The Right Honourable. Mark Carney, P.C., O.C., M.P.
Prime Minister of Canada
The Honourable Gary Anandasangaree P.C., M.P.
Minister of Public Safety
CC:
The Honourable Lena Metlege Diab P.C., M.P.
Minister of Immigration, Refugees and Citizenship
The Honourable Sean Fraser P.C., M.P.
Minister of Justice and Attorney General of Canada
Open Letter: Bill C-2 Strong Borders Act
Dear Prime Minister Carney and Minister Anandasangaree,
The undersigned civil society organizations, companies, and cybersecurity experts, including members of the Global Encryption Coalition, urge the federal government to withdraw Bill C-2, An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures (Strong Borders Act).
Bill C-2’s stated aim is to improve security, but Parts 14 and 15 would do just the opposite by giving the Canadian government broader powers to access private information without a warrant and force services to install “technical capabilities” to access Canadians’ encrypted communications and sensitive data. The consensus among cybersecurity experts is clear. There is no way to provide backdoor access to encrypted data and communications without compromising the privacy and security of millions of law-abiding citizens. Failing to ensure adequate safeguards for use of encryption could lead to poor interpretations of the bill’s supposed protections against “systemic vulnerabilities,” leading to encryption backdoors.
Forcing businesses to create backdoors for law enforcement and intelligence agencies would:
- jeopardize the security and privacy of people in Canada and abroad, including children and vulnerable communities.
- expose Canadians to domestic and international surveillance.
- undermine the growth and resilience of Canada’s digital economy.
- subject Canadians to the rising cost of cybercrime.
Strong encryption is crucial to keep private information out of the wrong hands. In a digital society where online services, including AI companies, are increasingly collecting, compiling, and selling identifiable and sensitive data, encryption is often our last line of defense for privacy and security online. Preventing people and businesses from protecting themselves with the strongest security tools available would be disastrous.
Breaking encryption is a threat to border security and national security
There is no such thing as a backdoor that is only open to law enforcement and intelligence agencies. And if you build it, the question is not ‘if’ adversaries will exploit the vulnerability, but ‘when’.
The 2024 Salt Typhoon cyber espionage campaign is a stark reminder that backdoors are never only available to the ‘good guys’. Nation-state attackers gained access to highly sensitive US national security information in part using a built-in wiretap capability in US telecommunications networks. Furthermore, infected US telecommunications companies may never be able to undo the espionage campaign’s compromise to their networks. Salt Typhoon’s wiretap breach happened as a result of a US policy decision that forced telecommunications infrastructure companies to create a dangerous backdoor that attackers could exploit. Part 15 of Bill C-2 could do far worse—threatening the security of virtually any Internet-based service (within Canada and abroad) that receives similar orders, as well as the individuals and businesses that rely on them.
The Canadian Centre for Cyber Security recently issued a bulletin about Salt Typhoon’s distinct impact on Canadian companies, and that at least one telecommunications company may have already been targeted.
Canada will become a hotbed for cyber incidents and Canadians will shoulder the cost
Canadians are increasingly at risk of data breaches and financially motivated cybercrime. Statistics Canada says Canadian businesses spent 1.2 billion on cyber incident recovery in 2023. Strong encryption is crucial to help prevent and mitigate the impact of cyber incidents. It allows people, businesses, and networks to send sensitive information over the Internet so eavesdroppers and attackers cannot see or tamper with the content. This is critical to making sure online services (e.g., banking, ecommerce, tax filing, telemedicine)—as well as the Internet infrastructure that makes them possible—operate in the way that people and businesses expect. The volume and impact of cyber incidents could soar under Part 14 and 15 of Bill C-2 and the cost will most certainly be passed onto consumers, contributing to an already growing cost of living and doing business in Canada.
Bill C-2 will push innovation, talent, and investment dollars away from Canada
Requiring businesses to reconfigure their systems specifically to enable access to communications systems to comply with government orders would force businesses to choose between weakening the security of their services, putting users’ security and privacy risk, or withdrawing their secure services and/or products from Canada altogether. Either choice will weaken security for Canadians.
