OTTAWA -- A new research report says federal cybersecurity legislation is so flawed it would allow authoritarian governments around the world to justify their own repressive laws.
The report, by Citizen Lab researcher Christopher Parsons, makes 29 recommendations to bolster the transparency and accountability of the proposed measures introduced in June by the Liberal government.
The government wants to establish a framework to better shield systems vital to national security and give authorities new tools to respond to emerging dangers in cyberspace.
Under Bill C-26, key enterprises in the banking and telecommunications industries would be required to improve cybersecurity and report digital attacks, or possibly face penalties.
The bill proposes giving authorities the ability to enforce measures through audit powers and fines, and would allow for criminal penalties in cases of non-compliance.
The report says the powers being sought by Ottawa are insufficiently bounded, come with overly broad secrecy clauses, and would potentially limit the ability of private companies to dispute demands, orders or regulations issued by the government.
The report describes a scenario where the federal broadcast regulator could draft one set of public law through its decisions while "a kind of secret law" that unfolds through orders and regulations would actually guide telecommunications providers' cybersecurity behaviour.
It says the proposed authorities in Bill C-26 need to be pared back in some places, essential clauses and terminology defined, and accountability and transparency requirements "sprinkled liberally" in an amended version of the legislation.
"If the government declines to meaningfully amend its legislation and make itself both more accountable and transparent to telecommunications providers and the public alike, it will have passed a bad law," the report says.
"Authoritarian governments would be able to point to a non-amended Bill C-26 in the course of justifying their own unaccountable, secretive and repressive 'security' legislation."
Parsons, a senior research associate at the Citizen Lab, which focuses on communication technologies, human rights, and global security, was among several individuals and groups who wrote a joint open letter to Public Safety Minister Marco Mendicino last month expressing concern about the bill.
He argues the government owes it to citizens and businesses alike to justify why it is seeking the new powers and the underlying rationales driving introduction of the cybersecurity legislation.
Among his report's recommendations:
- orders-in-council and ministerial orders made to secure the telecommunications system must be necessary, proportionate and reasonable;
- orders must be published in the Canada Gazette within 180 days of issue, or within 90 days of an order being implemented;
- the minister should be compelled to table an annual report about orders issued;
- the government should explain how it will use information from telecommunications providers and indicate the agencies to whom the information may be disclosed;
- relief should be available if the government mishandles confidential or personal information; and
- there should be defined periods for how long government can keep telecommunications providers' data.
The costs associated with compliance with government orders might materially affect telecommunications providers, up to and including the risk that some companies may be unable to continue providing service to all of their customers, the report warns.
To enhance independent oversight, the government should make clear what roles the federal privacy commissioner, the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency would have at different stages of the order- or regulation-making process, the report adds.
"Security can be, and must be, aligned with Canada's democratic principles," Parsons writes. "It is now up to the government to amend its legislation in accordance with them."
This report by The Canadian Press was first published Oct. 18, 2022.