On June 18, 2026, Canada's telecom regulator did something it has historically been reluctant to do: it told carriers they may deliberately stop delivering some of your internet traffic. In Compliance and Enforcement and Telecom Decision CRTC 2026-140, the Canadian Radio-television and Telecommunications Commission expanded its year-old cybersecurity blocking framework, authorizing carriers to use port blocking, forged-source-address filtering, and traffic-anomaly detection — not just static blocklists — to block malicious traffic at the network level.
This is a genuine carve-out from one of Canada's bedrock net-neutrality provisions. Section 36 of the Telecommunications Act states that, "Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public." Blocking traffic is, plainly, controlling content. The CRTC's own reasoning concedes the point: blocking "falls within the scope of section 36 of the Act," which is precisely why carriers need the Commission's blessing to do it. Decision 2026-140 is that blessing, broadened.
The case for the exception is strong
It is worth stating the strongest version of the regulator's argument before quibbling with it. Botnets, spoofed-source DDoS attacks, and command-and-control traffic are real, escalating harms that a blocklist alone cannot catch — by the time a malicious IP lands on a list, the damage is often done. Carriers sit at the only vantage point from which volumetric and forged-source attacks can be filtered before they reach their targets. Forbidding network-level defense in the name of neutrality would be a pyrrhic victory: a perfectly neutral pipe that floods your hospital or your bank. The CRTC framed its expansion around the principles it set in Decision CRTC 2025-142 — necessity, customer privacy, accountability, transparency, and accuracy — and kept the most important structural safeguard intact: participation is voluntary. "Carriers are not required to block Internet traffic crossing their networks," the decision states. No mandate, no government blocklist, no court-free censorship regime.
That distinction matters enormously. Canada has flirted with the darker version of network blocking — Bell's 2018 proposal for a CRTC-administered piracy-blocking agency operating without court review, which Michael Geist rightly called anti-consumer and anti-speech. Decision 2026-140 is the opposite species: defensive, opt-in, and scoped to security. As a matter of principle, a narrow, transparent, accountable security exception to section 36 is defensible. Traffic engineers already exercise this discretion informally in a threat-strewn environment; bringing it inside a rule with published standards is better than leaving it in the shadows.
But the guardrails moved the wrong way
Here is the problem, and it is the one Commissioner Bram Abramson identified in a pointed dissent. The 2026 revision expands what carriers may do while relaxing the safeguards that govern how they do it. The original 2025-142 framework required carriers to resolve a customer complaint — for instance, a false positive that blocks legitimate traffic — "within two business days." Decision 2026-140 stretches that to five business days and softens the prescribed remedies into "more flexibility." The Commission widened carrier discretion and lengthened the leash at the same moment.
Abramson's core insight is about visibility. The new techniques operate, as he put it, in a framework that functions "on by default, yet remains barely visible to those subject to it." Anomaly detection and forged-address filtering act on far more traffic metadata than a discrete blocklist, and their errors are harder for a user to notice. "Where blocking is automated, upstream-fed, or difficult for users to diagnose, erroneous blocking may not reliably generate complaints at all," he wrote. A complaint-driven accountability system is only as good as users' ability to detect that something was wrongly blocked — and these methods are precisely the ones that defeat that detection.
The reporting obligations compound the gap. Carriers file annual confidential reports listing aggregate indicators-of-compromise blocked and complaint counts, which the CRTC may publish at its discretion. Abramson called this "bookkeeping, not management" — aggregate tallies without the context needed to judge whether the blocking was accurate or proportionate. Most troubling, he noted the revision "narrows an existing safeguard never put in issue," loosening limits on secondary uses of traffic-related data that the prior framework had restricted. A privacy protection nobody asked to weaken was weakened anyway.
A proceeding missing the people it affects
Part of why the framework drifted is who was in the room. Abramson observed that the proceeding drew carriers and law enforcement but "no dedicated public-interest advocate, user group, or privacy intervener." When the only parties at the table are the ones who benefit from broader discretion and lighter reporting, the predictable result is broader discretion and lighter reporting. That is not a conspiracy; it is a structural defect in how the consultation was scoped.
The fix is not to scrap the exception. A voluntary, security-scoped carve-out from section 36 is a reasonable, proportionate piece of regulation — arguably a model other jurisdictions weighing carrier-level security should study. But the trade is backwards. As carrier power over traffic grows, the transparency, complaint, and privacy protections governing that power should grow with it, not contract. The CRTC should restore the two-business-day complaint window, mandate user-facing disclosure when an account's traffic is actively blocked, publish disaggregated accuracy metrics by default, and reinstate the secondary-use limits it quietly dropped. Canada got the principle right and the proportionality wrong. Both are fixable — and 2026-140 should be revisited before the next expansion, not after.