The Government of Canada has historically opposed the calls of its western allies to undermine the encryption protocols and associated applications that secure Canadians’ communications and devices from criminal and illicit activities. In particular, over the past two years the Minister of Public Safety, Ralph Goodale, has communicated to Canada’s Five Eyes allies that Canada will neither adopt or advance an irresponsible encryption policy that would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This year, however, the tide may have turned, with the Minister apparently deciding to adopt the very irresponsible encryption policy position he had previously steadfastly opposed. To be clear, should the Government of Canada, along with its allies, compel private companies to deliberately sabotage strong and robust encryption protocols and systems, then basic rights and freedoms, cybersecurity, economic development, and foreign policy goals will all be jeopardized.

This article begins by briefly outlining the history and recent developments in the Canadian government’s thinking about strong encryption. Next, the article showcases how government agencies have failed to produce reliable information which supports the Minister’s position that encryption is significantly contributing to public safety risks. After outlining the government’s deficient rationales for calling for the weakening of strong encryption, the article shifts to discuss the rights which are enabled and secured as private companies integrate strong encryption into their devices and services, as well as why deliberately weakening encryption will lead to a series of deeply problematic policy outcomes. The article concludes by summarizing why it is important that the Canadian government walk back from its newly adopted irresponsible encryption policy.

1. Background and Recent Developments in Canadian Policy Thinking

Western governments have debated cryptography policy through at least four discrete moments. These can be defined as:

The pre-1990s, when states exercised strict control over the availability, development, and use of cryptography and products which integrated cryptography; The first ‘Crypto Wars,’ which took place between 1990-2000, and saw civil rights and security advocates successfully rebuff western governments’ efforts to advance key escrow policies (which focused on injecting backdoors into cryptographic protocols and products which integrated cryptography) and ultimately led to the liberalization of cryptography policy; A respite period, between 2000-2010, during which governments and government agencies enjoyed near-ubiquitous access to unencrypted data and focused on deliberately exploiting weak security protocols and device and system insecurities rather than focusing on improving the state of cybersecurity; The current Cryptography Cold War, which is rapidly turning ‘hot’, as western governments advance arguments that strong encryption should be replaced with escrowed or backdoored cryptographic protocols or implementations of strong encryption algorithms.

Since the late 1990s, the Canadian government has publicly affirmed its support for Canadians and Canadian businesses to have access to the strongest forms of cryptography.1 Indeed, in past meetings with the Five Country Ministers of Public Safety, Canada’s Public Safety Minister was provided with speaking notes which affirmed the government’s resolute commitment to Canadians’ access to strong encryption. Notably, Minister Goodale’s briefing notes for the 2017 Five Country Ministerial read:

In Canada’s view, while encryption poses challenges for Canadian law enforcement investigators, it also safeguards our cybersecurity and our fundamental rights and freedoms. Canada has no intention of undermining the security of the internet by impeding the use of encryption.2

Against this backdrop of the Canadian government’s historical support for strong encryption, Canada’s Minister of Public Safety, along with his colleagues in Australia, New Zealand, the United Kingdom, and the United States of America, issued a communique from a ministerial meeting in July 2019. In addressing the topic of encryption, the Ministers collectively acknowledged that they:

…are committed to strong encryption, which enables commerce, improves cyber security, and protects the privacy of our citizens’ data. We are committed to protecting our citizens from harm. We note the commitments made by tech companies to protect their users’ data, their efforts to create a positive environment for their users and their support to properly authorised law enforcement operations. Security enhancements to the virtual world should not make us more vulnerable in the physical world.3

This communique defined “strong encryption” as associated with particular activities: commerce, generally improving security, and generally working to protect privacy and citizens’ data. The limitations of this definition of “strong encryption” come into relief later in the communique, which goes on to read that the Ministers:

…are concerned where companies deliberately design their systems in a way that precludes any form of access to content, even in cases of the most serious crimes. This approach puts citizens and society at risk by severely eroding a company’s ability to identify and respond to the most harmful illegal content, such as child sexual exploitation and abuse, terrorist and extremist material and foreign adversaries’ attempts to undermine democratic values and institutions, as well as law enforcement agencies’ ability to investigate serious crime. Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format. Those companies should also embed the safety of their users in their system designs, enabling them to take action against illegal content. As part of this, companies and Governments must work together to ensure that the implications of changes to their services are well understood and that those changes do not compromise public safety.4

In effect, for the Canadian government and its closest allies, strong encryption in fact means “encryption which cannot be used to prevent the government from accessing or surveilling communications.” The Canadian government is, in effect, recanting its earlier position and formally calling for companies to inject communications insecurities into their applications.

