Canadian law enforcement and the Canadian Security Intelligence Service (CSIS) have been working in an increasingly digital world. Most investigations now have an online or digital part due to the rise of mobile and Internet communications, messaging platforms, service resellers, cloud hosting facilities, and other technologies. Despite this, our laws related to lawful access that have not kept up with modern technology.

Modernizing our lawful access framework will allow law enforcement agencies and CSIS to obtain information they have been legally authorized to have to support their investigations and protect Canadians.

On this page

• What is the Authorized Access to Information Act
• What the act would change
• Lawful access to information
• Safeguarding digital information

What is the Authorized Access to Information Act

The Supporting Authorized Access to Information Act (SAAIA) is Part 15 of the Strong Borders Act (C-2). Under the SAAIA, select Electronic Service Providers (ESPs) will be required to ensure that they have set up systems so they can turn over information and data to law enforcement agencies and CSIS as required by a warrant or other lawful authority as part of criminal and intelligence investigations.

This means ESPs would need to develop and maintain, based on their own expertise, the ability to respond to lawful requests to start or further investigations, including investigations of child exploitation, terrorist threats, and lost or kidnapped persons.

In non-technical terms, this would be like requiring an ESP to have an organized system, like a filing cabinet, where certain types of information would be available with legal authorization. This way, there is a standard set of obligations across ESPs to provide law enforcement or CSIS with the specific information.

It would require ESPs to keep records in a way in which only the ESP can retrieve the information or data. It would not require them to give law enforcement or CSIS the "keys" to the filing cabinet or give them direct or unfettered access to all stored information.

This approach is built on the experience of other like-minded countries that already have many years of experience with similar laws.

What the act would change

Electronic service provider obligations

Electronic service provider (ESP)

An ESP is defined as a person or group that provides an electronic service, including for the purpose of digital communication. The SAAIA applies to any ESP that does all or part of their business in Canada or offers services to persons in Canada. This includes ESPs based in another country that are subject to its domestic laws and treaty obligations.

There are two ways an ESP could be required to develop and maintain capabilities (set up a `filing cabinet`):

1. An ESP is identified as a core provider
2. The Minister of Public Safety issues a Ministerial Order to a specific ESP

Core provider

If SAAIA is approved by Parliament, the regulatory process will be where it is determined which ESPs would be considered core providers. Consultations will be held during this process to decide the classes of core providers and their definitions.

They may be based on criteria such as:

• number of subscribers
• technology used
• services offered

Each category of core provider would have to follow a set of requirements specific to that class.

Ministerial order

Ministerial orders would be used on a case-by-case basis to require an ESP to follow certain direction. They would be confidential because they would be based on specific threats, and they would not be made public and potentially put Canada's national security or public safety at further risk.

Ministerial orders could be issued to any ESP, including those that are not core providers. For example, law enforcement could have information that shows the communication platform of a video game company is being used by a terrorist group to discuss plans for an attack. In this case, the company may not be considered a core provider due to the limited number of subscribers. A Ministerial Order may be issued to the company to require them to put in place a solution to provide the legally authorized information for an investigation.

Compensation

SAAIA mentions compensation twice:

• law enforcement and CSIS will pay a fee to ESPs based on the types of help provided as determined by regulations; and
• compensation may be given to ESPs that are issued a Ministerial Order to support the development or maintenance of technical capabilities.

Administration and enforcement

To promote compliance, SAAIA includes administrative monetary penalties. ESPs who do not follow the law, such as ignoring the regulations or terms of a Ministerial Order, could face fines. These fines would range from a minimum of $50,000 to a maximum of $250,000 for each violation.

Offences

In addition to fines, there would also be separate offences for violating the act on purpose, such as knowingly making false or misleading statements, or for obstruction. Any person found to have committed an offence would be subject to fines to a maximum of $500,000 per offence.

Lawful access to information

Given its ubiquity, electronic information can sometimes be as, or even more, important than physical evidence in investigating national security threats, solving crimes, and prosecuting offenders. To protect Canadians, law enforcement and national security investigators must be able to work as effectively in the digital space as they do physically on the ground.

Lawful access is an umbrella term that refers to the ability of law enforcement or intelligence agencies to obtain data or information under legal authority. It includes laws, regulations, and tools or techniques, to help them conduct investigations. SAAIA and Part 14 of C-2 fall within this term.

The Criminal Code and other statutes, such as the Canadian Security Intelligence Service Act and the Mutual Legal Assistance in Criminal Matters Act, authorize the use of these tools.

For example, investigators at a crime scene may look for physical evidence such as DNA, fingerprints or weapons that may relate to the crime. In the electronic world, investigators would also be interested in accessing electronic information about suspects related to the crime, known as digital evidence, such as online addresses (websites or IP addresses), the communication that took/taking place or the information shared/actively being shared, with whom, and for how long.

Safeguarding digital information

SAAIA has safeguards built in to protect ESPs and users' privacy and Charter rights. It also upholds the Government of Canada's national security transparency commitment.

Some of these measures include:

• ESPs are not required to implement requirements that create "backdoors" into encryption or other electronic protections
  • A "backdoor" is defined as an undocumented, private, or less-detectable way of gaining remote access to a computer, bypassing authentication measures, and obtaining access to plaintext.
• Before issuing a Ministerial Order, the Minister of Public Safety must consider a number of factors such as the benefits to the administration of justice and the potential impact on persons to whom the ESP provides services. They also must consult the Minister of Innovation, Science and Economic Development. There is also an option to seek an Judical Review.

It should be noted that SAAIA would be subject to independent reviews by the National Security Intelligence Review Agency and the National Security and Intelligence Committee of Parliamentarians.

Next Steps

SAAIA will be examined throughout the parliamentary process and may be amended by parliamentarians. If SAAIA is made into law, mandatory public consultations on a range of topics would take place during the regulatory process, which entails a prescriptive process laid out by Treasury Board Secretariat. These include:

• The definition of key terms such as core providers and systemic vulnerability;
• What should the obligations be for each class of core provider; and
• What types of assistance should be compensated and what are the fees warranted for each type.