Skip to Content News Archives Economy Energy Oil & Gas Renewables Electric Vehicles Mining Commodities Agriculture Real Estate Mortgages Mortgage Rates Finance Banking Insurance Fintech Cryptocurrency Work Wealth Smart Money Wealth Management Investor Personal Finance Family Finance Retirement Taxes High Net Worth FP Comment Executive Women Puzzmo Newsletters Financial Times Business Essentials More Innovation Information Technology FP500 Podcasts Small Business Lives Told Tails Told Shopping Financial Post Store Obituaries Place a Notice Advertising Advertising With Us Advertising Solutions Postmedia Ad Manager Sponsorship Requests Classifieds Place a Classifieds ad Working Profile Settings My Subscriptions Saved Articles My Offers Newsletters Customer Service FAQ News Economy Energy Mining Real Estate Finance Work Wealth Investor FP Comment Executive Women Puzzmo Newsletters Financial Times Business Essentials HomeFP CommentOpinion: Bill C-22 will be a hacker's dreamLaw enforcement is a noble goal but requiring data companies store every Canadian's internet activity for six months invites disasterLast updated 7 minutes ago You can save this article by registering for free here. Or sign-in if you have an account.No government can mandate "access only for the good guys." There is no such thing as a vulnerability only the right people can exploit. Photo by Techa Tungateja/Getty ImagesOmar Abdulaziz left Saudi Arabia in 2014, built a new life in Montreal and became one of the most prominent Saudi opposition voices outside the kingdom, as well as a close confidant of journalist Jamal Khashoggi. In 2018 his phone was infected with Pegasus spyware, which was traced to a Saudi-linked operator and likely played a role in the chain of events that led to Khashoggi’s murder. Despite Abdulaziz seeking safety in Canada, his persecutors found him anyway.Subscribe now to read the latest news in your city and across Canada.Exclusive articles from Barbara Shecter, Joe O'Connor, Gabriel Friedman, and others.Daily content from Financial Times, the world's leading global business publication.Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.Daily puzzles, including the New York Times Crossword.Subscribe now to read the latest news in your city and across Canada.Exclusive articles from Barbara Shecter, Joe O'Connor, Gabriel Friedman and others.Daily content from Financial Times, the world's leading global business publication.Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.Daily puzzles, including the New York Times Crossword.Create an account or sign in to continue with your reading experience.Access articles from across Canada with one account.Share your thoughts and join the conversation in the comments.Enjoy additional articles per month.Get email updates from your favourite authors.Create an account or sign in to continue with your reading experience.Access articles from across Canada with one accountShare your thoughts and join the conversation in the commentsEnjoy additional articles per monthGet email updates from your favourite authorsSign In or Create an AccountorParliament is now moving quickly to pass Bill C-22, the so-called Lawful Access Act, which would make Canada more susceptible to exactly that kind of targeted surveillance. The bill is about giving Canadian law enforcement better tools to investigate serious crime by having telecom companies collect everyone’s metadata for six months and mandating the breaking of encryption. Despite the noble goal of empowering law enforcement to do its job, the risks of this approach outweigh the potential benefits.Get the latest headlines, breaking news and columns.By signing up you consent to receive the above newsletter from Postmedia Network Inc.A welcome email is on its way. If you don't see it, please check your junk folder.The next issue of Top Stories will soon be in your inbox.We encountered an issue signing you up. Please try againThe centrepiece of Bill C-22 is a provision allowing the minister of public safety to order companies to build access mechanisms into their encrypted services so they can access Canadians’ metadata — provided doing so doesn’t create a “systemic vulnerability.” But how can companies comply with this idea of avoiding “systemic vulnerability”? Creating a backdoor for Ottawa creates a backdoor for nefarious actors.In its parliamentary testimony, Apple accused Ottawa of inserting such backdoors into its products. Google went further, warning that the bill could facilitate foreign interference and weaken global user privacy precisely because a backdoor built for Ottawa doesn’t remain exclusive to Ottawa. Rather, it would be a massive green light for hostile foreign intelligence services, criminal hackers and any government willing to coerce, compromise or even legally compel companies to hand over information they want.No government can mandate “access only for the good guys.” This naive idea was debunked by every major cryptographer and technology company that testified regarding Bill C-22. There is no such thing as a vulnerability only the right people can exploit.On metadata specifically, the bill wants service providers to record and retain that information on all Canadians for six months, which is enough to know almost everything about most of us. The coverage is not just suspects or people under investigation but every person who sends a message or makes a call. Do you know anyone who doesn’t do so on a daily, if not hourly basis?The Bloc Québécois described the six-month data stores as a “treasure trove” for hackers. But that undersells the specific danger for people like Abdulaziz, or Sheng Xue, a Chinese dissident who fled to Canada and believes Chinese agents have tracked her movements and threatened her life.For a dissident from an authoritarian state, metadata alone can be a death sentence. Months of retained records reveal who someone contacts, when, how often and from where. It maps attendance at community meetings and protests and exposes any contact with people still living inside the home country.The intelligence services of China, Iran, Saudi Arabia and Russia do not need to hack individual phones to connect the dots, they just need the blueprint that this bill wants built and stored on behalf of everyone in Canada. That blueprint ultimately becomes exploitable by any state actor willing to hack or coerce the same access point.The market is already registering its verdict on the risks. Signal has said it would rather withdraw from Canada than compromise its privacy commitments. Toronto-based VPN provider Windscribe is already looking at relocating its headquarters because the bill would make it impossible to honour its no-data-collection policy, and NordVPN has said it is considering following suit.Canada has long presented itself as a sanctuary where people who flee surveillance states can live, speak and organize without fear of being found and watched by the governments they have escaped. Khalid Ramizy, an Afghani activist who fled the Taliban and founded the World Anti-Extremism Network, says: “Canada must remain a place where those fleeing authoritarian regimes can feel secure and protected.” Bill C-22 trades that reputation for surveillance architecture that those same governments will eventually exploit.David Clement is policy director and Sabine Benoit Canadian affairs associate at the Consumer Choice Center. Join the Conversation This website uses cookies to personalize your content (including ads), and allows us to analyze our traffic. Read more about cookies here. By continuing to use our site, you agree to our Terms of Use and Privacy Policy.