Introduction
In today's digital age, the importance of robust cybersecurity measures cannot be overstated. Canada, like many other nations, has recognized the critical need to protect its digital infrastructure and the privacy of its citizens. As cyber threats continue to evolve, so too do the laws and regulations designed to combat them. Canadian cyber laws encompass a wide array of legislation aimed at safeguarding personal information, preventing cybercrime, and ensuring the security of digital transactions. This blog post delves into the intricacies of these laws, exploring their impact on individuals, businesses, and the broader Canadian society, while highlighting recent developments and future directions in the realm of cybersecurity legislation.
Hacking | Unauthorized Access
It is an offence to fraudulently obtain, use, control, access, or intercept computer systems or functions under the Criminal Code (R.S., 1985, c. C-46, s. 184; 1993, c. 40, s. 3; 2004, c. 12, s. 4; 2019, c. 25, s. 64). The relevant provisions of the Criminal Code that prohibit hacking (i.e., unauthorized access) are as follows:
184 (1) Every person who, by means of any electromagnetic, acoustic, mechanical, or other device, knowingly intercepts a private communication is guilty of:
(a) an indictable offence and liable to imprisonment for a term of not more than five years; or
(b) an offence punishable on summary conviction.
Unauthorized Use of a Computer
342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right:
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electromagnetic, acoustic, mechanical, or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or
(d) uses, possesses, traffics in, or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b), or (c).
Fraud
380 (1) Everyone who, by deceit, falsehood, or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money, valuable security, or any service:
(a) is guilty of an indictable offence and liable to a term of imprisonment not exceeding fourteen years, where the subject matter of the offence is a testamentary instrument or the value of the subject matter of the offence exceeds five thousand dollars; or
(b) is guilty of:
(i) an indictable offence and is liable to imprisonment for a term not exceeding two years, or
(ii) an offence punishable on summary conviction,
where the value of the subject matter of the offence does not exceed five thousand dollars.
Minimum punishment
(1.1) When a person is prosecuted on indictment and convicted of one or more offences referred to in subsection (1), the court that imposes the sentence shall impose a minimum punishment of imprisonment for a term of two years if the total value of the subject matter of the offences exceeds one million dollars.
Affecting public market
(2) Everyone who, by deceit, falsehood, or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, with intent to defraud, affects the public market price of stocks, shares, merchandise, or anything that is offered for sale to the public is guilty of an indictable offence and liable to imprisonment for a term not exceeding fourteen years.
(R.S., 1985, c. C-46, s. 380; R.S., 1985, c. 27 (1st Supp.), s. 54; 1994, c. 44, s. 25; 1997, c. 18, s. 26; 2004, c. 3, s. 2; 2011, c. 6, s. 2)
Mischief
430 (1) Everyone commits mischief who wilfully:
(a) destroys or damages property;
(b) renders property dangerous, useless, inoperative, or ineffective;
(c) obstructs, interrupts, or interferes with the lawful use, enjoyment, or operation of property; or
(d) obstructs, interrupts, or interferes with any person in the lawful use, enjoyment, or operation of property.
Mischief in relation to computer data
(1.1) Everyone commits mischief who wilfully:
(a) destroys or alters computer data;
(b) renders computer data meaningless, useless, or ineffective;
(c) obstructs, interrupts, or interferes with the lawful use of computer data; or
(d) obstructs, interrupts, or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.
Punishment
(2) Everyone who commits mischief that causes actual danger to life is guilty of an indictable offence and liable to imprisonment for life.
Punishment
(3) Everyone who commits mischief in relation to property that is a testamentary instrument or the value of which exceeds five thousand dollars:
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
Idem
(4) Everyone who commits mischief in relation to property, other than property described in subsection (3):
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.
Denial-of-Service Attacks
Denial-of-service attacks are considered mischief under Section 430(1.1) of the Criminal Code.
Phishing
For phishing, see section 380(1) (Fraud).
See CASL.
Infection of IT Systems with Malware
Ransomware, spyware, worms, trojans, and viruses fall under the category of mischief. See Mischief.
Installation of Computer Program
8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or
(b) the person is acting in accordance with a court order.
Possession of Device to Obtain Unauthorized Use of Computer System or to Commit Mischief
342.2 (1) Every person who, without lawful excuse, makes, possesses, sells, offers for sale, imports, obtains for use, distributes, or makes available a device that is designed or adapted primarily to commit an offence under section 342.1 or 430, knowing that the device has been used or is intended to be used to commit such an offence, is:
(a) guilty of an indictable offence and liable to imprisonment for a term of not more than two years; or
(b) guilty of an offence punishable on summary conviction.
