Canada’s Bill C‑22 threatens to dismantle end‑to‑end encryption

AI & ML Reporter

Bill C‑22 would force Canadian messaging services to create a government‑controlled backdoor, mandate bulk metadata retention, and enable cross‑border data sharing. The proposal repeats a pattern seen in the U.S., U.K., and Australia, and experts warn it could expose Canadians to hacking, legal overreach, and foreign surveillance.


What the bill claims to do

Bill C‑22, introduced in March 2026, is framed as a “lawful‑access” measure aimed at helping law enforcement intercept criminal communications. In practice the bill would:

  1. Require every electronic service provider that offers private messaging to implement a second encryption key that the government can request.
  2. Mandate bulk metadata retention for up to a year, recording who talked to whom, when, and via which service.
  3. Allow Canadian courts to compel foreign providers to hand over data on Canadian users under mutual legal‑assistance treaties.
  4. Compel compliance under threat of fines and prohibit providers from disclosing the existence of any order.

The government presents these steps as a modest technical tweak that merely “adds a copy of the key” for legitimate investigations.

What is actually new (or different)

| Aspect | Current situation | What C‑22 adds |
| --- | --- | --- |
| Encryption | End‑to‑end encryption (E2EE) means only the two participants hold the decryption keys. Companies like Signal, iMessage, and WhatsApp cannot read the content. | Providers must build a lawful‑access backdoor that creates a duplicate key under government control. |
| Metadata | Canadian telecoms retain limited call‑detail records for a short period, primarily for billing and emergency services. | All messaging services must store who‑talked‑to‑whom for a full year, regardless of content. |
| Cross‑border requests | Foreign providers can be served with a Canadian subpoena only if the data physically resides in Canada. | Courts can compel any provider, even if the data never left the provider’s foreign servers, turning Canada into a de‑facto “data extraction hub”. |
| Transparency | Companies can publish transparency reports about government requests. | Providers may be gagged from acknowledging any order, eliminating public oversight. |

In short, the bill does not merely request data; it forces a structural change to the cryptographic architecture of every app used by Canadians.

Technical limitations and practical risks

1. Security‑by‑obscurity does not hold up

Creating a second key means introducing a new attack surface. Historical incidents show that mandated lawful‑intercept systems are repeatedly breached:

  • 2005 Athens Affair – Vodafone Greece’s intercept system was compromised, exposing senior officials’ calls.
  • 2010 Operation Aurora – Attackers accessed Google’s compliance portal and read Gmail accounts of activists.
  • 2024 Salt Typhoon – A Chinese‑linked group walked through the U.S. phone‑carrier lawful‑intercept infrastructure, listening to calls and texts for months.

Each case involved a single backdoor that, once built, became a high‑value target. Adding a comparable backdoor to every messaging app multiplies the attack surface dramatically.

2. Implementation complexity

E2EE protocols such as the Signal Protocol rely on a double‑ratchet mechanism that generates fresh session keys for each message. To embed a government‑accessible key, providers would need to redesign the key‑exchange layer, likely breaking forward secrecy and requiring constant updates to client apps. Smaller Canadian SaaS firms lack the resources to audit and maintain such a system, increasing the chance of bugs that could be exploited.
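
An added illustration of the forward-secrecy point above (not code from the article or from any messaging provider): a simplified symmetric-key ratchet in Python, run once as-is and once with every message key also wrapped under a long-lived escrow key. The class and function names, the toy XOR cipher and the sample messages are constructed for this example; the Diffie-Hellman half of the real Double Ratchet is not modelled.

```python
import hashlib
import hmac

def kdf(key, label):
    """One-way step: HMAC-SHA256 used as the chain KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()

def toy_xor(key, data):
    """Toy stream cipher for the demo only (HMAC keystream, no authentication)."""
    stream = b"".join(kdf(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Sender:
    def __init__(self, root_key, escrow_key=None):
        self.chain, self.escrow_key, self.n = root_key, escrow_key, 0

    def send(self, plaintext):
        msg_key = kdf(self.chain, b"msg")
        self.chain = kdf(self.chain, b"chain")  # previous chain key is overwritten
        record = {"n": self.n, "ct": toy_xor(msg_key, plaintext), "wrapped": None}
        if self.escrow_key is not None:
            # Mandated copy: the message key wrapped under one long-lived key.
            record["wrapped"] = toy_xor(kdf(self.escrow_key, b"wrap%d" % self.n), msg_key)
        self.n += 1
        return record

def read_with_stolen_chain(chain, n, records):
    """Device state stolen before message n: only keys from n onward derive."""
    out = {}
    for rec in records[n:]:
        out[rec["n"]] = toy_xor(kdf(chain, b"msg"), rec["ct"])
        chain = kdf(chain, b"chain")
    return out

def read_with_escrow_key(escrow_key, records):
    """Escrow key stolen once: every stored record opens, whenever it was sent."""
    out = {}
    for rec in records:
        msg_key = toy_xor(kdf(escrow_key, b"wrap%d" % rec["n"]), rec["wrapped"])
        out[rec["n"]] = toy_xor(msg_key, rec["ct"])
    return out

def demo():
    msgs = [b"constructed message %d" % i for i in range(5)]
    plain = Sender(b"\x01" * 32)
    recs = [plain.send(m) for m in msgs[:3]]
    stolen_chain, stolen_n = plain.chain, plain.n  # compromise after 3 messages
    recs += [plain.send(m) for m in msgs[3:]]
    escrowed = Sender(b"\x01" * 32, escrow_key=b"\x02" * 32)
    erecs = [escrowed.send(m) for m in msgs]
    return msgs, read_with_stolen_chain(stolen_chain, stolen_n, recs), read_with_escrow_key(b"\x02" * 32, erecs)
```

With the ratchet alone, state stolen after three messages opens messages 3 and 4 but none of the earlier ones; with the escrow copy attached, one stolen key opens all five.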

Section 8 of the Canadian Charter guarantees protection against unreasonable search. Courts have struck down similar provisions in the U.S. (e.g., Riley v. California for cell‑phone data) and the U.K. (judicial reviews of the Investigatory Powers Act). A blanket requirement to retain decryption keys is likely to be challenged, but the challenge would only occur after the backdoor is built and metadata is already being harvested.

4. International spill‑over

Once Canada adopts this framework, other Five‑Eyes partners may cite it when drafting their own lawful‑access laws. Companies operating globally could be forced to maintain two codebases: a “Canadian‑compliant” version with a backdoor and a “rest‑of‑world” version without. This duality has already been observed in the U.K., where Apple removed Advanced Data Protection for the British market.

Who is speaking out

| Organization | Position |
| --- | --- |
| Signal | Threatens to withdraw from Canada rather than implement a backdoor. |
| Apple | Publicly refuses to insert any lawful‑access capability. |
| Meta | Calls Part 2 of the bill “unworkable as drafted”. |
| OpenMedia | Coordinates the open‑letter campaign and provides briefing kits for activists. |
| Citizen Lab | Highlights the technical feasibility of large‑scale interception and the risk of state‑linked hacking groups. |
| NSIRA (National Security and Intelligence Review Agency) | States the bill would impede its own oversight duties. |

Timeline and the remaining window

  • Mar 12 2026 – Bill introduced (first reading).
  • Apr 20 2026 – Second reading passed; referred to the Standing Committee on Public Safety and National Security (SECU).
  • May 15 2026 – Committee reviewing written briefs; clause‑by‑clause review not yet started.
  • Late May / Early June – Expected start of clause‑by‑clause review, the last realistic chance for amendments.
  • Mid‑June – Committee report; House debate and third reading.
  • Late June – Senate review.
  • After Royal Assent – Minister can issue technical‑capability orders within weeks.

Because the clause‑by‑clause stage is still open, targeted advocacy (brief submissions, MP emails, public testimony) can still shape the final text.

How to push back (practical steps)

  1. Email your MP – A concise, personal note asking them to vote against Part 2 carries high leverage, especially if the MP sits on SECU.
  2. Submit a brief to the committee – Even a one‑page comment becomes part of the public record and is reviewed by all members.
  3. Join collective actions – Sign the OpenMedia open letter, attend the live Q&A hosted by Goodbot, or donate to groups like the EFF and Citizen Lab that are preparing litigation.
  4. Upgrade personal security – Switch to Signal for sensitive chats, enable encrypted backups, and audit app permissions.
  5. Spread the word – Use the media pack (PDF one‑pager, talking points, FAQ) to inform friends and colleagues; tag #cdnpoli and #BillC22 on social platforms.

Bottom line

Bill C‑22 does not merely add a “lawful‑access” clause; it rewrites the cryptographic foundation of everyday communication tools, forces bulk metadata collection, and opens Canadian data to foreign governments. Past incidents in the U.S., U.K., and Australia show that once a backdoor exists, it becomes a high‑value target for state‑aligned hackers. The technical and legal challenges are substantial, and the window for meaningful amendment closes in early June. Citizens, privacy advocates, and even some industry players are urging Parliament to reject the proposal before the backdoor is built and the metadata vaults are filled.


For the latest status, see the official LegisInfo page for Bill C‑22.