Actual strong encryption involves building algorithms, applications, and communications systems which are properly designed to keep information secure, even from government agencies or other well resourced or highly competent adversaries. The Canadian House of Commons Standing Committee on Public Safety and National Security endorsed a definition of strong encryption as constituting:

… encryption algorithms for which no weaknesses or vulnerabilities are known or have been injected, as well as computer applications that do not deliberately contain weaknesses designed to undermine the effectiveness of the aforementioned algorithms.5

Box 1: Encryption At Rest vs In Transit Encryption may be applied to data at rest (i.e., when the data is stored on a particular device or system) or data in transit (i.e., when data is being transmitted between different applications or systems or across the Internet). When data is being stored at rest on another party’s device(s) or system(s), such as in the case of cloud computing, encrypted data may be solely accessible to the owner of the data or by the owner of the data as well as the cloud provider. When data is transmitted between applications, systems, or across the Internet then it may have the property of being end-to-end encrypted. In such situations, only devices at either end of the communication (e.g., clients involved in a chat application) can decrypt the data: an intermediary responsible for transiting the information cannot obtain access to the plaintext of the communication.

In calling for companies to design their services such that data can be obtained by government, the signatories to the ministerial communique are asserting their opposition to strong encryption that ensures that only the owners, or intended recipients, of data or communications can decipher or decrypt the communications. In a Canadian context, this means that the Government of Canada has formally asserted its opposition to the strong encryption relied upon by government employees, politicians, business persons, and citizens and residents of Canada in the course of all of their daily and routine activities. Significantly, Canadians informed the government as part of a national security consultation in 2017 that they did not want encryption to be weakened;6 while the government at the time seemed to respect this position, apparently the Minister no longer sees a need to so-respect the public.

2. Failure of Government to Justify Weakening Encryption

Following the publication of the 2019 ministerial communique, Minister Goodale stated that “[w]e need to work with internet companies and the service providers to achieve two objectives simultaneously. The objective of the privacy values that flow from strong new technologies and encryption, but at the same time making sure that our platforms and services and systems are not harbouring the kind of behaviour that would exploit children and create victims…The privacy commissioner and others would not, I’m sure, make the argument that the system should be designed in such a way that it becomes the secret preserve of those who would exploit children, for example.”7 These comments insufficiently communicate the baseline failures within the Government of Canada to adequately use, and manage, available information to conduct or facilitate child abuse investigations. Instead, the Minister is seeking to paint all parties who support civil liberties and strong encryption as supportive of child abusers; this is the same kind of language that was used by the former Harper-era Public Safety Minister, Vic Toews, when he asserted that the Liberal public safety critic (and, by extension, privacy and security advocates) could either “[s]tand with us or with the child pornographers.”8

Currently, the RCMP sometimes receives large volumes of information pertaining to child abuse imagery. Either the RCMP itself obtains the logged server information as part of a domestic investigation or they receive it from friendly law enforcement agencies. In either case, these volumes of data are typically obtained after law enforcement agencies seize servers and information technology infrastructure associated with the making available, and distribution, of child abuse imagery.

Once in possession of information derived from the aforementioned information technology infrastructure, such as server logs, the RCMP’s National Child Exploitation Coordination Centre (NCECC) is often challenged in their ability to subsequently conduct investigations based on the information that they have obtained. There are several reasons behind this deficiency. First, the data may be so dated by the time it is assessed that it is impossible to correlate the metadata identifiers that have been obtained with specific persons in Canada. As an example, server logs might disclose the IP addresses of persons who visited a now-seized abuse imagery site. Those IP addresses, however, may have been assigned months or years earlier. Canadian businesses are obliged to delete information that lacks a business purpose under Canadian commercial privacy law.9 As a result, these businesses may be unable to link an IP address assigned months or years ago to a particular subscriber account because they were legally required to delete this information to conform with privacy law and business best practices.

