New cybersecurity protections are needed to protect Canada’s critical infrastructure – but must be balanced with appropriate safeguards to prevent their abuse and misuse.1 We rely on access to essential services, like the Internet, to participate in democratic life; Canada can’t afford prolonged attacks or Internet outages. While the new cybersecurity elements of Bill C-26 are designed to better safeguard essential services – like our access to the Internet – as drafted, they lack crucial provisions that promote public transparency, accountability, and oversight. To give a few examples:
- Bill C-26 empowers the executive branch of the Canadian government to permanently disconnect anyone in Canada from the Internet – in complete secrecy! This sweeping new power will allow a cabinet minister to issue a secret order to any Internet Service Provider (ISP) to permanently disconnect anyone in Canada from accessing the Internet if they believe they are connected to cybersecurity issues. The catch? Because of how modern botnets work, there’s a very real risk that any of us could be secretly and indefinitely disconnected from the Internet because, unknown to us, one of our devices has been compromised.2
- Bill C-26 forces ISPs into new information sharing arrangements with Canada’s spy agencies.3 Currently, Canada’s spy agencies are limited in how they access the sensitive, private information of people in Canada; judicial oversight is required before ISPs respond to lawful access requests for things like records related to our use of the Internet. Bill C-26 radically changes that, allowing for Canada’s spy agencies to permanently implant themselves within our telecommunications infrastructure, hoovering up as much of our sensitive data as they can, and sharing it with their five-eyes spying partners around the world.
- Power left in the dark often goes wrong.4 Unlike the hard fought for safeguards we’ve built into the rest of our justice and security system, Bill C-26 has no mandatory public disclosure requirements, and no requirement to assess whether steps taken have undue privacy or equity impacts for Canadians. While there is an understandable need for some degree of confidentiality in this sphere, the public needs to have a sense of how these powers are being exercised, how often, and to what effect – if decision-makers are to be held to account.
There’s no reason why we can’t have cybersecurity protections alongside the essential privacy and due process protections that allow us to participate in democratic life. As currently written, Bill C-26 strikes the wrong balance, granting overly broad powers to the executive branch of the Canadian government without the necessary accountability, transparency, and oversight mechanisms that are required to protect our fundamental rights. Sign the petition to fix Bill C-26!