Securing Public Interest Cybersecurity Researchers in Canadian Universities

Abstract

Rooted in democratic ideals, public interest cybersecurity research is essential for understanding the complex relationship between cybersecurity, human rights, and social justice. Universities, with their long tradition of independent inquiry, provide a crucial space for challenging the dominant influence of private industry in shaping our understanding of cybersecurity. Researchers in these institutions are uniquely positioned to generate knowledge that goes beyond profit-driven narratives and encompass a wider range of concerns, including those of civil society organizations, activists, journalists, and marginalized communities. However, researchers employing established computer security methods in public interest cybersecurity work at Canadian universities face their own crisis of the “security of self” due to substantial legal uncertainties surrounding the lawful permissibility of their research. These uncertainties not only threaten the personal and professional security of researchers, but also hinders the ability to contribute to a broader critical understanding of cybersecurity risks, ultimately limiting our collective “security of self” in the digital age.

Building upon Deibert’s (2018) call for a human-centric approach to cybersecurity that prioritizes digital security alongside public interest values, this chapter argues that the legal ambiguities surrounding cybersecurity research in Canadian universities threaten researchers’ ability to conduct meaningful research in the public interest. It examines common methodological practices in this field and their interaction with legal considerations, exploring implications under criminal and copyright law, as well as civil issues like breach of contract and negligence. By scrutinizing potential interpretations of computer security methods under relevant law, the chapter highlights the need to protect researchers and foster an environment conducive to critical knowledge production in human-centred cybersecurity. Ultimately, it poses a series of recommendations for governments to strengthen legal safeguards for public interest cybersecurity research in Canadian universities.