The public safety and national security committee of the House of Commons has recommended that the federal government look at ways to make sure that Canadian data stays on Canadian soil.
The federal government should, according to the committee, “explore ways to ensure all sensitive data moved within Canada has a domestically routed path, ensuring data packets are not exposed to foreign network infrastructure.”
The recommendation comes in a report on cybersecurity in the financial sector, released Thursday, among several other recommendations related to cybersecurity.
According to committee witness testimony cited in the report, some 80 per cent of Canadian internet communications with countries other than the United States pass physically through the U.S., while at least a quarter of internet communications between people in Canada is routed through the U.S. at some point.
University of Toronto professor emeritus Andrew Clement, testified in March that he came across this “boomerang routing” when while researching data paths at the University of Toronto, a “trace route” showed that data moving between his office at the university and the website of the Ontario student assistance program — also located in Toronto — passed through the U.S. “Will even the best ally keep the interests of its friends in the fore, when its own critical infrastructure in threatened? “ Clement asked the committee.
The Canadian Internet Registration Authority (CIRA) has been raising concerns about the situation for years, while the election of Donald Trump focused cybersecurity advocates’ desire to see more data stay within Canada.
Clement also recommended to the committee that the government “support the development and use of Canada’s Internet exchange points for direct-inter-network data exchange to avoid U.S. routing,” and also create new standards requiring telecommunications companies and financial institutions to report their routing practices.
The Canadian Bankers Association told the committee that there is a risk of exposure when banks outsource parts of its services to companies located outside of Canada. PayPal Holdings Inc. confirmed to the committee that some of its customer’s data is stored in the United States, while the Interac Corporation testified that all of its data is stored in Canada, with Canadian vendors and suppliers.
In April, the Office of the Privacy Commissioner told the committee the office would begin consultations on boomerang routing shortly. “It’s a live issue for our office and we’re thinking deeply about it and trying to solicit input from various stakeholders,” deputy commissioner Gregory Smolynec said at the time.
Among the other recommendations in the report are for the government to encourage the reporting of all cybercrime, and for the security committee to establish a permanent sub-committee on cybersecurity.
The committee held 12 meetings between January and May, and heard from 45 witnesses.