Bill C-33

Sure. Thanks, Chair.

You're right, I was getting a little bit off topic there.

I'll tell you, it's easy to be passionate about the billions of dollars in economic impact that my people have—the people I'm proud to represent. It's billions of dollars that they have, yet, unfortunately, the Liberals seem to disregard that. They would toss it away for some dream that certainly is more of a dream than any reality, especially when we could be supplying our partners like Ukraine with clean, green Canadian natural resources.

When it comes to Bill C-26 and its relevance here on the Bill C-33 conversation, we have this connection that exists. Why I went down the path of talking about how proud I am of Canada's energy industry is that it's not always recognized how closely connected physical infrastructure and the security associated with that are to the cyber elements of how that works.

I would provide a local example, Chair.

A pipeline company just opened up a new control centre in Hardisty. This example is very relevant to both the physical infrastructure that Bill C-33 represents and the reference that it has to cybersecurity, which is referenced in Bill C-26. There's this close connection that exists. We cannot dismiss that. It goes further when it comes to our rail systems. It's not out of the realm of possibility to see how there's that close connection that exists between the cyber and physical security side of things.

If we don't see Bill C-26 addressing those things appropriately, if it's not responsive to the economic needs, if it doesn't take into account the privacy concerns of Canadians, if it gives too much power to a few individuals in our nation's capital who may not be responsive, or if, likewise, when it comes to Bill C-33 there's not this appropriate delegation of authority that takes into account.... I often refer to the word “tension” or what could be referred to as the Aristotelian mean. We have to find that correct tension or that mean place where we have that balance. I'm fearful that we simply don't get it when it comes to Bill C-26 and some of the elements that we have discussed at length, although most of the clauses have in fact passed.

There's been a change in who is in charge of the public safety file. I won't get into the host of criticisms that have been levelled by Conservatives against the ministers of public safety. They seem to come and go at an alarming rate.

I would, however, like to read from the Canadian Civil Liberties Association when it comes to some of the concerns surrounding Bill C-26. Then I will be happy to cede the floor to my colleagues, who I know have a tremendous amount to add to this conversation as well.

Although this letter is dated September 28, 2022, there's particular relevance to what we're discussing here today. It's written to the former minister and the leaders of the opposition parties, including Ms. May as the parliamentary leader of the Green Party. I think she's now co-leader of the Green Party.

It is titled, “Joint Letter of Concern regarding Bill C-26”, and I'll read it directly into the record, Mr. Chair:

Dear Minister,

We, the undersigned organizations, are writing to express our serious concerns regarding Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

In your press release announcing this legislation, you were quoted as stating “In the 21st century, cyber security is national security.” We agree, and we share your goal of helping both the public and private sector better protect themselves against cyber attacks.

Isn't this very agreeable up until this point?

The Canadian Civil Liberties Association goes on to say:

However, in its current form, Bill C-26 is deeply problematic and needs fixing.

I would note—because the stickers on my iPad triggered certain members of this committee, I won't show you—that it's actually bolded. Those previous words are bolded because the CCLA wanted to make sure they were emphasized in the context of this conversation.

It says:

As drafted, it risks undermining our privacy rights, and the principles of accountable governance and judicial due process which are the fabric of Canadian democracy. The legislation needs to be substantively amended to ensure it delivers effective cybersecurity protections while safeguarding these essential democratic principles.

As you know, Bill C-26 grants the government sweeping new powers over vast swathes of the Canadian economy. We believe these powers need to be strictly delimited and accompanied by meaningful safeguards and reporting requirements to ensure Canadians can hold their government and security agencies to account.

Next, this is in bold again, Mr. Chair, and I reference that because it's obvious that the CCLA wanted to ensure that this was emphasized:

Put simply, with great power must come great accountability.

With a view to improving this legislation, we share with you the following specific areas of concern:

Opens the door to new surveillance obligations: Bill C-26 empowers the government to secretly order telecom providers “to do anything or refrain from doing anything.” This opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards—something the public has long rejected as inconsistent with our privacy rights.

Termination of essential services: Under Bill C-26, the government can bar a person or company from being able to receive specific services, and bar any company from offering these services to others, by secret government order. This opens the door to Canadian companies or individuals being cut off from essential services without explanation. Bill C-26 fails to set out any explicit regime, such as an independent regulator with robust powers, for dealing with the collateral impacts of government Security Orders.

It goes on to mention that it:

Undermines privacy: Bill C-26 empowers the government to collect broad categories of information from designated operators, within any time and subject to any conditions. This may enable the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.

I would just note, Chair, that when it comes to the de-identified side of things, that's often an excuse that gets used. I know from my role on the ethics committee that we had a study that was undertaken when it was learned that the government had purchased a huge amount of data on movements during the COVID-19 pandemic. Although it was claimed to be de-identified, there were massive question marks associated with the amount of data the government received. I know that there was an overwhelming amount of concern that I certainly heard.

A number of people reached out to us when they did not hear back from Liberal members of the committee who didn't echo some of the concerns about how much information was being gathered: things like people knowing that the government could determine when people were going to the grocery store and liquor stores and other things. Certainly, in a free and democratic society, there were concerns about it. It was unclear. Canadians are pretty trusting, but they want to be respected. I talk about that tension or that Aristotelian mean that needs to be found, and I fear that this government has pulled that tension totally out of whack.

However, I digress. I will get back to what the CCLA has to say.

It goes on to say that there are “No guardrails to constrain abuse”.

Bill C-26 lacks mandatory proportionality, privacy, or equity assessments, or other guardrails, to constrain abuse of the new powers it grants the government — powers accompanied by steep fines or even imprisonment for non-compliance. These orders apply both to telecommunications companies, and to a wide range of other federally-regulated companies and agencies designated under the Critical Cyber Systems Protection Act.... Prosecutions can be launched in respect of alleged violations of Security Orders which happened up to three years in the past.

I would just note that in a late show that I was a part of yesterday—and I know that my colleague was actually there, too—I was shocked that the parliamentary secretary from Winnipeg North talked in support of a policy that actually sent farmers to prison. Now, I wouldn't want to go off topic here, so I won't get into the conversation around the Wheat Board, but my goodness, how concerning is it that the government would support policies that threw farmers into prison for wanting to sell their grain without the government controlling it? It is unbelievable that that's the point that these Liberals would go to, and that they still support it even after it was very clear that Canadians and farmers wanted the ability to sell their grain without the government controlling them. Truly it was an unbelievable level of control, which was specifically targeted at the west. It's quite something to have heard, and I'm sure my colleague here would agree with me that it was unbelievable to hear that be brought up in conversation in the House of Commons yesterday, that they would prefer to throw farmers in prison than to have a legitimate conversation around the impacts of, in that case, the carbon tax.

