Fix C-26: Cybersecurity Bill is Short on Rights Protections and Accountability

Bill C-26 is yet another example, in an increasingly long list, of legislation that would fill a clear need if only it were better. C-11 (Broadcasting Act amendments), C-27 (private sector privacy and AI governance), S-7 (device searches at the border) and C-20 (long awaited provisions for RCMP and CBSA oversight), are all also on that list.   

Having a clear legal framework for cybersecurity expectations and responsibilities for operators of federal critical infrastructure is a good thing, probably long overdue. And Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, attempts to put such a framework into place.   

It amends the Telecommunications Act and gives the Governor in Council and Minister of Industry power to give directions to telecommunications service providers to require them to do, or stop doing, anything they think is necessary for infrastructure security. It also creates an administrative monetary penalty scheme to ensure providers comply with those directions and provides for judicial review of those orders. C-26 further creates a new Critical Cyber Systems Protection Act to create a framework for protecting “critical cyber systems of services and systems that are vital to national security or public safety”. Those are systems in federally-regulated sectors like banking, telecom, nuclear energy and infrastructure including transportation systems. The new Act allows the Governor in Council to designate a service as vital and require operators of designed vital services to create cybersecurity plans and programs, share information with designated bodies, and imposes consequences for non-compliance—with fines up to $15,000,000 and potential imprisonment.  In other words, Bill c-26 has an ambitious scope. 

The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still. 

For example, section 15 of the amendments to the Telecommunications Act give the Minister of Industry, after consulting with the Minister of Public Safety, is given the discretion (the language in the bill refers to “the Minister’s opinion”) to prohibit a telecom service provider from providing any service to any specified person (including another telecom provider), or require a telecom provider to suspend service for any amount of time to anyone (again, including another telecom provider). So, in simpler terms, services can be cut off from anyone at any time, if the Minister thinks it’s necessary to prevent a list of threats that includes, but isn’t limited to, interference, manipulation or disruption of a network. So, for example, if a ransomware incident is correctly traced to an IP, the person at that address could be cut off from the internet. But, if a ransomware incident is incorrectly traced, the person mis-identified could also be cut off. And because orders can be made in secret if the Minister chooses, it might not be allowable for the ISP to tell the individual why they’ve been cut off, which of course will make it hard for that person to make a case for correcting the error. Another example would be the potential to have modems cut off a network if they’ve been copromised by something like a bot net, which would have the effect of disconnecting consumers who may not even know their devices had been compromised. 

Also concerning are the very broad provisions around expanding information sharing with a long list of potential recipients including Ministers of Foreign Affairs and National Defence, the Canadian Security Intelligence Service (CSIS), and also, once an agreement is signed, with provincial governments, foreign governments, or international state organisations, again, at the Minister’s discretion. The Communications Security Establishment (CSE), Canada’s signals intelligence agency is also a key recipient of information.  

The CSE’s role requires careful consideration. Of course it makes sense that the CSE are given a core role within the Bill, as it has an explicit duty within its multi-pronged mandate regarding domestic cybersecurity and information assurance. However, cybersecurity isn’t CSE’s only mandate; under their own governing act their mandate includes active and defensive cyber attacks—in other words, hacking others for intelligence or defense purposes and protecting Canada from such attacks. All of the information Bill C-26 will require CSE to be given regarding security incidents across Canada is very likely to expose previously unknown vulnerabilities in programs that companies, and we as ordinary computer users, use, and we’d expect that when such information is revealed in the course of acting to protect cybersecurity the priority would be ensuring it is fixed. But there’s a potential conflict, because the CSE might also have good reason to want to stockpile vulnerabilities and exploit them under other aspects of their mandate. There should be, but is not, a provision in the Bill to require that information received as a consequence of information sharing mandated within the new Act only be used strictly within CSE’s cybersecurity responsibilities. 

One safeguard the Bill does provide are provisions for a judicial review of a cyber security direction which provides an avenue to challenge orders the subject of those orders believes are unreasonable or ungrounded. However, the rules around those judicial reviews allow secret evidence to be kept from applicants and their counsel and allows judges to use information not even provided to the applicant in a sanitized summary form for their decisions. This is reminiscent of other kinds of trials where information injurious to national security may emerge,  but in national security certificate cases under the Immigration and Refugee Protection Act (IRPA) there is provision for an amicus, a special security-cleared lawyer, to hear secret evidence and represent the interests of the subject of the order. While having an amicus is an incomplete remedy, the Supreme Court in R v. Harkat has said it meets the requirements of a fair process. In contrast, under C-26, there is no such nod to a fair process. Of course, there is a difference in consequences between possibly being deported from Canada under the IRPA and the fines and online access implications under C-26, but as a matter of principle, the right to make full and informed defence is a very important component of due process. And this is even more the case given the recent string of cases where Canada’s national security agencies have been warned by the Court for failing in their duty of candour, or in other words, failing to tell the Court everything it should know to make a good decision. 

This is a long article, and could be longer, but even this incomplete listing of the flaws in Bill C-26 suggests the need for sober second thought and significant amendment if this proposed legislation is to provide the cybersecurity protections Canada needs, with the protections for human rights and overreach of security agencies that we deserve. Security vs freedom is a false dichotomy. Genuine security and safety require individuals to be safe from malicious actors and safe from unreasonable intrusion by the state, and while it’s a tough balance, it’s the balance democracy requires.  Bill C-26 is one to watch for everyone concerned with privacy, surveillance, and accountability and CCLA will advocate for the reforms necessary to turn this into the kind of cybersecurity law people across Canada need. 

Listen to our Privacy Director Brenda McPhail talking about C-26 with Michael Geist on the LawBytes Podcast.

Read the joint letter CCLA co-signed calling for reform of Bill C-26.