On June 14, 2022, Bill C-26, an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced into Parliament for the first reading by Canada’s Minister of Public Safety, Marco Mendicino. Hearings on Bill C-26 are scheduled to begin in SECU (the Parliament’s Standing Committee on Public Safety and National Security) on December 4, 2023. Kate Robertson, Senior Research Associate and Lina Li made a written submission to the Standing Committee on Public Safety and National Security (SECU) regarding Bill C-26.

With an emphasis on privacy in particular, this submission tackles the issues Bill C-26 brings up regarding civil liberties and human rights. The fundamental tenets of accountable governance, due process, and our right to privacy are all at risk of being compromised by Bill C-26 in its current form. In order to better protect people’s right to privacy, this submission offers recommendations for how Bill C-26 can be implemented in terms of how the government and telecom companies define, manage, and safeguard people’s personal information. The submission suggests that safeguards for the new government powers that the Bill establishes be included in order to address general shortcomings, such as issues with secrecy and transparency.

There is evidence that signaling protocols used by telecom companies for facilitating roaming services also enable networks to obtain incredibly detailed user data. Such extent of access with the telecom service providers poses an unprecedented risk to the privacy of individuals. Owing to the extent of data available with the telecommunications providers, the telecom sector has become a primal target for surveillance actors. In an attempt to address the concerns in the telecom ecosystem, this submission to the Standing Committee on Public Safety and National Security provides a critical response to the federal government’s Charter statement on Bill C-26.

The Citizen Lab welcomes the opportunity to submit to the Standing Committee on Public Safety and National Security. Our submission highlights how Bill-26 will impact equality rights and freedom of expression while providing recommendations  to address a series of thematic deficiencies identified in Bill C-26. To ensure that its actions adhere to Canada’s democratic values as well as the standards of accountability and transparency, the government must make changes to its legislation.

Below is the Citizen Lab’s full submission to SECU regarding Bill C-26.

Part 1. Introduction and Summary

1. Citizen Lab researchers routinely produce reports concerning technical analyses of information and communications technologies (ICTs), the human rights and policy implications surrounding government surveillance that occurs using ICTs, as well as the cybersecurity threats and digital espionage targeting civil society. Citizen Lab research has also examined the openness and transparency of government and organizations, including telecommunications providers, with respect to the collection, use, or disclosure of personal information and other activities that can infringe upon human rights.
2. This month, the Citizen Lab published Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure (“Finding You”), authored by Gary Miller and Christopher Parsons.¹ The report provides a high-level overview of geolocation-related threats sourced from 3G, 4G, and 5G network operators. Evidence of the proliferation of these threats shows how the signalling protocols used by telecommunications providers to facilitate roaming also allow networks to retrieve extraordinarily detailed information about users. These protocols are being constantly targeted and exploited by surveillance actors, “with the effect of exposing our phones to numerous methods of location disclosure.”² Risks and secrecy surrounding mobile geolocation surveillance are heightened by layers of commercial agreements and sub-agreements between network operators, network intermediaries, and third-party service providers. Ultimately, vulnerabilities in the signalling protocols have “enabled the development of commercial surveillance products that provide their operators with anonymity, multiple access points and attack vectors, a ubiquitous and globally-accessible network with an unlimited list of targets, and virtually no financial or legal risks.”³
3. Finding You highlights the importance of developing a cybersecurity strategy that mandates the adoption of network-wide security standards, including a requirement that network operators adopt the full array of security features that are available in 5G standards and equipment. The report’s findings also underscore the importance of public transparency and accountability in the regulation of telecommunications providers. As the authors note, “[d]ecades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported.”⁴
4. In short, it is long overdue for regulators to step in at national and international levels to secure our network services. However, Canada’s approach to the regulation of telecommunications and cybersecurity also needs to be transparent, accountable, and compliant with applicable human rights standards. One year ago, Citizen Lab published Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act (“Cybersecurity Will Not Thrive in Darkness”).⁵ The report was authored by Dr. Christopher Parsons.⁶ Dr. Parsons critically examined the proposed draft legislation under Bill C-26, including identified deficiencies. In doing so, Dr. Parsons provided necessary historical and international context surrounding the federal government’s proposed telecommunications sector reform. Canada is not the first of its allies to introduce new government powers as a result of heightened concern and awareness surrounding real and pressing risks to critical infrastructure. However, Dr. Parsons identified that although the draft legislation may advance important goals, its current iteration contained thematic deficiencies that risked undermining its effectiveness. This report is set out in Appendix B, and is the focus of this brief.
5. The main submissions in this brief are set out in two parts:
   1. Part 2: Bill C-26 and the Canadian Charter of Rights and Freedoms (“Charter”): Part 2 of this Brief discusses the nexus between Bill C-26 and the Charter. It focuses, in particular, on how Bill C-26 may impact equality rights (Section 15), freedom of expression (Section 2(b)), and privacy (Section 8). The Charter implications of the proposed legislation should be a central consideration for this Committee, and throughout the Parliamentary process ahead.
   2. Part 3: Recommendations for amendment to Bill C-26: Cybersecurity Will Not Thrive in Darkness provides substantive analysis and recommendations to address a series of thematic deficiencies identified in Bill C-26. We agree that these recommendations are appropriate in the spirit of addressing overarching deficiencies, including secrecy and transparency issues, and the need to incorporate guardrails for the new government powers that the Bill creates. As a result, Part 3 provides a summary of Dr. Parsons’ recommendation, as well as comments and supplementary recommendations flowing from the Charter analysis in Part 2.

