What Canada's Bill C-22 Actually Requires
Here's the thing about government surveillance proposals — they rarely come out and say "we want to spy on you." They use softer language. "Lawful access." "Metadata retention." "Criminal investigations." But when you strip away the framing, Canada's latest version of Bill C-22 is asking for something pretty significant.
The bill would require digital services — internet service providers, messaging platforms, email providers, and potentially even hardware companies — to hold onto up to one year of user metadata. And it doesn't stop there. Companies would also need to build mechanisms that let authorities pull that information whenever a criminal investigation calls for it. Critics aren't mincing words about what that actually means: it's a government-mandated backdoor, dressed up in legal language.
Why Signal, DuckDuckGo, and NordVPN Are Pushing Back Hard
When Signal executive Udbhav Tiwari testified before the House of Commons Standing Committee on Public Safety and National Security, he didn't pull punches. His argument was direct — requiring companies to retain metadata about users' communications doesn't just conflict with Signal's privacy model. It turns ordinary digital tools into pieces of a surveillance network. That's a pretty stark image, but it's the one he wanted lawmakers sitting with.
DuckDuckGo went further than words. A company spokesperson confirmed it would pull its VPN service from the Canadian market entirely if Bill C-22 passes. NordVPN and other VPN providers said much the same. And Apple and Google joined the chorus of industry warnings, arguing the legislation could force them to weaken encryption for their users.
None of this is empty posturing, either. Apple already proved it was willing to fight these battles when it successfully pushed back against a nearly identical proposal in the United Kingdom — one that would have required a backdoor built directly into iCloud. That fight set a precedent, and companies are clearly prepared to have it again.
The Core Security Argument Against Metadata Backdoors
Okay, so why does this matter beyond privacy? Because the concern isn't just about governments reading your messages. It's about what happens when a backdoor exists at all.
The argument — and it's a solid one — is that any digital backdoor designed for law enforcement will eventually be found and exploited by someone else entirely. OpenMedia, which has called C-22 an attempt to build a surveillance state, pointed to a real-world example that happened in late 2024: Chinese state-backed hackers broke into government-mandated police wiretap systems and used that access to steal sensitive data from AT&T, Verizon, Lumen Technologies, and other major telecom providers. That's not a hypothetical. That's exactly what critics say will happen when you engineer vulnerability into infrastructure by design.
You build the door. Someone else finds the key.
The Government's Response and Where C-22 Stands
Public Safety Minister Gary Anandasangaree stepped in last week to address at least part of the backlash. He said Bill C-22 will be amended so that digital service providers won't be required to actually break encryption. That's something. But the metadata retention requirement — the part that kicked this whole conversation off — stays in.
So companies won't be forced to decrypt your messages. They'll just be forced to keep records of who you talked to, when, and how often. For privacy advocates and security-focused companies, that distinction doesn't move the needle much.
A Pattern Bigger Than Canada
It's worth zooming out for a second. This isn't an isolated incident. Governments have been trying to build access points into digital infrastructure for years, with varying degrees of success. The UK iCloud fight. Ongoing tensions between Apple and regulators over device encryption. And just recently, a security researcher publicly accused Microsoft of deliberately introducing a backdoor into its BitLocker encryption system — and then attempting to quiet the researcher after they raised the alarm. Microsoft released a fix after the exploit went public, but stopped short of confirming whether the vulnerability was intentional.
The pattern is there. And each time it surfaces, the same tension plays out: governments want access, companies say no, and users are caught somewhere in the middle wondering how much of their digital life is actually private.