Second, the RCMP’s NCECC generally cannot conduct investigations of all the data which they receive concerning child abuse and imagery cases. This inability arises because of the sheer volumes of data, along with the RCMP not necessarily having jurisdiction to conduct these investigations where there are provincial or municipal forces which are responsible for investigating criminal activities that have allegedly taken place in their respective jurisdictions. In the past, the RCMP could warrantlessly obtain subscriber information to, in part, identify which provincial or municipal agencies should be given custody of relevant data derived from seized servers. Such kind of behaviours were found unconstitutional by the Supreme Court of Canada in Spencer, with this information now accessible following judicial approval.10 Notably, both pre- and post-Spencer, the NCECC has struggled to determine which law enforcement agencies should receive the server-related data.

Furthermore, Public Safety’s efforts to convince Canadians that they are ‘going dark’, or increasingly unable to obtain information in pursuit of criminal investigations due to encryption, are contrary to the facts presented by the Minister of Justice, case anecdotes from the RCMP itself, and positions advanced by the Public Safety Committee. The Attorney General of Canada, as well as their provincial counterparts, is obliged to table electronic interception reports on an annual basis. Academic research has showcased that none of these reports, from 2005 – 2014/16, have indicated that encryption has prevented interceptions from taking place.11

In 2016, the RCMP provided reporters with the CBC12 and Toronto Star13 with privileged, and partial, access to case reports which the RCMP asserted showcased that encryption was hindering their investigations. Assessment of the cases, as presented to the journalists, revealed that the RCMP in fact was not substantially prevented in conducting their investigations.14 While some investigations may have been more challenging to carry out—encryption may have added friction without posing an insurmountable barrier—there was no evidence that the lawful course of investigations had been irreparably prevented from continuing. In fact, the anecdotes revealed the breadth of resourcing available to the RCMP to conduct cases in the face of investigative challenges.

Finally, the Public Safety Committee in 2019 issued a report on cybersecurity in the financial sector. As part of the report, they provided a series of recommendations. First, that digital products and services that Canadians rely upon should be “secure by design”; second, that the government support “research and development of quantum technologies and encryption standards that will ensure Canada’s electronic information and information systems remain secure in a post-quantum world”; and third, that “the Government of Canada reject approaches to lawful access that would weaken cybersecurity.”15 With regards to this third point, the committee explicitly agreed that it was important that Canadians have access to strong encryption despite the fact that this will create some challenges for law enforcement agencies which cannot seek assistance from the Communications Security Establishment (CSE).

In summary, while the Minister of Public Safety has asserted that encryption enables child predators and abusers to conduct crimes with impertinence, this position is not supported by the facts on the ground. But instead of addressing existing policy deficiencies, or gathering and presenting robust evidence to support the government’s position that encryption poses an intractable problem, the Minister has instead irresponsibly indicated support for weakening the communications of all Canadian residents, businesses, and government officials.

3. Encryption Enables the Exercise of Rights and Freedoms

Encryption enables the exercise of fundamental rights and freedoms, including freedom of thought, belief, opinion, expression, and association. It allows for greater democratic participation in the digital sphere and is integral to protecting and affirming privacy rights, dignity, and the security of persons, in particular those of persons who are most marginalized or otherwise vulnerable. All of these rights are guaranteed and protected by the Canadian Charter of Rights and Freedoms. As such, any attempts to interfere with these rights—such as by deliberately preventing citizens and residents from having access to the strong encryption technologies that enable the exercise of these rights—routinely attract Charter scrutiny.

Interfering with the availability of strong encryption may detrimentally impact fundamental freedoms under section 2 of the Charter (i.e., freedom of expression, freedom of religion, freedom of thought, freedom of belief, freedom of peaceful assembly and freedom of association), as well as the right to be secure against unreasonable search and seizure as guaranteed in section 8. Furthermore, the efforts by state actors to limit, undermine, or circumvent access to strong encryption may also have implications for other rights, including: the right to security of the person (section 7); the right to silence, the protection against self-incrimination, and the right not to be compelled as a witness against oneself (section 7, 11, and 14); or equality rights (section 15).