Part 2. Bill C-26 and the Charter: Towards a Human Security Approach to Cybersecurity

6. In analyzing the proposed amendments to Canada’s Telecommunications Act in Bill C-26, Dr. Parsons identified the following thematic deficiencies in the proposed legislation:
   • The breadth of what the government might order a telecommunication provider to do is not sufficiently bounded.
   • Excessive secrecy and confidentiality provisions in the bill threaten to establish a class of secret law and regulation.
   • Significant potential exists for excessive information sharing within the federal government as well as with international partners.
   • Costs associated with compliance with reforms may endanger the viability of smaller providers.
   • Vague drafting language means that the full contour of the legislation cannot be assessed.
   • There is no recognition of privacy or other Charter-protected rights in Bill C-26 as a counterbalance to the proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.⁷

7. These thematic deficiencies relate to the effectiveness of the government’s cybersecurity strategy as well as to potential risks to Charter-protected rights. Like the Canadian Radio-television and Telecommunications Commission (“CRTC”), the federal government must act in a manner that is consistent with the Charter when regulating in respect of telecommunication services and cybersecurity.
8. Following the publication of Dr. Parsons’ report in October 2022 (including his recommendation that the federal government table a Charter statement in relation to Bill C-26), the federal government tabled its Charter Statement in the House of Commons on December 14, 2022. The “non-exhaustive” statement identifies areas where Charter-protected rights are engaged by Bill C-26. The statement, however, does not fully address relevant Charter-related issues linked to Bill C-26. In the following paragraphs (9-27) we raise additional Charter issues to, first, inform the appropriateness of amendments recommended by Dr. Parsons and, second, to underscore the importance of bringing a human rights and human security approach to cybersecurity and the regulation of telecommunications services.

Equality Rights and Section 15 of the Charter

9. This section identifies examples of equality-related issues that could foreseeably arise during the government’s implementation of Bill C-26. We raise the potential for adverse impacts in the implementation of orders and regulations under Bill C-26 in order to provide guidance to this Committee about the importance of ensuring that the transparency and accountability mechanisms surrounding Bill C-26 are fit-for-purpose to guard against foreseeable risks. As noted in paragraph 6, accountability and transparency gaps are a thematic deficiency in Bill C-26, which are the subject of recommendations throughout Part 3 of this brief.
10. In 2019, the federal government passed the Accessible Canada Act (S.C. 2019, c. 10). The Act recognizes the importance of the economic, social and civic participation of all persons in Canada, and to allow all individuals to fully exercise their rights and responsibilities in a barrier-free Canada. The Act notes equality and non-discrimination rights protected under the Canadian Charter of Rights and Freedoms, and the Canadian Human Rights Act, which are implicated by laws and public policies affecting the accessibility of telecommunications services.
11. Access to affordable, high-quality telecommunications services is unevenly available in Canada.⁸ Government measures that have the effect of exacerbating the “digital divide” for Charter-protected groups may result in discrimination under section 15 of the Charter. If Orders in Council, Ministerial orders, or regulations issued under Bill C-26 are implemented in a manner such that disadvantaged communities are disproportionately exposed to security vulnerabilities, or disproportionately unable to access network services, it perpetuates the disadvantage experienced by Charter-protected groups, thus engaging section 15 of the Charter.
12. The following are examples of equality-related issues that are foreseeable when considering the types of orders or regulations that may be imposed under the broad powers proposed in Bill C-26:
    1. Firstly, barriers to affordable telecommunications services place a particularly heavy toll on low-income communities in Canada. There is a close connection between poverty and the historical disadvantage that is experienced by groups protected by s. 15 of the Charter.⁹ As a result, government orders or regulations that impose material costs on telecommunications services may result in heightened barriers to access, which would disproportionately affect historically disadvantaged communities.
    2. Secondly, government orders or regulations that hinder efforts to redress regional disparities in access to telecommunications services in Canada, such as disparities between Indigenous communities and the rest of Canada when it comes to accessing high-speed internet services,¹⁰ can also disproportionately affect Charter-protected groups under s. 15.
    3. Thirdly, persons living with disabilities may also be impacted in unintended but foreseeable ways by orders and regulations issued under Bill C-26. For example, measures that slow the availability of secure network services may slow or impede secure access to assistive technologies enabled by connected homes or communities.¹¹ As another example, orders or regulations that mandate the deployment of certain cybersecurity measures could bind companies to cybersecurity tools that are not accessible. While physical environments are more traditionally integrated into accessibility and inclusivity frameworks, cybersecurity tools often assume “that users are fully abled (e.g. can see the CAPTCHA), cognitively unimpaired (e.g. can create and retain passwords), have the necessary resources (e.g. time, appropriate technology and internet access in a distraction-free environment), and have the required dexterity to interact with the security system (e.g. can use the mouse and keyboard with ease).”¹²
    4. Fourthly, network insecurity and privacy risks also expose certain groups to heightened threats. Civil society, including dissidents, journalists, opposition politicians, lawyers, and family members are routinely exposed to targeted threats, hacks, and digital espionage.¹³ If governments and regulators fail to address persistent vulnerabilities in our network services–including the widespread abuse of telecommunications networks described in Finding You–certain groups (including communities protected by section 15) may be disproportionately left in harm’s way. As an alternative hypothetical, cybersecurity measures mandated through orders or regulations could lead to the unintended creation of new or worsening security flaws. Dr. Parsons provides the example that “in the process of prohibiting an upgrade, known-good security patches, hardware upgrades, or service offerings in the same update package might also be blocked.”¹⁴
13. Ultimately, these tensions highlight the overarching importance of inclusivity in setting security standards, and the corresponding importance of regulating telecommunications in a transparent and accountable way that enables the government’s cybersecurity approach to be fully integrated into a healthy democratic system. Without public transparency, accountability, and proportionate limits, the government runs the risk that “Canada’s telecommunications networks might be secured at the cost of disproportionately affecting the very individuals and communities that are most reliant on those networks.”¹⁵

