There’s a lot going on in the world of tech these days and Bill C-8 is one bill being proposed. This is what we found.
There’s a lot going on these days. There’s the question of whether or not Canada’s failed Online News Act and dangerous Online Streaming Act can survive court challenges and trade challenges from the US, the warrantless wiretapping being unexpectedly rammed through under the guise of “border security”, age verification tearing free speech apart, and, of course, a whole host of things going on south of the border that are worrying for very obvious reasons. Reporting on things felt like a case of picking and choosing which insane thing is going to get some attention around here.
Today, however, I decided to try and get to something that I’ve been meaning to get to for quite a while: discussing Bill C-8, Canada’s cyber security bill. Admittedly, I’m a bit less familiar with what this bill represents, so I wanted to change that and offer my thoughts on the provisions of this bill through a thorough analysis of this, well, rather lengthy bill. So, here it finally is! Freezenet’s analysis of Bill C-8.
For this analysis, we will use the most recent version of the legislation. That is, of course, the first reading of the bill. This can be found here, so you can read along with me as I go through this bill clause by clause. Obviously, I won’t be re-posting the entire bill, but I will be posting the notable sections I found interesting that are related to digital rights and discussing what I found. So, let’s begin.
Removal of a Person
Early on, we found this:
Security of Canadian telecommunications system — Order in Council
15.1 (1) If the Governor in Council believes on reasonable grounds that it is necessary to do so to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation, the Governor in Council may, by order and after consultation with the persons the Governor in Council considers appropriate,
(a) prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or any part of those networks or facilities; or
(b) direct a telecommunications service provider to remove all products provided by a specified person from its telecommunications networks or telecommunications facilities, or any part of those networks or facilities.
There is some vagueness with this provision, but generally speaking, this appears to target those doing things like DDoS (Distributed Denial of Service) attacks, hacking infrastructure, and other related activities. The funny thing about this is that such activities are generally already violations of the Internet Service Provider’s (ISP) terms and conditions anyway, so enforcing those contracts would basically accomplish the same thing. This is further cemented by this provision a little later on:
Factors
(4) Before making the order, the Governor in Council must consider
(a) its operational impact on the affected telecommunications service providers;
(b) its financial impact on the affected telecommunications service providers;
(c) its effect on the provision of telecommunications services in Canada; and
(d) any other factor that the Governor in Council considers relevant.
So, nothing to really get worked up over on these provisions that I can tell.
When reading through 15.2, I had to go back and forth to determine the differences between the two sections. It appears that 15.1 is what the Governor in Council can order while 15.2 is what a Minister can order.
I’m aware of some sources freaking out about the prospect of the government basically kicking people off the internet through these provisions. If these two sections were worded to say something along the lines of “if there is reason to believe that a contravention of an Act of Parliament” as opposed to “reasonable grounds that it is necessary to do so to secure the Canadian telecommunications system”, then I would be up in arms over these two provisions, but the way it’s worded now, I’m struggling to get worked up over it.
Duty to Report a Security Incident
Moving into Part II, I saw the following:
Report — cyber security incident
17 A designated operator must, within a period prescribed by the regulations, not to exceed 72 hours, report a cyber security incident in respect of any of its critical cyber systems to the Communications Security Establishment in accordance with the regulations, for the purpose of enabling the Communications Security Establishment to exercise its powers or perform its duties and functions.
Notify
18 Immediately after reporting a cyber security incident, the designated operator must
(a) notify the appropriate regulator, in the form and manner prescribed by the regulations that the report was made; and
(b) give a copy of the report to the appropriate regulator.
Communications Security Establishment — provision of incident report
19 The Communications Security Establishment must, without delay, at the request of a regulator, give that regulator a copy of any incident report or any portion of it that relates to a designated operator in respect of which that regulator is the appropriate regulator, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations.
One of the things I’ve long argued for when talking about privacy reform is the idea that if a company gets hacked, then it should be law that they disclose such incidences. The reason for this is because companies are known to have a financial incentive to hide such incidences from everyone. This is because share values can drop and they could theoretically be open to litigation if they know they were negligent in storing personal information. The knock-on effect is that people will suddenly find out that their personal information was stolen and have their bank account cleaned out after. They’ll have no real means to determine how this happened in the first place. While the above provision could have been stronger, a weak provision is better than no provision.
