Technology

This is a general catch-all category for all topics that relate to technology.

Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act

/ Christopher Parsons

Last month I published a report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act.” The report undertakes a critical analysis of Bill C-26 which would empower the government to compel critical infrastructure companies to undertake (or refrain from taking) activities the government was of the opinion would enhance the security of Canada’ critical infrastructure. The report begins by offering a background to why this legislation is seen as necessary by the government and, then, proceeds to assess the elements of the legislation which would modify the Telecommunications Act. Specifically, it focuses on issues associated with:

  • Compelling or directing modifications to organizations’ technical or business activities
  • Secrecy and absence of transparency or accountability provisions
  • Deficient judicial review processes
  • Extensive information sharing within and beyond Canadian agencies
  • Costs associated with security compliance
  • Vague drafting language

30 different recommendations are offered that, if adopted, would leave the government able to compel telecommunications companies to modify their practices while, simultaneously, imbuing the legislation with additional nuance, restraint, and accountability provisions. As drafted, today, the legislation prioritises secrecy at the expense of democratic accountability and would establish law that empowered actions which were unpredictable to private organizations and residents of Canada alike. The effect would be to empower the government to undertake lawful, if democratically illegible, activities. Cybersecurity requires a high degree of transparency and dialogue to be successfully implemented. Security can be and must be aligned with Canada’s democratic principles. It is now up to the government to amend its legislation in accordance with them.

Executive Summary

On June 14, 2022, the Government of Canada introduced “Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.” If passed into law, it will significantly reform the Telecommunications Act as well as impose new requirements on federally regulated critical infrastructure providers. This report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act,” offers 30 recommendations to the draft legislation in an effort to correct its secrecy and accountability deficiencies, while suggesting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These amendments must be seriously taken up because of the sweeping nature of the legislation.

As drafted at time of writing, Bill C-26 would empower the Minister of Industry to compel telecommunications providers to do or refrain from doing anything in the service of securing Canadian telecommunications networks against the threats of interference, manipulation, or disruption. The legislation would authorize the Minister to compel providers to disclose confidential information and then enable the Minister to circulate it widely within the federal government; this information could potentially include either identifiable or de-identified personal information. Moreover, the Minister could share non-confidential information internationally even when doing so could result in regulatory processes or private right of actions against an individual or organization. Should the Minister or other party to whom the Minister shares information unintentionally lose control of the information, there would be no liability attached to the government for the accident.

Where orders or regulations are issued, they would not need to be published in the Canadian Gazette and gags could be attached to the recipients of such orders. There may even be situations where the government could issue an order or regulation, with the aforementioned publication ban and gag, that runs counter to a decision by the Canadian Radio-television and Telecommunications Commission (CRTC) and that overrides aspects of that decision. And in any cases where a telecommunications provider seeks judicial review, it might never see the evidence used to justify an order or regulation. However, if a telecommunications provider is found to have deliberately ignored or failed to adhere to an order, then either the individuals who directed the action or the telecommunications provider could suffer administrative monetary penalties.

This report, in summary, identifies and analyzes a series of deficiencies in Bill C-26 as it is presently drafted:

  • The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.
  • The excessive secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.
  • Significant potential exists for excessive information sharing within the federal government as well as with international partners.
  • Costs associated with compliance with reforms may endanger the viability of smaller providers.
  • Vague drafting language means that the full contours of the legislation cannot be assessed.
  • No recognition of privacy or other Charter-protected rights exists as a counterbalance to proposed security requirements nor are appropriate accountability or transparency requirements imposed on the government.
  • Even if it is presumed that the government does need the ability to encourage or compel telecommunications providers to modify their technical or business operations to enhance the security of their services and facilities, it is readily apparent that more transparency and accountability should be required of the government. All of the recommendations in this report are meant to address some of the existent problems in the legislation.

Should these recommendations or ones derived from them not be taken up, then the government will be creating legislation of the worst kind insofar as it will require the public—and telecommunications providers—to simply trust that the government knows what it is doing, is reaching the right decisions, and that no need exists for a broader public discussion concerning the kinds of protections that should be put in place to protect the cybersecurity of Canada’s telecommunications networks. Cybersecurity cannot thrive on secretive and shadowy government edicts. The government must amend its legislation to ensure its activities comport with Canada’s democratic values and the norms of transparency and accountability.