Freedom of Expression and Section 2(b) of the Charter

14. The current draft of Bill C-26’s excessive secrecy and confidentiality provisions jeopardizes the right to freedom of expression under section 2(b) of the Charter. The government’s Charter statement focuses on the speech of the commercial entities who will be directly regulated under Bill C-26. The Charter statement posits that because restrictions on commercial speech do not tend to implicate the core values of section 2(b), restrictions can be more easily justified.¹⁶ However, this analysis fails to account for how individuals’ Charter rights may be impeded under the current drafting of the legislation. The excessive secrecy and confidentiality provisions in the bill also restrict the public’s and media’s expressive freedom in Canada.
15. The principles of open courts and open government are derivative components of section 2(b) of the Charter (the freedom of expression). The open court principle requires that court proceedings, including judicial reviews in federal court, presumptively be open and accessible to the public and to the media. Access to information about government actions can also arise as a derivative right to section 2(b), if a denial of access to government information effectively precludes meaningful public discussion on a matter of public interest. Where restrictions on access substantially impede meaningful discussion and criticism about matters of public interest, the government must reasonably justify its infringement of the freedom of expression.^17″
16. Telecommunications and cybersecurity law and policy is undoubtedly a matter of public interest. There is a close nexus between human rights and public policy concerning the regulation of telecommunication services. Canada’s telecommunications policy is intimately linked with the “social and economic fabric” of Canada and its regions.¹⁸ Equitable access to telecommunication services is sometimes described as a mechanism for “digital self-determination”, which speaks to the need to protect the potential for human flourishing in the digital era.¹⁹
17. The recent Citizen Lab report, Finding You, highlights several ways in which excessive secrecy surrounding telecommunications oversight has itself endangered the public. The authors note historical deficiencies in oversight and accountability of network security, which have led to geolocation-related threats associated with contemporary networks. Excessive secrecy has contributed to the persistence of the “low-hanging geolocation threat” identified in Finding You:
    

    Decades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported. This status quo has effectively created a thriving geolocation surveillance market while also ensuring that some telecommunications providers have benefitted from turning a blind eye to the availability of their network interconnections to the surveillance industry.²⁰

18. The geolocation surveillance threats discussed in Finding You disproportionately jeopardize human rights defenders and other individuals who face heightened risks of targeted security threats (e.g., corporate executives, military personnel, politicians and their staff, senior bureaucrats, etc). Industry has historically charged large amounts of money to receive information about well-known industry threats, with the effect of impeding non-industry groups such as security researchers and civil society from obtaining and disseminating information about the nature of the threats faced by at-risk individuals, or from advocating for the remedies that would benefit the security and privacy of civil society. The authors note that, in many instances, individuals cannot determine whether their own telecommunication provider has “deployed and configured security firewalls to ensure that signaling messages associated with geolocation attacks, identity attacks, or other malicious activity are not directed towards their phones.”²¹
19. Citizen Lab’s research highlights the substantial public interest in enabling the media, security researchers, civil society, and the public (including individuals facing heightened security risks) to access information about telecommunications policies and regulations, and the nature of the security risks that persist in whole or in part. As security researchers have noted, “the most promising route to full accessibility [in cybersecurity] lies in collaboration between vendors, advocacy groups, and the government.”²² This collaboration is facilitated by “discourse involving cyber security professionals, human-centred security academics, disability charities and other stakeholders.”²³ Civil society and the broader business community can press “regulators, policy makers, and politicians to actively compel telecommunications providers to adopt appropriate security postures to mitigate the pernicious and silent threats associated with geolocation surveillance,”²⁴ and other similar security risks.

