Avatar image of Ramneet Bhullar

Bill C-26: Cybersecurity Hero or Privacy Villain?

Everything you need to know about cybersecurity Bill C-26

Ransomware, hacking attacks, cybercrime — today, we all need to be conscious of our cybersecurity. Enter Bill C-26, formally known as “An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts”, a cybersecurity bill aimed at protecting Canadians against digital threats and hostile actors. 

Sounds too good to be true? Right now, it is. Bill C-26 is supposed to be our cybersecurity hero, but the way it's written makes it far more of a privacy villain. 

This draft legislation, while intended to shield us from online dangers, lacks essential safeguards to protect our personal privacy and other basic rights. Passing it in its current form would be like handing the keys to a personal data-filled candy shop to government security agencies, who already have a deeply problematic track record of evading democratic oversight. The near-total absence of checks and balances in Bill C-26 raises obvious concerns about the potential misuse of power by the government, the spy agencies under its control, and spy agencies in allied nations Canada shares information with. 

Here’s a breakdown of some of the biggest problems with Bill C-26: 

It opens the door to privatized surveillance.

  • Instead of straightforward legislation to protect Canadians online, C-26 amounts to a thinly disguised wishlist from Canada’s spy agency, the Communications Security Establishment (CSE). Bill C-26 gives the government the astonishing power to order telecom providers “to do anything or refrain from doing anything.”  Does that sound well-defined and appropriately limited to you?

  • The worry here is that the government could wield this broad brushstroke to turn private companies into unwilling spies on their own customers. Imagine your telecom provider being compelled to snoop on your digital life, potentially sharing sensitive information with the authorities. That's a blatant invasion of privacy rights that gets alarm bells ringing.

  • But it doesn't stop there. The real kicker is the potential impact on our encryption standards. Strong encryption is like the guardian of our digital secrets – it keeps our personal messages, online transactions, and sensitive information locked away from prying eyes. Bill C-26, however, seems to be waving a green flag for the government to lean on telecom providers and weaken these encryption standards. It's like giving them the power to poke holes in the virtual locks we rely on to keep our online world safe from cyber threats. This not only jeopardizes our privacy vis-à-vis our government; it also opens the door for potential breaches and unauthorized access to our personal information by hackers, criminals, foreign governments and more. Encryption is an all-or-nothing affair; it is truly secure, or it is fundamentally broken, a damaged lock that many digital actors will figure out how to pick. 

  • Setting us up for that kind of vulnerability is a gross violation of the trust we place in both our telecom providers and the government, shaking the very foundation of our digital security. The fine balance between national security measures and individual privacy rights seems to be tilting against the average Canadian, and that's a cause for serious concern.

C-26 could cut you off from the Internet.

  • Under Bill C-26, Canadian companies or individuals risk being cut off from essential Internet connectivity by secret government order, without explanation – indefinitely.

  • It's like having the rug pulled out from under you without knowing why. What makes it even more concerning is that right now there's no independent watchdog to keep an eye on these government orders. If someone innocent gets misidentified as a criminal actor, there's no safety net or way to appeal. 

  • Internet access is more than just a luxury — your OpenMedia team fought long and hard to get it defined as an essential service. That means recognizing it is a fundamental part of our daily lives, and the thought of being disconnected without a clear reason or a chance to make things right is downright troubling. 

  • Giving the government the power to flip the off-switch on something as essential as the Internet is certainly not something we should take lightly. They could use these powers to disconnect ordinary people indefinitely from the Internet if our ‘smart’ toaster oven, or an old phone we gave our kids, gets hijacked by a hostile botnet. If these powers exist at all, they must be used rarely, proportionally, and with a clear plan to get ordinary people unknowingly caught up in cybercrimes reconnected as soon as possible.

Unchecked government powers, open to abuse.

  • In its current form, Bill C-26 plays fast and loose with our privacy and leaves us without much protection – making it FAR too easy for the government to order themselves up access to our sensitive, private info. A 2014 Supreme Court ruling, R. v. Spencer, found that law enforcement agencies needed to obtain a court order to compel private companies to disclose subscriber information. Despite this, time and time again the Liberals and Conservatives have tried to introduce legislation to expand the government's power to “lawfully” access this data. C-26 is no different. As noted above, the sweeping new powers Bill C-26 hands the government amount to a surveillance toolkit to be used any time they choose, and these powers could easily be misused to pry into the personal lives of regular Canadians.

  • There are no meaningful safeguards or accountability mechanisms to constrain government abuse of these sweeping powers, such as mandatory proportionality, privacy, or equity assessments to keep the government in check. 

  • These new government powers come with steep fines or even imprisonment for non-compliance. The consequences of being wrongfully targeted by them are very serious.

  • Right now, it's like they've been given a blank cheque with no accountability. If we're going to trust them with these new powers — and, after all, public trust is essential for any cybersecurity framework to be effective — we need strong safeguards and reporting requirements to ensure we can hold our government and our spy agencies accountable.

Who cares about privacy under C-26? No one.

  • It's a known fact that certain communities in Canada, particularly Indigenous, marginalized, and equity-seeking groups, have borne the brunt of decades of disproportionate targeting by government surveillance and unchecked abuses of power. 

  • These communities have long grappled with a history of disproportionate and unaccountable targeting, surveillance and abuse of power. Now, with the introduction of Bill C-26, there is a risk – a big one – that the situation for these communities could get a whole lot worse. More power with fewer checks on it = worse surveillance of vulnerable populations than ever. Should we really be granting the government extensive new secret surveillance powers against this backdrop?

  • The potential consequences of this bill extend beyond just collecting data in Canada, for use by Canadian spooks. It raises the spectre of unchecked information sharing with many more of Canada’s intelligence ‘partners’, including foreign entities like the US National Security Agency, the CSE's Five Eyes partner, and equivalent organizations in the UK, Australia, and New Zealand.  By permitting the government to disclose sensitive information to a wide range of domestic and foreign entities, the legislation places even greater risk on communities that have historically faced discrimination and surveillance. This isn't a hypothetical concern; it has real-world implications for the individuals within these communities. 

Here’s something frustrating: when we look at how other countries, like Australia and the UK, are handling cybersecurity, it's clear that Canada is taking a far riskier approach to our privacy and civil liberties. Australian and British cybersecurity legislation strikes a much better balance between security and privacy, whereas, in Canada, we’ve got a poorly-drafted bill without basic protections that amounts to a spy agency power-grab. Privacy and security should go hand-in-hand rather than having to choose between the two. 

But if the government won’t do this critical fix-up work, we’ll get it done. That’s why several civil society organisations and leading privacy experts (including OpenMedia) worked together to create a comprehensive list of amendments that can finally turn Bill C-26 into the cybersecurity hero we know and love. We’ve handed the government everything they need on a silver platter and it's up to them to put these amendments to work. At the end of the day, rights and cybersecurity are both non-partisan public goods. Our Members of Parliament must work together, put aside their differences, and fix the issues with this legislation to create a framework that works for everyone. 

Just last week OpenMedia testified at the Standing Committee on Public Safety and National Security (SECU) to share these concerns with MPs. Our own Matt Hatfield took the opportunity to present MPs with a petition signed by nearly 6,000 OpenMedia community members. But it's gonna take a whole lot more if we want them to hear us LOUD and CLEAR, and make the changes people in Canada need. OpenMedia recently launched a new campaign calling for MPs to fix key issues in Bill C-26.  We all need MPs on the SECU committee and in Parliament as a whole to step up, fix this legislation, and deliver a cybersecurity framework for the next 10 years which we can all get behind. Will you add your voice?