Download a .pdf Version of “Cybersecurity Will Not Thrive in Darkness”

The Policy and Political Implications of ‘Securing Canada’s Telecommunications Systems’

/ Christopher Parsons
silhouette photo of transmission tower on hill
Photo by Troy Squillaci on Pexels.com

Many of Canada’s closest allies have either firmly or softly blocked Huawei and ZTE from selling telecommunications equipment to Internet service providers in their countries over the past several years. After repeated statements from Canadian government officials that a review of Huawei equipment was ongoing, on May 19, 2022 the government announced its own bans on Huawei and ZTE equipment. The government published an accompanying policy statement from Innovation, Science, and Economic Development (ISED) Canada on the same day.

This post begins by summarizing the possible risks that Chinese vendors might pose to Canadian networks. Next, it moves to discuss the current positions of Canada’s closest allies as well as Canada’s actions and statements pertaining to Chinese telecommunications vendors leading up to the May 2022 announcement. It then proceeds to unpack the government’s “Securing Canada’s Telecommunications System” policy statement. Some highlight findings include:

  • The government is unclear when it refers to “supply chain breaches”;
  • The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
  • Establishing the security and protection of telecommunications systems as an “overriding objective” of Canadian telecommunications policy could have long-term implications for Canadians’ privacy interests.

The post concludes by discussing the policy and political implications of the policy statement, why any telecommunications security reforms must not be accompanied by broader national security and law enforcement reforms, and why the Canadian government should work with allied and friendly countries to collectively assess telecommunications equipment.

Continue reading

Findings and Absences in Canada’s (Draft) International Cybersecurity Strategy

/ Christopher Parsons
low angle photography of high rise building
Photo by Andre Furtado on Pexels.com

For several years there have been repeated calls by academics and other experts for the Government of Canada to develop and publish a foreign policy strategy. There have also been recent warnings about the implications of lacking such a strategy. Broadly, a foreign policy strategy is needed for Canada to promote and defend its interests effectively.

Not only has the Government of Canada failed to produce a foreign policy strategy but, also, it has failed to produce even a more limited strategy that expresses how Canada will develop or implement the cyber dimensions of its foreign policy. The government itself has been aware of the need to develop a cyber foreign policy since at least 2010.1

As I have previously written with colleagues, an articulation of such a cybersecurity strategy is necessary because it is “inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.” To clearly and explicitly assert its underlying political values Canada needs to produce a coherent and holistic cyber foreign policy strategy.

On May 18, 2021 the Chief of the Communications Security Establishment, Shelly Bruce, stated that Global Affairs Canada (GAC) was leading the development of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative.” I subsequently filed an ATIP for it and received the relevant documents on March 31, 2022.2 GAC’s response included successive drafts of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative” (hereafter the ‘Strategy’ or ‘CICSDI’) from January 2021 to May 2021.

Some of my key findings from the CICSDI include:

  1. The May 2021 draft links the scope of the Strategy to order and prosperity as opposed to advancing human rights or Canadian values.
  2. The May 2021 draft struck language that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors”. The effect may be to reduce the explicit expectation or requirement of government organisations to assist in mitigating nation-state operations towards private individuals and organisations.
  3. The May 2021 draft struck language that GAC would create a cyber stakeholder engagement action plan as well as language that GAC would leverage its expertise to assist other government departments and agencies on engagement priorities and to coordinate international outreach.
  4. None of the drafts include explicit reference to pressing international issues, including: availability of strong encryption, proliferation of cyber mercenaries, availability and use of dual-use technologies, online harms and disinformation, authoritarian governments’ attempts to lead and influence standards bodies, establishing a unit in GAC dealing with cyber issues that would be equivalent to the US State Department’s Bureau of Cyberspace and Digital Policy, or cyber operations and international law.
  5. None of the drafts make a positive case for what would entail an appropriate or responsible use of malware for cyber operations.