Privacy Impacts and Section 8 of the Charter

20. Bill C-26 proposes several new information collection and sharing powers, and may include the collection or sharing of personal information. Many of these powers are insufficiently bounded or defined. The potential privacy risks posed by the powers are heightened by the absence of key accountability and oversight mechanisms. The breadth of the unsupervised information collection and sharing powers heightens the risk that the legislation, if passed as drafted, could unreasonably interfere with section 8 of the Charter in at least three four ways.
21. First, the federal government’s Charter statement posits that Bill C-26 does not interfere with section 8, in part, as a result of the fact that the “the information being gathered and shared in this context relates to the technical operations of TSPs, which are commercial entities”, as opposed to “personal biographical information that attracts a heightened privacy interest”.²⁵ However, Bill C-26 does not explicitly draw this distinction between technical information or other forms of personal information when defining collection or information sharing powers in the bill.
22. Instead, Bill C-26 provides authority to compel a broad array of information-holders to disclose a broad array of information. While the Charter statement for Bill C-26 emphasizes the regulatory nature of the scheme in Bill C-26, unlike other statutory inspection powers that have been subject to Charter challenges historically, there is no reason to interpret the statutory powers in Bill C-26 as applying only to information in which there is a low expectation of privacy. Rather, section 15.4 would provide authority to compel “any person” to provide “any information” under “any conditions that the Minister may specify,” so long as the Minister believes it is relevant to its order making powers. The persons and entities subject to this provision in many circumstances play an integral role in the lives of people in Canada, and may well be information-holders in respect of highly sensitive or personal information.
23. Second, while some aspects of Bill C-26 are regulatory in nature, Bill C-26 also creates criminal offences punishable by imprisonment for non-compliance with specified orders or regulations. Statutory powers authorize collecting and sharing information for the purposes of “verifying compliance or preventing non-compliance” with those orders or regulations. The legislation therefore creates risks that information will be compelled or shared during investigations pertaining to the criminal offences created by Bill C-26, or other offences. Furthermore, the breadth of the order making powers under Bill C-26 mean that the collection of information for the purposes of making such orders may cause serious consequences that are separate and apart from any regulatory or criminal prosecution.
24. Third, section 8 also protects privacy by requiring adequate accountability and review mechanisms to accompany information collection powers, even in administrative or regulatory contexts. The Supreme Court states that “[w]hile less exacting review may be sufficient in a regulatory context, the availability and adequacy of review is nonetheless relevant to reasonableness under s. 8.”²⁶ Canadian constitutional law has long recognized that without clearly defined safeguards (often including prior judicial oversight), legislation that authorizes intrusions on reasonably held expectations of privacy is inconsistent with s. 8 of the Charter. In some circumstances involving searches that are not subject to warrant requirements, the Court still expects that additional safeguards will be established to ensure the requisite level of transparency and accountability, and to help ensure that such powers are not abused. For example, requiring notice to the persons whose information is affected allows the affected individuals to identify and challenge invasions of their privacy, as well as seek a meaningful remedy.²⁷ Appellate courts have recognized a range of accountability measures when assessing the reasonableness of search and seizure powers, such as: notice requirements (including after-the-fact notice); reporting obligations (to independent institutions or Parliament); the availability of clear mechanisms for review of the exercise of collection powers; clear rules limiting collection powers to what is necessary, reasonable, and proportionate; and record-keeping requirements.²⁸
25. Part 3 of this brief will identify several mechanisms that are necessary to improve accountability surrounding the proposed powers in Bill C-26. For example, the draft legislation proposes broad information sharing powers with no notice requirements. This would mean that individuals and organizations whose information has been collected would have no way of knowing of the fact that information has been shared, thus thwarting review and challenge. Individuals who have private information held by, and collected from, third-party organizations would also not be aware that their information has been collected in the first place, let alone shared with other government entities.
26. Fourth, the extensive confidentiality provisions in Bill C-26 may actually further undermine accountability mechanisms surrounding the bill’s proposed information collection powers in ways that would be difficult to reasonably justify under s. 8. Section 15.4 of the proposed Telecommunications Act authorizes the Minister to require “any person” to provide “any information” under “any conditions that the Minister may specify.” These conditions would foreseeably include conditions to extend confidentiality obligations to the Minister’s use of collection powers. The secrecy provisions in Bill C-26, and the authority to extend those secrecy obligations through further “conditions”, could effectively chill or silence individuals or entities from notifying other persons that their personal information has been collected, or from challenging the exercise of government power. Furthermore, excessive secrecy surrounding existing orders or regulations would further undermine accountability, as courts or oversight bodies wouldn’t be able to assess whether collection or sharing of information was reasonably necessary and proportionate in furtherance of those secret orders or regulations. In short, it is unclear how the proposed confidentiality and secrecy provisions align with the need for accountability measures to ensure there is not an inappropriate intrusion into s. 8 Charter rights.
27. The Charter statement notes various information sharing agreements that are contained in the legislation. However, there are broad information sharing powers in Bill C-26 that are not subject to any information sharing agreements, or limitations on how the information may be used once shared. Furthermore, the majority of the Supreme Court has previously noted (in the context of other information disclosure powers accompanying supervised warrant provisions in the Criminal Code), that information sharing agreements are not “a panacea”, given that there is “always a risk that a foreign law enforcement agency may misuse the information disclosed.”²⁹

