The Corrosive Cost of Cybersecurity
Senator Joe McCarthy
The quest to protect national security has been an ongoing journey for Five Eyes nations and other governments bent on protecting their citizenry. In Canada, the effort is under the auspices of Bill C-26, which amends the existing Telecommunications Act and creates a new law, the Critical Cyber Systems Protection Act. The Bill is one of several introduced recently that, alone and together, conspire to undermine individuals’ privacy, freedom, and security.
Bill C‑26 narrows existing gaps, with the intention of promoting the security of the Canadian telecommunications system and “critical cyber systems of services and systems that are vital to national security or public safety”. The mechanisms for accomplishing that, and the vague language in the Bill, offer flexibility to address developing situations, but are problematic from other perspectives.
To start with, Bill C-26 applies to telecommunications, pipeline and power line systems, nuclear energy, banking and clearing, and transportation under Parliamentary authority.
But that’s just the start.
The Bill also allows the government to designate any service, system, and classes of operators as a vital services or vital systems. Once so designated, they can be required to “establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions.”
Bill C-26, which echoes “chat control” legislation in the EU and the UK’s Online Safety Bill that calls for scanning encrypted messages, allows government to direct telecommunications service providers to "do anything or refrain from doing anything” they are ordered to do. That opens the door to entire populations being put under surveillance or live facial recognition scrutiny under the guise of public safety, child protection, anti-terrorism, national security, or whatever other justification authorities allege.
As a way to encourage voluntary compliance, the penalty for individuals failing to comply is $25,000 for a first offense, and $50,000 for subsequent contraventions. For everyone else, fines start at $10 Million, and increase to $15 Million. Incentives like that can be a strong motivator for people and companies eager to retain their hard-earned money and avoid monetary fines to simply doing as instructed, even if that includes routinely and proactively breaching privacy.
Given the government’s propensity to issue secret orders in council it is hardly surprising that, under Bill C‑26, merely disclosing the existence of an order made under its provisions would be illegal. Allowing secret orders and secret laws is not the stuff of democracy, but it does threaten Canadians’ privacy, and will ensure nothing stands in the way between the people in power and the power they hold.
Equally undemocratic are Bill C-26 provisions that allow anonymous allegations and spurious evidence to be enough to justify ordering telcos and service providers to break encryption and monitor all transmissions, ensnaring all Canadians and threatening their privacy, freedom, and security. The law invites the same sort of baseless accusations seen in the McCarthy era, and foretells of all personal, business, journalistic, and political communications being scrutinized, fair comment being characterized as threats — therefore subject to censoring — and everyone who questions government policy facing actions and consequences that harken back to Eastern European regimes of the early 20th Century.
For every government that has expressed concern about losing the public’s trust, it’s easy to think of better ways of accomplishing that than Bill C-26.
If the objective is to prevent products from certain nations being used in Canada, Bill C-26 should use clear and definitive language to say so. The law should not use vague language that implicates the entire population and provides endless opportunity for all communications to be characterized as threats, worthy of whatever silencing, sanctions, or secretive scrutiny a Minister might conceive.
Allowing elected representatives or unelected, unaccountable bureaucrats the sweeping powers that Bill C-26 and its EU, UK and USA counterparts provide is an assault on democracy, and a clear and present danger to freedom, privacy, individual autonomy.