Skip to main content

Canada Wants Software Backdoors, Mandatory Decryption Capability And Records Storage

The new Canadian government is looking to further expand its surveillance powers by requiring decryption capabilities for all services, mandatory storage of both internet and phone records for service providers, backdoors that allow interception, and warrantless access to basic subscriber information.

Bill C-51

Last year, under the previous conservative government, Canada passed a controversial “anti-terrorism” law, called Bill C-51, which gave new powers to the country’s police and intelligence agencies with little oversight.

The bill has been criticized for allowing the country’s domestic spy agency, the Canadian Security Intelligence Service (CSIS), to become a “secret police” by extending its powers beyond simple information gathering. It also allows 17 agencies to share a wide range of information about Canadian citizens, including medical and financial records, with the Canadian intelligence agencies.

Mandatory Decryption

After mandatory decryption and encryption backdoors failed to pick up steam in the United States, but succeeded in the UK with the passing of the “Snoopers’ Charter,” Canada is looking to give this idea a try, too. The government is now asking for feedback on whether it should legally force individuals and organizations to decrypt material.

This implies that either companies would have to forgo using end-to-end encryption that allows users to encrypt communications with their own keys, or they would need to have some kind of backdoor that would allow them to bypass the end-to-end encryption.

Software Backdoors

The government also complained about not being able to intercept some communications, and that it should be allowed to use intercept capability against some service providers. Unlike the phone networks, which have had built-in intercept capabilities for decades, many of the chat or email applications don’t (with some exceptions). That’s even more true for end-to-end encrypted services, where the companies themselves can’t see the private communications between users, which means law enforcement can’t either.

If the government can’t outlaw end-to-end encryption and can’t require companies to use only encryption that can be decrypted, the next best thing is going to be some kind of software backdoor that disables and bypasses an application’s end-to-end encryption. Then the communications could pass through the company’s servers, where law enforcement could intercept it. The government could even get direct access to the backdoor, and then it could use it whenever it wants, with or without a warrant.

However, if something like this passes as law, then it would become public, and more people may start avoiding services that have to abide by this Canadian law. This may be the reason why so many of the western democratic countries are trying to pass such laws almost in unison lately, to make it feel as if the people have no choice but to continue to use the backdoored services.

Security experts have almost unanimously come out against the idea of software backdoors, because they represent a grave security risk. Once there’s a way to bypass encryption, it’s not just governments that can use it, but also other bad actors.

Mandatory Records Storage

The Canadian government is complaining that some services don’t store records long enough, asserting that this is a problem for law enforcement. It also complained that some internet services that are used by Canadians “operate beyond the reach of Canadian law” simply because they have no local headquarters or servers, and thus Canadian law enforcement can’t legally request data from them.

The government seems to be targeting privacy services companies such as VPN providers. Some VPN service providers keep no logs whatsoever, and they may not even have servers in Canada. That means the Canadian government can’t request user data or force them to install backdoors.

The Canadian government seems to be considering a law where it could both mandate that all service providers, including VPN services, store customer records for a longer period of time, and that it should be able to request that data when needed.

Basic Subscriber information

The government argues that it should be allowed to get access to basic subscriber information without a warrant. It gives examples of situations such as as when a person is missing, when there is suspicion of a crime, to further investigate a lead, and so on.

However, these situations could be addressed by a judge assigned for emergency cases. It’s also not clear which agencies would be able to access this information, but presumably the Canadian government would want to eliminate any sort of restrictions for any agency when it comes to accessing basic subscriber information.

Updated, 12/31/2016, 1:04pm PT: The Canadian government seems to have taken down the public comment page for this issue.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.