Thank you very much, Mr. Chair.

I hope everybody was able to have a good short break. I know that was seven or eight minutes of freedom that people had, but I'm sure they're thrilled to get back to the important conversation that we have here before us.

Mr. Chair, specifically due to the two-hour time change, of course, back in Alberta and the riding I'm proud to represent, I would note that my wife has probably just finished putting my kids to bed. To my boys, I love you guys; hopefully you're listening to your mama as she puts you to bed. I look forward to connecting with my wife post 11:30, after this committee wraps. That's one of the big things, when our families are back home holding down the proverbial fort.

Mr. Chair, I left off talking a bit about the wide-sweeping powers associated with Parliament when we live in a democracy where the idea of parliamentary supremacy is absolutely paramount. I believe I unpacked it adequately in the context and certainly I have a whole host of other things to say about that but wouldn't want to dive too deep into that in the short time that we have here.

However, I want to make sure that I get to the recommendations that this article references in terms of Bill C-26. It goes on to say...and I'll summarize this and then have a few other important interjections that I look forward being able to make.

The article said: “Given that the Bill has just been introduced,”—this article is a bit dated, but nonetheless very relevant—“its passage is not guaranteed, and additional changes to the draft law”—or in the Canadian context, bill—“may occur. However, and in the interim, if you are a provider of vital services”—which speaks to that vital connection that we have with Bill C-33 here before us—“and systems as described in the Bill, we recommend that you consider taking the following steps to improve your cyber resilience:

The first is:

Preemptively improve your security posture and processes to conform with the CSE’s best practices and guidance, or industry practices, and ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and

given the secrecy and potential immediacy of Government orders and directives, Telcos and Designated Operators should draft contracts to flow down potential cyber security risks appropriately.

That's almost unique in terms of some of the recommendations that have been made in the context of this bill. The authors go on to talk about how, if you are a supplier of products and services related to critical systems of designated operators as described in the bill, we recommend that you take the following steps:

Preemptively improve your security posture and processes as described immediately above in anticipation of more strenuous cybersecurity requirements requested by Designated Operators; and

I'll make a final point on this one, and then I'll look forward to getting into a few other aspects of debate here. The final point is:

anticipate shouldering more risk when contracting with Designated Operators and consult with your insurance provider accordingly.

A big thank you to Lisa R. Lifshitz—I believe I'm saying that appropriately—and Cameron McMaster, the authors of this. I believe it provides a good summary and a few very relevant recommendations in terms of the context.

I would note here as well, we're talking about critical infrastructure and, I know, specifically some of the larger conversations surrounding Bill C-33. We have the need for resiliency throughout every aspect of that, whether it's in relation to security, which is very important, or some of the challenges associated with climate. There has to be that security that does exist there, and we have to be mindful of that in the larger context of everything that we are discussing and how relevant that is.

On that note, Michael Den Tandt, if I'm correct on this—and I'm certainly happy to stand corrected—in an opinion piece to the Ottawa Citizen, which I believe is relevant especially for the Bill C-26 aspect here.... Michael Den Tandt ran for the Liberal Party in the 2019 election, if memory serves. He entered on December 4, so it seems like it's been more than a couple of weeks. Just last week, a column by him was published in the Ottawa Citizen.

Although it seems as if it's been more than a couple of weeks, he published this column in the Ottawa Citizen last week. I believe it would be very valuable to this conversation.

Den Tandt said the following in his column, “Canadian government must take the time needed to get its cyber security bill right”:

Bill C-26, the federal government's stab at shoring up the country's cyber readiness, passed first reading in the House of Commons on June 14, 2022. The legislation has two thrusts: first, to keep hardware from adversarial states out of Canada's telecom networks; second, to ensure our critical infrastructure is hardened against a plethora of new digital threats.

Nearly a year later, in late March of 2023, C-26 limped through second reading. The bill now rests with the Standing Committee on Public Safety and National Security, for review and possible amendment.

That this law continues to languish at committee, 16 months after it first saw the light of day, encapsulates one of its core failings which, in fairness, is not unique to this piece of lawmaking: Despite showing signs of having been written in a hurry, presumably in hopes of keeping pace with technological change, it's emerging too slowly.

By the time it passes third reading, then meanders its way through the Senate to Royal Assent, C-26 may well have been overtaken by events. The threats it is intended to counter are multiplying far more quickly than the glacial pace of the legislative process appears able to match.

What are these threats? The latest National Cyber Threat Assessment from the Canadian Centre for Cyber Security encapsulates them in language that, for a government document, is remarkably direct.

Cyber-criminals are rapidly scaling up, evolving ransomware and other attacks into a trans-national enterprise, while state actors—specifically China, Russia, Iran and North Korea—are deploying vast resources to attack and undermine open economies and societies by eroding trust in public institutions and the factual foundation on which their credibility rests. “You may be tempted to stop reading halfway through,” writes CCSE Head Sami Khouri in the foreword, “disconnect all your devices and throw them in the nearest dumpster.”

As a note, Mr. Chair, I had the opportunity to serve on the public safety committee for a short time in the 43rd Parliament. Hearing briefings from experts was eye-opening, to say the least, when we had examples. I believe it was CSIS, in their public report, that said there are 4 billion attempted attacks on Canadian cyber infrastructure in the course of a year. That's absolutely mind-boggling—the growing sophistication of the enemies of freedom and Canada, and the steps they will take to attack us and our infrastructure.

Den Tandt goes on to say the following:

To counter this, the draft bill offers two pillars: first, a revamp of the Telecommunications Act, giving the federal minister of Innovation, Science and Industry sweeping powers to order companies to ban certain products, clients or service providers, with possible daily penalties of up to $15 million a day if they don't comply; and second, the Critical Cyber Systems Protection Act (CCSPA), which would allow the minister and an appointed official to order cyber measures in federally regulated parts of the private sector considered essential to national security.

These include telecom, energy and power infrastructure such as pipelines, nuclear plants, federally regulated transportation, banking, clearing and settlement.

For all those questioning the relevance of this conversation, Den Tandt himself speaks about how closely connected this is to the conversation surrounding Bill C-33.

Seen from 10,000 ft. up, the broad scope of the legislation will appear justified to some; after all, don't significant threats justify dramatic action? But there's a difference between action that is on point, and action so riddled with gaps that it'll need a reboot the day it becomes law.

