'll even hear about how authorities bungled multiple chances to stop the deadliest terrorist attack in our country's history and then proceeded to pretend it never happened. These aren't dusty history lessons. There are stories about power, ambition, madness, and the things about Canada that a lot of people would rather ignore. But not you. You won't want to miss an episode.

[00:52:41]Subscribe to make sure you get all of season 2 starting March 2026, anywhere you get your podcasts.