Bill C-22 and Canadian Providers
I just found out about Bill C-22 in Canada through this article: https://www.techradar.com/vpn/vpn-privacy-security/windscribe-joins-signal-in-threatening-canada-exit-over-controversial-surveillance-bill
How would this affect VPS providers who are Canadian such as @namecrane @servarica_hani or even OVH's dedis? I know that BuyVM for example offers slightly more "bulletproof" hosting and from what I understand with this bill maybe that's no longer possible for Canadian companies if this passes?


Comments
Thankfully, as we all know Lawful Backdoors were never used by bad actors to gain unauthorized access to systems on a large scale. Oh, wait...
https://badcyber.com/the-great-greek-wiretapping-affair/
https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/
https://www.securityweek.com/lawmakers-ask-nsa-about-its-role-juniper-backdoor-discovered-2015/
https://mjtsai.com/blog/2024/10/09/china-possibly-hacking-us-lawful-access-backdoor/
BuyVM isn't Canadian anymore, it's UAE.
Francisco
Oh that's good to know! What about Namecrane? I do have a namecrane email lifetime, how would this affect me were this law to pass?
NameCrane is a US LLC
Francisco
Some great links, thanks. Hadn't heard of all these stories
To me this new bill is unclear if the responsibility would fall on a VPS provider or if this would fall on me if I have a VPS in Canada.
Haha, wow, ok problem solved then! Until the US starts implementing similar laws...
OK I am having trouble understanding the original bill from source
it has too much legal information and details that are hard to follow
The first thing worth saying is that compelling a hosting provider to hand over customer data through a judicially reviewed process is already standard practice in Canada.
We respond to production orders today, and we have always required a court order before disclosing customer information. Bill C-22 does not change that:
production orders signed by a judge remain a requirement to hand over customer data.
But it layers a set of new requirements for providers on top of that which, in my view, add nothing new to the legal system while creating a significant amount of work, cost, and risk for providers.
The new things in this bill are:
1- The new requirement of collecting metadata about users for up to 1 year
2- The new backdoor requirement for core providers or providers the minister can ask to implement
The question is whether the metadata means the data about the client when they interact with their client area (like the access log to their client area)
or whether we have to save the connections to and from the user's VPS with timestamps.
If it is the latter, that is a big deal breaker.
Also, the whole idea of implementing a backdoor, even if access to it is judicially reviewed, is stupid and does not add anything, just a huge amount of work for nothing.
I will send a message to my MP representative and see what they will answer
Hopefully she will vote against it or at least ask for modifications to it
Not to sound like I am defending the crazy Bill C-22,
but comparing it to US laws is unfair.
Actually the US Patriot Act is way, way worse than the worst interpretation of Bill C-22.
It uses what are called National Security Letters, which are issued by law enforcement agencies with zero judicial approval, and the hosts have to surrender data based on them.
Also, even if they ask for a judge's order, they only have to prove that the information is relevant to some investigation they do, while under Canadian law it falls under the criminal code laws of Canada, which is a much higher standard.
I really hope this doesn't pass because it sounds like a bill that wasn't thought out that could cost businesses huge headaches. I was also reading that the definition of encryption was unclear and large companies like Apple would have to pull out of offering end to end encryption for Canadian clients as it is in its current state...I'm hoping the MPs can listen to this because it sounds awful for everyone!
I don't have any idea of how things would even look if this was passed, say I had a VPS with a custom LUKS install how would you backdoor that? You could dump the VM with the encryption key and as you said I'm sure the US patriot act would probably do the same thing if asked but it would be crazy if they were asking for SSH access somehow on custom installs
There are also things I don't understand, say I offered a Matrix or XMPP server for my friends that had encryption, is the VPS provider or me liable for disallowing this?
Honestly I would rather leave Canada as a company than mess with clients' VMs.
But from my understanding it does not include that.
But just in case, I sent a lengthy email to our MP asking her for technical details of what is included and what is not. I asked to meet with her to escalate the issue.
They cannot pass vague laws and then we will be at the mercy of how these laws are interpreted later.
That is really cool, I hope the MP will meet with you to explain further or at least it helps them understand the issue better. I'm really hoping this will just stay a bill as it seems like it could just decimate the tech industry in general in Canada. If it stays so vague certain industries will probably err on the side of caution like Apple, pulling out all encryption etc, or placing the backdoors just so they can say they did everything to comply.
This is where you're wrong -- they can, and have many times in the past. They like to keep things intentionally vague for that purpose. America has had a similar but not identical law since 2018, the CLOUD Act: "The USA CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a 2018 federal law that allows United States law enforcement to compel U.S.-based technology companies to produce electronic data and communications, regardless of whether that data is stored inside or outside the United States".
He said it like a call to arms (hence, meeting with MP for technical clarification), not saying it can't happen.
Sure, but I don't think it'll help much. The Liberal party, ironically, once opposed this type of legislation years ago, and is now trying to push it through with their stolen majority.
This is just the start. Idiot Carney has already signaled through his heritage minister that lawful content on the internet will be regulated. They've actually been trying this for 10+ years since little Fidel took power.
A good video here from the US side describes how all ID verification for adults is sold as age verification for kids and goes through all these bullshit bills that sound like they are protecting kids but are actually surveillance and monitoring for adults. Same shit on the CD side but with more censorship and control.
Signal and Nord said they will stop services in Canada if it becomes law. I'm sure hundreds of other companies will go as well, they just don't want to say it ahead of time so they don't start losing customers right away.
Can't you just tell them you're a provider for vulnerable MMIWG2SLGBTQQIA+ folk and get a pass?
Approved by the Government of Canalibs
Canada is not the US.
I see this more as technical incompetence than malice. I'm sure they're all getting new technical briefings on the technical challenges and privacy implications they didn't think about with their blinders on.
Plus, there's always the Charter challenge, which tends to shoot down shitty bills that violate our rights.
For those that are having a hard time understanding what's going on... This is the classical liberal scam. It will be like MAID, just get it passed and then it's endless amendments and changes until they get what they want. Here is a cut and paste from the Sun and the flaw in the bill.
"The key word in that first sentence is intent.
A bureaucrat like Bilodeau may believe that his intent with the law leads in one direction, but if the words in the legislation lead in another then that means nothing. This is a piece of legislation that grants cabinet the ability to change regulations and who those regulations apply to without going back to a vote in the legislature"
https://torontosun.com/opinion/columnists/on-bill-c-22-apple-meta-warn-that-carney-will-compromise-your-data
Not quite. Judges will look at Hansard for the debate and intent when the law was being introduced, which helps them understand in cases of ambiguity how they should rule.