Google is warning the federal government that major portions of Bill C-22 could undermine cybersecurity, weaken encryption protections and grant Ottawa sweeping secret powers over digital service providers.In a submission sent Monday to the House of Commons public safety committee studying the legislation, Google said it has “significant concerns” with parts of the proposed Lawful Access Act. The company warned the legislation, as currently drafted, could allow the government to force companies to build surveillance capabilities into products and services.“We believe it is critical to find ways to support law enforcement’s important work without engineering vulnerabilities into products and services that weaken security for all users,” Google wrote. Google emphasized that it has “never built a backdoor or other mechanism to circumvent end-to-end encryption in our products.”“If we say a product is end-to-end encrypted, it is end-to-end encrypted,” the company wrote. Bill C-22 would expand lawful access powers for police and intelligence agencies, including allowing the federal government to issue regulations and “ministerial orders” requiring electronic service providers to create technical capabilities enabling authorities to access information.Google argued those proposed powers are too broad.“The scope of these potential obligations is largely boundless,” the company wrote, warning the bill “could enable the government to require providers to change their products to create surveillance capabilities.” The company added that creating such systems “would give rise to additional security vulnerabilities for users, would undermine user trust, and would pose potential conflict of laws issues.” Google specifically criticized sections allowing the federal public safety minister to issue secret ministerial orders compelling providers to maintain interception capabilities while prohibiting disclosure of those orders.“The Ministerial Order framework is unnecessary,” the company wrote. Google argued Canada already has a judicial warrant system allowing law enforcement to obtain assistance orders through the courts.“As written, C-22 would replace this effective, balanced and transparent regime with broad executive powers,” the company said. .The submission also warned the secrecy provisions could expose companies to legal risks if they are unable to disclose government-ordered changes to users. Google further raised concerns about provisions allowing mandatory retention of metadata for up to one year.The company said the bill “could be used to mandate the retention of sensitive user data for longer than would be necessary for business/operational needs.” Google also warned the legislation’s definition of “systemic vulnerability” is too narrow and does not explicitly protect encryption technologies.“Without a stronger definition of ‘systemic vulnerability’, the law could be used to decrease overall user security, by creating backdoors that would break end-to-end encryption and create significant cybersecurity risks,” the company wrote. The submission follows similar warnings issued in recent weeks by Meta, Apple and Signal.Meta previously warned Bill C-22 “could have a significant negative impact on Canadians’ privacy and cybersecurity,” while Apple said the legislation “could allow the Canadian government to force companies to break encryption by inserting backdoors into their products.”Signal has gone further, stating it “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.