Box 2: Charter Rights and Encryption For a broader, and more in-depth, assessment of how rights which are guaranteed under the Charter are impacted by government efforts to inhibit access to strong encryption, see: Shining a Light on the Encryption Debate: A Canadian Field Guide.16

As laws are passed, such as Australia’s,17 which authorize governments to secretly compel companies to undermine the cryptographic systems they integrate into their products, citizens and residents may increasingly come to believe that they are being subjected to surveillance. Whether they actually are subject to such monitoring or not is immaterial: scholars and courts have regularly recognized that persons who believe they are subject to surveillance will chill their exercise of their freedoms and rights.18 As a result, individuals may change their speech and behavioural patterns, including whom they associate with online. Notably, studies undertaken following Edward Snowden’s revelation of western governments’ surveillance have enabled researchers to demonstrably showcase the fact of individuals shying away from reading or saying certain things: the prospect of surveillance has had a direct impact on the abilities of persons to exercise Charter protected rights.19

The chilling of speech makes it more challenging for journalists to hold the government to account as prospective sources shy away from engaging in critique of the government, and this holds especially true for populations which perceive themselves as being subject to recriminations for speaking with the press. To be clear, those who limit their communications with the press extend beyond persons who believe they are targeted as a result of belonging to a marginalized group. A study by Human Rights Watch and the American Civil Liberties Union put this into relief when they found that, following the Snowden revelations, government officials were “substantially less willing to be in contact with the press, even with regard to unclassified matters or personal opinions.”20 A citizenry which is less aware of its government’s activities is less able to demand accountability, compel change, or engage in the democratic process writ large.

Finally, encryption is essential for enabling human rights more broadly, and the work of human rights defenders around the world specifically. Human rights defenders engage in political work to hold governments to account for their abusive activities. Device encryption enables these defenders to bring potentially sensitive data with them as they travel, including data which is essential to their advocacy missions. The ability to communicate securely using applications and systems which integrate strong encryption enables defenders to coordinate, collect information from contacts and sources, and disseminate their findings to journalists and other parties. The UN Human Rights Commissioner, Zeid Ra’ad Al Hussein, has stated that:

Encryption tools are widely used around the world, including by human rights defenders, civil society, journalists, whistle-blowers and political dissidents facing persecution and harassment … It is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered. In the worst cases, a Government’s ability to break into its citizens’ phones may lead to the persecution of individuals who are simply exercising their fundamental human rights.21

Efforts undertaken by western governments to undermine the availability of strong encryption and its integration in consumer applications thus not only implicate Charter-protected rights and freedoms, but also threaten the very lives of persons around the world who are fighting to promote human rights in dangerous and often authoritarian states. Even statements that encryption poses serious risks to public safety can be, and are, used by authoritarian governments to buttress their own arguments for why their own citizens and residents should not have access to products and services possessing strong encryption. The Canadian government must repudiate its recently assumed irresponsible position on encryption policy if it desires to credibly promote itself as being a champion and defender of human rights.

4. The Dangers of Compelling Weakened Encryption

In addition to encryption enabling the exercise of rights and freedoms, and those rights and freedoms being chilled or persons exercising them harmed as a result of irresponsible encryption policies that prevent access to strong encryption, weakening the availability of encryption also has significant cybersecurity, economic, and foreign policy implications. In this section I briefly survey some of these dangers before summarizing why it is important that the Canadian government walk back its irresponsible policy position concerning encryption.

4.1 Public Safety and Cybersecurity

Strong encryption is used to shield sensitive government data, preserves the confidentiality of law enforcements’ and intelligence agencies’ investigations, and is essential for military communications and operations. It also protects essential critical infrastructures, and the operators responsible for maintaining these infrastructures, from some threats posed by adversaries. And strong encryption enables the Government of Canada to engage in robust, and honest, internal assessments of foreign policy between members of the government with relatively little fear their communications will be decrypted and made public. While in the 1960-1980s many of these functions might have been undertaken using specialized, made-for-government, software and hardware, the era of liberalization has long-since taken hold. Politicians and government officials routinely rely on applications which have integrated strong end-to-end encryption, such as Signal or WhatsApp, to keep their communications confidential; compelling weaknesses in encryption applications used by consumers will inhibit the ability of government to keep its own communications confidential in the face of determined adversaries.

