Canada wants the power to create backdoors in telecom networks for surveillance

Kate Robertson is a senior research associate and Ron Deibert is director at the University of Toronto’s Citizen Lab.

A federal cybersecurity bill, slated to advance through Parliament soon, contains secretive, encryption-breaking powers that the government has been loath to talk about. And they threaten the online security of everyone in Canada.

Bill C-26 empowers government officials to secretly order telecommunications companies to install backdoors inside encrypted elements in Canada’s networks. This could include requiring telcos to alter the 5G encryption standards that protect mobile communications to facilitate government surveillance.

The government’s decision to push the proposed law forward without amending it to remove this encryption-breaking capability has set off alarm bells that these new powers are a feature, not a bug.

There are already many insecurities in today’s networks, reaching down to the infrastructure layers of communication technology. The Signalling System No. 7, developed in 1975 to route phone calls, has become a major source of insecurity for cellphones. In 2017, the CBC demonstrated how hackers only needed a Canadian MP’s cell number to intercept his movements, text messages and phone calls. Little has changed since: A 2023 Citizen Lab report details pervasive vulnerabilities at the heart of the world’s mobile networks.

So it makes no sense that the Canadian government would itself seek the ability to create more holes, rather than patching them. Yet it is pushing for potential new powers that would infect next-generation cybersecurity tools with old diseases.

It’s not as if the government wasn’t warned. Citizen Lab researchers presented the 2023 report’s findings in parliamentary hearings on Bill C-26, and leaders and experts in civil society and in Canada’s telecommunications industry warned that the bill must be narrowed to prevent its broad powers to compel technical changes from being used to compromise the ”confidentiality, integrity, or availability” of telecommunication services. And yet, while government MPs maintained that their intent is not to expand surveillance capabilities, MPs pushed the bill out of committee without this critical amendment last month. In doing so, the government has set itself up to be the sole arbiter of when, and on what conditions, Canadians deserve security for their most confidential communications – personal, business, religious, or otherwise.

The new powers would only make people in Canada more vulnerable to malicious threats to the privacy and security of all network users, including Canada’s most senior officials. Encryption of 5G technology safeguards a web of connection points surrounding mobile communications, and protects users from man-in-the-middle attacks that intercept their text and voice communications or location data. The law would also impact cloud-connected smart devices like cars, home CCTV, or pacemakers, and satellite-based services like Starlink – all of which could be compromised by any new vulnerabilities.

Unfortunately, history is rife with government backdoors exposing individuals to deep levels of cyber-insecurity. Backdoors can be exploited by law enforcement, criminals and foreign rivals alike. For this reason, past heads of the CIA, the NSA and the U.S. Department of Homeland Security, as well as Britain’s Government Communications Headquarters (GCHQ) and MI5, all oppose measures that would weaken encryption. Interception equipment relied upon by governments has also often been shown to have significant security weaknesses.

The bill’s new spy powers also reveal incoherence in the government’s cybersecurity strategy. In 2022, Canada announced it would be blocking telecom equipment from Huawei and ZTE, citing the “cascading economic and security impacts” that a supply-chain breach would engender. The government cited concerns that the Chinese firms might be “compelled to comply with extrajudicial directions from foreign governments.” And yet, Bill C-26 would quietly provide Canada with the same authority that it publicly condemned. If the bill passes as-is, all telecom providers in Canada would be compellable through secret orders to weaken encryption or network equipment. It doesn’t just contradict Canada’s own pro-encryption policy and expert guidance – authoritarian governments abroad would also be able to point to Canada’s law to justify their own repressive security legislation.

Now, more than ever, there is no such thing as a safe backdoor. The GCHQ reports that the threat from commercial hacking firms will be “transformational on the cyber landscape,” and that cyber mercenaries wield capabilities rivalling that of state cyber-agencies. If the Canadian government compels telcos to undermine security features to accommodate surveillance, it will pave the way for cyberespionage firms and other adversaries to find more ways into people’s communications. A shortcut that provides a narrow advantage for the few at the expense of us all is no way to secure our complex digital ecosystem.

Against this threat landscape, a pivot is crucial. Canada needs cybersecurity laws that explicitly recognize that uncompromised encryption is the backbone of cybersecurity, and it must be mandated and protected by all means possible.

Read More

Kate Robertson Ron Deibert