Canada’s Bill C-22 has become the flashpoint for a rare alignment between Big Tech rivals and privacy advocates over encryption. Google has joined Apple, Meta, Signal, and privacy organizations in warning that the proposed Lawful Access Act could fundamentally weaken encryption and establish a government surveillance infrastructure. The bill, still at the proposal stage, represents a critical test of whether democracies can mandate backdoors without destroying the security that billions of people depend on.
Key Takeaways
- Bill C-22 would require digital service providers to retain metadata for up to one year and develop lawful-access capabilities
- Apple warned that building backdoors into encrypted devices creates vulnerabilities anyone can exploit
- The bill’s definitions of “systemic vulnerabilities” and “encryption” are too vague, critics argue
- Canada’s government says the framework includes judicial oversight and does not create new interception powers
- Tech companies worry the broad definition of “electronic service provider” could force product redesigns across the industry
What Canada’s Bill C-22 Actually Proposes
Bill C-22 would require digital service providers (a term broad enough to capture messaging apps, telecoms, and operating systems) to develop and maintain capabilities that enable law enforcement to access communications when legally authorized. The government says Part 2 does not create new powers for police or intelligence agencies to intercept communications; instead, it mandates that companies build the technical infrastructure to comply with existing judicial orders. Regulations could allow retention of prescribed metadata, such as transmission information, for up to one year.
But the bill’s language troubles critics far more than the government’s intent. Michael Geist, a leading Canadian technology law expert, says the definition of “electronic service provider” is so broad it can capture any service involving the creation, recording, storage, processing, transmission, or reception of information provided to people in Canada or by any entity doing business in Canada. Every ESP would face a general assistance obligation and a secrecy requirement that bars them from publicly revealing the existence of government requests. This combination means companies could be forced to redesign products in secret, without transparency or public debate.
Why Tech Giants Say Bill C-22 Threatens Security
The core objection from Google, Apple, and others is that mandating encryption-breaking capabilities is fundamentally incompatible with end-to-end encryption. Apple’s Director of User Privacy, Erik Neuenschwander, stated the risk plainly: “When you build a backdoor into an encrypted device, anyone can walk through and cause so much is built on encryption we can’t take that risk”. If a company installs a mechanism to let law enforcement bypass encryption, that same mechanism becomes a vulnerability that criminals, foreign governments, and hackers can exploit.
The Electronic Frontier Foundation characterizes the bill as a “repackaged version of last year’s surveillance nightmare,” pointing to vague definitions of “systemic vulnerabilities” and “encryption” that leave room for the government to demand circumvention of encryption protections. The EFF disputes Canadian officials’ claim that it is possible to add surveillance without introducing systemic vulnerabilities, arguing that surveillance of encrypted communications is fundamentally a systemic vulnerability. The organization points to the UK case in which Apple was reportedly asked to implement a backdoor into its optional Advanced Data Protection feature, prompting Apple to revoke the feature for UK users rather than comply.
The Secrecy Problem and Global Precedent
One of the bill’s most controversial provisions requires companies to keep government requests secret. The bill bans companies from publicly revealing the existence of orders, which means Canadians would have no way of knowing whether their government is using these powers. This secrecy obligation, combined with the broad definition of ESPs and the vague exception for “systemic vulnerabilities,” creates a scenario in which the government could force product redesigns that weaken security for all users—not just criminal suspects—without any public disclosure.
Michael Geist argues that tech companies “aren’t bluffing and they aren’t misreading the bill”. He notes that the broader obligations, including mandated metadata retention and technical capability requirements, can be applied to ESPs under ministerial direction, subject only to an inadequately defined exception for systemic vulnerabilities. Geist also observes that the Canadian rules do not apply to US-based competitors and are limited or unconstitutional in much of Europe, raising the question of whether Canadian companies will simply relocate to avoid compliance.
What the Canadian Government Says
Public Safety Canada maintains that the proposal is narrowly tailored and includes robust oversight. The framework uses two routes for mandated capability development: core providers and Ministerial Orders, both subject to approval by the Intelligence Commissioner and reviewable by the courts. The government emphasizes that regulations would allow retention of prescribed metadata—not content, web-browsing history, or social media activity. The bill would also require a mandatory annual report and a public version within 60 days, plus a parliamentary review after three years.
The government’s position is that the bill targets specific judicial orders, not mass surveillance. But critics argue that the broad definition of ESPs and the vague exception for systemic vulnerabilities undermine these safeguards. If a company must develop a capability to decrypt communications for a specific suspect, that capability exists and can be misused or demanded for broader purposes. The government’s assurances about oversight and limitation do not address the fundamental architectural risk that encryption-breaking introduces.
Is Canada’s Bill C-22 Different From Other Countries’ Approaches?
Canada is not the first democracy to push for backdoor access to encrypted communications. The UK pursued similar demands through its Online Safety Bill and Advanced Data Protection discussions. Australia passed the Assistance and Access Act, which allows law enforcement to demand companies build decryption capabilities. The US has repeatedly called for backdoors, though it has not passed comprehensive legislation. Canada’s approach mirrors these efforts but with a broader definition of covered services and stronger secrecy provisions, making it one of the most aggressive encryption-access regimes proposed in a major democracy.
Could Tech Companies Leave Canada?
The threat of a tech exodus is real. If Bill C-22 encryption mandates become law, companies may choose to disable certain features for Canadian users, withdraw services, or relocate operations—just as Apple did with its Advanced Data Protection feature in the UK. A mass exodus would harm Canadian consumers and the domestic tech sector. Yet the government’s position suggests it believes the judicial oversight and limited scope of the bill make compliance feasible. The disconnect between what the government believes is reasonable and what tech companies say is technically dangerous remains unresolved.
What happens if Bill C-22 passes into law?
If the bill becomes law, digital service providers would have a defined timeline to develop lawful-access capabilities and comply with metadata retention rules. Companies would face pressure to either build backdoors, disable encryption for Canadian users, or exit the market. The government says judicial oversight and court review would prevent abuse, but the secrecy obligation means the public would not know how often these powers are used or whether they are being misused.
Does Bill C-22 affect only criminal investigations?
The government frames the bill as targeted at lawful investigations, but critics argue the broad definition of ESPs and the vague exception for systemic vulnerabilities mean the mandate could expand beyond criminal cases. The secrecy obligation prevents public scrutiny of how the powers are actually used, so there is no way to verify whether scope creep occurs.
How does Canada’s approach compare to the US and Europe?
Michael Geist notes that the Canadian rules do not apply to US-based competitors and are limited or unconstitutional in much of Europe. The US has pursued backdoor access through legislative proposals but has not passed a comprehensive mandate. Europe has resisted encryption backdoors more strongly, with courts and regulators skeptical of surveillance mandates. Canada’s Bill C-22 encryption proposal is more aggressive than most European approaches and broader in scope than current US law, positioning Canada as a leader in demanding encryption-breaking capabilities.
Canada’s Bill C-22 represents a fork in the road for democratic governance of technology. The government believes judicial oversight and narrow scope make the bill safe; tech companies and privacy advocates believe the definitions are too broad and the secrecy obligations too sweeping. The outcome will signal whether democracies can mandate encryption backdoors without destroying the security and privacy that billions of people depend on globally.
Edited by the All Things Geek team.
Source: TechRadar