A range of credentialed, government-backed studies have asserted the importance of supporting strong and widely available encryption. These groups include the 2013 United States President’s Review Group on Intelligence and Communications Technologies22 and a 2016 Congressional Working Group on encryption,23 as well as statements from the former leader from the Central Intelligence Agency and National Security Agency,24 Department of Homeland Security,25 the former Director of the Government Communications Headquarters (GCHQ),26 and former Director-General of the British Security Service (MI5).27 In 2016 the Dutch government officially endorsed the importance of strong encryption for Internet security,28 the German government’s 2016 National Cybersecurity Strategy affirmed the country’s long-standing support for strong encryption tools,29 and in 2016 Europol and the European Union Agency for Network and Information Security (ENISA) issued a joint statement on encryption which rejected any approach that would weaken encryption standards or the integrity of communications.30 And in Canada, in 2019, the Public Safety Committee asserted that encryption should not be weakened in the service of lawful access.31

It isn’t just governments or government officials that rely on encryption in their communications and activities, and cybersecurity concerns extend well beyond the walls of government departments. Sectors of the economy that are defined as providing critical infrastructure rely on, by definition, commercial equipment, services, and systems to maintain such infrastructure. Weakening the encryption available not just to the businesses providing, running, or supporting such infrastructure, but also the encryption available to employees in their private lives, will expose Canada’s critical infrastructure to heightened likelihood of compromise. Not only would weakened encryption increase the prospect of businesses being directly breached or threatened, but corporate employees could be targeted in their private lives by illicit actors to obtain information that could either shed insight into the operations and weakness in Canada’s critical infrastructure, or information that could be subsequently used to blackmail or compel the employees to act contrary to Canada’s national interests. As an example, a determined threat actor might compromise an employee’s private and personal WhatsApp or Signal communications to collect information about legal activities that would be embarrassing were they made public, such as information about romantic liaisons, healthcare challenges, religious activities, financial status, or sexual proclivities. In situations where the threat adversaries are foreign intelligence actors, the weakening of encryption will grossly expose Canadians writ large to meddling in Canada’s domestic affairs and recruitment of agents operating on the behalf of foreign spies.

Furthermore, communications infrastructure is essential to how citizens communicate with one another during electoral periods, and to engage in political discourse more broadly before, during, and after elections. Deliberately compelling weaknesses in these communications infrastructures will significantly increase the risk that they are successfully hacked by illicit or foreign actors, and thus enable unauthorized actors to interfere with Canadians’ abilities to elect their representatives. In short, compelling weaknesses into popular communications systems will endanger Canada’s democracy.

4.2 Economic Growth

Encryption is used to protect sensitive trade secrets, intellectual property, and strategic intentions, while simultaneously enabling secure online transactions and trust in online services. Most companies in Canada are small- and medium-sized, and any efforts to weaken the encryption provided to them (and, through them, to their customers) will undermine the ability of companies to effectively develop their businesses and maintain the trust of their customers.

Of note, online commerce is rapidly changing. While Canadians routinely purchase goods from websites today, they are also increasingly purchasing goods through chat and social media applications, services, and platforms. Attempts to prevent companies providing these types of applications, services, and platforms from integrating strong encryption will stymie what may become a major growth sector of the Canadian economy, and thus inhibit Canada’s small- and medium-sized businesses from growing their business by selling products through next-iteration online presences.

Further, any large online service provider, such as Shopify, Facebook, Google, or an equivalent global company, is obliged to operate under a global responsibility “to avoid causing or contributing to adverse human rights impacts through their own activities” per the United Nations Guiding Principles on Business and Human Rights.32 Should governments compel global international companies to deliberately adopt practices that impede or prevent persons from exercising their human rights, then these governments will, by extension, be hindering companies from meeting their human rights obligations. As such, in adopting its irresponsible encryption policy the Canadian government runs the risk of forcing private Canadian companies to make the difficult legal and ethical choice of protecting their users’ human rights and complying with international standards, or sacrificing their millions, tens of millions, or hundreds of millions of users’ human rights to facilitate ill-considered government demands for greater surveillance capabilities.