Christopher Parsons, in a dissection for The Citizen Lab, outlines six major concerns, any of which should be grounds for disqualification. These include an excess of arbitrary power, too much secrecy, inadequate controls on information-sharing within government, potentially prohibitive costs for smaller firms (the legislation draws no distinctions based on scale, or industry sector), vague language, and no recognition of Charter or privacy rights.

Brenda McPhail, in an October, 2022 analysis for the Canadian Civil Liberties Association, echoes many of Parsons’ criticisms, noting wryly that the law joins “an increasingly long line of legislation that would fill a clear need, if only it were better.”

If the goal, broadly, is governance that promotes prosperity, security, accountability, diversity and equity in a democratic society—then C-26, as drafted, should not pass.

Is legislation urgently needed? Absolutely. But have its drafters gotten it right? No. Given the blitzkrieg pace of growth in cyber threat vectors, it makes sense to continue to manage these threats on an ad hoc basis, as the minister has been doing, with assistance from The Communications Security Establishment (CSE) and the CCCS, and take the time needed to get the legislation right.

Thank you, Chair, for indulging me in that, because it's important context, and I would just note that the specificity of the criticisms that Den Tandt brings forward and the fact that he ran for the Liberal Party a short four years ago speak to two things I'd like to reference. I'm sure there's more, which maybe my colleagues would be interested in following up on, that references indirectly, first, that disconnect that exists between Parliament and executive government.

I would just note—and I know my colleague Mr. Strahl referenced this in a different context a number of times—that we had the conversation surrounding Huawei. Parliament, in fact, spoke up a host of times, telling the government that it needed to act. It wasn't a recommendation. It wasn't a suggestion; it was demanding action, yet we see still, in relation to the security of essential cyber networks in our country, that lack of action. The unwillingness for that action to take place sets Canada back what would be a... The pace that technology advances has set Canada back very significantly.

I know that it is key to ensuring that government is responsive not only to the demands of what Parliament is in terms of institution.... There's no other place in the country—and this is something that I think bears special emphasis—that every part of Canada is truly represented. I find it interesting that there seem to be a plethora of advisory boards and consultations, some of which have more legitimacy than others, but it's truly Parliament that is that voice for Canadians.

I'm always a bit hesitant, and maybe more than just a bit, when an advisory panel is set up. Specifically, I know that there are other bills that are before Parliament that set up some of these advisory panels, and this speaks to the disconnect that exists between Parliament and executive government. They set up these panels that sometimes are so disconnected from those who are impacted, and again, fearing that I would venture into something that would not be relevant, when it comes to critical infrastructure and specifically when you look at rail.... I have three main line rail lines that run through my constituency, and I represent about 53,000 square kilometres of what I refer to as God's country. It is a beautiful area in east central Alberta. It's a large area; in fact, it's about the same size as the province of Nova Scotia, just for context for those around the table.

I always find it very concerning when these advisory panels get set up, and they certainly don't often have the best interests of my constituents in mind, and we saw that and are seeing that played out in the so-called just transition.

Truly, there's no justice for my constituents, including the thousands and thousands who work in the energy industry. We saw that this was very directly the case when it came to the coal phase-out. The federal government promised to be there, and yet they were not. They failed my constituents. They failed the people who were told the federal government would have their backs.

I think that speaks to a disconnect between the role that Parliament should be playing—that ability to represent the people of our country—and the fact that quite often these so-called advisory panels end up being nothing more than a platform for the government to spout its same talking points. That's a deeply, deeply concerning trend that we have. One doesn't have to look any further than the appointments of these so-called independent panels.

Chair, there's a reason I bring this up. There's a specificity in relation to this. If we want to ensure that we are passing legislation, when it comes to Bill C-33 or some of the criticisms we've levelled at Bill C-26 and how the government clearly references both here....

They're expecting both to pass, although Den Tandt certainly has a host of criticisms to level at Bill C-26. I'm hopeful that my colleagues in the public safety committee will be fully engaged when this debate comes forward, but I would suggest that one needs to take very, very seriously the role that we have to play here.

That's part one of the criticisms I would suggest when it comes to where some of these things are. The second part here comes to how, as we develop an infrastructure, we have to take seriously our responsibility to ensure that this is done not only in terms of the demands of today, which is key, but also in building that for tomorrow.

I would actually reference something that I am quite familiar with. There are two industries that I am very, very proud to represent—and a pretty significant portion of it. Had we had the opportunity to debate the motion that I was so unfortunately shut down on, I would have talked at length about the impact agriculture has in the close to 5,000 farms, most of which are family-owned small operations or small businesses, not the big successful ones that the Prime Minister referenced in question period today. I'm not quite sure what metric he uses for that when they're paying the carbon tax, but certainly it's small operations.

We see how there is this demand for that infrastructure to be secure. That includes the cyber element of that. We've seen attacks that have shut down significant portions and left critical infrastructure in our country at risk.

I believe I was in junior high at the time, so this is going back a little while, when a power outage took place in the northwestern United States. It was deemed to be an accident, but it shut down New York City in terms of the power. It shut down a host of other jurisdictions, including some in Quebec and Ontario. It spoke to some of the interconnectedness that existed in our infrastructure.

More recently, a cyber-attack shut down the pipeline system on the eastern seaboard of the United States. Certainly, I mentioned agriculture before, but I also represent another significant portion: 87% of Canada's crude oil transits through Battle River-Crowfoot. Some of it is produced there, but 87% of Canada's crude transits through Battle River-Crowfoot.

When my colleagues wonder why I'm so passionate about our energy industry, it's because I get it. Unfortunately, we seem to have what my father would suggest is “city ignorance”. I won't venture too far down that path, but it's unfortunate that sometimes there's not a better understanding of how important some of this critical infrastructure is. That's not only in terms of our economy and the billions of dollars. In fact, if I look at the community of Hardisty, for those from Hardisty....

Who knows? They might be watching this right now. I know they're passionate about educating Canadians on the importance of energy infrastructure and how it is so unfortunate that—

Thank you very much, Chair. I certainly look forward to hearing what Dr. Lewis has to say about this. I know she has a great familiarity with this subject matter.

Chair, perhaps I could continue, because I do want to ensure that this is added to the record. I just mentioned how telcos will not be compensated, and I believe I provided a brief interjection about some of the commentary that has been provided at other committees in relation to compensation for financial losses.

Certainly, in the highly regulated telecom environment that Canada finds itself in, that would be a massive conversation that we could have at some point, but that would be venturing into the territory of not being relevant, so I wouldn't want to go there.

I will, however, continue with this summary, which talks about how:

The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos' compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000...per day for individuals (such as directors and officers)....

