Bill C-26

The amassing of data in any database brings with it attendant security risks. The extent of them I cannot comment on.

I would indicate that your concerns are connected to amendments that we have raised in our brief regarding the handling of data. Right now, the information-sharing powers within the Canadian government that would be enabled by Bill C-26, if passed unamended, are extremely broad.

One limit that we recommended, for example, is that the use of the information being shared should be constrained to cybersecurity objectives, and not piggybacked objectives that are layered on after the fact. Retention limits should be strictly defined to address the very concern that you're raising.

In that way, while there is understandably a need for some examination of critical information to enable that mandate to be fulfilled, it should be very strictly defined within the legislation itself.

Hi there. I'm Matt Hatfield, and I'm the executive director of OpenMedia, a grassroots community of 230,000 people in Canada who work together for an open, accessible and surveillance-free Internet. I'm joining you from the unceded territory of the Sto:lo, Tsleil-Waututh, Squamish and Musqueam nations.

I’d like to ask us all a question: What does cybersecurity mean to you as an individual, as a family member and as a citizen? For me, and for many people across Canada, our cybersecurity is inseparable from our privacy, as so much of our everyday lives is conducted online—much more so since COVID—and none of us feel secure with the thought of being spied on in our everyday lives, whether by hackers, hostile states or our own government. For most Canadians, our cybersecurity is very much about that sense of personal security.

The draft of Bill C-26 you have in front of you threatens that security. It poses enormous risks to our personal privacy, without basic accountability and oversight to ensure that the people given these powers don't abuse them against us. You must fix this.

Exhibit A is proposed section 15.2 of the Telecommunications Act, which grants the government the power to order telcos “to do anything or refrain from doing anything”. There are no limits here, no tests for necessity, proportionality and reasonableness, and no requirement for consultation. The government could use these powers to order telcos to break the encryption we need to keep ourselves safe from hackers, fraudsters and thieves. They could even use these powers to disconnect ordinary people indefinitely from the Internet, maybe because our smart toaster or an old phone we gave our kids gets hijacked by a hostile botnet. Without a requirement that these orders be proportional or time-limited, these are real risks.

It gets worse. The government would be allowed to keep even the existence of these orders—never mind their content—top secret indefinitely, and even if these orders are challenged by judicial review, the minister could bring secret evidence before secret hearings, which flies in the face of basic judicial transparency.

There's no excuse for this. Our close allies in Australia and the U.K. have shown how cybersecurity can be strengthened without compromising fundamental rights. Why do Canadians deserve lesser protections?

All this comes when Parliament is working on strengthening our privacy laws through Bill C-27. I have to ask, does one hand of our government even know what the other is working on?

We recognize that there are very real problems, though, that Bill C-26 is trying to solve. When we read the government's stated objectives, we're on board. Should we protect the digital infrastructure? Sure. Should we remove risky equipment from hostile states? Of course. Should we force big banks and telcos to better protect their customers? Of course. However, we can fulfill these objectives without sacrificing our rights or balanced, effective governance. Let's talk about how.

First, the government's new powers must be constrained. Robust necessity, proportionality and reasonableness tests are an absolute must. An unbreakable encryption is the fundamental baseline that all of our personal privacy depends on, so there must be an absolute prohibition on the government using these powers to break encryption.

Second, privacy rights must be entrenched. Personal information must be clearly defined as confidential and forbidden from being shared with foreign states, which are not subject to Bill C-26's checks and balances.

Third, the government must not be allowed to conceal the use of its new powers under a permanent veil of secrecy.

Fourth, when the use of those powers is challenged in court, there must be no secret evidence. Special advocates should be appointed to ensure all evidence is duly tested.

Fifth, any information the Canadian Security Establishment obtains about Canadians under Bill C-26 should be used exclusively for the defensive cybersecurity part of their mandate. I hope you all remember that NSIRA, the body explicitly established by Parliament to oversee CSE, has complained for years about CSE not being accountable to them. Knowing how difficult it's proved to keep them accountable for their existing powers, please don't grant them broad new powers without tight and clear use and reporting mechanisms.

As other people have said, when cybersecurity works, it's a team sport. It requires buy-in from all of us. We all have to be on team Canada, and we all have to trust in the regulatory framework that governs it. There's zero chance of that happening with Bill C-26 as is. Adequate transparency, proportionality and independent verification are the necessary baseline that this bill has to earn for it to work.

We're going to be delivering a petition signed by nearly 10,000 Canadians to you shortly, folks who are calling for that baseline protection. We urge you to listen to these voters and adopt the amendments package that civil society has suggested to you to get this legislation where it needs to be.

Thanks. I look forward to your questions.

Good afternoon.

My name is Kate Robertson. I am a researcher at the Citizen Lab, which is based at the University of Toronto's Munk School.

My comments today draw on the Citizen Lab's research on cybersecurity and telecommunications policy, data security, and transparency and accountability mechanisms that are applicable to the relationship between governments and telecommunications providers. My brief, which was submitted to this committee, was written with Lina Li of McGill Law and provides a charter analysis of Bill C-26. Part three of our brief sets out our recommended amendments, building on a report on Bill C-26 written by my former colleague Dr. Christopher Parsons.

There are key recommended amendments that would act as constitutional safeguards in the legislation. This is not to state that they're exhaustively read here.

To protect the rule of law and free expression, orders issued under the legislation must be published in the Canada Gazette. Any exceptional circumstances that might justify confidentiality of those orders should be expressly and strictly defined in the legislation, and should be time-limited.

For privacy rights, the legislation needs explicit protections for personal information, notice requirements, and tighter controls surrounding the sharing and use of personal and confidential information. You'll find proposed terms for those amendments under recommendations 13, 14, 16, 19, 28 and 29 in our brief.

