Parliament must limit government powers over the private sector in the proposed Canadian cybersecurity legislation, say several civil rights groups, arguing the current version risks eroding civil liberties, privacy, and democratic freedoms.
The call came today from the Canadian Civil Liberties Association, the Canadian Constitution Foundation, the International Civil Liberties Monitoring Group, Ligue des Droits et Libertés, the National Council of Canadian Muslims, OpenMedia, and the Privacy and Access Council of Canada.
“We can address Canada’s cybersecurity needs, while upholding our rights and freedoms,” the group said in a statement accompanying detailed recommendations for fixing the Liberal government’s proposed cybersecurity legislation, Bill C-26.
The proposed bill has been referred to the House of Commons Public Safety Committee for testimony from witnesses, but a start date hasn’t been set yet.
In an email, Daniel Konikoff, director of the Canadian Civil Liberties Association’s privacy, technology, and surveillance program, said that “our hope is that the remedy package gives MPs some food for thought over the next few months, before the Committee begins reviewing Bill C-26 after the [summer] recess.”
As it stands, the proposed legislation opens to the door new surveillance obligations telcos would have to follow, gives the Communications Security Establishment (CSE) — the government’s electronic spy agency — power without accountability, and allows secret evidence to be heard in courts, the rights groups say.
“Allowing elected representatives or unelected, unaccountable bureaucrats the degree of power that Bill C-26 does is an assault on democracy and a clear and present danger to Canadians’ freedom, privacy, and autonomy,” Sharon Polsky, president of the Privacy and Access Council of Canada, said in the statement.
Formally known as An Act Respecting Cyber Security, C-26 has two parts:
— amendments to the Telecommunications Act, which oversees telecom and internet providers. If passed unchanged, it would allow the government to create regulations directing providers to do anything necessary to secure their systems against anything, including the threat by an attacker of interference, manipulation or disruption.
Without narrowing the grounds “this opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards — something the public has long rejected as inconsistent with our privacy rights,” say the rights groups;
— the Critical Cyber Systems Protection Act (CCSPA), which provides a framework for the protection of critical cyber systems vital to national security or public safety that are under federal jurisdiction. If passed unchanged, it would require designated operators to, among other things, establish and implement cyber security programs if they haven’t already done so, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions; and exchange of information with government agencies.
In response, the rights groups say Bill C-26 “lacks mandatory proportionality, privacy, or equity assessments, or other guardrails, to constrain abuse of the new powers it grants
the government — powers accompanied by steep fines or even imprisonment for non-compliance. These orders apply both to telecommunications companies and to a wide range of other federally-regulated companies and agencies designated under the Critical Cyber System Protection Act. Prosecutions can be launched in respect of alleged violations of Security Orders which happened up to three years in the past.”
The proposed narrowing of the legislation made by the rights groups largely mirrors recommendations made last October by Christopher Parsons, a senior research associate at the Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs and Public Policy.
So, for example, the rights groups would limit the Industry Minister’s ability under the Telecommunications Act to issue an action order to a telco only if there is evidence of a threat of interference, manipulation or disruption to their systems. The current wording says the Minister could issue an order for any reason, including interference threats or disruption of their systems.
Similarly, the cabinet would be limited under the CCSPA to direct any designated operator or class of operators of a federally-regulated sector to take action to protect a critical cyber system only if there is a material threat. The current wording leaves the cabinet free to make an order for any reason.
In addition to wanting changes to restrain the powers of cabinet, the rights groups want amendments to protect confidential personal and business information from being accessed by Ottawa, to allow special advocates to be appointed to protect the public interest and to enhance the accountability of the Communications Security Establishment.
