Evidence of meeting #91 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site.)

Also speaking

Trevor Neiman  Vice-President, Policy, and Legal Counsel, Business Council of Canada
Byron Holland  President and Chief Executive Officer, Canadian Internet Registration Authority
Joanna Baron  Executive Director, Canadian Constitution Foundation
Aaron Shull  Managing Director and General Counsel, Centre for International Governance Innovation
Sharon Polsky  President, Privacy and Access Council of Canada

10 a.m.

Executive Director, Canadian Constitution Foundation

Joanna Baron

I apologize.

10 a.m.

The Chair Liberal Heath MacDonald

No, that's fine.

We'll go to Ms. Polsky or Mr. Shull or whoever wishes to go next, please.

10:05 a.m.

Aaron Shull Managing Director and General Counsel, Centre for International Governance Innovation

Thank you, Mr. Chair.

Members of the standing committee, ladies and gentlemen, I thought what I could do with my brief time today is offer you a little bit of advice and make you a good faith offer. What I'm going to do is maybe make a general observation.

I think the bill is pretty good as it stands and a pretty good step forward. Obviously there is a lot of advice in terms of what has been provided to this committee, and most of it's really good. I'm not going to do a clause-by-clause take of the bill, but I'm going to use a quote from former U.S. defense secretary Robert McNamara, which is “Never answer the question that is asked of you. Answer the question that you wished had been asked of you.”

I wish I was asked the question that the honourable member from Saint-Jean asked earlier this week, actually, concerning incentives around cybersecurity. The advice I'm going to offer to you is that I think you can make a change to this bill that will do a lot of good. It's to create a tax incentive for small and medium-sized enterprises to implement something called the baseline controls, or the cyber-safe standard. Why this matters is that SMEs are 98% of our economy, and they appear nowhere in this bill.

Also, the cyber-safe standard that was put in place by the CSE is pretty good. If most SMEs put in place those controls, chances are they'd be just fine, because what I can tell you about cybercriminals is that they're lazy, and that there's another sucker just down the street. If we harden our SMEs through these controls, chances are they'll be just fine.

If we put in place a tax incentive to encourage cybersecurity compliance rather than a hammer to punish non-compliance, I think that would get us far away toward doing so. Obviously the reason behind this is that it can promote participation. It can strengthen national security and create tons of economic advantages, because fewer companies in our supply chain would be down, so the taxable revenue would likely be up at the end of the year.

Now, I appreciate that this bill has to get through the House of Commons, and while I'm non-partisan, I appreciate you all have a job to do. I think partisan politics are a healthy part of our democracy, so I encourage the types of discussions that you're all having. However, I am thinking through the politics of it. The Liberal Party would see it aligned with their innovation and economic development agenda. The Conservative Party would see the fiscal responsibility and the national security aspects of what I'm talking about, I think, to be favourable. The New Democratic Party would appreciate the support for our core communities, which are built on SMEs. The Bloc would recognize the protection that this extends to Quebec's economic interests; and the Green Party, I think, would endorse this sustainable approach to securing our digital future.

That's my advice—put a tax credit in for SMEs to put in place the cyber-safe standard.

My offer to you is this: I work at one of the best think tanks in the world. If it's of service to this committee, I'm happy to provide draft language of what I think that could look like. Then I'm happy to convene some of our experts to offer further advice or answer any questions that you have. I think you all have a tough job to do.

The last thing I'll say, and then I'll be quiet, Mr. Chair, is probably something you all don't hear enough—thank you for your work. Being a member of Parliament is a tough job. It's demanding, and I don't think most people appreciate how hard you all work.

Notwithstanding the politics, my job is to provide advice on policy without politics, and I hope I've done so. Thank you, Mr. Chair.

10:05 a.m.

The Chair Liberal Heath MacDonald

Thank you, Mr. Shull. I appreciate your comments.

We have Ms. Polsky. Go ahead, please.

10:05 a.m.

Sharon Polsky President, Privacy and Access Council of Canada

Thank you very much.

Thank you for inviting me to appear on behalf of the Privacy and Access Council of Canada, an independent, non-profit, non-partisan organization that is not funded by government or industry.

Our members, like everybody in this room and the rest of us who use the Internet, can thank Sir Tim Berners-Lee, whose brainchild became the web we know and love—or love to hate. It's a source of news and views, ones that might be at odds with our own, where we can freely find and share information. It is that very freedom that is now under threat, with democratic governments leading the charge.

Canada's government has said that controlling Internet content is vital to protect democracy and social cohesion and has pointed to the January 6 insurrection in Washington, D.C., which by all accounts was organized online. It has crafted several laws to protect us from potential danger.

