OTTAWA – MARCH 16, 2021 – Last evening the Canadian Internet Registration Authority (CIRA) submitted an intervention to the Canadian Radio-television and Telecommunication Commission (CRTC)’s botnet consultation. The CRTC proceeding focuses on whether to establish rules that would permit internet service providers (ISPs) to filter malicious internet traffic that enable cyber attacks.
CIRA’s own DNS Firewall and Canadian Shield services help Canadians mitigate cyber attacks. However, CIRA sounded a note of caution to the CRTC. Technical measures to make the internet safer must not allow for a slippery slope towards blocking content or free speech – in fact, safeguarding net neutrality and user privacy are two of the CRTC’s main jobs. CIRA’s intervention offers several proposals for ensuring that any framework to filter for network security is narrowly-tailored, builds in accountability, and requires that all blocking decisions be the technical decisions of independent third parties, not telecommunications service providers.
Canada’s internet faces a greater number of cyber threats than ever before. To protect users, ensure the safety and stability of our internet infrastructure, and bring independent oversight to what many ISPs already do without review, CIRA supports the creation of a voluntary framework that lets ISPs filter cyber attacks on their networks in standards-based, accountable ways. Drawing on its decades of network operation and cyber security experience, CIRA offers several proposals for how such a framework can be structured to prevent cyber attacks, protect user privacy, and defend Canada’s internet infrastructure.
CIRA’s Submission to the CRTC
Several of CIRA’s proposals to the CRTC are summarized below:
- Adoption of a new network-level blocking framework by ISPs must be voluntary, not mandatory.
- There should be a simple mechanism for users to opt out of any filtering provided by an ISP.
- The decision to block a given cyber threat should not be made by just one actor. To prevent a single point of failure, the framework should provide for multiple certified parties to offer block lists, and use that certification as a key oversight mechanism.
- Parties providing block lists must be independent from any internet service provider or content provider.
- The rules for which types of harmful traffic can be blocked should be guided by principles of transparency, non-discrimination, necessity, and proportionality. Blocking should never be authorized when a more proportionate response is available.
- Any framework should hold internet service providers to the highest privacy standards to prevent overcollection, over-retention, or misuse of user data.
You can see CIRA’s full submission here.