TempMail Ninja

Bill C-22 Faces Backlash: Tech Giants Warn Against Encryption Threats


The delicate equilibrium between state-sponsored surveillance and individual digital privacy has reached a critical flashpoint in Canada. As the House of Commons intensifies its debate over the proposed Lawful Access Act, colloquially known as Bill C-22, a coalition of the world’s most powerful technology companies, civil liberty organizations, and cybersecurity experts has issued a stark, united warning: the proposed legislation, in its current state, threatens to break end-to-end encryption and establish an unprecedented surveillance infrastructure. What began as a domestic policy push to modernize the investigative capabilities of law enforcement has quickly snowballed into a global debate over the future of cryptographic security and the limits of state power in the internet age.

The core tension of this legislative battle lies in a fundamental technical reality: encryption is mathematically binary. It is either completely secure, or it is not secure at all. As Canadian lawmakers scramble to catch up with the digital era, they find themselves locked in an ideological and technological stalemate with major tech firms including Apple, Google, and Meta, alongside privacy-first organizations like the Internet Society, OpenMedia, and the Canadian Civil Liberties Association (CCLA). While the government maintains that the bill is essential for national security, critics argue that the structural costs of the legislation are far too high, potentially compromising the digital safety of millions of users worldwide.

Understanding the Anatomy of Bill C-22: From Border Security to Digital Dragnet

To grasp the gravity of the current debate, one must first examine how Bill C-22 came to be. The legislation is actually a repackaged, slightly modified version of a highly controversial bill introduced in mid-2025: the Strong Borders Act (Bill C-2). Due to overwhelming backlash from the privacy and legal community, the omnibus legislation was eventually split. Its border-security elements were moved to Bill C-12, while its highly invasive lawful access provisions were isolated and reintroduced on March 12, 2026, as Bill C-22 by Public Safety Minister Gary Anandasangaree.

The proposed Lawful Access Act is divided into two highly consequential parts:

  • Part 1: Computer Search Warrants and Subscriber Information. This section empowers the Royal Canadian Mounted Police (RCMP), the Canadian Security Intelligence Service (CSIS), and other law enforcement bodies to obtain digital information more rapidly during investigations. Crucially, it includes warrantless powers that allow investigators to compel telecommunications providers to disclose whether a specific individual is a customer of their service—essentially a “yes or no” client confirmation—without prior judicial approval.
  • Part 2: The Supporting Authorized Access to Information Act (SAAIA). This is the most contentious portion of the bill. It establishes a broad legal framework requiring “electronic service providers” to design and modify their systems to facilitate the interception and retrieval of data for law enforcement. It also mandates that “core providers” retain user metadata, such as IP addresses and transmission logs, for up to one year.

The legal definitions within the SAAIA are exceptionally broad. An “electronic service provider” is defined to include almost any entity that creates, stores, processes, transmits, receives, or makes available digital information. This means the bill does not merely apply to traditional internet service providers (ISPs) and telecommunications conglomerates; it sweeps in operating systems, secure messaging applications, virtual private networks (VPNs), and localized developer networks like Tailscale, a global mesh VPN provider originally founded in Canada.

The “Backdoor” Trap: Why “Encryption Neutrality” is a Myth

The primary battleground of the parliamentary hearings on Bill C-22 is the preservation of end-to-end encryption (E2EE). E2EE ensures that data is encrypted on the sender’s device and can only be decrypted by the intended recipient. Not even the service provider operating the network has the cryptographic keys required to read the transmitted data. Under the current drafting of Bill C-22, the government claims the legislation is “encryption neutral” because it contains language stating that providers are not obligated to introduce “systemic vulnerabilities” into their products.

However, during testimony before the Standing Committee on Public Safety and National Security (SECU) on May 26, 2026, technology executives and cryptographers dismantled this defense. Erik Neuenschwander, Apple’s Senior Director of User Privacy and Child Safety, delivered a definitive engineering reality check: “Speaking as an engineer, we do not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in.”

Neuenschwander explained that requiring a company to bypass its own security controls to hand over encrypted content inherently forces the creation of a systemic vulnerability. In cybersecurity, there is no such thing as a “selective backdoor.” If a mechanism is engineered into an operating system or messaging protocol to allow state actors to bypass encryption, that mechanism becomes an immediate high-value target for sophisticated bad actors, organized crime syndicates, and hostile foreign intelligence agencies. To illustrate this point, Neuenschwander referenced the devastating 2024 Salt Typhoon cyberattacks, where state-sponsored threat actors successfully exploited systemic interception points that had been built into U.S. telecommunications networks under American lawful access laws. “That law was narrower than Bill C-22,” he warned. “So imagine what could happen if more companies were required to create these vulnerabilities.”