Chair, that summary relates to a significant ability and discretion, and this summarizes from a legal perspective some of the commentary that was in the brief Mr. Strahl provided. I want to ensure this is part of the record, because they're endeavouring not to take a specific position but rather to ensure theirs is non-partisan. As hard as that is for certain members of the committee to believe, if they have seen my debates in the House, it's important and valuable that such a perspective be included.

It then goes on to say, in regard to information sharing and secrecy:

The CCSPA and the Amendments require Designated Operators, Telcos, and any other person to share confidential information with the Appropriate Regulators, and Governor-in-Council and Minister, respectively, in furtherance of the objectives of the Bill. This confidential information may be shared with multiple federal government organizations, provincial and foreign counterparts, as well as international organizations, to pursue the objectives of the CCSPA and the Amendments. While these information exchanges will be governed by agreements and memorandums of understanding between the parties, the Minister may disclose the information if [it] is necessary in the Minister's opinion to secure the telecom system.

Given the national security purpose underlying this Bill, the secrecy of the orders is paramount. The orders from the Governor-in-Council and Minister may be subject to non-disclosure requirements. Moreover, for the sake of secrecy and expediency, the orders and directions of the Governor-in-Council and Minister do not follow the complete process outlined in the Statutory Instruments Act, and thus, are not registered, published, or debated in an open manner.

Certainly when it comes to that relationship, it's important to acknowledge—I know we've had a number of discussions, including on one of the clauses we passed here when I think there was a desire for further debate, but it ended up being moved forward—that a tremendous amount of latitude is being given to executive government when it comes to some of the powers that are associated with Bill C-26 as it relates to Bill C-33, and one has to be aware of the granting of power to executive government. That is certainly something that Parliament is able to do under our Westminster system.

However, it's important to keep in mind the larger tension that needs to exist to ensure that we do not forget at the very foundation—and this is incredibly relevant, not only to this but to everything we do here—that the government is only a function of Parliament.

I know that's something that can be a bit lost in the midst of conversation. I know that this very statement has even been deemed controversial at different points in time. Earlier this week we celebrated the Statute of Westminster, the point at which we brought home the Constitution, and I would note that it was an incredibly significant moment in Canadian history. That is relevant to the conversation here today, because it's Parliament that enacts laws that give the government its authority.

I would just note how we have seen various instances throughout our recent history—in particular the last eight years—where there has been more latitude given than I would suggest is appropriate. There are times when we could ensure that Parliament is able to better fulfill its job by a government that respects the fact that whether it's committees, or whether it's the role that the House of Commons and the Senate play in terms of our bicameral Parliament in ensuring that it is the ultimate arbiter of the land....

In fact, our Constitution and the Charter of Rights and Freedoms actually ensure that that is, in fact, the case with the notwithstanding clause, which I know the Liberals have.... In fact, I believe it was Paul Martin in a previous election—I was getting back to that. I couldn't even vote at the time, if members around the committee table can believe that. It was Paul Martin who, during a press conference, announced that he was looking at getting rid of that. I'm not sure that he understood the consequences, both in terms of the constitutionality or the amending ability of Parliament to be able to do that.

However, when it comes to the relationship to the issue before us, we have these wide-sweeping powers being given to executive government. If there is not the appropriate accountability, as the American Bar Association, in this article, is highlighting, it would be the.... We need to have clear direction to every element of what government is, to ensure that there is that check on executive government.

I do find it interesting. I'll get right back into the ABA. This article has a number of recommendations. I would just note that there are two quite distinguished lawyers who put together this article, which gives this overview of Bill C-26, and how it applies in the context of where Bill C-33 is.

Specifically, Chair, one can never assume that one will be in power forever, whether that's the Liberal Party or the Conservative Party. If we have the honour—and I certainly hope we do—we look forward to those days when we'll have the opportunity to govern on behalf of Canadians.

However, I find one always needs to look in the mirror. In fact, I've asked in the House quite a number of times about what the government would think, if they were in the opposition benches, about something that they were doing. It would not necessarily be the policy, because policy is one thing. You can disagree with policy. However, you need to be very mindful about how you approach the ability for a parliament to function in a manner that respects the very basis of what our democratic system is meant to be.

Chair, when it comes to the wide-ranging powers that are given to executive government, we do have to be very mindful that there's certainly a role that executive government needs to play in the administration of infrastructure, the administration of security and intelligence, and all of the aspects of what we're talking about here. However, when it comes down to it, Parliament is supreme in our country. We cannot forget that.

To ensure that I don't venture off into an area that would be deemed not relevant, I certainly won't spend time talking about a few examples of that, but there are some very pressing issues—one of which would be the designation of the IRGC as a terrorist entity.

Parliament spoke on that, yet we have an executive government that refuses to acknowledge.... I use that as an emphasis, not to get into the details of that issue, although it's certainly one that dominates a lot of our time in light of the atrocities that took place against Israel, and how Iran, and the IRGC specifically, funded and supports Hamas as a terrorist entity.... The fact that there's that disconnect is the point I'm making here. That speaks very closely to why we need to be very circumspect in the way we approach the role of executive government. There's that understanding. It has to come back to respecting Parliament.

If I had had the opportunity to talk about Bill C-234, I certainly would have, at length, talked about how that bill saw a great deal of support, including Liberal support by a few brave Liberals who were willing to support that bill.

Unfortunately, it was not able to get the support that it, I believe, should have received from the other place. Again, I wouldn't want to go into the area of not being relevant. When it comes to recommendations, I would—

Thank you, Chair.

I'm happy to address the point of order that was just raised. You know, it was not Conservatives who wrote this bill. When the Liberals did so, they did it with a reference to Bill C-26. If that member has concerns about the wider application of this bill, I would suggest he has an opportunity to get on the speaking list to ask those very questions. When it comes to the way in which there is that cross-application, certainly it bears relevance to it. Because of the way it was written, it provides that very application.

I will continue with regard to Bill C-26, Mr. Chair, as follows:

report cybersecurity incidents to the Canadian Security Establishment (the “CSE”);

comply with and maintain the confidentiality of directions from the Governor-in-Council; and

keep records related to the above.

To enforce these new obligations, the CCSPA grants to the Appropriate Regulators investigatory, auditing, and order-making powers, including issuing administrative monetary penalties (“AMPs”) of up to $1 million per day for individuals (such as directors and officers), and $15 million per day for other persons. Additionally, Designated Operators, and their directors and officers, may also be fined—or imprisoned if a director or officer—if either contravene specific provisions of the CCSPA; the amount of a fine is at the discretion of the federal court.