Forfeiture
(2) If a person is convicted of an offence under subsection (1), in addition to any punishment that is imposed, any device in relation to which the offence was committed or the possession of which constituted the offence may be ordered forfeited to Her Majesty and may be disposed of as the Attorney General directs.
Limitation
(3) No order of forfeiture may be made under subsection (2) in respect of anything that is the property of a person who was not a party to the offence under subsection (1).
Definition of Device
(4) In this section, device includes:
(a) a component of a device; and
(b) a computer program within the meaning of subsection 342.1(2).
(1997, c. 18, s. 19; 2014, c. 31, s. 17; 2018, c. 29, s. 34)
Identity Theft
402.2 (1) Every person commits an offence who obtains or possesses another person's identity information with intent to use it to commit an indictable offence that includes fraud, deceit, or falsehood as an element of the offence.
Trafficking in Identity Information
(2) Everyone commits an offence who transmits, makes available, distributes, sells, or offers for sale another person's identity information, or has it in their possession for any of those purposes, knowing that or being reckless whether the information will be used to commit an indictable offence that includes fraud, deceit, or falsehood as an element of the offence.
Clarification
(3) For the purposes of subsections (1) and (2), an indictable offence referred to in either of those subsections includes an offence under any of the following sections:
(a) section 57 (forgery of or uttering forged passport);
(b) section 58 (fraudulent use of certificate of citizenship);
(c) section 130 (impersonating peace officer);
(d) section 131 (perjury);
(e) section 342 (theft, forgery, etc., of credit card);
(f) section 362 (false pretence or false statement);
(g) section 366 (forgery);
(h) section 368 (use, trafficking, or possession of forged document);
(i) section 380 (fraud); and
(j) section 403 (identity fraud).
Trade Secret
391 (1) Everyone commits an offence who, by deceit, falsehood, or other fraudulent means, knowingly obtains a trade secret or communicates or makes available a trade secret.
Trade Secret – Prior Knowledge
(2) Everyone commits an offence who knowingly obtains a trade secret or communicates or makes available a trade secret knowing that it was obtained by the commission of an offence under subsection (1).
Punishment
(3) Everyone who commits an offence referred to in subsection (1) or (2) is guilty:
(a) of an indictable offence and is liable to imprisonment for a term not exceeding 14 years; or
(b) of an offence punishable on summary conviction.
See 342.1
See 322
See 326
See 327
See 46
Penetration Testing
Unsolicited penetration testing may also be considered mischief under Section 430(1.1) of the Criminal Code.
See Terrorism
Offences Outside Canada
Subject to this Act or any other Act of Parliament, no person shall be convicted or discharged under section 730 of an offence committed outside Canada.
See 730
Espionage
See Security of Information Act
Conspiracy
(2001, c. 41, s. 29) See 23
Extraterritorial Application
26 (1) A person who commits an act or omission outside Canada that would be an offence against this Act if it were committed in Canada is deemed to have committed it in Canada if the person is:
(a) a Canadian citizen;
(b) a person who owes allegiance to Her Majesty in right of Canada;
(c) a person who is locally engaged and who performs his or her functions in a Canadian mission outside Canada; or
(d) a person who, after the time the offence is alleged to have been committed, is present in Canada.
Jurisdiction
(2) If a person is deemed to have committed an act or omission in Canada, proceedings in respect of the offence may, whether or not the person is in Canada, be commenced in any territorial division in Canada, and the person may be tried and punished in respect of the offence in the same manner as if the offence had been committed in that territorial division.
Punishment
Unless this Act provides otherwise, a person who commits an offence under this Act is guilty of:
(a) an indictable offence and liable to imprisonment for a term of not more than 14 years; or
(b) an offence punishable on summary conviction and liable to imprisonment for a term of not more than 12 months or to a fine of not more than $2,000, or to both.
(2001, c. 41, s. 29)
Conclusion
As technology continues to evolve, so too must our understanding and enforcement of cybersecurity laws. Canadian cyber laws provide a framework for protecting digital infrastructure, personal information, and ensuring the integrity of online transactions. Staying informed about these laws is crucial for individuals and businesses alike to navigate the complex landscape of cybersecurity and to mitigate the risks associated with cyber threats.