To this committee and to all Canadians, Mr. Chair, we're grateful for that service. I'm just going to make sure I don't miss any of this important article here.
Following the process of the proposed legislation...and its passing, Federal Government departments will communicate with the companies impacted in the focused sectors with details on how breaches are to be reported and the required timeline for reporting. Furthermore, the companies must “keep records of how they implement their cybersecurity program, every cyber [security] incident they have to report, any step taken to mitigate any supply-chain or third-party risks and any measures taken to implement a government-ordered action.”
Let’s be very clear, although only the four key sectors—Telecommunications, Finance, Energy, and Transportation—are considered in scope by Bill C-26, sectors such as agriculture and manufacturing are likely to be included later, as is the case in the EU. The Federal Government of Canada hopes this legislation will serve as a model for provinces and territories to implement similar legislation that regulates cybersecurity requirements for entities under their purview, including hospitals, police departments, and local governments.
To help companies comply with the requirements of Bill C-26—
They're now talking about their services, and I don't need to give them that free plug, Mr. Chair. I think we have an idea of what they think the merits of Bill C-26 are, as well as some concerns about it. You will note that the transportation sector obviously is mentioned as a key part of Bill C-26, which is likely why there is a reference in Bill C-33 in clause 124 to that piece of legislation. Again, we need to fully understand whether or not Bill C-33 should be coordinating amendments with a piece of legislation on which so many concerns have been raised.
I want to raise some other concerns. Obviously any time you're dealing with cybersecurity and so on, a charter analysis is going to be done. I referred to an article by the Citizen Lab in the Munk School of Global Affairs & Public Policy at the University of Toronto, but I also want to get into the details of a submission that was made to the Standing Committee on Public Safety and National Security concerning a charter analysis of cybersecurity and telecommunications reform in Bill C-26. This again was referenced in the previous article. This is the base documentation that gave rise to that article. I want to make sure we're not just hearing an interpretation of a report but also considering it directly.
This report goes on to say that:
On June 14, 2022, Bill C-26, an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced in Parliament for the first reading by Canada's [now former] Minister of Public Safety, Marco Mendicino. Hearings on Bill C-26 are scheduled to begin in SECU on December 4, 2023.
That was very recently, Mr. Chair.
Kate Robinson, a Senior Research Associate and Lina Li made a written submission to the Standing Committee on Public Safety and National Security...regarding Bill C-26.
With an emphasis on privacy in particular, this submission tackles the issues Bill C-26 brings up regarding civil liberties and human rights. The fundamental tenets of accountable governance, due process, and our right to privacy are all at risk of being compromised by Bill C-26 in its current form. In order to better protect people’s right to privacy, this submission offers recommendations for how Bill C-26 can be implemented in terms of how the government and telecom companies define, manage, and safeguard people's personal information. The submission suggests that safeguards for the new government powers that the Bill establishes be included in order to address general shortcomings, such as issues with secrecy and transparency.
There is evidence that signaling protocols used by telecom companies for facilitating roaming services also enable networks to obtain incredibly detailed user data. Such extent of access with the telecom service providers poses an unprecedented risk to the privacy of individuals. Owing to the extent of data available with the telecommunications providers, the telecom sector has become a primal target for surveillance actors. In an attempt to address the concerns in the telecom ecosystem, this submission to the Standing Committee on Public Safety and National Security provides a critical response to the federal government’s Charter statement on Bill C-26.
The Citizen Lab welcomes the opportunity to submit to the Standing Committee on Public Safety and National Security. Our submission highlights how Bill C-26 will impact equality rights and freedom of expression while providing recommendations to address a series of thematic deficiencies identified in Bill C-26. To ensure that its actions adhere to Canada’s democratic values as well as the standards of accountability and transparency, the government must make changes to its legislation.
Below is the Citizen Lab’s full submission to SECU regarding Bill C-26.
The next part is called “Part 1. Introduction and Summary”.
1. Citizen Lab researchers routinely produce reports concerning technical analyses of information and communications technologies (ICTs), the human rights and policy implications surrounding government surveillance that occurs using ICTs, as well as the cybersecurity threats and digital espionage targeting civil society. Citizen Lab research has also examined the openness and transparency of government and organizations, including telecommunications providers, with respect to the collection, use, or disclosure of personal information and other activities that can infringe upon human rights.
2. This month, the Citizen Lab published “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure”, authored by Gary Miller and Christopher Parsons. The report provides a high-level overview of geolocation-related threats sourced from 3G, 4G, and 5G network operators. Evidence of the proliferation of these threats shows how the signalling protocols used by telecommunications providers to facilitate roaming also allow networks to retrieve extraordinarily detailed information about users. These protocols are being constantly targeted and exploited by surveillance actors, “with the effect of exposing our phones to numerous methods of location disclosure.” Risks and secrecy surrounding mobile geolocation surveillance are heightened by layers of commercial agreements and sub-agreements between network operators, network intermediaries, and third-party service providers. Ultimately, vulnerabilities in the signalling protocols have “enabled the development of commercial surveillance products that provide their operators with anonymity, multiple access points and attack vectors, a ubiquitous and globally-accessible network with an unlimited list of targets, and virtually no financial or legal risks.”
3. “Finding You” highlights the importance of developing a cybersecurity strategy that mandates the adoption of network-wide security standards, including a requirement that network operators adopt the full array of security features that are available in 5G standards and equipment. The report’s findings also underscore the importance of public transparency and accountability in the regulation of telecommunications providers. As the authors note, “[d]ecades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported.”
4. In short, it is long overdue for regulators to step in at national and international levels to secure our network services. However, Canada's approach to the regulation of telecommunications and cybersecurity also needs to be transparent, accountable, and compliant with applicable human rights standards. One year ago, Citizen Lab published “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”.... The report was authored by Dr. Christopher Parsons. Dr. Parsons critically examined the proposed draft legislation under Bill C-26, including identified deficiencies. In doing so, Dr. Parsons provided necessary historical and international context surrounding the federal government's proposed telecommunications sector reform. Canada is not the first of its allies to introduce new government powers as a result of heightened concern and awareness surrounding real and pressing risks to critical infrastructure. However, Dr. Parsons identified that although the draft legislation may advance important goals, its current iteration contained thematic deficiencies that risked undermining its effectiveness. This report is set out in Appendix B, and is the focus of this brief.
The main submissions in this brief are set out in two parts:
a. Part 2: Bill C-26 and the Canadian Charter of Rights and Freedoms (“Charter”):
You will be very concerned about that.
Part 2 of this Brief discusses the nexus between Bill C-26 and the Charter. It—