What Others Say About Encryption
After reading through the rest of the bill, I admittedly became confused. This is because others, like Open Media, state that this law could undermine encryption:
The main problem is that Bill C-8 contains glaring flaws that could permanently break Canadian privacy. Yet it’s moving rapidly through Parliament, and could be passed without fixing its massive gaps in accountability and transparency.[11]
The bill gives the government power to compel companies to weaken encryption, which compromises the very foundation of securing your online activities from banking to personal communications. It also lets officials issue secret orders that never expire with no oversight, no checks, and no avenue for challenge.
It could also require ISPs, banks, and other companies to hand over huge amounts of our user data, without strong safeguards to prevent misuse for non-cybersecurity purposes. Safeguards proposed by civil society groups during C-26 were only partially adopted,[12] and Bill C-8 still carries major gaps in oversight, transparency and privacy protection.
So, it appears to be a question of whether the bill does enough to prevent misuse. That is, while the provisions about accessing infrastructure are simply about ensuring compliance with security standards, there’s not really much preventing the government from using the information it gets for purposes unrelated to compliance. What’s more, the provisions do allow the government to assess security infrastructure. An example provision is this:
Authority to enter place — inspector
41 (1) Subject to subsection 42(1), the inspector may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which they have reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located.
Powers of entry
(2) For the purpose referred to in subsection (1), the inspector may
(a) examine anything in the place;
(b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it;
(c) prepare a document, or cause one to be prepared, based on the information;
(d) examine any record, report, data or other document and make copies of it or take extracts from it;
(e) use any copying equipment in the place or cause it to be used; and
(f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it.
These provisions are sprinkled throughout the bill as they relate to different industries. The reason I ended up not really flagging them in my initial reading was because I took them to be in the context of Sections 15.1 and 15.2, or “is the security being employed sufficient?”
Another analysis by Matt Malone noted the encryption concerns, but cited something else completely:
Other order-making powers in Part I under section 15.2 have been critiqued by The Citizen Lab: “all telecom providers in Canada would be compellable through secret orders to install backdoors inside Canada’s networks by weakening encryption or network equipment.”[39] They note specifically: “[T]he broad language in subsections 15.2(2)(c), (l), and (m) could be used to order Canadian telecommunications companies to install lawful-access related measures in encrypted components of Canada’s telecommunication networks.”[40] Measures in Bill C-2, An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures, exacerbate the concerns about legitimizing access to sensitive personal information.
With respect to the latter, I’m not sure I really follow. This is because the language of 15.2 specifies that this is all in relation to securing “the Canadian telecommunications system”, not contraventions of any law passed as an Act of Parliament or specifically Bill C-2. So, I’m personally not really following that argument.
With respect to the former point, 15.2(2)(c), (l), and (m) read as follows:
Order
(2) If the Minister believes on reasonable grounds that it is necessary to do so to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation, the Minister may, by order,
[…]
(c) impose conditions on a telecommunications service provider’s use of any product or service, or any product or service provided by a specified person, including a telecommunications service provider;
[…]
(l) require that a telecommunications service provider implement specified standards in relation to its telecommunications services, telecommunications networks or telecommunications facilities;
(m) direct a telecommunications service provider to do a specified thing or refrain from doing a specified thing, other than a thing specified in subsection (1) or 15.1(1); or
You can probably see why I ended up more or less glossing over these provisions. I had to read over these provisions multiple times to try and figure out how one could get “could be used to order Canadian telecommunications companies to install lawful-access related measures in encrypted components of Canada’s telecommunication networks.” Ultimately, I did find a way, so it is a valid point as far as I’m concerned.
So, with Bill C-8, the idea is that someone from the government would approach a company and say that it is required to implement a certain security standard. Not a big deal, right? Well, with Bill C-2, that security standard could be required to include back door access for the government, undermining security and allowing the government to spy on a specific user.
There is a political caveat to this. That caveat being that both bills have to become law for this to happen. Still, it is technically possible that this can happen. Consider it a legal backdoor to get a security backdoor in place.
Conclusions
Bill C-8 has a lot of text, but not a lot that actually winds up being particularly relevant. Still, what is relevant is actually quite a difficult thing to catch. Even I missed some of the provisions in my initial read-through and had to look at what others were seeing in this bill to figure that one out. After all, this bill does have a lot of cryptic language, so it’s not that surprising.
Either way, this bill definitely contains components that could help bring in warrantless wiretapping. While this bill alone may or may not be enough to get the job done, when combined with Bill C-2, that picture becomes complete. Critically, there isn’t really much in the way of safeguards to prevent the shoehorning of warrantless wiretapping into private businesses, as Open Media points out. While not the biggest threat to digital rights, it certainly is one.
Drew Wilson on Mastodon, Twitter and Facebook.