A group of privacy-focused technology companies has warned it could withdraw services from Canada if the latest version of Bill C-22 is enacted, escalating tensions with the federal government over user metadata collection and potential encryption backdoor requirements.
The legislation would require a range of digital services, including internet providers, messaging platforms, email companies, and possibly hardware vendors, to retain user metadata for up to one year. Companies would also be expected to provide lawful access to that information for criminal investigations, a requirement critics view as an effective backdoor.
During testimony before a House of Commons committee, Signal executive Udbhav Tiwari argued that Bill C-22 could turn everyday online services into surveillance tools. He said forcing companies to keep communication metadata goes against the privacy principles Signal is built on.
A spokesperson for DuckDuckGo confirmed that the company would remove its VPN service from Canada if the bill passes. NordVPN and other VPN providers have made similar statements.
Apple and Google have joined other technology companies in warning that the legislation could undermine encryption protections. Their concerns follow Apple’s successful challenge to a similar proposal in the United Kingdom last year, which would have required the company to create access mechanisms for iCloud. The dispute was the latest chapter in Apple’s long-running battle with regulators over privacy and security.
Privacy groups have cited past security incidents as evidence that backdoor mechanisms can create new vulnerabilities. OpenMedia referenced a late-2024 attack involving hackers linked to the Chinese state who compromised lawful-intercept systems and accessed sensitive information from major telecom providers. The organization argues that any access mechanism built for government use could ultimately be exploited by unauthorized parties.
Public Safety Minister Gary Anandasangaree said last week that the government plans to amend Bill C-22 to ensure digital service providers are not forced to weaken or bypass encryption. The proposed changes, however, would leave the bill’s metadata retention requirements intact.
Questions about access to encrypted communications have resurfaced after a recent dispute involving Microsoft. A security researcher claimed the company built a backdoor into BitLocker and then tried to discourage them from speaking publicly about it. After details of the exploit became public, Microsoft released a fix, though it did not address whether the flaw was intentional.
Maybe you would like other interesting articles?