Of course, Bill C-26, which is one of them, is to provide a framework for the protection of the critical cyber-systems that really are vital to national security and public safety. Bill C-26 allows Canada to take strong action against threats to the security of its telecommunications sector, but also so very much more. To start, it applies to six critical infrastructure sectors, but that is just the start.

As referenced by Ms. Baron, any service, system and class of operator can be designated as a vital service or system. Every company is at risk of falling under the bill's sweeping powers, and being required to do, or refrain from doing, anything they are ordered to do, such as create back doors and break encryption or go on a fishing expedition to find whatever information the government wants—including what's in your emails and your texts, your cellphone and vehicle locations, purchaser or purchasing information, or donor details—so that it can make an order. The order will be secret until the target realizes something is up, because just disclosing the existence of orders made under this bill will be illegal.

With a nod to eastern European regimes 100 years ago, this bill lets the minister compel any person, under threat of punitive fines, to provide any information, within any time, subject to any conditions that might be specified, or authorize anyone to enter and seize any information and systems, but without the checks and balances that are a mainstay of democracy.

Notably, there is no requirement for those timelines or conditions to even be achievable. The bill does not limit compelled information to corporate or operational. There is reason for that, but it provides a dragnet for unsupervised collection, use, and broad disclosure of personal information, threatening individuals' privacy and making it impossible for organizations to comply with privacy laws or provide accurate responses to access to information requests.

Sadly, the bill makes no mention of consulting the Privacy Commissioner to ensure that personal information is adequately safeguarded. While the bill specifies that corporate information may be designated as confidential, it offers no such consideration for personal information. The bill's vague language opens the door to telcos and ISPs being given unreasonable orders to spy on or deny service to any person, company or group whose conduct or commentary the government deems a threat to the security of Canada.

To encourage voluntary compliance, the penalties are steep and unaffordable by all but the largest of organizations. In the manner of the Salem witch hunts, anyone who fails to pay the penalty or dispute the notice, and anyone who does pay, is “deemed to have committed the violation”. Either way, businesses pass their costs and fines along to consumers, so penalties will reduce competition by eliminating organizations that can't afford the fines. Consumers will end up covering the penalties paid by those that are large enough to afford them.

Incentives like that can be a strong motivator. Some would call it coercive, since companies and people eager to retain their hard-earned money and avoid fines are easily nudged to simply do as they're told, while the government will be shielded from claims of overreach, since it won't be the government but the organizations voluntarily complying with orders that will be the ones violating charter-protected freedoms.

In our view, allowing Bill C-26 to become law in its current form, and granting elected representatives and unelected bureaucrats overly broad and unaccountable authority, will further undermine public trust in the government, public service and federal institutions, and further foster a technocracy built on Sir Tim Berners-Lee's brainchild. Canadians deserve better.

We would be happy to help by providing additional information and suggested amendments.

10:10 a.m.

The Chair Liberal Heath MacDonald

Thank you, Ms. Polsky. You are right on time.

We will go right into questions.

Members, with the time we have, you will have four minutes each. There'll be a hard stop on your questions.

We're starting with Mr. Shipley, please.

10:10 a.m.

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you, Chair.

I would like to start with Ms. Baron. I want to give you an opportunity to finish your opening remarks here first.

10:10 a.m.

Executive Director, Canadian Constitution Foundation

Joanna Baron

I really appreciate that.

What I wanted to mention is that I think it's important that the bill be amended to allow procedure for special security-cleared advocates, which are used of course in the immigration context. We've actually suggested they should be allowed in the Emergencies Act context, just to follow up on a conversation today.

A provision for security-cleared advocates is an imperfect solution for due process, but they would be allowed to test the evidence brought forward in these secret hearings. These advocates would have top secret clearance to allow a minimal check procedurally on applicants' rights.

10:10 a.m.

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you.

I was scribbling down some notes during your opening remarks as well as I could. You mentioned service being cut off. Could you expand on that? I didn't quite get all of that. Was it individual service, such as their cell service, or was it companies? What did you mean by that? Can you expand on those points?

10:10 a.m.

Executive Director, Canadian Constitution Foundation

Joanna Baron

Since the bill allows the minister to do anything or to prevent a person from doing anything, the understanding is that this could allow the government to issue an order to a telecom provider to cut off the Internet service of companies or of private individuals if, for example, they believed or even had evidence that their service was compromised or was being used to target a government website or was being used for some other improper procedure.

10:15 a.m.

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you.

You also mentioned that you had some surveillance concerns and said there was some need for guardrails against abuse of these new powers.

Can you expand on what those surveillance concerns are?

10:15 a.m.

Executive Director, Canadian Constitution Foundation

Joanna Baron

Yes.

