Good afternoon.
My name is Kate Robertson. I am a researcher at the Citizen Lab, which is based at the University of Toronto's Munk School.
My comments today draw on the Citizen Lab's research on cybersecurity and telecommunications policy, data security, and transparency and accountability mechanisms that are applicable to the relationship between governments and telecommunications providers. My brief, which was submitted to this committee, was written with Lina Li of McGill Law and provides a charter analysis of Bill C-26. Part three of our brief sets out our recommended amendments, building on a report on Bill C-26 written by my former colleague Dr. Christopher Parsons.
There are key recommended amendments that would act as constitutional safeguards in the legislation. This is not to state that they're exhaustively read here.
To protect the rule of law and free expression, orders issued under the legislation must be published in the Canada Gazette. Any exceptional circumstances that might justify confidentiality of those orders should be expressly and strictly defined in the legislation, and should be time-limited.
For privacy rights, the legislation needs explicit protections for personal information, notice requirements, and tighter controls surrounding the sharing and use of personal and confidential information. You'll find proposed terms for those amendments under recommendations 13, 14, 16, 19, 28 and 29 in our brief.
We also reiterate, as others have, that orders issued must be proportionate and reasonable. In particular, the legislation should make explicit that an order compelling the adoption of particular standards cannot be used to compromise the integrity of a telecommunications service, such as by compromising encryption standards. The terms for those amendments are in recommendations one and five of our brief.
It is notable that these amendments are compatible with the government's objective to play an assertive role in protecting Canada's networks. This is not a tug-of-war between competing public interests. This is important, because the courts do not tend to find it reasonable if constitutional rights are infringed upon in a way that is unnecessary. The desire for expediency through Parliament is understandable, but if these issues aren't fixed now by legislators, then the legislation may well be held up in court litigation for years, which ultimately requires additional legislative time to fix.
Amendments to limit secrecy and to require proportionality also reinforce the government's objective of protecting our networks. I agree that, as was said last week, cybersecurity is a team sport, and I agree with Mr. Warnell's comments on the same subject. Effective cybersecurity integrates expertise from across a range of sources, including regulators, industry, civil society, academic and security researchers, and data journalists.
Dr. Parsons' report on Bill C-26 last year, as well as this committee process itself, illustrates how industry and independent expertise can provide a path forward for improving the legislation without detracting from the bill's core mandate. Public transparency will be an effective way to garner expertise from these sources as the legislation is implemented over time.
The Citizen Lab's recent report, “Finding You”, which is appendix C to our brief, underscores how secrecy at the regulatory level has led to serious “geolocation-related threats associated with contemporary networks”. The report documents persistent vulnerabilities at the heart of the world's mobile communications networks. It notes, “The failure of effective regulation, accountability, and transparency has been a boon for network-based geolocation surveillance.” In other words, when network standards and regulations are shrouded in unnecessary secrecy, this enables network insecurity to fester.
Similarly, without proportionality and transparency, Bill C-26, unamended, could enable successive governments to actually undermine network security, and ultimately human security, through orders that would drill holes in encryption standards in telecommunications networks.