We also reiterate, as others have, that orders issued must be proportionate and reasonable. In particular, the legislation should make explicit that an order compelling the adoption of particular standards cannot be used to compromise the integrity of a telecommunications service, such as by compromising encryption standards. The terms for those amendments are in recommendations one and five of our brief.

It is notable that these amendments are compatible with the government's objective to play an assertive role in protecting Canada's networks. This is not a tug-of-war between competing public interests. This is important, because the courts do not tend to find it reasonable if constitutional rights are infringed upon in a way that is unnecessary. The desire for expediency through Parliament is understandable, but if these issues aren't fixed now by legislators, then the legislation may well be held up in court litigation for years, which ultimately requires additional legislative time to fix.

Amendments to limit secrecy and to require proportionality also reinforce the government's objective of protecting our networks. I agree that, as was said last week, cybersecurity is a team sport, and I agree with Mr. Warnell's comments on the same subject. Effective cybersecurity integrates expertise from across a range of sources, including regulators, industry, civil society, academic and security researchers, and data journalists.

Dr. Parsons' report on Bill C-26 last year, as well as this committee process itself, illustrates how industry and independent expertise can provide a path forward for improving the legislation without detracting from the bill's core mandate. Public transparency will be an effective way to garner expertise from these sources as the legislation is implemented over time.

The Citizen Lab's recent report, “Finding You”, which is appendix C to our brief, underscores how secrecy at the regulatory level has led to serious “geolocation-related threats associated with contemporary networks”. The report documents persistent vulnerabilities at the heart of the world's mobile communications networks. It notes, “The failure of effective regulation, accountability, and transparency has been a boon for network-based geolocation surveillance.” In other words, when network standards and regulations are shrouded in unnecessary secrecy, this enables network insecurity to fester.

Similarly, without proportionality and transparency, Bill C-26, unamended, could enable successive governments to actually undermine network security, and ultimately human security, through orders that would drill holes in encryption standards in telecommunications networks.

Thank you, Mr. Chair and members of the committee.

My name is Todd Warnell and I am the chief information security officer at Bruce Power.

Established in 2001, Bruce Power is Canada's only private sector nuclear generator, annually producing about one-third of Ontario's power, as well as life-saving medical isotopes used around the globe to fight cancer and sterilize medical equipment.

I'm grateful for the invitation to participate in your review of Bill C-26. Today, I will focus my comments on part 2 of the bill, namely, the critical cyber systems protection act.

I'm here before the committee to provide a perspective that proceeding with the implementation of Bill C-26 is of vital importance to the safety and security of all Canadians. Canada has prospered over the last four decades through a period of relatively stable and predictable global relations. However, that period of stability and predictability is changing amidst a backdrop of global geopolitical tensions and changing global dynamics. Ensuring the safe and reliable delivery of critical services that Canadians depend upon every day is not, and cannot be, a political issue.

Within Canada's nuclear industry, we have seen and demonstrated that through collaboration with governments, regulators, industry, academia, and individual Canadians, we can be successful in establishing and regulating cyber systems that are important to the safe and reliable operation of critical services.

The critical cyber systems protection act would introduce a broad framework from which all critical sectors, in collaboration with government and regulators, can develop and implement risk-informed and performance-based regulation to enhance the reliability and resilience of critical services. The committee should consider ways of ensuring that appropriate checks and balances are in place for any directives issued to address a risk or threat to Canada's critical cyber systems.

Harmonizing Canada's cybersecurity framework across critical sectors through Bill C-26 would also align our approach with our closest allies and avoid our being left behind as our allies move forward with enhancing their respective national cyber resilience programs and driving innovation that can enhance our collective capabilities in protecting ourselves and detecting and responding to a changing threat landscape.

In conjunction with Bill C-26, we urge lawmakers to review and consider the amendments to the CSIS Act, to enable Canada's intelligence community to exchange and co-operate on cyber-threat intelligence with Canada's public and private sector operators in both a proactive and preventative manner.

Thank you for the opportunity to address the committee today.

I look forward to your questions.

Thank you for the question.

To bring both of your questions together, wherein you were asking about the risk of not acting, in IBM we operate with, partner with and strategically advise over 1,700 organizations. Admittedly, they're not all in the direct scope of this, but they would be impacted through the passing of Bill C-26. Many of those organizations struggle. Many of those organizations are focused on Canada. Many of them are focused on multinational. By not acting within Canada, we are, in effect, encouraging those organizations to pause on Canada.

We don't have the regulations. We don't have the definitions. We don't have the laws in place for them to understand the arena they're playing in within Canada. This bill languishing is causing that pause to get larger.

From a collective individual perspective, it also shifts into the mindset of our resources, our teams and our neighbours. Our graduates—our children coming up through education —challenge what Canada's position is on cyber risk and cybersecurity, not just for the critical infrastructure that we need to run and operate, but for the employment opportunities that we have and that our organizations have.

It is very critical. That's a definite “yes” that we should act in a timely manner.

I would also like to emphasize that we need to get it right and not rush through it in a way that.... I'm a little hesitant to name a time frame because the focus should be on all the challenges we pointed out and addressing these properly.

Comments were made as well on national cybersecurity strategies and plans in other countries and so forth. We don't have our national cybersecurity strategy yet launched. We greatly look forward to what the Canadian Chamber has fed into the submission, because for me and our members it would provide the broader, overarching picture of cybersecurity per se. Bill C-26 would be one part of that strategy. It's a holistic view and a comprehensive approach there.

Lastly, I wanted to make one comment in terms of time and I lost my train of thought there. You had another follow-up question to Mr. Shipley, I think. Could you please remind me what it was?