Part 3. Towards More Secure, Transparent, Accountable Governments and Telecommunications Networks in Bill C-26

28. This Part 3 summarizes recommendations identified in Cybersecurity Will Not Thrive in Darkness, as well as supplementary comments and recommendations flowing from the Charter analysis set out in Part 2. The report, including its specific textual recommendations, is enclosed as Appendix B. Where recommendations are identified in this brief for the first time, they are numbered with letters (i.e., Recommendation 1A) to maintain the original numbering of the report.

I. Limiting powers to order modifications to organizations’ technical or business activities

29. To include appropriate safeguards surrounding compulsion powers under Bill C-26, Cybersecurity Will Not Thrive in Darkness makes the following recommendations:
    1. Recommendation 1: Orders in Council and Ministerial Orders Must be Necessary, Proportionate, and Reasonable. Currently, the legislation allows the government to issue an order when necessary to secure the Canadian telecommunications system. However, necessity is an insufficient curb on the government’s power; Bill C-26 should impose more conditions regarding the specific circumstances under which the government can exercise its power.
    2. Recommendation 2: Orders Should Include a Reference to Timelines. The draft legislation should be amended to include a requirement that telecommunications providers must implement cybersecurity demands or orders within a reasonable period of time in situations where compliance with a demand or order would require significant or material changes to the recipients’ business or technical operations.
    3. Recommendation 3: Government Should Undertake Impact Assessments Prior to Issuing Orders. Government assessments of its orders should identify secondary- or tertiary impacts that would have the effect of worsening an organization’s cybersecurity practices or stance. These assessments should be presented to telecommunications providers along with any demands or orders or regulations that are based upon these assessments. Such assessments should be included in any and all proportionality analyses of government demands or orders.
    4. Recommendation 4: Forbearance or Cost/Cost-Minus Clauses Should Be Inserted. The government may issue a direction that could severely alter how a telecommunications provider is able to offer a service to customers. The legislation should be amended such that telecommunications providers can seek forbearance of certain orders where implementing them would have a material impact on the providers’ economic viability. Alternatively, if an order or regulation would have a deleterious effect on a telecommunications provider’s economic viability and the government demands that the order be fulfilled regardless, the provider should be compensated on either a cost or cost-minus basis.
    5. Recommendation 5: The Standards That Can Be Imposed Must Be Defined. Without a clear definition of what a “standard” in the draft legislation entails, it becomes difficult to assess what kinds of standards the government is seeking to implement and whether it is adopting them safely. The legislation should be amended such that it is clear what kinds of standards are within and outside of the scope of the legislation. The evidence and analysis in Finding You underscore that urgent action is needed to establish mandatory security and privacy standards for telecommunications providers to require security postures that address the vulnerabilities in signalling protocols that enable mobile geolocation surveillance threats.It should also be made explicit that an order or regulation compelling the adoption of particular standards cannot be used to deliberately or incidentally compromise the confidentiality, integrity, or availability of a telecommunications facility, telecommunications service, or transmission facility. The intent of this recommendation is to prevent the government from ordering or demanding that telecommunications service providers deploy or enable lawful access-related capabilities or powers in the service of ‘securing’ infrastructure by way of adopting a standard.

II. Secrecy and Absence of Transparency or Accountability Provisions

30. As noted above, Bill C-26 has “extensive and overly onerous secrecy and confidentiality requirements.”³⁰ Laws that impose meaningful limits on the freedom of expression must be balanced and reasonably justified. While some confidentiality will be appropriate to ensure that unresolved security vulnerabilities are effectively brought into control, certain powers in Bill C-26 go further than what is required to accomplish cybersecurity and national security objectives. Furthermore, certain powers proposed are unaccompanied by reasonably available measures to protect the public’s interest in access to information concerning an important area of government action. In light of identified deficits concerning excessive secrecy or the absence of accountability provisions, we reiterate the following recommendations from Cybersecurity Will Not Thrive in Darkness:
    1. Recommendation 6: Orders Should Appear in The Canadian Gazette. In Bill C-26, orders are required to be published in the Canadian Gazette, but the Minister has the authority to “direct otherwise in the order.” As such, “the result is that the government might issue orders that never appear in the Canadian Gazette, and there is no requirement for the order to ever be published in a complete and non-redacted format.”³¹ The potential effect could unjustifiably restrict meaningful public debate on a matter of public importance and, as a consequence, the freedom of expression. The legislation should be amended such that orders must be published within 180 days of issuing them or within 90 days of an order being implemented, based on whichever condition is met first. The legislation should also expressly define circumstances that justify secrecy.
    2. Recommendation 7: The Minister Should Be Compelled To Table Reports Pertaining to Orders and Regulations. To better safeguard the public interest, privacy, and the freedom of expression, the legislation should further be amended such that the Minister of Industry is required to annually table a listing of:
       • the number of orders and regulations that have been issued
       • the kinds of orders or regulations that have been issued
       • the number of telecommunications providers that have received the orders
       • the number of telecommunications providers that have partially complied with the orders
       • the number of telecommunications providers that have completely complied with the orders
       • a narrative discussion of the necessity, proportionality, reasonableness, and utility of the order-making power

