Tucows’ Perspective on Bill C-26
Bill C-26—“an Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts,”—is a draft cybersecurity law currently making its way through the Canadian legislative process. If adopted, it would update the Telecommunications Act and create a new Critical Cyber Systems Protection Act (CCSPA).
At Tucows, we are deeply committed to the Free and Open Internet. We also know—as Internet OGs—that the Free and Open Internet depends on legislation that balances due process and the protection of personal data with the very real issue of cybersecurity.
While the intent of this legislation is described as improving the online safety of Canadian citizens, in effect it instead expands state surveillance powers and would inevitably lead to infringements of our Charter rights.
While the legislation is vague as to whether we as a domain name registrar and provider of related services would be subject to this new law, we expect that the law will be a cudgel for those that prefer “security”, whether real or imagined, to privacy. We will always advocate on behalf of privacy and data protection for Canadians and the need for due process, governed by thoughtful, well-informed legislation; security interests tend to be narrowly-focused, while privacy is broad and, therefore, underrepresented.
Today we’re sharing some information about Bill C-26, why we as Internet services innovators and experts are concerned, and what you might want to be aware of as the legislative review process continues.
Highlights and areas of concern in Bill C-26
Updates to the Telecommunications Act
Bill C-26’s updates to the Telecommunications Act would give various government departments, Ministers, and other individuals broad and unprecedented powers. We reviewed the Bill and the Library of Parliament’s legislative summary and are concerned about the far-reaching and unchecked nature of these new powers.
Tucows’ primary concerns with the proposed updates to the Telecommunications Act are lack of due process, excessive government control over telecommunications companies, and risk to personal privacy.
Due process:
If passed, these amendments to current law would empower governmental entities to issue orders to telecommunications providers without due process, including:
- To provide any information that they believe may be relevant, without a warrant or other due process beyond the Minister of Industry’s review;
- To “do anything or refrain from doing anything” that they deem necessary for the security of the Canadian telecommunications system; and
- To stop providing services, temporarily or permanently, to a specific person or another telecommunications service provider.
Launch a detailed consultation, ensuring that those working on combatting online harms play a key part in assisting to modify this draft legislation.
Government involvement with telecommunications companies:
It is especially dangerous to grant governments this level of control given that access to telecommunication services can be essential for personal safety; wielding the ability to order telecommunication providers to take action—or to not take action—without any limitations is wildly excessive.
Even worse, orders made under this Act could remain classified, circumventing the existing standard that orders are to be published in the Canada Gazette within 90 days. This does a significant disservice to Canadians and our rights.
Personal privacy:
The privacy of personal data is also a concern in how Bill C-26 is drafted. Under this Bill, data provided to the Minister of Industry may be designated as confidential (under protection of the Privacy Act, which limits how the government can use our personal data). However, the proposed process leaves much room for error. If the entity providing the data is not aware of this opportunity—or simply makes an error—they may neglect to identify the data as requiring confidentiality. If this were to happen, personal information could easily be disclosed along with other non-confidential data.
Either way, confidential or not, under these changes the government would be able to share that data—the personal data of Canadian citizens—both internally among departments as well as externally to other countries or international organizations, again without judicial oversight.
New Critical Cyber Systems Protection Act
Bill C-26 would also introduce a new Critical Cyber Systems Protection Act (CCSPA). The stated purpose of this Act is to identify and mitigate risks to Canada’s critical digital systems, protect those systems, and detect relevant incidents and minimize their impacts.
The Governor in Council (GiC) can direct any designated operator—or class of operators—to do anything, if commanded, to protect a “critical cyber system”. The GiC should consider operational and financial impacts to the operator and the effect on public safety but, notably, not due process.
Domain name registrars and registries may not be included in the CCSPA’s initial definition of a vital service, but the Governor in Council would have the ability to change these designations as they see fit. This raises myriad concerns, stemming directly from the unchecked ability to designate a “vital” service and then to remove that title at will without due process or oversight. These “vital” and “non-vital” designations come with significant responsibilities and obligations for system operators, so changing this classification presents a number of risks and challenges for businesses.
Finally, these designated operators must report any identified cyber incidents to the Communications Security Establishment as well as “the appropriate regulator” within 72 hours of detection.
(Note—if you’re interested in reading more on Tucows’ position on cyber incident reporting requirements, you can read our recent submission to the US Department of Homeland Security here.)
C-26: Bad news for privacy
The broad powers given to the government and regulators, coupled with a significant lack of oversight, are concerning to us as industry experts. While it is heartening to see some data protection measures considered in this draft legislation, the elimination of due process as currently proposed in Bill C-26 is inappropriate, unnecessary, and un-Canadian.
The Privacy Act remains in effect and personal data which is disclosed to the government under this Act would still benefit from the protections in place under that law—but only if it’s appropriately flagged by the service operator.
“Reasonableness” is referenced throughout Bill C-26: there must be reasonable grounds to make an order or reasonable grounds to believe the Act is likely to be contravened. Only then may an order be issued to a designated operator to do (or not do) something.
The way “reasonableness” is framed within this Bill is vague enough that Canadians must trust that those in power will be conservative in how they exercise those powers; orders issued should tie the nature of the security threat to the level of action taken in response, but with the lack of oversight and transparency, we will not know. We can only hope for balanced and appropriate implementation, and we urge our lawmakers to reassess the Bill and include appropriate guardrails.
Further, C-26 requires that, before making an order, the government must consider various factors: operational and financial impacts on the affected telecommunications service provider, potential effects on how telecommunications services are provided overall in Canada, and any other factors that may seem relevant. Regrettably, the drafters did not consider that due process or data privacy were relevant enough to include in the text (beyond stating that the Privacy Act is not affected—but this mere statement does not make it so).
And finally, there are some requirements for transparent disclosure to the Canadian public. As mentioned above, the standard is for orders of this type to be published in the Canada Gazette, but this Bill allows the Ministry to keep acts taken classified, ultimately leaving Canadians in the dark.
What can I do?
The Free and Open Internet requires good functional reporting and enforcement against cybercrime, but cannot sacrifice the protection of privacy and personal data for Canadians and Internet users worldwide.
We appreciate the Issue Sheet provided by the Office of the Privacy Commissioner of Canada, which highlights concerns around warrantless access or seizure of information, the potential for excessive collection of data, and the lack of both transparency and independent oversight for the orders made under the Act.
We echo these concerns and encourage everyone to read the Issue Sheet, read the draft legislation itself, and contact your MP to tell them what you think.
We’re not just voicing our concerns here. We will also be reaching out to our Government to urge them to either vote against the passage of this Bill or offer amendments to it that would provide effective oversight and respect for due process. It is possible to allow governmental officials to obtain the data necessary to maintain the safety and security of the Canadian public without throwing due process and our Charter rights out the window.
The legislation misses the point
As the first and largest domain name services wholesaler in the world, we have been right in the middle of cybersecurity since the dawn of the Internet. Cybercrime is unlike other crime in that law enforcement does not generally know how to deal with it, particularly because it is multi-jurisdictional in nature. With cybercrime, we often know who the perpetrators are but typically make absolutely no efforts to enforce any laws. This is because neither law enforcement nor governments want to deal with the fact that the biggest threats to cybersecurity are nation-state actors like China and Russia. There will be no real mitigation of cybercrime unless we and the rest of the world are prepared to engage on that basis. Until then, we are in a losing race where the bad guys benefit while regular, law-abiding citizens are subject to more and more limits on their due process and privacy.
Canada should dare to be a world leader.