Yesterday, Senator Julie Miville-Dechêne tabled Bill S-209, An Act to restrict young persons’ online access to pornographic material. If this feels familiar, it’s because this is a reintroduction of her earlier Bill S-210, which failed to pass in the last sitting of Parliament. While there are some important improvements in S-209 over its predecessor, the fundamental problem remains: once again, this bill attempts to conscript ISPs as the enforcement layer for blocking content online.

Let’s unpack the background, the differences between S-209 and S-210, and why this approach is deeply flawed.

What’s Changed Since S-210?

Definitions

Bill S-209 narrows the scope by defining “pornographic material” as visual representations with the dominant characteristic being the depiction, for a sexual purpose, of certain body parts. It explicitly excludes child pornography, which is already covered under existing law.

Bill S-210, in contrast, leaned on the existing Criminal Code definition of “sexually explicit material,” which is broader and less precise.

This narrower definition in S-209 is a positive step: it helps avoid confusion and scope creep that might have inadvertently captured legitimate content.

Clarification on Commercial Purpose (Section 6 in S-209)

A welcome addition in S-209 is Section 6, clarifying that incidental or non-deliberate provision of services (e.g. search engines, social media platforms) does not count as making pornographic material available for commercial purposes. This is important because it should protect most platforms from unintended liability just for being a conduit.

Age-Verification Requirements

S-209’s Section 12(2) is more stringent and privacy-conscious:  

- Requires highly effective age-verification or age-estimation methods operated by independent third-party organizations.  

- Stresses privacy safeguards: personal data must only be collected for age verification and deleted immediately afterward.  

- Adds important principles like data minimization and best practices.

By contrast, S-210’s Section 11(2) was less robust: it simply required that methods be reliable and protect privacy, without the explicit “highly effective,” “third-party,” or “strictly necessary” tests.

So What’s the Problem?

Despite the improvements, the bill still puts Internet Service Providers (ISPs) on the front lines of enforcement - a deeply flawed approach. Here’s why:

👉 Expensive and Burdensome: ISPs would need to implement blocking at the IP or DNS level, which is costly and complex. Smaller ISPs might be forced to pass those costs on to customers.

👉 Easy to Evade: The two standard methods used in Canada so far for ISP-level blocking have been DNS blocking and IP blocking. DNS blocking works by intercepting requests that convert domain names (like example.com) into IP addresses and returning an error instead of the correct address. It’s a bit like trying to look up an address in a phone book that’s been tampered with. However, users can easily bypass DNS blocking by changing their device’s DNS settings to an alternative server, such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1.

IP blocking, on the other hand, involves preventing traffic from reaching a specific IP address associated with the content—like blocking a particular street on a road map. But even this method can be easily circumvented by using a VPN, which routes the user’s traffic through a different IP address. Both techniques are easily defeated, meaning that determined users can still access the content with minimal technical effort.

👉 Collateral Damage: IP blocking risks overblocking legitimate services that share IP addresses via CDNs like Cloudflare or Akamai. For example, back in 2005, Telus blocked a website by IP address after getting a court order — but in the process, they also blocked 766 other innocent websites that happened to share the same IP address. Here’s a great write-up on that incident from The Tyee. This shows that the risk of collateral damage isn’t hypothetical — it’s real, and it’s happened before. This means entire websites could become inaccessible, impacting businesses and legitimate users alike.

👉 Privacy and Freedom at Risk: There are many groups that want ISPs to act as the “police” of the internet. We’ve already seen examples of this: the GoldTV case, where rightsholders successfully pushed for a court order forcing ISPs to block access to a pirate streaming service; the increasing push from rightsholders to block IPTV services; and other efforts where ISPs have been conscripted into enforcing copyright claims. If we create a broad framework in Canada for ISPs to be used this way, it will open the floodgates. Different parties—from copyright owners to political actors—will want to abuse the system to block all sorts of content. Once this enforcement infrastructure is in place, it’s only a matter of time before it’s used for purposes far beyond protecting minors from explicit content.

This sets a dangerous precedent that threatens both privacy and freedom of expression. Instead of letting ISPs become gatekeepers of what Canadians can see online, we should be focusing on measures that empower individuals—like parental controls, education, and platform accountability—while protecting the open, free, and innovative nature of the internet.

A Noble Goal, the Wrong Tool

Let’s be clear: protecting young people from harmful content is important. But Bill S-209 is not the right tool. Technology can play a role, but education, parental involvement, and responsible content moderation by platforms are more effective and less invasive solutions.

Instead of mandating ISPs to police the internet—a task they are neither equipped nor qualified to do—we should focus on fostering digital literacy, parental tools, and platform accountability that align with privacy and free expression.

For more on why this approach is problematic, I wrote about Bill S-210 last year: Canada’s Proposed Bill S-203: A Nightmare for Privacy and Internet Freedom

Final Thoughts

Senator Miville-Dechêne’s goal is commendable. We all want a safer online environment for young people. But conscripting ISPs as the enforcement mechanism is a costly, ineffective, and potentially dangerous route. Let’s keep talking about real solutions—ones that empower parents, protect privacy, and respect freedom of expression.