3. Recommendation 8: Non-Disclosure Orders Should Be Time Limited. Bill C-26 also proposes gag provisions with respect to Orders in Council or Ministerial Orders, which are not limited either temporally (i.e., how long is secrecy necessary?) or substantively (i.e., what circumstances justify secrecy?). As noted at paragraph 15, non-disclosure orders affect not only the recipient of the gag order but, also, the public’s right to information that informs democratic debate. The legislation should be amended to include time constraints surrounding non-disclosure orders.
4. Recommendation 8A: The Circumstances Purporting to Justify Confidentiality in a Non-Disclosure Order Should Be Defined In The Legislation.
5. Recommendation 9: The CRTC Should Indicate When Orders Override Parts of CRTC Decisions. The legislation should be amended to, at a minimum, require that the CRTC post a public notice attached to any of its decisions where there is a contradiction between its decision and an Order in Council or Ministerial Order or regulation that has prevailed over part of a CRTC decision.
6. Recommendation 10: An Annual Report Should Include the Number of Times Government Orders or Regulations Prevail Over CRTC Decisions. The legislation should be amended to require the government to annually disclose the number of times it has issued orders or regulations that prevailed in the case of an inconsistency between a given order or regulation and a CRTC decision, as well as denote which CRTC decision(s) were affected.
7. Recommendation 11: All Regulations Under the Telecommunications Act Should Be Accessible to The Standing Joint Committee for the Scrutiny of Regulations. The legislation should be amended such that the Standing Joint Committee for the Scrutiny of Regulations is able to obtain, assess, and render a public verdict on any regulations that are promulgated under the proposed draft reforms to the Telecommunications Act, as well as on regulations pertaining to the Telecommunications Act and that are modified pursuant to s. 18 of the Statutory Instruments Act.

III. Deficient Judicial Review Process

31. Bill C-26 contemplates that telecommunication providers may initiate judicial review proceedings in respect of orders or regulations issued under the proposed legislation. In pages 22-24 of his report, Dr. Parson identified problems that would arise if Bill C-26 is passed without amending section 15.9. As drafted, section 15.9 would permit a series of mandatory limits on open court principles, which would prevent judges from exercising judicial discretion in balancing the need for secrecy or confidentiality with the public’s interest in disclosure. As noted at paragraph 15 in this submission, the Charter protects open court principles that apply in the context of judicial review, including Charter protections for the freedom of expression.
32. Cybersecurity Will Not Thrive in Darkness recommends (Recommendation 12) that Bill C-26 should explicitly enable appointment of amicus curiae or a special advocate during judicial review. The legislation should be amended such that, at the Court’s pleasure, amicus curiae or a special advocate can be appointed to contest and respond to information provided by the government in support of an Order in Council, Ministerial Order, or regulation under s. 15.8 in when evidence is sufficiently sensitive to bar a telecommunications provider’s counsel from hearing it.
33. We also recommend:
    1. Recommendation 12A: Section 15.9 Should Be Amended To Ensure The Judge Retains Authority To Balance The Public Interest In Disclosure Against The Interest In Confidentiality: In general, mandatory limits on open courts (which prevent the judge from balancing the public interests at stake), are generally viewed as excessive infringements on section 2(b) rights.³² For example, even in analogous provisions of the Canada Evidence Act (permitting secrecy in judicial proceedings for matters injurious to international relations, national defence or national security or endanger the safety of any person), the judge retains the authority to determine that “the public interest in disclosure outweighs in importance the public interest in non-disclosure”. The same safety valve should be incorporated into section 15.9 of Bill C-26, in order to ensure that any limits to openness minimally impair freedom of expression.
    2. Recommendation 12B: Where Summaries Are Provided Of Evidence And Information Received By The Court, Pursuant To Section 15.9(1)(C), These Summaries Must Also Be Available To The “Applicant and the Public”. As noted at paragraph 15, the open court principle protects the public’s and the media’s interest in the openness of court proceedings. Practically speaking, the public’s right of access to judicial summaries of this nature is typically accomplished by marking such summaries as an exhibit to the proceedings. The public’s right of access to exhibits is a corollary of the open court principle.
    3. Recommendation 12C: The Triggering Threshold Justifying Limits On The Openness Of The Proceedings Should Not Be Higher Than That Which Is Already Contained Under Analogous Provisions Of The Canada Evidence Act.³³ In that regard, we recommend mirroring the language from the Canada Evidence Act through the following amendment:
       

       Section 15.9(1)(a) “…if, in the judge’s opinion, the disclosure of the evidence or other information could would be injurious to international relations, national defence or national security or endanger the safety of any person”.