Now, that's the critical cyber systems protection act, but this article goes on to reference, in its summary of Bill C-26, the Telecommunications Act amendments. I found it very valuable in terms of that conversation and how, of course, when we talk about the application to Bill C-33, there is a tremendous amount of overlap when it comes to telecommunications and the critical infrastructure that our country depends on.

It goes on to say the following:

The amendments to the Telecommunications Act (the “Amendments”) establish new order-making powers for the Governor-in-Council and the Minister of Industry (the “Minister”) to direct Telcos to take specific actions to secure the Canadian telecommunications system. Specifically, the Governor-in-Council may, by order,

prohibit a Telco from using all the products and services offered by a specified person; and

direct a Telco to remove all products provided by a specified person.

The Minister, after consultation with the Minister of Public Safety and Emergency Preparedness, may, by order,

prohibit a Telco from providing services to a specified person; and

direct a Telco to suspend any service to a specified person.

Additionally, the Amendments grant the Minister the power to direct Telcos to do anything or refrain from doing anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including the following:

It then includes a number of points there.

I would just note and make the connection to some of the evidence that Mr. Strahl brought into the conversation, and some of the briefs entered into the committee, in the context of some of the concerns, especially from civil liberty and privacy groups. I know that there's been a host of experts. Again, as a member of the ethics committee, which deals with privacy, I know there's been a host of concerns brought forward. We have a great deal of them, especially because of the tech industry that has found its home both in my province of Alberta, where there's a huge boom in the high-tech sector, and in other areas across the country. In fact, I stand to be corrected here, but I believe the Ottawa area was known as “Silicon Valley north” at one point in time.

There's certainly the privacy and also the security related to that. There's a specific tension there. Some of the evidence that Mr. Strahl read into the record I think bears specific relevance to this larger conversation and how that applies to the transportation infrastructure of our nation.

The summary goes on to talk about Bill C-26, and it includes a number of summaries here that really succinctly identify some of what Bill C-26 talks about.

It starts off by saying:

prohibiting Telcos from using any specified product in or in relation to Telcos’ network or facilities, or part thereof;

prohibiting Telcos from entering service agreements for any product or service;

requiring Telcos to terminate a service agreement;

prohibiting the upgrade of any specified product or service; and

subjecting the Telcos’ procurement plans to a review process.

Mr. Chair, it goes on to say:

Interestingly, Telcos will not be compensated for any financial losses resulting from these orders.

As was noted, I believe, in the debate surrounding Bill C-26, they wouldn't anticipate there to be a large number, unless it started getting into the firms.... That's certainly an open question that I trust will be answered as Bill C-26 is further studied at their committee, but I wouldn't want to venture off the topic that we have before us.

It goes on to say:

The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos’ compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000–$50,000 per day for individuals (such as directors and officers), and up to $10–$15 million per day for other persons. Moreover, contravention of orders or regulations may result in prosecution whereby the Telcos, and their directors and officers, may have to pay fines (whose amount is at the discretion of the court) or face imprisonment.

I am having trouble connecting what my colleague is saying with Bill C‑33. Would it be possible for my colleague to enlighten us about the connection between the two, or else to shorten his preamble, in the interests of the efficiency of the committee?

Certainly, it's not only Conservatives who don't have confidence in those Liberals, but also an increasing number of Canadians who don't have confidence in the Liberals' ability to manage the country. I hear that on a regular basis. Again, if that member wants to be serious, I'm happy to have that conversation.

When it comes to Bill C-26, I'm glad to have the opportunity, after that member's push towards talking in circles, to get back to the matter at hand.

I have an article from the business law section of the American Bar Association that I think bears particular relevance to the conversation we are having. Chair, if you would indulge me, I believe it has context that is important to the discussions we are having. In particular, I find it interesting—and I'll jump into this article in a moment—how this provides important context.

The way the Liberals wrote the legislation does provide a great deal of latitude. There are two separate bills before Parliament, and certainly, they're taking great liberties when it comes to the assumption that things will pass, especially in a minority Parliament. That issue aside, the way the legislation was written, in particular, speaks to the larger conversation and especially to how it's different committees that study different aspects of these bills.

With Bill C-26, there was certainly some concern brought forward. I am a regular member of the ethics committee. There are some challenges in relation to this, and Mr. Strahl, in some of his interventions, referenced this. There are some specific noteworthy impacts. When it comes to the critical infrastructure being addressed in the context of Bill C-33, and the way the Liberals have taken liberty in writing the bill, which has a wide swath of expectations through to another bill, it certainly creates that context as to why this is so relevant.

This article that I will be referencing, Chair, and that I look forward to making part of this discussion, talks about the critical cyber systems protection act. It goes as follows:

The CCSPA introduces a new cybersecurity compliance regime for designated operators of critical cyber systems related to vital services and systems (“Designated Operators”). A critical cyber system is defined as a cyber system that, if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or system. Currently, the list of vital services and systems is comprised of the Canadian telecommunications system, the banking systems, and other federally regulated industries, such as energy and transportation. However, the Governor-in-Council may add new vital services and systems, and such Designated Operators will be governed by the CCSPA.

I would just take a brief pause there. I think the introductory paragraph of this article, which I am entering into the conversation, speaks to that direct relevance to the larger conversation related to Bill C-33.

The article goes on to say:

Under the CCSPA, Designated Operators must:

establish a cybersecurity program (details of which are more fully provided in the CCSPA and its regulations) within ninety days of an order being made by the Governor-in-Council;

implement and maintain a cybersecurity program, as well as annually review it;

mitigate cybersecurity threats arising from their supply chains, or products and services offered by third parties;

share their cybersecurity programs and notify appropriate regulators (namely, the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transportation) (the “Appropriate Regulators”) of material changes related to the business of Designated Operators and their cybersecurity programs—

Could we focus on Bill C‑33? I don't understand how the member's comments relate to it. He is going around in circles and we are wasting time.

Thank you very much, Chair.

I appreciate the remarks that my colleague Mr. Strahl made, especially in light of the interconnectedness of Bill C-33 and Bill C-26 and how, in light of those connections, it becomes incredibly relevant.

To address a few of Mr. Badawey's previous points, I find it perplexing myself how the Liberals seem to have this tendency to find concern with anyone who is unable to buy what they're selling hook, line and sinker.

Certainly when I hear from constituents, which I do on a very regular basis, they encourage me to do everything I can to ensure I am being their voice in the nation's capital. When it comes to some of the legislation that may not always garner the headlines it deserves—and certainly Mr. Strahl mentioned it in the brief he presented before this committee—I think it is important for Canadians to know how, with the discussions we have, whether before the transport committee or the various other duties that all of us undertake on a regular basis in the nation's capital, there are important connections that do in fact take place.

