Bill C‑22 would force Canadian and global tech firms to retain bulk metadata and build government‑access capabilities, threatening the security model that makes modern encrypted services safe. The article explains why mandatory data retention expands attack surfaces, how Tailscale’s architecture avoids unnecessary collection, and what legislative changes are needed to protect both privacy and public safety.
Canada’s Bill C‑22 and the Security Cost of Collecting More Data

Tailscale was founded in Canada, but our users span the globe. That geographic origin makes us especially attentive to Bill C‑22, the proposed Lawful Access Act that would reshape how electronic service providers handle data for law‑enforcement requests. While the bill is Canadian, it reflects a broader international push to update lawful‑access rules for the Internet era—some reasonable, many overreaching.
What Bill C‑22 Would Change
The legislation defines “electronic service providers” very broadly: any entity that creates, stores, processes, transmits, receives, or makes digital information available to people in Canada, regardless of where the company is headquartered. In practice this includes not only traditional telecoms and ISPs but also cloud platforms, SaaS tools, and VPN services like Tailscale.
Under the bill, core providers could be compelled to:
- Develop, assess, test, and maintain technical capabilities that enable government access.
- Install or operate equipment that facilitates such access.
- Retain categories of metadata—including transmission timestamps, IP addresses, and device identifiers—for up to one year.
The retention requirement runs counter to the privacy‑first momentum sparked by regulations such as the GDPR, which explicitly limited mandatory data hoarding. By mandating bulk collection, the law forces companies to create new databases that were never part of their design.
Tailscale’s VPN: What We Collect and What We Don’t
Tailscale is an identity‑aware mesh network built on WireGuard. To operate, we need only a minimal set of data:
- Account identifiers and device registrations.
- Public IP addresses of devices for NAT traversal.
- Operating‑system version and connection state for reliability and abuse prevention.
We do not inspect customer traffic, log browsing activity, record DNS queries, or store the contents of communications. All traffic inside a tailnet is encrypted end‑to‑end; private keys never leave the user’s device, and even our relay servers lack the keys needed to decrypt the payload. This design is not a policy choice that can be toggled—it is baked into the code, which is open source for independent verification.

Why Mandatory Metadata Retention Is a Security Problem
Security thrives on data minimisation. When a law requires a service to retain additional metadata, the company must:
- Build a new storage system.
- Implement access controls, audit logging, and backup procedures.
- Allocate staff to manage and protect the data.
- Extend incident‑response plans to cover the new repository.
Each of those steps introduces a fresh attack surface. A database that would not exist otherwise becomes a tempting target for theft, insider abuse, or accidental exposure. The safest database is the one you never create.
Moreover, bulk retention erodes the principle of targeted lawful access. A specific, court‑authorized request for data that actually exists is a narrow, accountable action. Requiring providers to keep large swaths of metadata “just in case” shifts the balance toward speculative surveillance, making it harder to audit and easier to misuse.
What Lawful Access Should Look Like
The core goal—allowing law enforcement to investigate serious crimes—remains legitimate. The path to that goal, however, should not compromise the security guarantees that users rely on. A more balanced framework would:
- Tie access to specific investigations, accounts, and court orders. No blanket tools for hypothetical future requests.
- Eliminate or sharply limit broad metadata retention. Preservation orders should be narrowly scoped and time‑limited.
- Narrow the definition of covered services. Separate telecom infrastructure from modern SaaS and VPN providers.
- Protect encryption and architecture. Explicitly forbid compelled weakening of encryption, key escrow, or client‑side spyware.
- Require transparency reporting. Providers should be able to publish aggregate statistics on government requests without compromising investigations.
- Preserve vulnerability‑disclosure rights. No provision should block a company from reporting or fixing security flaws.
- Introduce independent oversight and sunset clauses. Extraordinary powers must be reviewed regularly and expire unless renewed based on evidence.
A Call to Action
If you live in Canada, reach out to your Member of Parliament and voice support for amendments that preserve targeted lawful access while rejecting mandatory bulk data collection. For those outside Canada, recognize that similar bills are emerging worldwide; the principle remains the same: secure services should not be forced to redesign their architecture to accommodate surveillance.
Canada has an opportunity to become a hub for security‑focused companies and AI innovators, but only if its laws protect both public safety and the technical foundations of privacy. By safeguarding data‑minimisation and encryption, the country can attract the very infrastructure it needs for a digital future.
Author: Avery Pennarun
Published: May 26, 2026

