Lawful access
Lawful access refers to the ability of law enforcement agencies or the Canadian Security Intelligence Service (CSIS) to legally obtain certain information or intercept communications.
On this page
- What lawful access includes
- Understanding lawful access
- What the legislation would do
- What the legislation wouldn't do
- How Bill C-22 would help investigations
- Your privacy
- Lawful access in Canada
What lawful access includes
Lawful access is used to investigate crimes and threats, such as:
- drug trafficking
- money laundering
- extortion
- smuggling
- child sexual exploitation, and
- murder
- terrorism
- espionage, and
- foreign interference
Lawful access includes two things:
- The legal authorities to obtain information and data, such as warrants, or productions orders. These authorities are set out in federal statutes, including the Criminal Code and the CSIS Act.
- That Electronic Service Providers (ESPs) establish and maintain the technical capabilities to provide law enforcement and CSIS with the information they are legally authorized to obtain under these authorities. There is currently no regulatory framework in Canada to facilitate or standardize these technical capabilities. This is discussed below under the heading "Lawful access in Canada".
There are strict rules for requesting information about an individual in the course of an investigation, out of respect for privacy and Charter rights.
Understanding lawful access
Law enforcement and CSIS use many investigative tools, including lawful access. Lawful access is when communications are legally (e.g., with warrant or production order) intercepted or information is seized or when data is obtained from electronic service providers, like telecommunications companies. Just as law enforcement will get a warrant to search a house for drugs, they also need legal authorization to look for information that ESPs should have access to, e.g., meta data of a suspected drug dealer.
In Canada, lawful access is notably used, among others, by:
- federal law enforcement and intelligence agencies, including the Royal Canadian Mounted Police (RCMP) and CSIS
- provincial and municipal police forces
- the Competition Bureau
Communications and information may be legally obtained from:
- Wired technologies, such as landline telephones
- Wireless technologies, such as smartphones and satellite communications
- Internet technology, such as e-mail and web-based services
Lawful access can only be used when authorized by the law, usually though a warrant, a production order, or a wiretap authorization issued by a judge, which is granted under specific circumstances. A warrant authorizes law enforcement to do something, while a production order orders someone, like a Canadian telecommunications company, to provide information or data in their possession. A wiretap authorization is a very specific type of warrant that allows law enforcement and CSIS to intercept private communications exchanged in real-time.
A warrant, an authorization to intercept private communications, or a production order will only be granted if a judge is satisfied that specific legal requirements are met.
To obtain a warrant or production order to access communications stored on a device, for example such as an email or text messages, law enforcement and CSIS must provide the court with reasonable grounds to believe that an offence has been or will be committed and that the information will afford evidence of that offence. To obtain a warrant or production order for narrow information like IP addresses or a call log, law enforcement and CSIS must provide the court with reasonable grounds to suspect that an offence has been or will be committed and that the information will assist in the investigation of the offence.
Key components of a warrant or production order include:
- the facts supporting law enforcement to believe a crime has been or will be committed
- the person reasonably believed to be in the possession or control of the information sought
- where known, the specific places or devices where evidence related to the crime exists
- clearly defined limits on what can be searched, or seized (i.e., IP addresses, the content and/or types of communications that took place, with whom and for how long, etc.)
- terms and conditions imposed by the judge to ensure that the rights of the persons affected by the warrant or production order are taken into account
- a specific duration or time limit where the continuous collection of IP addresses, phone numbers or the tracking of a person is permitted
For example, intelligence indicates that members of an organized crime group are directing an individual to commit criminal acts, such as extortion and drug trafficking, through messages on cellphones. In this scenario, law enforcement could apply for a production order to order a Canadian telecommunications company to provide the messages exchanged on one of the individuals' cellphones as the evidence suggests this to be the method of communication used to plan or carry out the crimes.
Part 2 - Supporting Access to Authorized Information Act
Part two of Bill C-22, the Supporting Access to Authorized Information Act (SAAIA), is designed to modernize a 30-year-old government policy, which will provide law enforcement and the Canadian Security Intelligence Service (CSIS) with the tools they need to combat crime and protect national security in the digital age.