Again, the bill empowers the government to secretly order telecoms to do anything or refrain from doing anything, which raises the clear spectre of imposing surveillance obligations on private companies as well as possibly weakened encryption standards.

10:15 a.m.

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you.

I would like to ask Ms. Polsky something.

You mentioned that this applies to six critical infrastructure areas. We have had some other people saying that this is not enough. Following on your opening remarks, do you figure that six is too few or too many?

February 1st, 2024 / 10:15 a.m.

President, Privacy and Access Council of Canada

Sharon Polsky

I think as it is now and actually as the critical infrastructure categories were defined just after September 11, anything could be construed to fall under one or more of those categories. They are very broad and not really very well defined.

Anything has economic value. Many things have implications for transport. I think it's not a matter of defining the categories so much as looking at what the threats are and what the implications of the legislation as drafted could be.

10:15 a.m.

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you.

I have a quick follow-up.

You mentioned about the minister's control too. I believe you said there was permission for them to enter and seize and that there need to be some checks and balances. Did you want to expand on that statement?

10:15 a.m.

President, Privacy and Access Council of Canada

Sharon Polsky

Certainly.

From our understanding, the legislation allows for anybody to be appointed as an inspector. That person would have the power to enter any premises, short of a residence, without a warrant. They can seize anything. There is no limit. There's no requirement that it be related to a certain complaint or concern. It's open-ended.

10:15 a.m.

The Chair Liberal Heath MacDonald

Thank you.

We're going to move on to Mr. Schiefke, please.

10:15 a.m.

Peter Schiefke Liberal Vaudreuil—Soulanges, QC

Thank you very much, Mr. Chair. I would like to add my thanks to the witnesses for being here today in person and virtually.

Mr. Shull, I want to start with you.

First, thank you for using your opening remarks to provide solutions and ideas. In fact, that's why we're here. We're looking for ways to improve on Bill C-26 and ensure that we have a bill that protects Canadians while also ensuring that we protect their constitutional rights.

My first question for you is with regard to mandatory reporting for affected sectors and when there's a cybersecurity incident. Why is it important that we have that mandatory reporting?

10:15 a.m.

Managing Director and General Counsel, Centre for International Governance Innovation

Aaron Shull

There are two or three different reasons.

The first is that it allows CSE or the Cyber Centre to take action.

The problem is that many of the critical sectors are targeted by state-level actors, and I've got news for you: If someone swipes in with a military badge on the other side and goes after a civilian structure, they're going to get in.

You can take a briefing from CSE on this: Adversarial states are loading up our critical infrastructure with malware. They are pre-positioning in the case of a conflict. That's bad. To the extent that we can increase the efficacy of government agencies on those networks, we should, against when something bad happens.

The second point is that it increases visibility across the network.

Third, it allows for the spreading of best practices. If there's an exploit that's used, let's make sure it only gets used once.

10:15 a.m.

Peter Schiefke Liberal Vaudreuil—Soulanges, QC

Thank you for that.

The next question I'm going to ask is for Ms. Polsky and Ms. Baron. I'll ask each of you for responses. If you could keep them quick, that would be great. I only have four minutes.

The first question is whether you would support the inclusion of a reasonableness standard for both cybersecurity directions and telecommunications systems orders.

I'll start with you, Ms. Polsky.

10:15 a.m.

President, Privacy and Access Council of Canada

Sharon Polsky

The short answer is yes. It needs to be there.

10:15 a.m.

Executive Director, Canadian Constitution Foundation

Joanna Baron

Yes—given that it's a normal, robust reasonableness standard, absolutely.

10:15 a.m.

Peter Schiefke Liberal Vaudreuil—Soulanges, QC

Thank you.

The next question for both of you is whether you would support clarifying the scope of the ministerial order-making power by changing wording found in the bill from “do anything” to “do a thing specified in the order”.

I'll start with you, Ms. Polsky.

It currently states, “do anything”. Would you support a change to “do a thing that is specified in the order itself”?

10:15 a.m.

President, Privacy and Access Council of Canada

Sharon Polsky

To suggest “do a thing that is specified in the order”, we could hope that this would limit it. Unfortunately, in my experience and in discussions with law enforcement, with members of the bar and bench and, frankly, some of your colleagues, they admit they don't get it. They don't understand it. I'm talking about technology and artificial intelligence and the implications and unintended consequences of some of the legislation that is being promoted now.

To say “limit it” when the judges don't have to have any education about these matters.... They can be presented with whatever you want and be bamboozled, really and truly.

10:20 a.m.

Peter Schiefke Liberal Vaudreuil—Soulanges, QC

Ms. Baron, would you comment?