Good Will Hacking: The Good-Faith Security Researcher’s Dilemma in Canada and Beyond
Cybersecurity has never been more critical, with governments worldwide scrambling to protect sensitive infrastructure, safeguard privacy, and counter cyber threats. However, when it comes to good-faith security research—the practice of probing systems for vulnerabilities to improve security—the legal landscape is a mixed bag.
Here’s a deep dive into how Canada, the U.S., and Europe approach good-faith security research, through the lens of Bill C-26, Loi 25, and other global policies.
Canada’s Bill C-26: Progress in Cybersecurity, Not for Good-Faith Researchers
Canada’s Bill C-26, also known as the Critical Cyber Systems Protection Act (CCSPA), represents a significant step forward in protecting critical infrastructure. By setting higher cybersecurity standards and enforcing mandatory reporting of cyber incidents, it aims to fortify national defenses.
But for good-faith researchers, the story remains unchanged:
No Specific Protections: Bill C-26 does not include legal safeguards for good-faith researchers who identify vulnerabilities with honest intentions.
Criminal Code Risks: Unauthorized access remains illegal under Section 342.1, even when conducted to improve security. Possession of hacking tools is prohibited under Section 342.2, creating additional barriers.
Vulnerability Disclosure: While Bill C-26 might encourage companies to adopt disclosure programs, good-faith researchers still face legal risks unless they have explicit permission.
Quebec’s Loi 25: Privacy Gains, Good-Faith Research Overlooked
Quebec’s Loi 25—Canada’s strictest privacy legislation—focuses on enhancing:
Consent and Transparency: Stricter rules require organizations to clearly inform individuals about data collection and use.
Privacy Assessments: Companies must evaluate risks to personal information before implementing new systems.
Accountability: Organizations are encouraged to proactively safeguard data and demonstrate compliance.
However, Loi 25 does not address protections for good-faith researchers, leaving security professionals vulnerable to the same legal pitfalls as under federal law.
Global Perspectives: Good-Faith Researcher Protections
United States
The Department of Justice (DOJ) made headlines in 2022 by updating its policy to distinguish good-faith security research from malicious activity under the Computer Fraud and Abuse Act (CFAA):
Good-Faith Protections: Security researchers conducting legitimate vulnerability assessments will not face prosecution.
Clearer Definitions: A distinction is made between malicious intent and responsible disclosure, fostering a safer environment for researchers.
Europe
Some European countries are leading the way in embracing good-faith research:
Lithuania: Legalized good-faith research for reporting vulnerabilities, provided strict conditions are met.
Belgium: Offers safe harbor under whistleblower protections, encouraging responsible disclosure and collaboration between researchers and organizations.
Key Differences: Canada vs. U.S. and Europe
Canada: Good-faith research is legally risky. Researchers must have explicit permission to test systems, with no safe harbor protections in place. Possession of hacking tools remains criminalized, even for legitimate purposes.
United States: Good-faith researchers are protected under DOJ policy, creating a safer climate for vulnerability testing.
Europe: Several countries actively protect good-faith research, promoting vulnerability disclosure and accountability through legislation.
The Takeaway: Canada Needs to Catch Up
Canada’s emphasis on stricter cybersecurity through Bill C-26 and Loi 25 is commendable, but the lack of explicit protections for good-faith researchers hinders progress. In contrast, the U.S. and Europe are creating environments where security professionals can contribute without fear of legal repercussions.
For Canada to truly lead in cybersecurity, it must address these gaps by:
Legalizing good-faith security research.
Establishing safe harbor laws for good-faith researchers.
Encouraging responsible vulnerability disclosure programs nationwide.
As the fictional Good Will Hacking would teach us, the world benefits when untapped potential is nurtured—not penalized. Good-faith researchers hold the key to a safer digital future, but it’s up to governments to unlock their full potential.
What’s your take? Should Canada adopt policies to protect good-faith researchers, or does strict regulation provide better cybersecurity? Let’s discuss!