The Government of Canada introduced Bill C-63, the Online Harms Act, on 26 February 2024. As the name implies, the Bill seeks to address certain harms that people see online through various public platforms.
The Internet Society was extremely concerned about this legislation, mainly because early discussions of what the Bill might do contained alarming ideas about what is and is not technically possible in a functioning Internet. We feared that, when introduced, the Bill would contain provisions that would permanently harm the experience of the Internet in Canada.
Instead, what we see appears to be a genuine effort to grapple with content many people find problematic, but without damaging the fundamentals of the Internet. It is clear that this was drafted with an eye to the responsibility of a system operator on the Internet and without the intent to regulate the fundamentals of the Internet itself. This is a great example of how to regulate certain terrible content online without catching far too much in the regulation and without damaging the security, trustworthiness, or operation of the Internet itself. In that way, the Bill preserves the potential of the Internet to continue to be a resource for all and a source of good in society.
Notably, the Bill places private communications firmly out of scope and does not impose an overarching duty to scan all content on platforms. Those are easy targets for many governments but introduce dangerous unintended consequences. Yet this bill carefully excludes them from consideration.
Contrast this legislation with some other bills or laws in Canada and other countries that could have serious consequences for how the Internet functions:
The Canadian S-210 (a Bill, not yet law)
Intention: Prevent children from being exposed to pornographic material online.
Consequence: Makes every service (Internet service providers, content delivery networks, etc.) anywhere on the path from the original server where the pornographic material originates to the eyeballs of the end user responsible for validating a user’s age, even if there is no way for the service provider to know what the content of the message is.
Internet fundamental ignored: The Internet is a large distributed system with many intermediaries that may have no direct relationship with the endpoints of any given communication.
The US STOP CSAM Act and EARN IT Act (Bills that are not yet law)
Intention: Prevent the spread of various (generally illegal) content online.
Consequence: Create liability for online services and systems by forcing them to break (or never introduce) end-to-end encryption.
Internet fundamental ignored: End-to-end encryption is the only way to truly protect both the privacy and authenticity of messages online. Your health or banking information should not be compromised so that online system operators can avoid liability.
The UK Online Safety Act (a law passed in the UK in 2023)
Intention: Among other things, reduce online harms by giving the independent regulator Ofcom the power to compel online services and platforms to perform mass surveillance by scanning content.
Consequence: To do this, it would be necessary to break the security and privacy provided by end-to-end encryption.
Internet fundamental ignored: There is no technical way to achieve what the Act requires (something which appears to have been implicitly conceded by the sitting Government).
The European Union Child Sexual Abuse (CSA) content draft regulation
Intention: Eliminate dissemination of CSA content online by requiring platforms to scan user content for any CSA material.
Consequence: This would require breaking end-to-end encryption. Some have proposed having the end devices do the scanning instead, which moves the problem of security to the computer where the message originated. This is like preventing interference of sealed envelopes traveling through the physical mail system by having someone read over every letter writer’s shoulder and acting as a censor.
Internet fundamental ignored: Again, end-to-end encryption is the only way to truly protect both the privacy and authenticity of messages online.
What all these bills, laws, and regulations have in common is that they ignore the fundamental design of the Internet and undermine one or more of the things that are necessary to have the Internet at all.
The contrast with Bill C-63 is remarkable: C-63 is very careful to delineate what kinds of Internet services are included and to err on the side of keeping private communications safe and private. It appears that the people who drafted this legislation made a concerted effort to understand what unintended consequences could come from regulations for the wider Internet (and especially private communications) and then to limit those regulations to avoid such “collateral damage.”
The Internet Society continues to do a detailed analysis of the bill, and we would not be surprised to find areas where incremental refinements may be made to improve its technical feasibility. We also recognize that there are critics of portions of the Bill who are focused on legal issues beyond the scope of the Bill’s interaction with the Internet itself. Those discussions will no doubt be more fruitful, given Canadians don’t have to worry about whether the bill might interfere with the fundamental elements the Internet needs to exist in the first place. We appreciate that this Bill has, quite apparently, been through some rigorous evaluation of its Internet impacts, and we hope that other governments will look at the Canadian example and conduct Internet Impact Assessments when considering legislation.
Learn more about how we defend the Internet through our work to counter Internet threats.
Image © Shubham Sharan on Unsplash