Ottawa’s proposed strong-borders legislation could compromise cybersecurity in Canada by prohibiting electronic service providers from warning each other of vulnerabilities found in their systems so they can bolster their defences against hackers, experts warn.
The Canadian Civil Liberties Association said the proposed legislation, known as Bill C-2, contains a “sweeping provision” that, if the bill becomes law, would introduce a secrecy requirement running counter to how cybersecurity works.
The “prohibition on disclosure” covering electronic service providers includes a ban on disclosing “information related to a system vulnerability or potential systemic vulnerabilities in electronic protections employed by that service provider.”
Matt Hatfield, executive director of OpenMedia, which advocates for keeping the internet open and surveillance-free, said that security professionals and companies flagging system vulnerabilities they have discovered is a proven way to protect against hacking.
“It is extremely important that researchers be able to collaborate,” he said. “The greatest defence to our cybersecurity is that there is a community of white-hat security professionals who alert others to vulnerabilities.”
Bill C-2 would enable the federal government to issue orders potentially requiring social-media companies, e-mail and cellphone providers, and other digital services to re-engineer their platforms to help the Canadian Security Intelligence Service and the police access information.
The bill says that a service provider need not comply with the order if compliance would mean introducing a vulnerability into their system.
Mr. Hatfield said he feared that the bill could allow law enforcement to access data from within the system prior to encryption. He expressed concern that the non-disclosure clause may be designed to stop companies from disclosing interventions.
The CCLA says the government could force electronic services, including those operated by telecoms, to be redesigned in ways that significantly expand what data are accessible and the ability to access them.
Tamir Israel, director of the CCLA’s privacy, surveillance and technology program, said that during a technical briefing in July, Public Safety Department officials indicated the non-disclosure clause was a drafting error.
He said the department suggested at the briefing that the clause was intended to make a subset of systemic vulnerability information confidential temporarily in certain situations – for example, when a service provider initiates a court challenge of a government order.
“It is a little concerning to see this type of drafting error in a law of this size and complexity. It lends credence to the suggestion that this legislation was rushed,” he said.
“Sharing of vulnerability information is critical to cybersecurity, and there are numerous bodies established to share and publicize this type of information to make sure that discovered vulnerabilities are addressed by all impacted providers once they are discovered,” he added.
“This provision as drafted basically prevents any service provider from disclosing security vulnerability information regardless of how they discover it, ever. This would mean if they discovered a vulnerability, they wouldn’t be able to warn other service providers who use the same systems and are subject to the same vulnerability. They also couldn’t publicize it.”
Tim Warmington, spokesperson for the Public Safety Department, said in an e-mail that “we appreciate the concerns raised by stakeholders about this section of C-2.”
“The Government has been clear that it is open to consider proposed amendments to the legislation as the Bill continues through the legislative process in the House of Commons,” he added.
Bill C-2 is currently at second reading in the Commons. On Tuesday, NDP public safety critic Jenny Kwan called in the Commons for the bill’s withdrawal, saying it was flawed and would give the government fresh surveillance powers and compromise Canadians’ privacy.
She said it could allow law enforcement to demand information, without a warrant, about whether Canadians have used a range of services, including psychiatrists.
The MP also raised concerns that the bill would enhance the government’s ability to share information about Canadians with foreign powers such as the United States.
Conservative MP Brad Vis also raised concerns about the bill’s effect on Canadians’ privacy.
The omnibus bill, which includes clauses restricting access to asylum hearings and enables the immigration minister to cancel visa applications, is being shepherded through the Commons by Public Safety Minister Gary Anandasangaree.
In a statement, Mr. Anandasangaree’s office said that “we welcome all constructive debate on this matter to ensure that this legislation is effective, balanced, and responsive to Canadians’ needs.”
“As this Bill proceeds through Parliament, we will continue to support law enforcement, protect our borders, and ensure the safety of Canadians across the country,” it said.