Good afternoon.
I'm Matt Hatfield. I'm the executive director of OpenMedia, a grassroots community of 230,000 people in Canada who work together for an open, accessible and surveillance-free Internet. I'm joining you from the unceded land of the Tsawout on Salt Spring Island in B.C.
Do not let the public safety minister convince you that limited amendments will fix Bill C-22. They will not. Nothing short of striking the majority of part 2 will protect Canadian privacy.
The government's current approach is an enormous own goal against our economy and our security, and you are the only people who can stop it. I won't repeat the facts you've heard from Professors Diab and Geist and Apple, Meta and others. I'll use my time to explain why light amendments cannot do the job of making this bill safe.
In recent weeks, the minister has said the government will amend Bill C-22 to bring it in line with our allies' lawful access like America's CALEA, so let's compare. Bill C-22 can require telecom companies, online services and even hardware manufacturers to let the government install surveillance equipment on their platforms and to retain a year of metadata on every person in Canada. That isn't catching us up to CALEA. The two aren't even in the same league.
CALEA covers only telecom companies and requires no metadata retention: nothing approaching a year's data on everyone by default. Of the Five Eyes, only Australia mandates metadata retention, and there it's deeply controversial and is being reformed. I think we need to bear in mind, taking a step back, that in this threat environment we're entering, CALEA is not a success. CALEA has been in effect since the 1990s, but in recent years, the back doors required by CALEA are increasingly a key entry point for foreign hackers to compromise U.S. privacy.
In 2024, Chinese state hackers used it to compromise the systems of America's largest telecoms, affecting more than a million people. Just this February, the FBI found that CALEA's back doors had led to breaches in their systems and reported it to Congress as a major security failure.
We aren't catching up to a working global standard here. We're leapfrogging well beyond what any of our allies have done, creating a more vulnerable version of a system that's failing other governments.
What about the minister's promise that selective amendments can fix the bill?
The security and legal experts you've heard from have been clear: This bill will not protect encryption in any way that matters. The government's promise is to provide a narrow technical protection that Bill C-22 won't force a company to break encryption, but breaking encryption as a standard and defeating it are not the same thing.
A working lock is no protection if you're required by law to leave the door open. Bill C-22's capability orders can compel a provider to build in access to information before it's encrypted or while it's temporarily decrypted: at the device level, within the software or as data is being handled. None of that breaks encryption as a standard. All of it circumvents the protection that encryption is supposed to provide. That's a foundational problem of Bill C-22, not a simple definitional problem to fix.
In fact, this bill, as written, makes sure that none of its definitions can actually protect Canadian rights. Much is made of the difference between an electronic service provider and a core electronic service provider, with the strongest default obligations on core providers, although the government of course will decide who a core provider is later by regulation, but proposed subsection 7(1) lets the minister impose any obligation that a core provider faces on any service provider.
Because these orders have no gazetting requirement, counterintuitively every invasive requirement a core provider faces can be applied to any provider with less public scrutiny. In that same logic, maximal flexibility—ineffective-by-design safeguards—governs the definition of systemic vulnerability. That definition today isn't good enough, but even a strengthened good-faith version won't fix Bill C-22, because proposed paragraph 47(1)(c) explicitly grants cabinet the regulatory power to reinterpret any term in the bill.
As the case for Bill C-22 has crumbled, the minister has claimed that opposition is driven by foreign big-tech firms attacking Canadian sovereignty. That's plainly not true. Canadian tech success stories like Windscribe and Shopify have rallied against this broken bill as strongly as anyone.
OpenMedia's community has sent nearly 25,000 messages to MPs opposing Bill C-22 and Bill C-2 before it and has helped to rally more than 300 organizations against Bill C-2's privacy provisions. We don't take a dollar from big tech. Our budget comes from small donations from ordinary Canadians. The truth is that big-tech firms were late to this conversation, and it was ordinary Canadians who sounded the alarm from day one.
Now, the minister has said the government wants to have a filing cabinet of every Canadians' metadata ready for law enforcement when they need it. To that, I say that democracies do not keep a filing cabinet of every citizen's sensitive information in case it's useful to spies or police.
This process has been pushed so quickly that the system is not keeping up. We submitted our brief more than two weeks ago, on May 15, yet due to the sheer volume of input you've received, I learned today that committee members have not yet received it.
This is the symptom of a rushed, under-resourced process for a bill that has massive stakes. On behalf of our community, I urge you to take the time to receive and review all public evidence and to thoroughly reform or abandon part 2 of Bill C-22 before it moves forward.
Thank you. I look forward to your questions.