Liberal cybersecurity bill is ‘bad law’, report warns


A new research report indicates that federal cybersecurity legislation is so flawed that it would allow authoritarian governments around the world to justify their own repressive laws.

The report by Christopher Parsons of the Citizen Lab at the University of Toronto makes 29 recommendations to strengthen the transparency and accountability of the proposed measures introduced in June by the Liberal government.

The government wants to establish a framework to better protect systems vital to national security and give authorities new tools to respond to emerging dangers in cyberspace.

Under Bill C-26, key companies in the banking and telecommunications sectors would be required to improve cybersecurity and report digital attacks, or face penalties.

The bill proposes to give authorities the ability to enforce measures through audit powers and fines, and would allow for criminal penalties for non-compliance.

The report says the powers sought by Ottawa are not sufficiently limited, come with overly broad confidentiality clauses and would potentially limit the ability of private companies to challenge requests, orders or regulations issued by the government.

The report outlines a scenario in which the federal broadcast regulator could write a set of public laws through its rulings, while a “sort of secret law” that unfolds through ordinances and regulations would guide in fact the behavior of telecommunications providers with regard to cybersecurity.

It says the powers proposed in Bill C-26 need to be reduced in places, key clauses and terminology defined, and accountability and transparency requirements “heavily sprinkled” in an amended version of the legislation.

“If the government refuses to make meaningful changes to its legislation and to make itself both more accountable and transparent to telecommunications providers and the public, it will have passed a bad law,” the report said.

“Authoritarian governments could point to an unamended Bill C-26 to justify their own irresponsible, secretive and repressive ‘security’ legislation.”

Parsons, a senior research associate at Citizen Lab, which focuses on communications technology, human rights and global security, was among several individuals and groups who wrote a joint open letter to the Minister of Public Safety. Marco Mendicino last month expressing concern over the bill.

He argues that the government owes it to citizens and businesses to justify why it is seeking the new powers and the rationales behind the introduction of cybersecurity legislation.

Among the recommendations of his report:

  • The decrees and ministerial orders taken to secure the telecommunications system must be necessary, proportionate and reasonable;
  • orders must be published in the Canada Gazette within 180 days of their issuance or within 90 days of the implementation of an order;
  • the minister should be required to file an annual report on orders issued;
  • the government should explain how it will use information from telecommunications providers and indicate the agencies to which the information may be disclosed;
  • help should be available if the government mishandles confidential or personal information; and
  • there should be defined periods for which the government can retain data from telecommunications providers.

The costs associated with complying with government orders could significantly affect telecommunications providers, including the risk that some companies may not be able to continue to provide services to all their customers, the report warns.

To improve independent oversight, the government should clarify the roles of the Federal Privacy Commissioner, the National Security and Intelligence Committee of Parliamentarians, and the National Security and information at different stages of the process of developing orders or regulations, according to the report adds.

“Security can and should be aligned with Canada’s democratic principles,” writes Parsons. “It is now up to the government to amend its legislation accordingly.”

This report from The Canadian Press was first published on October 18, 2022.