In this post I summarise the highlights in the drafts of the Strategy and, then, proceed to point to larger language and/or policy shifts across successive drafts of the CICSDI. I conclude by discussing some policy issues that were not mentioned in the drafts I obtained. While the draft has never been promulgated and consequently does not formally represent Canada’s foreign cybersecurity strategy it does present how GAC and the government more broadly conceptualised elements of such a strategy as of early- to mid-2021.

Continue reading

Public and Privacy Policy Implications of PHAC’s Use of Mobility Information

/ Christopher Parsons

Last week I appeared before the House of Commons’ Standing Committee on Access to Information, Privacy, and Ethics to testify about the public and private policy implications of PHAC’s use of mobility information since March 2020. I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If interested, my oral comments are available to download. What follows in this post is the content of the brief which was submitted.

Introduction

  1. I am a senior research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, and focuses on issues of national security, data security, and data privacy. While I submit these comments in a professional capacity they do not necessarily represent the full views of the Citizen Lab.
Continue reading

Lawful Access Returns: Online Harms and Warrantless Access to Subscriber and Transmission Data

/ Christopher Parsons
zombies behind shabby door
Photo by cottonbro on Pexels.com

For the better part of twenty years, law enforcement agencies in Canada have sought warrantless access to subscriber data that is held by telecommunications service providers and other organizations. The rationale has been that some baseline digital identifiers are needed to open investigations into alleged harms or criminal activities that have a digital nexus. Only once these identifiers are in hand can an investigation bloom. However, due to the time that it takes to obtain a relevant court order, as well as challenges in satisfying a judge or justice that there is a legitimate need to obtain these identifiers in the first place, these same agencies recurrently assert that an initial set of seed digital identifiers should be disclosed to officers absent a court order.

The Government of Canada has, once more, raised the prospect of law enforcement officers obtaining subscriber or transmission data without warrant when undertaking activities intended to “enhance efforts to curb child pornography.” This time, the argument that such information should be made available is in the context of combatting online harms. The government has heard that companies should include basic subscriber or transmission data in their child pornography-related reports to law enforcement, with the effect of law enforcement agencies getting around the need to obtain a warrant prior to receiving this information.

In this post I start by discussing the context in which this proposal to obtain information without warrant has been raised, as well as why subscriber and transmission data can be deeply revelatory. With that out of the way, I outline a series of challenges that government agencies regularly experience but which tend not to be publicly acknowledged in the warrantless access debates associated with child sexual abuse material (CSAM). It is only with this broader context and awareness of the challenges facing government agencies in mind that it becomes apparent that warrantless access to subscriber or transmission data cannot ‘solve’ the issues faced by agencies which are responsible for investigating CSAM offences. To develop appropriate policy solutions, then, we must begin by acknowledging all of the current obstacles to investigating these offences. Only then can we hope to develop proportionate policy solutions.

Continue reading

Canadian Government’s Pandemic Data Collection Reveals Serious Privacy, Transparency, and Accountability Deficits

/ Christopher Parsons
faceless multiethnic students in masks in subway train with phone
Photo by Keira Burton on Pexels.com

Just before Christmas, Swikar Oli published an article in the National Post that discussed how the Public Health Agency of Canada (PHAC) obtained aggregated and anonymized mobility data for 33 million Canadians. From the story, we learn that the contract was awarded in March to TELUS, and that PHAC used the mobility data to “understand possible links between movement of populations within Canada and spread of COVID-19.”

Around the same time as the article was published, PHAC posted a notice of tender to continue collecting aggregated and anonymized mobility data that is associated with Canadian cellular devices. The contract would remain in place for several years and be used to continue providing mobility-related intelligence to PHAC.

Separate from either of these means of collecting data, PHAC has been also purchasing mobility data “… from companies who specialize in producing anonymized and aggregated mobility data based on location-based services that are embedded into various third-party apps on personal devices.” There has, also, been little discussion of PHAC’s collection and use of data from these kinds of third-parties, which tend to be advertising and data surveillance companies that consumers have no idea are collecting, repackaging, and monetizing their personal information.

There are, at first glance, at least four major issues that arise out of how PHAC has obtained and can use the aggregated and anonymized information to which they have had, and plan to have, access.

Continue reading