Canada is about to make changes to Cyber Security legislation with the introduction of Bill C-26, Titled: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
Modernizing the act and bringing it up to date, Canadian citizens would expect for it to help keep them safe online and keep their privacy and security at maximum protection including from the government but government accountability is mostly missing.
Bill C-26 has flown mostly under the radar with very little air time especially in Legacy Media.
Critics are saying the Liberal government is proposing to grant itself a whole new set of sweeping powers with Bill C-26 if it were to pass into law in its current draft.
Civil rights groups are sounding the alarms about concerns posed by Bill C-26. Last September in an open letter the Canadian Civil Liberties Association (CCLA) said it risks undermining privacy rights and the principles of accountable governance and judicial due process, which is supposed to be “the fabric of Canadian democracy”.
In a report titled “Under Surveillance: (Mis)use of Technologies in Emergency Responses, Global lessons from the Covid-19 pandemic,” the CCLA outlines five overarching trends of concern.
Trend 1: The repurposing of existing security measures
Trend 2: The silencing of civil society
Trend 3: The risk of abuse of personal data
Trend 4: The influential role of private companies
Trend 5: The normalization of surveillance beyond the pandemic
During an interview with Michael Geist on the podcast LawBytes, Brenda McPhail, the Director of the Privacy, Technology and Surveillance Program at the Canadian Civil Liberties Association, she spoke about the potential privacy and security issues for Canadian citizens and the weakening of online encryption putting them at risk.
The Canadian Civil Liberties Association (CCLA) said the government has taken a “hardcore National Security approach” to this bill which has very little focus on privacy while also stepping away from any oversight and accountability. There is absolutely zero obligation for the government to report to the public about their operations leaving the government to shroud its orders in secrecy.
The new legislation will require government surveillance programs to collect and monitor vast amounts of data including confidential information.
The CCLA has noted a large flaw of the Act is that the Privacy Commissioner of Canada has no role within Bill C-26 and should immediately be added said McPhail.
The Minister and Governor in Council are empowered to designate any cyber system it wants as a “Critical Cyber System”.
Bill C-26 empowers the government to impose surveillance obligations on private companies.
The Act will authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers “to do anything, or refrain from doing anything,” in their opinion what is “necessary” to secure the Canadian telecommunications system, according to the bills summary.
Government backdoors
The minister will have the ability to force telecommunications service providers to implement “specified standards,” which draws concern from the CCLA that it could be used by government to require Internet Service Providers to bake in backdoors “or otherwise undermine end user Security in the name of Public Safety” said McPhail.
The CCLA points out there’s no definition within the proposed Bill C-26 legislation to define a threat of “interference, manipulation or disruption” which leaves it wide open for broad and vague interpretation and abuse.
ISP de-platforming
The CCLA believes it’s too easy for the Governor in Council and Minister of Industry to dictate an Internet Service Provider to cut off services to anyone, giving the government broad power to blacklist and censor anyone they deem a threat of undefined “interference, manipulation or disruption.”
“prohibit a telecommunications service provider from providing any service to any specified person, including a telecommunications service provider”
Here are a few examples of what could be considered as interference or disruption:
- A guest or yourself have a device (computer or phone) connected to your home internet infected with a botnet participating in DDOS attacks or sending spam and phishing emails.
- A hacker discovers an exploit in your router firmware and uses your connection to cause undefined “interference, manipulation or disruption.”
- A ransomware attack is either correctly or incorrectly traced to your IP address
Will Bill C-26 end Virtual Private Network services (VPN’s) in Canada?
It’s unclear if VPN’s can be blacklisted because of “manipulation” by allowing users to bypass the CRTC censored Internet that bill C-11 will create.
The CCLA warns the Minister and Governor in Council can punish users in secret without the users knowledge why they were cut off.
“An order made under subsection (1) or (2) may also include a provision prohibiting the disclosure of its existence, or some or all of its contents, by any person.”
If a person or entity is cut off and they are impacted financially, there is no obligation for the government to compensate for wrongfully disconnecting them.
“No one is entitled to any compensation from Her Majesty in right of Canada for any financial losses resulting from the making of an order under subsection (1) or (2).”
Privacy Concerns and Personal Data Sharing
It’s unknown if the government recognizes Internet Service Providers such as Virtual Private Networks (VPN’s) under “telecommunications service provider”, but if VPN’s are included it’s unclear if they will be required to collect more data or if companies out of uncertainty will collect and store more data than what is necessary just to comply with the bill forcing them to remove their no logging privacy policies.
According to the Globe and Mail, Ron Deibert, a cybersecurity expert and the founder and director of the Citizen Lab at the University of Toronto, has slammed the federal government for refusing to provide the name of the spyware vendor employed by the Royal Canadian Mounted Police.
The government will gain sweeping powers for collecting and sharing data including confidential information with other government of Canada Ministries and “any other prescribed person or entity” domestic and foreign whether it be a Non Government Organization, foreign state government or individual.
Canadians have had their privacy violated several times over the course of the Covid-19 pandemic through contact-tracing apps, vaccine passports, ArriveCAN, and the unlawful bank account seizures.
The government also released its own weather app just before the pandemic in which it collected and spied on locations of millions of users that downloaded it.
Recently reported last week by Epoch Times, “PHAC has awarded a contract to social media intelligence collection firm Pulsar Platform to gather and analyze data on Canadians who are vaccine-hesitant.”
Pulsar Platform is said to be a British Company with a “Canada-based” research function.