IV. Extensive Information Sharing Within and Beyond Canadian Agencies

34. Bill C-26 proposes to create broad information sharing powers within and beyond Canadian government agencies, without accompanying those powers with necessary limits, oversight, or accountability mechanisms. As noted at paragraph 24, the absence of reasonable procedural safeguards to review government powers that infringe upon privacy interests can render legislation invalid under section 8 of the Charter. To impose more appropriate guardrails on the proposed powers to share information within and beyond Canadian agencies, Recommendations 13-20 of Cybersecurity Will Not Thrive in Darkness are the following:
    1. Recommendation 13 and 14: Relief Should Be Available If Government Mishandles Confidential, Personal, or De-Identified Information. The legislation should be amended to enable individuals and telecommunications providers to seek relief should the government or a party to whom the government has disclosed confidential, personal, or de-identified information loses control of that information, where that loss of control has material consequences for the individual, or for a telecommunication provider’s business or technical operations.
    2. Recommendation 15: Government Should Notify Telecommunications Providers How It Will Use Collected Information, and Which Domestic Agencies Information Will Receive The Information.
    3. Recommendation 16: Information Obtained from Telecommunications Providers Should Only be Used by Government Agencies for Cybersecurity and Information Assurance Activities. Information should not be used for the purposes of signal intelligence and foreign intelligence activities, cross-department assistance unrelated to cyber-security, or active or defensive cyber operations. These restrictions should apply to all agencies.
    4. Recommendations 17 and 18: Data Retention Periods Should Be Attached to Telecommunications Providers’ Data and to Foreign Disclosures of Information. The legislation should be amended to highlight that confidential information will be retained only for as long as necessary to make, amend, or revoke an order under section 15.1 or 15.2 or a regulation under paragraph 15.8(1)(a), or to verify the compliance or prevent non-compliance with such an order or regulation. Similarly, an amendment should also require that the government attach data retention and deletion clauses in agreements or memoranda of understanding that are entered into with foreign agencies. Retention periods should be communicated to the affected telecommunications providers.
    5. Recommendation 19: Telecommunications Providers Should Be Explicitly Informed Which Foreign Parties Receive Their Information. Given that foreign parties can use information to launch investigations and bring non-penal charges against providers, the government should provide some notice when telecommunications providers’ information is being, or has been, shared for cybersecurity purposes.
    6. Recommendation 20: Legislation Should Delimit the Conditions Wherein a Private Organization’s Information Can Be Disclosed. As drafted, section 15.7(1) appears to set an excessively low threshold for disclosing information, and could enable significant sharing of private, if not confidential, information, to address unspecified threats that are not set out in the legislation. Proposed textual amendments are found on page 30 of Cybersecurity Cannot Thrive in the Darkness (Appendix A to this brief).

V. Costs Associated with Security Compliance

35. As noted above, imposing substantial costs of compliance on telecommunications providers may have the potential to impact upon the accessibility of telecommunication services, the digital divide, and Charter-protected rights or interests. To address concerns surrounding the costs associated with security compliance, Cybersecurity Will Not Thrive in Darkness makes the following recommendations:
    1. Recommendation 21: Compensation Should Be Included for Smaller Organizations. There should be a mechanism whereby smaller telecommunications providers (e.g., those with fewer than 250,000 or 500,000 subscribers or customers) that have historically been conscientious in their security arrangements can seek at least some temporary relief if they are required to undertake new, modify existing, or cease ongoing business or organizational practices as a result of a government demand or order or regulation. Such relief may be for only a portion of the costs incurred and, thus, constitute a ‘cost-minus’ expense formula.
    2. Recommendation 22: Proportionality and Equity Assessments Should Be Included in Orders or Regulations. The results of these assessments should be taken into consideration by the government prior to issuing an order or regulation, should be provided to telecommunications providers alongside associated orders or regulations, and should be included in any evidentiary packages that may be used should a telecommunications provider seek a judicial review of any given order or regulation.
    3. Recommendation 23: Government Should Encourage Cybersecurity Training. The government should commit to enhancing scholarships, grants, or other incentives to encourage individuals in Canada to pursue professional cybersecurity training.

