
Summary

In Canada, the term “lawful access” is used to describe the government’s surveillance powers, and primarily involves the interception of communications, the search and seizure of information, and the issuance of production and preservation orders. Part VI of Canada’s Criminal Code regulates the powers of the police to engage in electronic surveillance or interception of private communications. With some exceptions, these powers require judicial authorization or a warrant before they can be exercised. Canada’s existing legal framework for interception, search and seizure, and production of data also applies to encrypted data. However, there does not appear to be a specific provision that imposes requirements on telecommunications providers to decrypt data.

Since 1995, the Solicitor General’s Enforcement Standards (SGES) have been in force. The SGES outline twenty-three technical surveillance standards that must be followed as a condition of obtaining a wireless spectrum license in Canada. Standard 12 establishes an obligation that any type of encryption algorithm initiated by a service provider must be provided to a requesting law enforcement agency. This excludes end-to-end encryption.

I. Introduction

In Canada, the term “lawful access” is used to describe the government’s surveillance powers, and primarily involves the interception of communications, the search and seizure of information, and the issuance of production orders.[1] With some exceptions, these powers require judicial authorization or a warrant before they can be exercised.

Lawful access powers of the police are regulated by the Criminal Code,[2] while the surveillance powers of the Canadian Security Intelligence Service (CSIS) are governed by the Canadian Security Intelligence Service Act.[3] These powers are subject to the Canadian Charter of Rights and Freedoms and Canada’s other privacy laws. On December 9, 2014, Bill C-13,[4] the most recent amending legislation that contains “lawful access” provisions, was passed. The law includes “new investigative powers (preservation demands, preservation orders and production orders) for law enforcement officers for the conduct of their investigation.”[5]


II. Encryption

A. Criminal Code’s Lawful Access Powers

Part VI of Canada’s Criminal Code regulates the powers of the police to engage in electronic surveillance or interception of private communications, including real-time communications, while conducting criminal investigations. Apart from certain exceptions outlined in the Code, judicial authorization is required for the interception of private communications, but in comparison to ordinary search warrants “[t]he requirements for obtaining such an authorization are more onerous.”[6]

Police officials have the power to make demands to preserve computer data.[7] Subject to certain exceptions, searches and seizures[8] of computer data are also subject to judicial warrants. On application, courts may also issue preservation orders to preserve computer data[9] and production orders for the production of transmission[10] or tracking data.[11] In order to disclose the substance of a communication, the police must apply for a general production order, which requires a higher evidentiary standard.[12] According to an RCMP statement reported in the news, “wiretap authorization, a search warrant and a general warrant can also be accompanied by an assistance order issued by a court, which compels a third party to provide assistance where that assistance may reasonably be considered as required to give effect to the authorization or warrant.”[13]

Canada’s existing legal framework for interception, search and seizure, preservation, and production of data appears to apply to encrypted data or communications.[14] However, there does not appear to be a specific provision in the Criminal Code that imposes requirements on telecommunications providers to decrypt or establishes backdoor access. According to a recent statement by the Royal Canadian Mounted Police (RCMP) quoted in an investigative report by Motherboard, “there is no specific power in the Criminal Code to compel a third party to decrypt or develop decryption tools, nor is there any requirement for telecommunications services to provide these services,”[15] but courts may “compel” third parties like BlackBerry to assist with investigations.[16]

In the same Motherboard report, defense lawyer Michael Lacy is quoted as saying that the RCMP’s statement “is ‘an overstatement of the law,’ and that even though there is no explicit power relating to encryption backdoors in the Criminal Code, there may still be legal means to order a company to assist the police with decryption.”[17]

According to another news report, which quotes Christopher Parsons, a security researcher and postdoctoral fellow at the University of Toronto’s Citizen Lab, “[w]e don’t actually understand how the RCMP is using the laws that are developed for them.”[18] One critic notes that the Canadian government has been successful “at keeping their abilities regarding encryption quiet.”[19]

Canada’s previous Conservative government introduced lawful access legislation, Bill C-30, which included specific sections that would have imposed decryption requirements on telecommunications service providers, but the Bill was not adopted. Section 6(3) & (4) of the Bill stipulated as follows:

  • (3) If an intercepted communication is encoded, compressed, encrypted or otherwise treated by a telecommunications service provider, the service provider must use the means in its control to provide the intercepted communication in the same form as it was before the communication was treated by the service provider.

  • (4) Despite subsection (3), a telecommunications service provider is not required to make the form of an intercepted communication the same as it was before the communication was treated if

      • (a) the service provider would be required to develop or acquire decryption techniques or decryption tools; or

      • (b) the treatment is intended only for the purposes of generating a digital signature or for certifying a communication by a prescribed certification authority, and has not been used for any other purpose.[20]

B. Solicitor General’s Enforcement Standards

Since 1995, the Solicitor General’s Enforcement Standards (SGES) have been in force. Those Standards outline twenty-three technical surveillance standards[21] identifying “how mobile telecommunications companies must configure their networks to facilitate telecommunications interceptions.”[22] The Standards must be followed as a condition of obtaining a wireless spectrum license in Canada.[23]

Standard 12 stipulates that, “[i]f network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair.”[24] The annotation for this standard also provides:

[l]aw enforcement requires that any type of encryption algorithm that is initiated by the service provider must be provided to the law enforcement agency unencrypted. This would include proprietary compression algorithms that are employed in the network. This does not include end to end encryption that can be employed without the service provider’s knowledge.[25]

Only circuit-based communications are subject to these requirements[26] as opposed to packet-based communications.[27]

These standards were reportedly updated in 2008 and only made public by The Globe & Mail, which obtained past and current versions of the documents in 2013.[28] Some critics have pointed to a lack of transparency “surrounding the government’s position and policies” with regard to encryption.[29]

C. Police–Telecommunications Provider Cooperation on Encryption

In 2012, Rogers, a Canadian telecommunications provider, and the French telecommunications equipment company Alcatel-Lucent proposed an encryption backdoor for law enforcement at a meeting of the 3rd Generation Partnership Project’s (3GPP’s) Lawful Interception Working Group.[30] The proposal was for “a next-generation voice encryption protocol, known as MIKEY-IBAKE.”[31] The protocol was designed to protect end-to-end conversations.[32] According to Parsons and Tamir Israel of the Citizen Lab, this proposal was a discussion on “how to weaken communications-related encryption protocols such as MIKEY-IBAKE.”[33] The Telecom Transparency Project describes this process as follows:

Rogers and Alcatel Lucent proposed that “[i]nstead of deploying the true random number generator to create the random secret” that is used to establish an end-to-end encrypted communication, “a pseudo-random number generator (PRG) is deployed in the client application of the user device.” The Rogers/Alcatel Lucent solution would let a TSP either decrypt traffic in real time or retroactively decrypt traffic that had been encrypted using the PRG. As such, their proposal would effectively undermine the core security design decisions that were “baked” into MIKEY-IBAKE.[34]
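A simplified model of the weakness described above, as an added example that is not part of the original report or of the Rogers/Alcatel-Lucent proposal: a toy Diffie-Hellman exchange (not MIKEY-IBAKE itself) in which one client's secret comes either from a seeded PRG or from the operating system's entropy source. The seed, session identifier, group parameters and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for illustration only (not a vetted group).
P = 2**255 - 19
G = 2

def secret_from_prg(escrow_seed: bytes, session_id: bytes) -> int:
    """Weakened client: the 'random' secret is a deterministic function of a
    seed that the provider also holds (hypothetical construction)."""
    digest = hmac.new(escrow_seed, session_id, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1

def secret_from_trng() -> int:
    """Sound client: the secret comes from the OS entropy source."""
    return secrets.randbelow(P - 2) + 1

def session_key(own_secret: int, peer_public: int) -> bytes:
    """Derive the session key from the Diffie-Hellman shared value."""
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def provider_recover_key(escrow_seed: bytes, session_id: bytes,
                         peer_public: int) -> bytes:
    """What a seed holder can compute from a recorded handshake alone."""
    return session_key(secret_from_prg(escrow_seed, session_id), peer_public)

def demo() -> dict:
    escrow_seed = b"constructed-seed-known-to-provider"  # constructed value
    session_id = b"constructed-call-0001"                # constructed value
    bob_public = pow(G, secret_from_trng(), P)

    # Case 1: Alice's device derives its secret from the seeded PRG.
    key_weak = session_key(secret_from_prg(escrow_seed, session_id), bob_public)
    recovered = provider_recover_key(escrow_seed, session_id, bob_public)

    # Case 2: Alice's device uses true randomness; same recorded transcript.
    key_strong = session_key(secret_from_trng(), bob_public)
    guess = provider_recover_key(escrow_seed, session_id, bob_public)

    return {"weak_recovered": recovered == key_weak,
            "strong_recovered": guess == key_strong}

if __name__ == "__main__":
    print(demo())
```

Because recovery needs only the seed and values visible in the handshake, it works equally on live traffic and on recordings made earlier, which is the "real time or retroactively" property the quoted passage describes.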

According to an investigative report by Motherboard, Canadian police have been in possession of a BlackBerry master encryption key since 2010. The report states that the RCMP used the key in a criminal investigation into a mafia-related death that took place between 2010 and 2012 to intercept and decrypt over one million BlackBerry messages sent using its proprietary BBM service. Based on court records in the case, it is unclear how the RCMP actually obtained the key, Motherboard said.[35]


III. Conclusion

In conclusion, although there is no specific provision or power in Canada’s Criminal Code to compel a third-party telecommunications provider to decrypt or create decryption tools, Canada’s existing lawful access provisions in the Code may provide a legal framework for ordering companies to assist the police with decryption.


Prepared by Tariq Ahmad
Foreign Law Specialist
May 2016


[1] Lawful Access FAQ, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC), http://www.cippic.ca/lawful-access-faq (last updated June 2, 2007), archived at https://perma.cc/MA4C-AGQU.

[2] Criminal Code, R.S.C. 1985, c. C-46, http://laws-lois.justice.gc.ca/eng/acts/C-46/, archived at https://perma.cc/KRF2-KJFN.

[3] Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23, http://laws-lois.justice.gc.ca/eng/acts/C-23/, archived at https://perma.cc/76L5-MHBU.

[4] Act to Amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Act) (Protecting Canadians from Online Crime Act), S.C. 2014, c. 31 (in force Mar. 9, 2015), http://laws-lois.justice.gc.ca/eng/annualstatutes/2014_31/FullText.html, archived at https://perma.cc/Y6ES-Q6AU.

[5] Sean Griffin, Anne-Elisabeth Simard & Marianne Bellefleur, Bill C-13: Lawful Access and the Relationship Between Organizations, Cyber-bullying and the Protection of Privacy Rights, snIP/ITs (Feb. 25, 2015), http://www.canadiantechlawblog.com/2015/02/25/bill-c-13-lawful-access-and-the-relationship-between-organizations, archived at https://perma.cc/8YH7-PEEJ.

[6] Steven Penney, National Security Surveillance in an Age of Terror: Statutory Powers & Charter Limits, 48 OSGOODE HALL L.J. 247, 284 (2010), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1994525, archived at https://perma.cc/KN8Q-X5LK (construing Criminal Code § 184.2).

[7] Criminal Code § 487.012 (1).

[8] Id. § 487(1).

[9] Id. § 487.013(1).

[10] Id. § 487.016(1).

[11] Id. § 487.017(1).

[12] Id. § 487.014.

[13] Nicole Bogart, Can Law Enforcement Legally Access Data on Your Smartphone in Canada?, Global News (Feb. 24, 2016), http://globalnews.ca/news/2537715/can-law-enforcement-legally-access-data-on-your-smartphone-in-canada, archived at https://perma.cc/4GDV-RJST. “Assistance orders” are provisioned under 487.02 of the Criminal Code, which stipulates that,

[i]f an authorization is given under section 184.2, 184.3, 186 or 188 or a warrant is issued under this Act, the judge or justice who gives the authorization or issues the warrant may order a person to provide assistance, if the person’s assistance may reasonably be considered to be required to give effect to the authorization or warrant.

Criminal Code § 487.02.

[14] In October 1998 the Government of Canada announced its policy on cryptography, which stipulated that the government would “apply existing interception, search and seizure and assistance procedures to cryptographic situations and circumstances.” See 6.0 Cryptography Policies, McCarthy Tetrault, http://www.mccarthy.ca/pubs/cicpaper06.htm (last visited Apr. 19, 2016), archived at https://perma.cc/YH7W-SRRM; see also Christopher Parsons & Tamir Israel, Canada’s Quiet History of Weakening Communications Encryption, The Citizen Lab (Aug. 11, 2015), https://citizenlab.org/2015/08/canadas-quiet-history-of-weakening-communications-encryption, archived at https://perma.cc/HMT9-B3HW.

[15] Jordan Pearson & Justin Ling, Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages, Motherboard (Apr. 14, 2016), http://motherboard.vice.com/read/rcmp-blackberry-project-clemenza-global-encryption-key-canada, archived at https://perma.cc/JK2T-RDQG.

[16] Id.

[17] Id.

[18] Justin Ling & Jordan Pearson, Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key, Vice News (Apr. 14, 2016), https://news.vice.com/article/exclusive-canada-police-obtained-blackberrys-global-decryption-key-how, archived at https://perma.cc/K9AT-E36K.

[19] Jordan Pearson, Canada Desperately Needs to Have a Public Debate About Encryption, Motherboard (Apr. 14, 2016), http://motherboard.vice.com/read/canada-desperately-needs-to-have-a-public-debate-about-encryption, archived at https://perma.cc/9TGC-FZR9.

[20] Bill C-30, An Act to Enact the Investigating and Preventing Criminal Electronic Communications Act and to Amend the Criminal Code and Other Acts (Protecting Children from Internet Predators Act), http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&DocId=5380965&File=59#10, archived at https://perma.cc/D3BL-WNPS.

[21] Parsons & Israel, supra note 14.

[22] Telecom Transparency Project, The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians 10 (2015), https://www.telecomtransparency.org/wp-content/uploads/2015/05/Governance-of-Telecommunications-Surveillance-Final.pdf, archived at https://perma.cc/5339-EUYK.

[23] Matthew Braga, Why Canada Isn’t Having a Policy Debate Over Encryption, The Globe and Mail (Feb. 23, 2016), http://www.theglobeandmail.com/technology/why-canada-isnt-having-a-rigorous-debate-over-encryption/article28859991, archived at https://perma.cc/YA8W-CDCR.

[24] Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications, Standard 12, https://cippic.ca/uploads/Solicitor_General_Standards_Annotaed-2008.pdf, archived at https://perma.cc/NQB9-ZHPY.

[25] Id.

[26] Telecom Transparency Project, supra note 22, at 10.

[27] Parsons & Israel, supra note 14.

[28] Id.

[29] Id.

[30] Matthew Braga, Rogers and Alcatel-Lucent Proposed an Encryption Backdoor for Police, Motherboard (Feb. 12, 2016), http://motherboard.vice.com/read/rogers-and-alcatel-lucent-proposed-an-encryption-backdoor-for-police, archived at https://perma.cc/4U75-7B5R.

[31] Id.

[32] Id.

[33] Parsons & Israel, supra note 14.

[34] Telecom Transparency Project, supra note 22, at 10 (footnote in original omitted).

[35] Pearson & Ling, supra note 15.


Last Updated: 10/01/2016