Justin Ling, the Star:

Yet Bill C-22 doesn’t mandate backdoors nor force companies to introduce any. It explicitly states the government cannot compel companies to introduce “systemic vulnerability” into their services. And it doesn’t give cops or spies new authority to intercept Canadians’ communications; it simply creates a process enlisting companies to help out with doing so.

Ottawa is now scrambling to correct the record. Anandasangaree will reply to the Republicans, conveying “this legislation does not provide for indiscriminate access to devices or communications and does not require companies to weaken encryption and introduce so-called ‘backdoors,’” according to a spokesperson. (The U.S. and the U.K., they also noted, already have these powers; Signal hasn’t withdrawn from either country.)

So the bill is not quite the nightmare some have made it out to be. But there are still some big issues.

Whether Signal is crying wolf or simply believes the laws in those countries are strong enough to prevent mandated backdoors is a good question. In the U.K., for instance, Ofcom is not allowed to require a backdoor, but it is empowered to tell providers to weaken encryption for some without compromising the privacy of their platforms for all when “feasible technology” exists to do so. On the one hand, that technology probably cannot exist; on the other hand, Signal is banking on a privacy-friendly interpretation of that law if it is ever tested.

Apple, meanwhile, has not returned Advanced Data Protection to the U.K. despite the U.S. Director of National Intelligence’s claim that efforts to compromise its encryption have been withdrawn. This demand was made under a different law that, I suppose, Signal must not feel is immediately threatening.

Bill C–22 does, as Ling writes, provide an exemption for instances where compliance with interception demands would “require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability”. This is the same language as appeared in the Strong Borders Act proposed last year, though C–22 has new powers requiring the retention of metadata. It seems to me that a systemic vulnerability — one that “creates a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so”, according to this bill — might not be found in something like metadata retention, which is what apparently concerns Signal.

⌥ Permalink

Marie Woolf, the Globe and Mail:

Secure messaging service Signal, which uses end-to-end encryption, is warning it would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22, Ottawa’s proposed lawful access legislation.

[…]

The bill would require “core providers” — which would later be defined through regulations — to retain metadata for up to a year.

Are lawmakers capable of learning from their peers elsewhere? Do we have to do this kind of thing every year, country-by-country?

⌥ Permalink

Meredith Whittaker, president of Signal — which has recently been in the news — in an op-ed for the Financial Times:

The UK is part and parcel of a dangerous trend that threatens the cyber security of our global infrastructures. Legislators in Sweden recently proposed a law that would force communication providers to build back door vulnerabilities. France is poised to make the same mistake when it votes on the inclusion of “ghost participants” in secure conversations via back doors. “Chat control” legislation haunts Brussels.

There is some good news: French legislators ultimately rejected this provision.

⌥ Permalink