Michael Geist explains why the “it’s just phone book information” hand-waving by politicians and government officials is worse than misleading: it’s deliberate mendacity.

en telefonbog (a Danish telephone directory)
Photo by Tomasz Sienicki via Wikimedia Commons

If this sounds familiar, it is because the same tired claims have been used for years. In September 2011, then-Public Safety Minister Vic Toews defended the Harper government’s lawful access proposals by claiming “linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address”. Christopher Parsons, then a researcher at the Citizen Lab, responded with a detailed anatomy of what a lawful access “phone record” actually contained, showing that the three-field directory entry the government was invoking was being used to describe an eleven-field record including IP addresses, IMEI and IMSI numbers, SIM serials, device identifiers, and account information from multiple providers, any one of which could be cross-referenced to build a comprehensive profile of a person’s online life.

The Supreme Court of Canada put the issue to rest in the Spencer decision, holding unanimously in 2014 that there is a reasonable expectation of privacy in subscriber information precisely because the disclosure of such information “will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous”. It returned to the same terrain in Bykovets in 2024, extending Charter protection to IP addresses on the reasoning that an IP address is the “first digital breadcrumb that can lead the state on the trail of an individual’s Internet activity”.

Bill C-22’s new subscriber information production order applies a low evidentiary standard but covers name, pseudonym, address, telephone number, email address, account identifiers, types of services provided to the subscriber, the period during which they were provided, and information that identifies the devices, equipment, or things used by the subscriber in relation to those services. In short, a modern subscriber record is not a phone book entry but rather an index of a person’s digital life and the government is proposing to reduce the standard needed to gain access to that information.

Moreover, the same phony framing is now being stretched beyond subscriber data to mandatory metadata retention. As Conservative MP Andrew Lawton noted to Fraser at committee, the government and its officials have been telling Canadians that requiring electronic service providers to retain metadata for up to a year is “no different than just having a copy of the phone book that someone could leaf through”. That is a laughable comparison, given that metadata includes the date, time, duration, and type of a communication, the identifiers of the devices involved, and information identifying the location of the device. It is as if the phone book would include the details of every call made including location, call recipient, and device. And given retention for up to a year, the plan poses a disproportionate privacy risk that is likely to be struck down as unconstitutional by the Supreme Court, should it survive in its current form.

And in a follow-up post, he writes:

On encryption, Anandasangaree said the bill “was never meant to breach encryption” and promised to “clarify it in the Bill”. Language clarification is welcome but structural problems remain. The safeguards in Bill C-22 at ss. 5(5) and 7(5), which state that a provider is not required to comply if compliance would create a systemic vulnerability, are incompatible with s. 12, which unconditionally requires compliance with orders, and with s. 13, which specifies that orders prevail over regulations when inconsistencies arise. The term “systemic vulnerability” is not defined in the statute, and the Governor in Council has the power to make regulations “respecting the meaning of any term or expression for the purposes of this Act”. None of this is fixed by promising clearer language. It is fixed by the kind of amendment the Privacy Commissioner proposed this week, namely adopting Australia’s definition, which expressly covers actions that render encryption less effective, together with an explicit prohibition on regulations or orders that require the introduction of, or prevent the rectification of, a systemic vulnerability.

Moreover, Anandasangaree’s defence of the bill’s privacy implications was a deflection rather than an answer, as he tried to turn the attention to the privacy practices in the private sector, stating, “I drive a vehicle where every single point that I drive to is tracked. And that data is not with me.” Commercial data practices are indeed a real concern and Canada needs stronger laws to address them. However, the bill’s surveillance map of every Canadian is not justified by pointing to the absence of meaningful constraints on data collection and to the failure of his own government to address long-overdue private-sector privacy reform.

That brings the press conference back to the Privacy Commissioner. Asked directly whether he would accept Commissioner Philippe Dufresne’s amendments, the Minister said he would “be looking at” them and “looking to see what he has to offer”. Dufresne tabled eight concrete amendments at committee on Tuesday: narrowing subscriber information to a closed list (name, address, telephone number, IP address), restricting who can be compelled to telecommunications service providers, defining “publicly available information” to exclude information in which a person has a reasonable expectation of privacy, an overarching requirement that SAAIA obligations be necessary and proportionate, an Australian-style amendment to “systemic vulnerability”, an explicit prohibition on orders requiring vulnerability introduction or preventing rectification, an exemption to the SAAIA’s confidentiality rules to allow disclosure to regulatory bodies such as the OPC, and allowing his office to investigate if data breaches result from application of the new powers. Anandasangaree’s comments, coming a day after the Dufresne’s committee appearance, noted that “we have until like five o’clock today” for amendments. That window does not leave room to seriously consider the Commissioner’s recommendations. The “I will be looking at” claim, delivered hours before the deadline, amounted to a rejection of the recommendations.