Just to note, if you would permit me, Mr. Chair, I endeavoured to have a discussion—and I even had an object lesson—on 2019 rural Alberta special areas wheat. I looked forward to discussing that in the context of Bill C-234. Now, I wouldn't want to be off topic from the conversation around the bill we have before us today, but certainly I would express my disappointment that we didn't have the opportunity to discuss that common-sense Conservative bill that would have brought needed relief to families and support to our great farmers from coast to coast.

I want to ensure that I stick to the conversation we have before us when it comes to the way that the bill this committee is studying and the impact that some of the.... As Mr. Strahl stated, when you have a bill that references a previously passed bill, one of the concerns that were highlighted—and certainly it's not limited to this one—is that when briefs are submitted, sometimes they don't get the due opportunity to be engaged in. The fact that Bill C-26 is currently being studied at committee, I think, speaks to this interconnectedness. I know that Conservatives have endeavoured to—

I am just getting started, Mr. Chair.

I will read this document to the end. Then I will probably have some other briefs that are very important and give some great insight into Bill C-26, which is extremely relevant. I will speak until I believe my point has been made. Evidently, I still have some work to do to convince some members of the committee that we should be concerned about this bill and its link to Bill C-33.

I'll continue reading this document until it ends. At the end of every brief that I submit to the committee and read into the record, I kind of take stock then and determine whether I believe the point has been received or whether there is further relevant information.

I'm sorry, but I can't give a more specific answer. I know we're eight minutes away from Mr. Iacono's next break. I will continue reading this particular document, because I know many of my colleagues are interested in my picking that back up.

The next section of this brief talks about privacy impacts and section 8 of the charter.

20. Bill C-26 proposes several new information collection and sharing powers, and may include the collection or sharing of personal information. Many of these powers are insufficiently bounded or defined. The potential privacy risks posed by the powers are heightened by the absence of key accountability and oversight mechanisms. The breadth of the unsupervised information collection and sharing powers heightens the risk that the legislation, if passed as drafted, could unreasonably interfere with section 8 of the Charter in at least three [or] four ways.

21. First, the federal government's Charter statement posits that Bill C-26 does not interfere with section 8, in part, as a result of the fact that the “the information being gathered and shared in this context relates to the technical operations of TSPs, which are commercial entities”, as opposed to “personal biographical information that attracts a heightened privacy interest”. However, Bill C-26 does not explicitly draw this distinction between technical information or other forms of personal information when defining collection or information sharing powers in the bill.

22. Instead, Bill C-26 provides authority to compel a broad array of information-holders to disclose a broad array of information. While the Charter statement for Bill C-26 emphasizes the regulatory nature of the scheme in Bill C-26, unlike other statutory inspection powers that have been subject to Charter challenges historically, there is no reason to interpret the statutory powers in Bill C-26 as applying only to information in which there is a low expectation of privacy. Rather, section 15.4 would provide authority to compel “any person” to provide “any information” under “any conditions that the Minister may specify,” so long as the Minister believes it is relevant to its order making powers. The persons and entities subject to this provision in many circumstances play an integral role in the lives of people in Canada, and may well be information-holders in respect of highly sensitive or personal information.

23. Second, while some aspects of Bill C-26 are regulatory in nature, Bill C-26 also creates criminal offences punishable by imprisonment for non-compliance with specified orders or regulations. Statutory powers authorize collecting and sharing information for the purposes of “verifying compliance or preventing non-compliance” with those orders or regulations. The legislation therefore creates risks that information will be compelled or shared during investigations pertaining to the criminal offences created by Bill C-26, or other offences. Furthermore, the breadth of the order making powers under Bill C-26 mean that the collection of information for the purposes of making such orders may cause serious consequences that are separate and apart from any regulatory or criminal prosecution.

24. Third, section 8 also protects privacy by requiring adequate accountability and review mechanisms to accompany information collection powers, even in administrative or regulatory contexts. The Supreme Court states that “[w]hile less exacting review may be sufficient in a regulatory context, the availability and adequacy of review is nonetheless relevant to reasonableness under s. 8.” Canadian constitutional law has long recognized that without clearly defined safeguards (often including prior judicial oversight), legislation that authorizes intrusions on reasonably held expectations of privacy is inconsistent with s. 8 of the Charter. In some circumstances involving searches that are not subject to warrant requirements, the Court still expects that additional safeguards will be established to ensure the requisite level of transparency and accountability, and to help ensure that such powers are not abused. For example, requiring notice to the persons whose information is affected allows the affected individuals to identify and challenge invasions of their privacy, as well as seek a meaningful remedy. Appellate courts have recognized a range of accountability measures when assessing the reasonableness of search and seizure powers, such as: notice requirements (including after-the-fact notice); reporting obligations (to independent institutions or Parliament); the availability of clear mechanisms for review of the exercise of collection powers; clear rules limiting collection powers to what is necessary, reasonable, and proportionate; and record-keeping requirements.

25. Part 3 of this brief will identify several mechanisms that are necessary to improve accountability surrounding the proposed powers in Bill C-26. For example, the draft legislation proposes broad information sharing powers with no notice requirements. This would mean that individuals and organizations whose information has been collected would have no way of knowing of the fact that information has been shared, thus thwarting review and challenge. Individuals who have private information held by, and collected from, third-party organizations would also not be aware that their information has been collected in the first place, let alone shared with other government entities.

26. Fourth, the extensive confidentiality provisions in Bill C-26 may actually further undermine accountability mechanisms surrounding the bill's proposed information collection powers in ways that would be difficult to reasonably justify under s. 8. Section 15.4 of the proposed Telecommunications Act authorizes the Minister to require “any person” to provide “any information” under “any conditions that the Minister may specify.” These conditions would foreseeably include conditions to extend confidentiality obligations to the Minister's use of collection powers. The secrecy provisions in Bill C-26, and the authority to extend those secrecy obligations through further “conditions”, could effectively chill or silence individuals or entities from notifying other persons that their personal information has been collected, or from challenging the exercise of government power. Furthermore, excessive secrecy surrounding existing—

Thank you, Chair.

Whether or not people are paying attention, I certainly have been riveted by the information that Mr. Strahl has been sharing, and I think he outlined very specifically after the previous intervention how this does in fact have relevance.

Of note, it was not Conservatives who wrote this bill: It was the government. It is a fact that the principles of relevance speak to some latitude that can be given, but I would suggest that is not even necessary in this case, because Mr. Strahl has been very articulately bringing forward a series of points that had been presented related to a bill that Bill C-33 refers to in its widespread application.

Chair, I would urge that this is not only relevant but very prescient of the larger conversation that we have here before us.