Secret Ministerial Orders and the Loss of Public Transparency

Beyond the immediate destruction of cryptographic protocols, Bill C-22 introduces an unprecedented governance model that bypasses traditional judicial oversight. Under the SAAIA, the Public Safety Minister is granted the authority to issue confidential ministerial orders (MOs) directly to electronic service providers. These orders can compel companies to build specific interception capabilities, test devices, or install surveillance-enabling equipment within their architecture.

While the government points out that these ministerial orders must be reviewed by the Intelligence Commissioner—a quasi-judicial oversight body—the execution of these demands remains cloaked in deep state secrecy. The bill includes draconian confidentiality and non-disclosure obligations, explicitly prohibiting companies from revealing to their users, the media, or the general public that they have received a ministerial order.

Testifying at the same House committee hearings, Jeanette Patell, Google’s Director of Government Affairs and Public Policy in Canada, warned that these secret data-access orders pose a severe risk to global digital trust. She emphasized that such secret orders “are out of step with other democratic countries and would severely restrict companies’ ability to be transparent with users about how their data is protected.” Because Google operates global cloud infrastructure, forcing secret surveillance mandates in Canada could weaken the user privacy and cybersecurity postures of customers globally, making systems vulnerable to foreign interference.

The “Nuclear Option” and the Threat of Digital Market Flight

The legislative overreach of Bill C-22 has pushed tech giants and privacy-first organizations to consider extreme countermeasures. In the realm of privacy advocacy, this is known as the “nuclear option”: completely disabling secure communication features or exiting the Canadian market entirely rather than compromising global codebases.

This is not an idle threat. In 2023, Apple stood firm against the United Kingdom’s proposed updates to the Investigatory Powers Act, threatening to disable services like iMessage and FaceTime in the UK rather than deploy client-side scanning or encryption backdoors. During the Canadian hearings, when asked directly if Apple would withdraw its secure messaging services from Canada if forced to build a backdoor, Neuenschwander did not dismiss the possibility, stating, “I can’t speculate what would happen in that situation… Through this engagement and the continued dialogue, we hope to have positive amendments made to the bill.”

Meanwhile, highly secure platforms like Signal and various top-tier VPN providers have been even more vocal. These companies operate on a strict “zero-logs” and end-to-end encrypted architecture. Because their entire business model relies on absolute, uncompromised security, they cannot comply with Canadian metadata retention mandates or backdoor orders. If forced to choose between breaking their encryption globally or leaving Canada, these platforms will choose the latter, leaving Canadian citizens without access to secure, privacy-preserving tools and severely damaging Canada’s reputation as a safe hub for digital innovation.

The Government’s Strategic Retreat: Anandasangaree Promises Amendments

The overwhelming cascade of criticism from tech giants, academic experts, and the public has forced the Liberal government into a swift defensive posture. On May 27, 2026, just one day after the intense parliamentary committee hearings, Public Safety Minister Gary Anandasangaree announced that the government would officially propose key amendments to the bill.

Anandasangaree told reporters that the upcoming amendments would aim to:

  1. Explicitly safeguard end-to-end encryption protocols, adding legal clarity to ensure that companies are not forced to break encryption or deploy backdoors.
  2. Tighten and clarify definitions around metadata, ensuring that the retention requirements do not inadvertently mandate the collection of web-browsing histories, social media activities, or actual message contents.
  3. Align the encryption language more closely with legislative frameworks utilized by G7 and Five Eyes allies, specifically the United States.

Despite these concessions, the Minister remained unyielding on the core necessity of the bill, stating that Canada is currently the only G7 nation without a modernized, comprehensive lawful access regime. He actively pushed back against Big Tech’s narrative, accusing companies of spreading “misinformation” regarding the bill’s intent. “Let me be absolutely clear. There are no backdoors available through this bill,” Anandasangaree asserted, questioning the credibility of tech firms on privacy. “The companies that are coming forth and talking about privacy protection and vulnerabilities better step up and provide their path to how they’re protecting the privacy rights of Canadians.”

The Path Forward: Navigating a Flawed Balance

The government’s sudden willingness to amend Bill C-22 is undoubtedly a tactical victory for privacy advocates and technology companies. However, deep skepticism remains. Legal scholars like Michael Geist have noted that the parliamentary committee hearings have been chaotic and rushed, leaving little time to thoroughly vet the intricate technological implications of the proposed changes. Furthermore, even if the government explicitly carves out end-to-end encryption, the broader mandates of the SAAIA—including the massive storage of user metadata and the potential for secret ministerial decrees—still lay the groundwork for a highly centralized surveillance apparatus.

As the legislative battle over Bill C-22 moves into its next phase, the fundamental question remains unanswered: can a democratic state ever truly balance the investigative needs of national security with the absolute mathematical requirements of modern cybersecurity? For now, the tech giants have held the line in Ottawa. But in the global chess match of digital rights, this is merely one move in a much larger, ongoing war over who holds the keys to our digital lives.


Written by TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.