Civil liberty organizations and privacy experts are decrying the extensive powers granted to Ottawa under Bill C-26, a proposed law intended to improve cybersecurity.
“Bill C-26 grants the government sweeping new powers. But there really is no accompanying regime of checks and balances to safeguard people’s rights,” said Kate Robertson, senior researcher at The Citizen Lab, a research lab at the University of Toronto.
“That ultimately risks undermining public trust, democratic norms, civil liberties and even Charter-protected rights in Canada.”
The bill proposes amendments to the Telecommunications Act and other laws to improve cybersecurity and will affect internet-connected products that Canadians rely on daily.
The powers Ottawa is granting itself are practically unlimited, says Brenda McPhail, former director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association.
‘Gag or bind’
Within modern households, any product connected to the internet can be at risk of becoming a tool for hackers, including smart products, phones and laptops.
Older devices not subject to security updates — such as an old phone given to a child to watch YouTube videos — can be especially vulnerable to cyberattacks, says Matthew Hatfield, executive director at OpenMedia, a non-profit that advocates for innovative and open communication systems. ‘Smart’ household appliances, such as fridges or toasters, can also be hacked without an owner ever knowing it.
Under Bill C-26, if someone’s device were used to target a government website, for example, Ottawa could order their telecom service be shut off, says Hatfield.
This order would be kept secret from the public. And the affected person would never even know that it was the government that ordered their service disconnected. The bill also does not outline how people who lose their service could get it back.
“[T]here’s nothing about informing those people, bringing them back on eventually, once the emergency has passed,” said Hatfield.
The proposed law does not address how telecommunications providers would receive “financial relief“ when implementing mandated cybersecurity measures, says Robertson. This means these costs would likely be passed on to consumers.
Bill C-26 would also enable Ottawa to create secret laws that govern telecommunications providers and have secret judicial processes away from the public eye, says Robertson, who co-wrote a submission to the standing committee on the bill’s infringement of civil liberties and human rights.
The bill could “potentially gag or bind the telecommunications providers from disclosing those orders to the public,” she said.
Keeping information confidential can be important in some cases, Robertson acknowledges. For example, network vulnerability should not be publicly disclosed if it would enable hackers to take advantage of a compromised system before it is fixed.
There can also be legitimate reasons why a government would shut off internet access due to a cybersecurity threat, says McPhail, who is now an independent researcher at McMaster University. In a crisis or faced with a bad actor, such as a terrorist or foreign government, the government needs to act quickly to protect Canada’s infrastructure.
“But there also needs to be reasonable transparency and accountability requirements,” McPhail said.
Secret evidence, secret hearings
Bill C-26 gives Ottawa the ability to collect very broad categories of information from telecom operators, says Joanna Baron, executive director of the Canadian Constitution Foundation, a charity that defends Canadians’ constitutional rights and freedoms.
The government could collect both anonymized or identifiable data, and it does not require Ottawa to inform the person whose data is collected.
Information that is not considered confidential can be disclosed to foreign governments and foreign bodies under this bill, says McPhail.
“The definitions of confidential information in the bill include trade information, proprietary information. It doesn’t include people’s personal information that might be shared as a consequence of collecting information from a telecommunication service provider that has all of our personal information perpetually flowing along the fibers,” said McPhail.
An explanatory note about the bill on the government’s website says that Ottawa would be required to enter an agreement with any recipient of information that restricted the recipient’s use of the disclosed information to “regulatory or other non-penal purposes.”
The bill includes no mechanism for limiting what Ottawa can do with the data it collects. And it lacks measures to address situations where government is negligent with people’s data, Baron says.
Civil liberty organizations argue “there should be some mechanism for supporting individuals who have had their information negligently misused to seek relief against the government, particularly where they can prove that the loss of control… affects the individual,” said Baron.
And if the government calls for a security order to investigate a potential cybersecurity threat, the bill allows for the minister to use secret evidence in secret judicial review hearings. People whose cyber activity is under investigation would never know about the legal process.
The government’s website says that the hearing process “would only apply to those portions of the judicial review proceedings that involve sensitive information. The remainder of the hearing would be open to the public and the applicant.”
Civil liberty organizations have proposed that an independent advocate should be empowered to review the evidence to determine if the government’s case meets a certain legal threshold. The advocate would publicly post its conclusion on whether the evidence is sufficient for a review to proceed.
As the bill heads to a parliamentary standing committee in January, civil liberty groups are continuing to advocate for proposed amendments to the bill.
Hatfield is worried the proposed changes may not be enough.
“It’s just a question of, ‘Will all these gaps be patched by a committee?” said Hatfield. “Because there’s some pretty serious omissions from a proportionality perspective that absolutely need to be.”