Thank you, Mr. Chair.

I think this is important. Again, the title in Bill C-33 says “Coordinating Amendment”, and then the subtitle is “Bill C-26”. If Bill C-26, which was introduced in the first session of the 44th Parliament and is entitled “An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments other Acts”, receives royal assent, that is what I am talking about. The title does not say, “if clause 18 of that act receives royal assent”, but it talks about the bill, and clause 18 cannot be considered in isolation from the rest of the bill.

I'm sorry. Perhaps, Mr. Bachrach, when he gets the floor in a more extended way, can indicate why he thinks we should focus solely on a certain section. It's very clear in my reading of Bill C-33 that we are discussing whether or not we believe there should be coordinating amendments with a piece of legislation, Bill C-26, which, as the witness just said, is about cybersecurity. Clause 18 is about cybersecurity and it's about how we deal with threats to cybersecurity in the transportation space.

I've highlighted numerous briefings that referenced the transportation sector as being one of the key sectors that are impacted by Bill C-26. Certainly, I don't think we can consider one section of a bill. It's not a private member's bill that amends one section of a bill that we're considering here; this is the entire bill, as is said in the title, “Bill C-26”. If Bill C-26 receives royal assent, then these following issues happen.

I'm expressing, and putting on the record, some very serious concerns about Bill C-26. I remain hopeful as I continue to read these things from people who are very concerned about things like the implications on the rights of Canadians under the charter.

I know Mr. Bachrach is a fan of the charter. Certainly he would want to ensure, in any clause he voted on, that the concerns of individuals who spend their lifetimes defending charter rights are considered. He would want to have knowledge of the impact that this bill, which is referenced directly—the entire bill, not just one section, but the entire bill—could have on the charter rights of Canadians.

I will continue to talk about Bill C-26 in its entirety, because that is a piece of legislation that includes the relevant section that he's talking about. It's not a stand-alone clause that has been introduced by the government. This does not specifically indicate that if clause 18 remains unamended or if it's taken on its own, it could receive royal assent. It talks about Bill C-26 receiving royal assent.

I appreciate the latitude given to members of Parliament to raise their concerns and to share the concerns of Canadians when we're considering a piece of legislation as important as Bill C-33, which cross-references specifically, purposely, Bill C-26, which is also currently before the House.

I appreciate the spirit in which Mr. Bachrach's comments were made. However, I simply don't believe that you can consider clause 18 in isolation when considering Bill C-26. We would do Bill C-26 and what it means to Canadians a disservice if we simply talked about clause 18. I will get to that part when we break down the detailed analysis of the clause, but this is the information that I believe is relevant when considering whether or not we can support clause 124.

I will continue, because I know that it would be extremely out of order to rule that we weren't allowed to talk about a bill in our deliberations here that is specifically referenced by title in the first part of this clause,.

I will hopefully not omit any of the information that I had here. If so, I apologize to Citizen Lab for not getting all of their words in there.

I'll start back again at the text under Freedom of Expression and Section 2(b) of the Charter”, which states that:

14. The current draft of Bill C-26's excessive secrecy and confidentiality provisions jeopardizes the right to freedom of expression under section 2(b) of the Charter. The government's Charter statement focuses on the speech of the commercial entities who will be directly regulated under Bill C-26. The Charter statement posits that because restrictions on commercial speech do not tend to implicate the core values of section 2(b), restrictions can be more easily justified. However, this analysis fails to account for how individuals' Charter rights may be impeded under the current drafting of the legislation. The excessive secrecy and confidentiality provisions in the bill also restrict the public's and media's expressive freedom in Canada.

15. The principles of open courts and open government are derivative components of section 2(b) of the Charter (the freedom of expression). The open court principle requires that court proceedings, including judicial reviews in federal court, presumptively be open and accessible to the public and to the media. Access to information about government actions can also arise as a derivative right to section 2(b), if a denial of access to government information effectively precludes meaningful public discussion on a matter of public interest. Where restrictions on access substantially impede meaningful discussion and criticism about matters of public interest, the government must reasonably justify its infringement of the freedom of expression.

16. Telecommunications and cybersecurity law and policy is undoubtedly a matter of public interest. There is a close nexus between human rights and public policy concerning the regulation of telecommunication services. Canada's telecommunications policy is intimately linked with the “social and economic fabric” of Canada and its regions. Equitable access to telecommunication services is sometimes described as a mechanism for “digital self-determination”, which speaks to the need to protect the potential for human flourishing in the digital era.

17. The recent Citizen Lab report, “Finding You”, highlights several ways in which excessive secrecy surrounding telecommunications oversight has itself endangered the public. The authors note historical deficiencies in oversight and accountability of network security, which have led to geolocation-related threats associated with contemporary networks. Excessive secrecy has contributed to the persistence of the “low-hanging geolocation threat” identified in “Finding You”:

Decades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported. This status quo has effectively created a thriving geolocation surveillance market while also ensuring that some telecommunications providers have benefitted from turning a blind eye to the availability of their network interconnections to the surveillance industry.

18. The geolocation surveillance threats discussed in “Finding You” disproportionately jeopardize human rights defenders and other individuals who face heightened risks of targeted security threats (e.g. corporate executives, military personnel, politicians and their staff, senior bureaucrats, etc). Industry has historically charged large amounts of money to receive information about well-known industry threats, with the effect of impeding non-industry groups such as security researchers and civil society from obtaining and disseminating information about the nature of the threats faced by at-risk individuals, or from advocating for the remedies that would benefit the security and privacy of civil society. The authors note that, in many instances, individuals cannot determine whether their own telecommunication provider has “deployed and configured security firewalls to ensure that signalling messages associated with geolocation attacks, identity attacks or other malicious activity are not directed towards their phones.”

19. Citizen Lab's research highlights the substantial public interest—

I know. Bear with me.

It seems like he's reading references to the act that don't pertain to clause 18.

Man, it's hard for me to maintain my train of thought here.

I'm quite fixated on clause18 of Bill C-26. I wonder if the witnesses could help us understand what is in clause 18 so that the chair may determine whether what Mr. Strahl is contributing is relevant to that clause, seeing that Bill C-26 is referenced in clause 124 in Bill C-33.

I'm really struggling, Mr. Chair, to follow what my colleague Mr. Strahl is talking about.

I'm looking at clause 124 in Bill C-33, which we're debating tonight. It reads:

If Bill C-26, introduced in the 1st session of the 44th Parliament and entitled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, receives royal assent, then, on the first day on which both section 18 of that Act and section 123 of this Act are in force, subsection 2(3) of the Transportation Appeal Tribunal of Canada Act is replaced by the following:

To this committee and to all Canadians, Mr. Chair, we're grateful for that service. I'm just going to make sure I don't miss any of this important article here.