Part 2 of the Bill seeks to address gaps in Canada's lawful access frameworks by ensuring Electronic Service Providers (ESP) have the technical capability to provide information to law enforcement and CSIS when they are legally authorized to request it to keep Canadians safe, while upholding the Charter and protecting privacy.
What the legislation would do
Establish a regulatory technical capability framework
Canada's current public safety mechanism with ESPs, has not been updated since the mid-nineties and applies only to wireless voice telephony (such as, talking over a phone line). It has not kept pace with the commonly-used technologies that criminals and terrorists rely on (text messaging, email, online data, etc.).
The Criminal Code and the CSIS Act give criminal and intelligence investigators the authorities (or legal powers) to obtain electronic information, more often service providers are unwilling/unable to produce the information to advance their investigations.
A new law would ensure law enforcement and CSIS have the tools they need to work effectively for the victims and overall security of Canada in our highly technology-driven world.
Set a standardized regulatory framework for select ESPs
Law enforcement and CSIS depend on ad-hoc arrangements that vary between companies. Bill C-22 would enable the development of transparent regulations for ESPs designated as "core providers", standardizing expectations, reducing ad-hoc requirements, strengthening overall capabilities and reliability of access to legally authorized information.
Align our capabilities with like-minded partners
All G7, Five Eye partners and most other European countries have lawful access frameworks that include technical obligations for ESP.
Bill C-22 would align Canada with its allies to better cooperate on transnational investigations and make our country more safe and secure.
Safeguard against systemic vulnerabilities
Bill C-22 includes a clear safeguard that would allow ESPs to refuse to implement a lawful access capability obligation if it creates a systemic vulnerability in their system, including weakening electronic protections such as encryption.
What the legislation wouldn't do
Bill C-22 would not create "backdoors" and weakening of cybersecurity
The Canadian Centre for Cyber Security defines a "back door" as a hidden mechanism that bypasses security controls. Bill C-22 does not require ESPs to create "backdoors" to their systems or the weaken electronic protections, including encryption.
Bill C-22 does not alter the existing responsibility of ESPs to protect their networks from hacking or other unauthorized access. The Government of Canada will be required, by law, to consult impacted ESPs, both in the making of regulations and the issuance of Ministerial Orders, and take into account the potential impact on cost, cybersecurity and privacy protections.
Bill C-22 would not allow for direct access
Bill C-22 would not permit law enforcement and CSIS to directly access information from an ESP's system. ESPs would remain in control of their own systems, and they would only provide information to investigators in a secure manner, upon receiving legal authorization.
Bill C-22 would not authorize government mass surveillance and/or tracking
Nothing in Bill C-22 would authorize surveillance of any kind.
ESPs, like telecommunication service providers already generate the data to locate cellphones that connect to their network.
Bill C-22 would ensure that ESPs, upon receiving a request that has been legally authorized can provide the information quickly, in a format that is usable to law enforcement and CSIS (pursuant to Criminal Code and CSIS Act).
Bill C-22 would not keep all forms of metadata like history of personal web and social media activity or the content of an exchange
Bill C-22 explicitly prohibits regulations requiring ESPs to retain a person's web-browsing history, data that would reveal the content of their electronic communications, telephone conversation and social media activities. Law enforcement and CSIS would only be able to obtain essential metadata. To obtain that information, law enforcement and CSIS would need judicial authorization from the Federal Court.
Metadata is information that does not include the content of an exchange. It includes information such as the type, date, time, duration, origin or termination of an exchange. For example, providing police access to when and where a call took place, and who was on the call can help police identify individuals involved in organized crime groups.
ESPs already generate metadata in their systems, but the retention periods vary greatly. The absence of a legislated data retention regime creates a very uneven playing field across ESPs.
This has significant implications, particularly in the case of complex investigations which may start months after the data was initially created. Bill C-22 would establish limits and safeguards around the scope of data retention, and the types of metadata and timeline.
