(Version française disponible ici)

Canada’s digital charter carried a core promise of keeping Canadians safe and secure online when it was announced in 2019. Yet, it appears to have become a legislative version of vapourware – a product announced, never to be released.

Not one of the charter’s underlying bills has become law. The government even initially refused to share many legislative amendments with the parliamentary committee charged with studying them.

Ottawa’s funding decisions and its attitudes toward transparency all make clear that its priorities lie elsewhere.

The government often moves to protect its own interests – rather than those of Canadians – when it does act on online safety.

After cyberattacks compromised more than 11,000 credentialsthe Canada Revenue Agency in 2020, the agency responded by tightening its privacy statement for the electronic tax-filing service NETFILE to clear itself of liability in the event of future data security breaches.

Law enforcement has also struggled to adapt to new threats presented by the online landscape. Five years ago, the government promised a centralized reporting site to help combat increased online scams that have reached new heights year after year. But it is still in beta testing and two years behind schedule.

The RCMP operates the national cybercrime and fraud reporting system with just 105 employees for the entire country with no cybercrime investigators in Saskatchewan, Manitoba or anywhere in the Maritimes, according to a government response to my access-to- information request.

The critical shortage of cybersecurity expertise

Canada’s fledgling cybersecurity centre must do more collaborating and educating

Don’t give more powers to CSE until it submits to effective review

By contrast, the online directory of federal employees currently shows 102 employees whose job title includes “social media” and almost 4,000 employees whose job title includes “communications.”

Canada’s digital security spending has been inefficient, too. For example, the government’s $28.5-million cybersecurity certification program, formally launched in 2020 for small- and medium-sized businesses, had delivered only 41 certificates as of August 2023 – after promising 5,000.

The trend was downward: only two were from 2023. Despite the poor performance, the government has announced a cybersecurity certification program for defence contracts with a $25-million price tag.

SIGN UP

The inner workings of government

Keep track of who’s doing what to get federal policy made. In The Functionary.

Read it now.

SUBSCRIBE

The Functionary

Our newsletter about the public service. Nominated for a Digital Publishing Award.

Canada’s digital security measures have likewise been criticized as outdated and for not keeping up with those of peer countries. The United States, Australia and the United Kingdom have laws regarding cybersecurity for critical infrastructure. Canada still does not.

The proposed Canadian bill in this area has been languishing for more than a year and is based on an already-replaced European law. The proposed law does not mention ransomware, even though more than half of the reports to the RCMP cybercrime reporting system involve the malicious cyber activity that blocks access to computer sites until money is paid.

As for the proposed privacy law from the digital charter, it would not update the outdated consent model constantly being perpetuated in website and app privacy notices. It would place no meaningful constraints on data transfers abroad. It avoids specific meaningful measures for protecting children.

It is also notable for failing to bring government conduct under stricter regulation. It covers only the private sector.

The extent of the problems Canada faces online is made worse by the antagonism many federal institutions show toward transparency in the use of technology.

Multiple federal institutions have been using tools capable of extracting personal data from phones or computers of government employees without having conducted privacy-impact assessments, as required by government policy.

The Communications Security Establishment, one of Canada’s key security and intelligence organizations, has been called out for ignoring requests for information by its own oversight body. In a worrying sign of its lack of commitment to respecting human rights online, the agency did not acknowledge in a response to an access-to-information request whether it has used, or is actively using, mercenary proprietary spyware.

As for funding decisions on technology procurement, the scandals of ArriveCAN during the COVID-19 pandemic and the Phoenix pay system for government employees speak for themselves. The federal government showers cash on consultants for such projects, yet vital components of Canadian democracy are weakened through underfunding.

It also offers foreign companies like Stellantis and Volkswagen assurances of capital and tax credits in amounts that at least surpass annual spending on national defence.

Just as the digital charter has resulted in little action, promises of transparency have proven to be a familiar political ritual. In 2014, then-Opposition MP Justin Trudeau introduced his first private member’s bill, the Transparency Act, to draw attention to problems with access to information.

But eight years into the Trudeau government, Information Commissioner Caroline Maynard has stated in unequivocal terms that “it is clear that improving transparency is not a priority for the government.”

On balance, federal tech policies and priorities are increasingly making Canadians unsafe and insecure through privacy and data protection legislation that deprives citizens and regulators of meaningful enforcement powers, funding priorities deeply out of touch with needs, and gaps in law and policy that the government shows no urgency to fill.