4.3 Policy Capacity and Foreign Policy

The Canadian government’s irresponsible encryption policy may have detrimental impacts on the government’s policy capacity and foreign policy. Specifically, such policies might lead to re-headquartering, which runs the risk of undermining existing access to corporate data, as well as undermine a human rights-focused foreign policy. Each of these are discussed in turn.

Companies that provide encrypted services may re-headquarter as a result of needing to provide strong encryption in their products to retain, and attract, customers and maintain those customers’ trust. Re-headquartering may see companies move outside of countries which are demanding the weakening of encryption protocols and products. Such moves could diminish the ability of governments to directly issue lawful requests on such companies and expect the requests be responded to, and might specifically take the form of companies refusing to comply with production orders for metadata associated with encrypted data. Concerns about the effects of compelling companies to weaken the security provided in their products and services was recognized by the United States’ House Judiciary Committee and House Energy and Commerce Committee Encryption Working Group in 2016, when they wrote:

These forces might incentivize larger companies to leave the United States, and render small business and other innovators in the field obsolete. If a U.S.-based company moved operations to a country with a more favourable legal regime, the law enforcement and intelligence communities might lose access to everything in that company’s holdings—encrypted or not.33

Furthermore, as western governments call for, or compel, private companies to deliberately weaken the encryption integrated into their products and services, these same governments will lose the moral authority to call out authoritarian countries who similarly demand their citizens and residents be unable to secure their communications and data from government officials and agencies. Regardless of whether western governments call for weakening encryption at rest, encryption in transit, or how encryption is applied by devices and applications, the result is the same: the governments’ abilities to meaningfully present themselves as champions of human rights and defenders of persons and groups advocating for human rights will be seen as a facile, and false, assertion.

In a Canadian context, as a result of the Canadian government’s irresponsible encryption policy, the government’s ability to conduct foreign affairs may be significantly impeded. Specifically, Global Affairs Canada will be restricted in its abilities to hold foreign governments to account for intruding upon their residents’ communications. In short, Public Safety Canada is undermining the ability of the Canadian government writ large to challenge the dangerous anti-encryption policies advocated by strategic competitors, such as Russia and China, as well as by authoritarian governments such as Kazakhstan, Bahrain, United Arab Emirates, Azerbaijan, Iran, Saudi Arabia, and others.

5. Conclusion

The Public Safety Minister, Ralph Goodale, has framed strong encryption products as facilitating child abuse and exploitation. He has also cast the security experts and privacy advocates who defend strong encryption as supportive of pedophiles. In advancing an irresponsible encryption policy that would deny individuals and businesses access to strong encryption, he—and the Government of Canada—have failed to publicly acknowledge and present the range of serious harms that would follow should companies voluntarily, or under compulsion, adopt the government’s current policy.

While encryption poses investigative friction it does not preclude governments from conducting successful investigations or intelligence operations. The tools and legislated powers that are available to law enforcement, security services, and intelligence agencies today were the stuff of science fiction a few decades prior. Today, agencies subscribe to services that monitor social media for intelligence, collect bulk location data in tower-dumps and using IMSI catchers, deploy malware to intrude into endpoint devices and network equipment, and can avail themselves of the massive information databases which are retained by Canada’s Communications Security Establishment and the Establishment’s allies. Decades prior, these kinds of surveillance capabilities would have required deploying hundreds or thousands of agents whereas, today, they are accomplished using a mere handful of government officials. Furthermore, public reporting about these new tools and systems has not showcased that encryption is stymying investigations: no honest public reporting supports the government’s one-sided anecdotal and emotionally-driven arguments that encryption is increasing risks to public safety. Similarly, no report tabled by the Government of Canada or its legislative assembly has concluded that Charter rights, cybersecurity, economic growth, or foreign relations will be unaffected by impeding the availability of strong encryption.

The proposed rationales for weakening encryption would exchange marginal gains in limited investigative situations for significant losses with regards to Canadians’ abilities to exercise their rights and freedoms while simultaneously undermining cybersecurity, economic development, and foreign affairs. Minister Goodale should stop calling persons with well-considered policy positions on the importance of enabling the availability of strong encryption as supporters of child abusers, and get on with his job of trying to keep Canadians safe instead of endangering them with his irresponsible and dangerous encryption policy.