How Bill C-22 would help investigations
Scenario 1 – At-risk youth goes missing
An at-risk 16-year-old girl was reported missing. She had already been missing for 10 days when she made an emergency call.
The ESP was able to confirm the call and the closest cell tower used to make the call, but could not provide the last known location of the phone before it was disconnected since they are not required to have that capability.
This caused delays in finding the teen.
How Bill C-22 would help:
Bill C-22 would require ESPs to maintain accurate and consistent localization capabilities across the country that are standard in Europe and among all of our Five Eyes allies and share that information with law enforcement when they are legally authorized to do so. This would allow law enforcement to find the missing teen faster.
Scenario 2 – Foreign partner investigation
CSIS has received information from a foreign partner carrying out an investigation outside of Canada into several terrorism suspects with Canadian phone numbers.
The foreign partner has highlighted that, based on some of their intelligence, the threat activity may be moving to Canada.
CSIS has been able to confirm that these phone numbers were obtained through a reseller that does not maintain record of its sales or track any of its clients' activity.
CSIS is unable to help the foreign partner and risks not having sight on a threat to Canada.
How Bill C-22 would help:
Under Bill C-22, regulations could set obligations for resellers to address this barrier so that CSIS could investigate.
Scenario 3 – Drug and human trafficking investigation
A drug and human trafficking investigation in Saskatchewan revealed that a suspect was using an iPhone that was subscribed to an ESP's cellular data network.
Investigators obtained a warrant to intercept the suspect's transmission data from this phone.
Despite having the lawful authority to intercept this information, the ESP did not have the technical capability within their network to action the warrant.
Due to delay in implementing a solution, investigators were forced to abandon the investigation.
How Bill C-22 would help:
Bill C-22 will compel select ESPs to develop and maintain lawful access capabilities. In the scenario above, when the warrant was obtained for the suspect's data, the ESPs would have been able to provide it quickly and the drug and human trafficking investigation would have been able to continue.
Your privacy
Current provisions for lawful access in Canada respect privacy laws and the Canadian Charter of Rights and Freedoms.
Without legal authority, law enforcement and CSIS cannot intercept communications or request information and data. Lawful access does not allow law enforcement and intelligence investigators to monitor just anyone's Internet use, e-mail content or social media activity. It also does not require companies to store all of their customers' communications.
The Government of Canada will continue to respect the rights and freedoms of people living in Canada with any update to lawful access tools, including legislation.
Lawful access in Canada
We live in a complex digital environment with many ways to communicate. New technology and other digital tools make communication faster and more accessible but they are also often misused for illicit purposes. A wide variety criminals, extremists and other bad actors take advantage of this digital environment. They use online platforms for criminal activities like online fraud, selling illicit products and money laundering. It's also a place where threats to Canada can be planned, coordinated and financed, such as terrorist attacks or foreign interference activities.
Law enforcement and CSIS have had to work for decades with outdated laws that do not require ESPs to have the technical capability to respond to lawful access requests made by authorities. This means, even when investigators have a warrant or production order to obtain communications, the ESP may not have the ability to provide the communication or information.
This results in lost time, missing information, or investigations being abandoned.
Canada is the only country amongst its Five Eyes partners, the G7, and across the European Union without legislation requiring ESPs to develop and maintain lawful access capabilities. Our coverage is limited and there are growing blind spots in interception and location tracking, with inconsistent capabilities among ESPs. This negatively impacts all Canadian law enforcement and CSIS to investigate domestically and collaborate on international investigations, such as transnational organized crime activities or terrorist plots.
In many investigations, law enforcement or CSIS are not able to take action that people in Canada would expect them to, such as tracking a phone or intercepting a call. As Canada struggles to obtain basic capabilities and other countries are advancing their investigative tools for emerging technology, Canada risks becoming an 'intercept haven' for threat actors.
In March 2026, the Government of Canada introduced an act that will keep Canadians safe (Bill C-22). This Bill proposes to modernize lawful access to give law enforcement and CSIS the modern tools people in Canada expect them to have to keep communities safe.