A federal bill that would compel electronic service providers to build government access capabilities into their systems is moving through Parliament with less public scrutiny than it deserves. Bill C-22, framed as lawful-access modernization, would do more than update police powers for the digital age - it would authorize secret technical-access orders, compelled assistance from technology companies, and broad metadata retention that touches the daily lives of people who have never been suspected of anything. The case against it is not about shielding wrongdoers. It is about whether the architecture of digital life in Canada should be redesigned around surveillance infrastructure that creates as many dangers as it resolves.
What the Bill Actually Proposes
There is a meaningful distinction between giving police the ability to obtain specific evidence in a specific investigation - with judicial authorization and clear legal thresholds - and requiring companies to build standing access capabilities before any investigation exists. Bill C-22 pursues both. Part 2, the more troubling half, would authorize the government to order electronic service providers to build access infrastructure, retain metadata, and assist authorities in ways that go well beyond responding to a lawful warrant.
Metadata is not a technical abstraction. It is a record of where a person travels, who they contact, at what hours, how often, and through which services. Accumulated over time, metadata reveals health conditions, religious practice, political association, financial stress, and intimate relationships - often more reliably than the content of communications themselves. Requiring companies to retain it at scale, across a population of people not under suspicion, is not targeted policing. It is the construction of a standing surveillance layer.
The government has stated that Bill C-22 will not require encryption backdoors. That commitment should be written into the law itself, clearly and without ambiguity. A policy assurance that does not appear in the statutory text offers little protection when an administration changes, an order is issued, or a court is asked to interpret the scope of compelled-assistance powers.
Lessons From Allies Who Went First
Canada is not operating in a vacuum. Two cautionary examples from close allies have already demonstrated the real-world consequences of this kind of legislation.
In the United Kingdom, secret technical-access powers reportedly prompted Apple to withdraw its strongest iCloud encryption option from new users in that market rather than build a mechanism for government access into its systems. Users lost protection. Apple lost nothing it could not afford to lose. The people who bore the cost were ordinary consumers whose data became less secure as a direct result of the law.
In the United States, the Salt Typhoon cyberattack - attributed to a foreign state actor - reportedly compromised systems that American telecom companies had built specifically to support lawful wiretap requests. The access infrastructure created for legitimate law enforcement became the entry point for hostile foreign intelligence. The lesson is not that lawful access is always wrong. The lesson is that building dedicated access points into communications infrastructure creates attack surfaces that adversaries, not only investigators, will eventually find and exploit.
Canada faces the same risk. A surveillance system is a target. The more comprehensive and technically deep that system is required to be, the more valuable it becomes to anyone - foreign state actors, criminal organizations, opportunistic attackers - who wants access to Canadian communications at scale.
The Cybersecurity Cost of Forced Access
Encryption is not a feature that governments can selectively disable for bad actors while leaving it intact for everyone else. It is a mathematical property of the systems that protect banking transactions, medical records, legal correspondence, journalistic sources, and critical infrastructure. When a government compels a company to maintain a mechanism for bypassing encryption - whatever that mechanism is called - it weakens the protection for every user, because the mechanism itself can be found, stolen, or misused.
Major technology companies and encrypted-communications providers have been explicit: forced access requirements may lead them to remove secure features from their Canadian offerings or exit the Canadian market entirely rather than compromise protections they have built into their global infrastructure. That outcome would leave Canadians with less security than residents of countries whose governments did not pursue these powers. It would make the country a less attractive destination for privacy-dependent industries, including healthcare technology, legal services, and financial platforms that depend on end-to-end confidentiality.
The irony is direct. A bill presented as making Canadians safer could reduce the baseline security of Canadian digital life while doing little to impede determined criminal actors, who will move to platforms outside Canadian jurisdiction the moment domestic ones are compromised.
What Parliament Should Do
Lawful investigations deserve robust legal support. Police should be able to obtain communications evidence, subscriber information, and technical assistance through proper judicial processes with meaningful oversight. None of that requires Part 2 of Bill C-22 as currently drafted.
Parliament should, at minimum, amend the bill to address the following:
- A clear statutory prohibition on encryption backdoors, not merely a ministerial statement
- The removal or strict limitation of blanket metadata retention requirements
- Raised thresholds for access to subscriber information, requiring judicial authorization rather than administrative demand
- Mandatory transparency reporting so Canadians can know, in aggregate, how these powers are being used
- Independent oversight with genuine authority, not advisory review after the fact
The stronger position - and the one that takes the full risk picture seriously - is to delete Part 2 entirely and return to Parliament with legislation that addresses law enforcement needs without building a permanent surveillance infrastructure into the foundations of Canadian digital life. Privacy and public safety are not opposing values that must be traded against each other. The assumption that they are is what makes legislation like this feel inevitable when it is not.
