September 26th, 2025
Canada Privacy Data Breaches Privacy Deficit Spy Agencies Spying Legislation Encryption Free & Open Internet

Government brings back Cybersecurity Bill without fixing dangerous loophole that leaves Canadian networks vulnerable to attack

MPs will debate Bill C-8 today including a controversial “spy clause”, despite warnings from experts and civil society groups

Ahead of a key House of Commons debate today, civil society groups and experts are warning that the government must fix fundamental constitutional flaws and a dangerous loophole in controversial cybersecurity legislation that has been reintroduced as Bill C-8 (previously Bill C-26). If this legislation fails to receive necessary consideration and amendments during the committee review process, it could permanently damage privacy rights in Canada.

Since the introduction of Bill C-26’s in 2022, this legislative proposal’s lack of privacy safeguards, its heavy reliance on secrecy, and its potential to undermine cybersecurity have been the subject of fierce controversy and criticism from a chorus of witnesses testifying about the need to amend the legislation including from the Privacy and Intelligence Commissioners of Canada. Bill C-8 replicates many of these critical flaws.

Experts and civil society have warned that the legislation would confer ministerial powers that could be used to deliberately or inadvertently compromise the security of encryption standards within telecommunications networks that people, governments, and businesses across Canada rely upon, each and every day.

The Intelligence Commissioner of Canada warned in testimony that, if passed, the bill would authorize warrantless seizure of sensitive private information, and questioned whether this approach can be constitutionally justified. His testimony further highlighted that “[t]he glaring absentee in this bill is the Canadian public. The information that is collected is Canadians’ personal information”, concluding that: 

“In light of the invasive nature of the Bill, it is important that meaningful safeguards be part of it so that Canadians have confidence in the cybersecurity system.”

The Privacy Commissioner of Canada emphasized that the legislation could result in the inappropriate collection and sharing of subscriber account information, communication data, website visits, metadata, location data and financial data. 

Despite the extraordinary scope of the powers in Bill C-8, even the bill’s minimal safeguards are not applicable to its vast new information collection powers. 

In re-introducing the bill without critical changes, the federal government is also doubling-down on encryption-breaking powers that were heavily criticized in the previous version. Civil Society and experts are now urging MPs to amend Bill C-8 to prohibit the government from issuing orders that could compromise the security of telecommunications facilities and services. Their call follows a series of warnings from cybersecurity experts in Canada and the US about the risks that a failure to address this matter would pose to Canada’s economy, and to the fundamental right to privacy of people across Canada:

  • Writing for The Globe & Mail, Citizen Lab’s Kate Robertson and Ron Deibert warn that the “secretive, encryption-breaking powers” in Bill C-8 “threaten the online security of everyone in Canada,” and that the bill “empowers government officials to secretly order telecommunications companies to install backdoors inside encrypted elements in Canada’s networks.”

  • In his testimony on Bill C-26, Eric Smith, Senior Vice-President at the Canadian Telecommunications Association, referenced the “very broad” order-making powers in the legislation, stating that “It could be requiring you not necessarily to take out equipment from your infrastructure, but to put certain equipment into your infrastructure, or to comply with certain standards. It could be weakening encryption, or it could be requiring you to intercept communications."

  • Citing the US as an example of government overreach that Canada should avoid, the Electronic Frontier Foundation stated that "the U.S. experience offers a cautionary tale of what can happen when a government grants itself broad powers to monitor and direct telecommunications networks, absent corresponding protections for human rights,” and warned that "without adequate safeguards, [Bill C-8] could open the door to similar practices and orders."

While the federal government has recently reaffirmed that it does not seek to compromise encryption in Canada, to date, the government has been loath to even acknowledge, let alone amend the encryption-breaking powers that are now being pushed forward again in Bill C-8. Bill C-8 would empower the federal government to secretly order telecom providers “to do anything or refrain from doing anything”, with no limits that would prevent such orders from being used to impose surveillance obligations on private companies, and to weaken encryption standards — something the public has long rejected as inconsistent with our privacy rights.

A series of sensible fixes to Bill C-26’s problems, inherited by Bill C-8, did not receive meaningful consideration as the bill was rushed through the Senate on the eve of Parliament’s prorogation. Yet Canadians deserve a bill that does not undermine their privacy or the very cybersecurity it is intended to address. 

Since Bill C-8 was tabled, nearly 3,000 members of OpenMedia’s community have written to their MPs to call for Bill C-8’s privacy problems to be fixed.

 

QUOTES:

“By failing to guarantee critical end-to-end encryption protocols will not be undermined, Bill C-8 risks doing more harm than good to cybersecurity. Its ongoing inclusion of warrantless data access mechanisms and use of a secrecy by default approach pose an additional threat to privacy and other civil liberties. We urge the government and parliamentarians to adopt important fixes to address these flaws.”

  • Tamir Israel, Director, CCLA’s Privacy, Surveillance & Technology program

“There is no such thing as a private intercepted message, and no backdoor that exists only for law enforcement. Our government knows it, yet their draft cybersecurity legislation Bill C-8 can be abused to surveil Canadians in secret, well beyond its legitimate purpose. We’re asking our government to fix key problems that were overlooked during Bill C-26’s deliberations, and pass legislation that protects Canadian cybersecurity and our privacy.”

  • Matt Hatfield, Executive Director at OpenMedia

“The Salt Typhoon cyber espionage campaign that exploited a mandated backdoor in US telecommunications companies is a dangerous wake up call that Canada can't afford to ignore. Locking your front doors won't stop the wrong people from coming in a backdoor you are legally required to keep open for law enforcement. C-8 could implant backdoors into virtually every aspect of our lives on and offline by preventing telecommunications networks from using the latest Internet standards and technologies like encryption. If you build it, there is no question that criminals and adversaries will come seeking to exploit, steal, sell, and replicate the backdoor - exposing people, businesses, and national security in Canada to unprecedented risk of harm.”

  • Natalie Campbell, Senior Director, North American Government and Regulatory Affairs, Internet Society

 

CONTACT:

Matt Hatfield

Executive Director, OpenMedia

[email protected]

1 (888) 441-2640 ext. 0

Natalie Campbell

Senior Director, North American Government and Regulatory Affairs, Internet Society

[email protected]

Tamir Israel

Canadian Civil Liberties Association (CCLA) 

[email protected] 

Press Contact

Matt Hatfield

Executive Director CANADA, Montreal Time Zone: 12:12 pm 1 (888) 441-2640 ext. 0

More Press Releases

OpenMedia works to keep the Internet open, affordable, and surveillance-free. We create community-driven campaigns to engage, educate, and empower people to safeguard the Internet. Take action now

View all campaigns
Take action now! Sign up to be in the loop Donate to support our work