VI. Vague Drafting Language

36. The last set of recommendations pertain to ambiguities in Bill C-26. Notably, Bill C-26 does not specify the kinds of security threats that might be addressed by orders or regulations; fails to define key concepts like “interference”, manipulation”, and “disruption”; provides the Minister with unnecessarily open-ended powers; and lacks clear guidelines as to how personally identifiable information that is obtained from telecommunications providers is to be treated. As a result, Cybersecurity Will Not Thrive in Darkness makes the following recommendations:
    1. Recommendation 24: Clarity Should Exist Across Legislation. The government should clarify how the envisioned threats under the draft legislation (“including against the threat of interference, manipulation or disruption”) compare to the specific acts denoted in s. 27(2) of the CSE Act (“mischief, unauthorized use or disruption”), with the goal of explaining whether the reformed Telecommunications Act would expand, contract, or address the same classes of acts as considered in the CSE Act.
    2. Recommendations 25: Explicit Definitions for “Interference,” “Manipulation,” and “Disruption” Should Be Included in the Legislation or Else Publicly Promulgated.
    3. Recommendation 26 and 27: Ministerial Flexibility Should Be Delimited (i.e., remove open-ended language around powers such as “among other things”). In the event that a corresponding amendment is needed for Ministerial powers constrained to emergency circumstances, those powers should be subject to judicial review in Federal Court, including assessment for necessity, reasonableness, and proportionality. Decisions emergent from review should be published by the Federal Court.
    4. Recommendation 28: The Legislation Should Make Clear that Personal Information and De-Identified Information is Classified as Confidential Information. As noted above, the federal government’s Charter statement appears to conclude that it is not the intent of Bill C-26 to authorize the collection and sharing personal information. If that is the case, the legislation should expressly say so. Alternatively, personal and de-identified information should be treated as confidential.
    5. Recommendation 28A: Individuals Should Be Explicitly Informed If Their Information Has Been Collected Or Shared. If the federal government does not expressly state that personal and de-identified information should not be included in collection and sharing powers, it should ensure that notice obligations are extended to individuals whose information is impacted by the collection and sharing powers under Bill C-26.
    6. Recommendation 29: Prior Judicial Approval Should be Required for the Government to Obtain Personal or De-Identified Information from a Telecommunications Provider. The information is further to be used exclusively for the purposes of making, amending, or revoking an order under s. 15.1 or 15.2 or a regulation under paragraph 15.8(1)(a), or of verifying compliance or preventing noncompliance with such an order or regulation.
    7. Recommendation 30: The Government Cannot Disclose Personal or De-Identified Information to Foreign Organizations.

Part 4. Concluding Remarks

37. We urge this Committee to take seriously the recommendations that were identified in Cybersecurity Will Not Thrive in Darkness. We note that most of these recommendations have been either reiterated or expanded upon by the Joint Submission to this committee submitted by civil society organizations and individuals.³⁴ In detailing these recommendations for this Committee’s study, we also urge the Committee to consider the additional Charter interests that are engaged by Bill C-26, including equality, non-discrimination, freedom of expression, and privacy, as described in Part 2 of this Brief. We echo Dr. Parsons’ view that “cybersecurity efforts through Bill C-26 should seek to build trust between the government and non-government entities, including the general public,” and that independent bodies (including the Privacy Commissioner of Canada, National Security and Intelligence Committee of Parliamentarians, or National Security and Intelligence Review Agency) should be integrated into the government’s assessments of the necessity, proportionality, and reasonableness of Orders in Council, Ministerial Orders, or regulations.
38. Citizen Lab’s recent report, Finding You (enclosed as Appendix C), documents continuing vulnerabilities at the heart of the world’s mobile communications networks. The report’s findings underscore that cybersecurity has not thrived in darkness. Historical and continuing deficiencies in oversight, transparency, and accountability of network security have led to serious geolocation-related threats associated with contemporary networks. The report notes that the “failure of effective regulation, accountability, and transparency has been a boon for network-based geolocation surveillance.”³⁵
39. While Canada needs to move forward in combating threats to its telecommunications and critical infrastructure, it should not do so at the expense of democratic norms and safeguards, public transparency and accountability, or respect for the Charter and human rights. Rather, a human security and human rights approach to cybersecurity requires the recognition of the importance of accessible and inclusive cybersecurity, public accountability, and public transparency when regulating telecommunications and cybersecurity.

Part 5. Organizational Information

40. Kate Robertson is a lawyer and senior research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. Her research explores the intersection of law, policy, and technology, and focuses on transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities. I draw on former experience as a law clerk of the Supreme Court of Canada, and subsequently, as a lawyer in Canada’s justice system.
41. Lina Li is a BCL/JD student at McGill University’s Faculty of Law and a legal intern at the Citizen Lab, Munk School of GLobal Affairs & Public Policy at the University of Toronto. Her areas of interest lie at the intersection of law and technology, focusing on questions of policy, AI governance, and corporate transparency.
42. The views we have presented are our own and based on research that we and colleagues have carried out at our place of employment, the Citizen Lab. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
43. We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.

Appendix A – Table of Recommendations

Appendix B – Enclosed Report

Christopher Parsons. “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act,” Citizen Lab Research Report No. 158, University of Toronto, October 18, 2022.

Appendix C – Enclosed Report

Gary Miller and Christopher Parsons. “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure,” Citizen Lab Research Report No. 171, University of Toronto, October, 2023.