Following the process of the proposed legislation...and its passing, Federal Government departments will communicate with the companies impacted in the focused sectors with details on how breaches are to be reported and the required timeline for reporting. Furthermore, the companies must “keep records of how they implement their cybersecurity program, every cyber [security] incident they have to report, any step taken to mitigate any supply-chain or third-party risks and any measures taken to implement a government-ordered action.”

Let’s be very clear, although only the four key sectors—Telecommunications, Finance, Energy, and Transportation—are considered in scope by Bill C-26, sectors such as agriculture and manufacturing are likely to be included later, as is the case in the EU. The Federal Government of Canada hopes this legislation will serve as a model for provinces and territories to implement similar legislation that regulates cybersecurity requirements for entities under their purview, including hospitals, police departments, and local governments.

To help companies comply with the requirements of Bill C-26—

They're now talking about their services, and I don't need to give them that free plug, Mr. Chair. I think we have an idea of what they think the merits of Bill C-26 are, as well as some concerns about it. You will note that the transportation sector obviously is mentioned as a key part of Bill C-26, which is likely why there is a reference in Bill C-33 in clause 124 to that piece of legislation. Again, we need to fully understand whether or not Bill C-33 should be coordinating amendments with a piece of legislation on which so many concerns have been raised.

I want to raise some other concerns. Obviously any time you're dealing with cybersecurity and so on, a charter analysis is going to be done. I referred to an article by the Citizen Lab in the Munk School of Global Affairs & Public Policy at the University of Toronto, but I also want to get into the details of a submission that was made to the Standing Committee on Public Safety and National Security concerning a charter analysis of cybersecurity and telecommunications reform in Bill C-26. This again was referenced in the previous article. This is the base documentation that gave rise to that article. I want to make sure we're not just hearing an interpretation of a report but also considering it directly.

This report goes on to say that:

On June 14, 2022, Bill C-26, an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced in Parliament for the first reading by Canada's [now former] Minister of Public Safety, Marco Mendicino. Hearings on Bill C-26 are scheduled to begin in SECU on December 4, 2023.

That was very recently, Mr. Chair.

Kate Robinson, a Senior Research Associate and Lina Li made a written submission to the Standing Committee on Public Safety and National Security...regarding Bill C-26.

With an emphasis on privacy in particular, this submission tackles the issues Bill C-26 brings up regarding civil liberties and human rights. The fundamental tenets of accountable governance, due process, and our right to privacy are all at risk of being compromised by Bill C-26 in its current form. In order to better protect people’s right to privacy, this submission offers recommendations for how Bill C-26 can be implemented in terms of how the government and telecom companies define, manage, and safeguard people's personal information. The submission suggests that safeguards for the new government powers that the Bill establishes be included in order to address general shortcomings, such as issues with secrecy and transparency.

There is evidence that signaling protocols used by telecom companies for facilitating roaming services also enable networks to obtain incredibly detailed user data. Such extent of access with the telecom service providers poses an unprecedented risk to the privacy of individuals. Owing to the extent of data available with the telecommunications providers, the telecom sector has become a primal target for surveillance actors. In an attempt to address the concerns in the telecom ecosystem, this submission to the Standing Committee on Public Safety and National Security provides a critical response to the federal government’s Charter statement on Bill C-26.

The Citizen Lab welcomes the opportunity to submit to the Standing Committee on Public Safety and National Security. Our submission highlights how Bill C-26 will impact equality rights and freedom of expression while providing recommendations to address a series of thematic deficiencies identified in Bill C-26. To ensure that its actions adhere to Canada’s democratic values as well as the standards of accountability and transparency, the government must make changes to its legislation.

Below is the Citizen Lab’s full submission to SECU regarding Bill C-26.

The next part is called “Part 1. Introduction and Summary”.

1. Citizen Lab researchers routinely produce reports concerning technical analyses of information and communications technologies (ICTs), the human rights and policy implications surrounding government surveillance that occurs using ICTs, as well as the cybersecurity threats and digital espionage targeting civil society. Citizen Lab research has also examined the openness and transparency of government and organizations, including telecommunications providers, with respect to the collection, use, or disclosure of personal information and other activities that can infringe upon human rights.

2. This month, the Citizen Lab published “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure”, authored by Gary Miller and Christopher Parsons. The report provides a high-level overview of geolocation-related threats sourced from 3G, 4G, and 5G network operators. Evidence of the proliferation of these threats shows how the signalling protocols used by telecommunications providers to facilitate roaming also allow networks to retrieve extraordinarily detailed information about users. These protocols are being constantly targeted and exploited by surveillance actors, “with the effect of exposing our phones to numerous methods of location disclosure.” Risks and secrecy surrounding mobile geolocation surveillance are heightened by layers of commercial agreements and sub-agreements between network operators, network intermediaries, and third-party service providers. Ultimately, vulnerabilities in the signalling protocols have “enabled the development of commercial surveillance products that provide their operators with anonymity, multiple access points and attack vectors, a ubiquitous and globally-accessible network with an unlimited list of targets, and virtually no financial or legal risks.”

3. “Finding You” highlights the importance of developing a cybersecurity strategy that mandates the adoption of network-wide security standards, including a requirement that network operators adopt the full array of security features that are available in 5G standards and equipment. The report’s findings also underscore the importance of public transparency and accountability in the regulation of telecommunications providers. As the authors note, “[d]ecades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported.”

4. In short, it is long overdue for regulators to step in at national and international levels to secure our network services. However, Canada's approach to the regulation of telecommunications and cybersecurity also needs to be transparent, accountable, and compliant with applicable human rights standards. One year ago, Citizen Lab published “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”.... The report was authored by Dr. Christopher Parsons. Dr. Parsons critically examined the proposed draft legislation under Bill C-26, including identified deficiencies. In doing so, Dr. Parsons provided necessary historical and international context surrounding the federal government's proposed telecommunications sector reform. Canada is not the first of its allies to introduce new government powers as a result of heightened concern and awareness surrounding real and pressing risks to critical infrastructure. However, Dr. Parsons identified that although the draft legislation may advance important goals, its current iteration contained thematic deficiencies that risked undermining its effectiveness. This report is set out in Appendix B, and is the focus of this brief.

The main submissions in this brief are set out in two parts:

a. Part 2: Bill C-26 and the Canadian Charter of Rights and Freedoms (“Charter”):

You will be very concerned about that.

Part 2 of this Brief discusses the nexus between Bill C-26 and the Charter. It—