This has already happened. A recent United Kingdom (UK) government order issued to Apple under its Investigatory Powers Act led Apple to stop offering Advanced Data Protection within the UK, rather than weaken the security of its product by providing the UK government with backdoor access. The so-called protections related to “systemic vulnerabilities” in Part 15 of Bill C-2 are not adequate to protect the security and integrity of Canadian data.
While some businesses may choose to move out of Canada altogether, Canadian companies that are not able to leave the jurisdiction will likely suffer the economic consequences of a distrusted tech sector. An Internet Society-commissioned report on the economic consequences of laws that weaken encryption found that Australia’s Telecommunications and Other Legislation Amendment (Assistance and Access) (TOLA) Act caused massive distrust in Australia’s tech sector and significant financial losses. One company interviewed estimated an “adverse economic impact” to the order of AU$1 billion.
Vulnerable populations will be at greater risk of harm
Bill C-2’s lawful access provisions would erode a last line of defense to ensure people can have safe experiences on and offline. International human rights bodies and child safety experts have recognized the importance of encryption to protect the safety and privacy of people, including children and vulnerable communities. Encryption ensures people have safe lines of communication online when they need it most. For survivors of domestic violence, encryption is a lifeline that secures confidential communication about escape plans and protecting victims (including children) from abusers. For children, it means schools and health authorities can help keep their sensitive data out of the hands of predators. For Indigenous communities and marginalized groups, it can help create safe spaces to engage in advocacy and connect with communities while avoiding harassment and surveillance online. Encryption also protects people from transnational repression, shielding sensitive data from other governments that could misuse it to silence criticism through intimidation or threats of violence.
Bill C-2 sets up Canadians for international surveillance
Bill C-2 could expose everyone in Canada to international surveillance. This would include information sharing amongst intelligence partners like the US, Australia, and the UK if its powers are used to support foreign law enforcement requests. For instance, Canada is currently negotiating a CLOUD Act (Clarifying Lawful Overseas Use of Data Act) agreement with the US, which could give the US greater power to advance their domestic law enforcement interests in Canada. Such an agreement could incentivize and give leverage to US authorities to ask the Canadian government to force companies to create encryption backdoors. Enabling governments intrusive warrantless access to sensitive information could have the effect of turning regular citizens and institutions into foreign assets, including immigration lawyers, healthcare providers, and academic institutions.
Prime Minister Carney and Minister Anandasangaree: Don’t make one of your first acts of Parliament to jeopardize Canada’s digital security, privacy, and safety on and offline.
The undersigned signatories ask that the federal government withdraw Bill C-2 to address the immediate threats in Part 14 and 15 and conduct a full study including consultations and an Internet Impact Assessment to mitigate other risks in the Bill. This due diligence will help ensure the Bill aligns with its goals to improve safety in Canada, by making sure people and businesses have the strongest tools to avoid data breaches and the next major cyberattack, promote the resilience of Canada’s digital economy, and protect people and vulnerable communities from harm.
Signatories:
Organizations
Africa Rural Internet and STEM Initiative (AFRISTEMI)
British Columbia Civil Liberties Association
Center for Democracy & Technology
Emerald Onion
Indigenous Connectivity Institute
International Civil Liberties Monitoring Group
Internet Society
Internet Society UK England Chapter
Internet Society Manitoba Chapter Inc.
Internet Society Québec Chapter
LGBT Tech
OpenMedia
Privacy & Access Council of Canada
SECURECRYPT
The Tor Project
Tuta Mail
Individual Experts*
Sofia Celi, Brave / University of Bristol
Robert Diab, Thompson Rivers University
Dr. Jean Dinco
Jeff Doctor, Animikii Indigenous Technology
Dr. Richard Forno, UMBC Cybersecurity Institute
Ronald L. Rivest, MIT
Kate Robertson, Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto
Adam Shostack, Author, Threat Modeling: Designing for Security
Kris Shrishak, ICCL – Enforce
Chad Walter, Paperclip Inc.
Daniel Zappala, Brigham Young University
*Affiliations listed for identification purposes only
