Canada's Bill C-22 Revives the Encryption Backdoor Fight, and the Security Community Is Watching Closely

Trends Reporter

A new lawful access bill in Canada would let the government compel service providers to retain metadata on everyone and build interception capabilities into encrypted systems. The proposal lands at a moment when the technical community has unusually fresh evidence for an old argument: that mandated access points become everyone's problem.

A petition currently circulating through the House of Commons e-petition system (e-7416) has put Bill C-22, an Act respecting lawful access, back in front of a Canadian tech audience that has fought this battle before. The bill would authorize regulations requiring designated "core providers" to collect and retain metadata on all Canadians for up to a year, with no requirement that any individual be under suspicion. It would also let the Minister of Public Safety extend those obligations to essentially any electronic service provider by ministerial order, and compel providers to implement interception capabilities or technical assistance measures, including ones that could weaken encrypted systems.

If this feels familiar, that is because it is. Canada has cycled through lawful access proposals for well over a decade, from the old Bill C-30 era onward. What has changed is not the legislative ambition but the evidence available to the people arguing against it.

The pattern: same request, new packaging

Governments asking for exceptional access to communications tend to frame each attempt as narrow and carefully bounded. The recurring objection from cryptographers and network engineers is structural, not political: a system built to grant access to one authorized party is a system with an access mechanism, and access mechanisms do not reliably distinguish between authorized and unauthorized users. This is the core of the 2015 paper "Keys Under Doormats", in which a group including Whitfield Diffie, Ronald Rivest, and Bruce Schneier laid out why mandated exceptional access introduces risks that are hard to contain. Their three specific objections still map onto C-22: exceptional access forces providers to abandon practices such as forward secrecy that limit the damage from any single key compromise, it adds complexity to systems that are already hard to get right, and it concentrates high-value keys and credentials in a small number of escrow or intercept points that then become the obvious target.

Bill C-22 reproduces several features that security researchers have flagged in earlier proposals. The definition of electronic service provider is broad enough to capture encrypted messaging apps, VPNs, email hosts, banking apps, and cloud storage. The government retains regulatory power to redefine terms like "encryption" and "systemic vulnerability" without returning to Parliament, which makes any statutory privacy assurance contingent on regulation that can shift later. For people who read legislation the way they read API contracts, the undefined and mutable terms are where the actual behavior lives.

The evidence that changed the conversation

The argument that interception capabilities create exploitable weaknesses used to be somewhat theoretical in public debate. It is less theoretical now. The petition itself cites the 2024 Salt Typhoon campaign, in which a China-linked group compromised major United States telecom carriers. A joint FBI and CISA statement in November 2024 said the intruders had copied information that was subject to U.S. law enforcement requests made under court orders, and press reporting placed them inside systems used for lawful intercept, the very infrastructure built to satisfy government access requirements under CALEA.

That is the detail the technical community keeps returning to. The interception capability that a government mandates for its own use is a high-value, standardized target. Once it exists, it is available to whoever can reach it, and nation-state actors have demonstrated they can. The U.S. case turned an abstract risk model into a concrete incident report. For Canadian engineers reading C-22, Salt Typhoon functions as a worked example of the failure mode they have been describing for years.

Counter-perspectives worth taking seriously

The case for lawful access is not nothing, and treating it as obviously bad faith misreads the debate. Law enforcement agencies point to real investigative gaps. End-to-end encryption genuinely does close off content that was historically obtainable with a warrant, and metadata genuinely does help reconstruct criminal networks, including in cases involving child exploitation and organized crime where few civil libertarians want to argue the police should have less to work with. The "going dark" framing, associated with former FBI director James Comey and revisited many times since, reflects a real operational frustration rather than an invented one.

There is also a reasonable position that metadata retention and content decryption are distinct issues that get collapsed too quickly. A government could, in principle, pursue targeted, warrant-bound access without mandating bulk retention or encryption weakening. Critics of C-22 would respond that the bill does not draw those lines clearly, and that the ministerial-order and regulatory-redefinition powers erase whatever lines do appear in the text. That is the crux: the disagreement is less about whether police should ever get data and more about whether suspicionless bulk collection and built-in interception are a proportionate way to get it.

A second counter-perspective is jurisdictional reality. Even if Canada declines to mandate access, the largest providers operate globally and respond to legal demands from many governments. Some argue a clear domestic framework is preferable to an ad hoc one. Others note that a Charter challenge is close to inevitable; suspicionless bulk retention sits uneasily with Section 8 protections against unreasonable search and seizure, and the European Court of Justice has already struck down indiscriminate retention regimes in the EU, which suggests the legal ground is contested rather than settled.

What to actually watch

For people in software and security, the useful signal is not the petition count. It is whether the bill's eventual regulations define "systemic vulnerability" in a way that engineers would recognize, whether interception mandates apply to end-to-end encrypted services or carve them out, and how metadata retention scope is bounded. Those are the parameters that determine whether C-22 is a targeted lawful access update or a standing piece of infrastructure that future attackers inherit.

The petition asks Parliament to withdraw the bill, strip suspicionless bulk retention from any future version, and explicitly prohibit mandates that weaken or break encryption. Whether or not those specific demands prevail, the deeper question Canada is now reopening is the one the security community has answered consistently for thirty years: an access point you build for yourself is an access point someone else can use. Salt Typhoon was a fairly expensive way to relearn it.
