dontsurveil.me 01
← All Announcements Threat vectors Act
01

Bill C-22  •  Canada  •  May 2026

For the last decade, your messages have had a lock on them.

Only you, and the person you're talking to, hold the key. Not the app. Not the company. Not the government. You probably don't think about it. That's the whole point — it just works.

Until, possibly, the end of this summer.

What Bill C-22 would do

Every messaging app in Canada would be required to build a second key.

With Bill C-22, the government would hold the copy. The lock you trust would no longer be a lock only you can open. It would be a lock the locksmith was ordered to duplicate.

The paradigm shift

Today

Only you have the key.

  • Even the app's own engineers can't read your messages.
  • If a court demands the content, Signal has nothing to hand over.
  • A hacker who breaks in finds noise, not your conversations.
If Bill C-22 passes

A copy of the key must exist.

  • The provider must build a way in, even when they don't want to.
  • A court can demand the content. The provider must comply or be fined.
  • A hacker who finds the way in walks through it. It has happened.
Photo for Why this is about you

Why this is about you

It touches almost everything you do online.

It's tempting to read a bill called "Lawful Access" as something that affects other people. In practice, the architecture it would build sits inside the apps and services you use every day.

If you text family or friends

Every message you send through Signal, iMessage, WhatsApp, or Messenger becomes legally reachable. Today, the company can't read them. Under this bill, it would be required to be able to.

If you message a doctor or therapist

The confidentiality you assume when texting your clinic, scheduling a sensitive appointment, or messaging through a patient portal relies on the same encryption this bill weakens. Health-care apps are in scope.

If you talk to a lawyer

Solicitor-client privilege depends on confidential communication. End-to-end encryption is how that promise gets enforced in practice today. A backdoor doesn't recognize privilege.

If you're a journalist or source

Source protection becomes structurally harder. A backdoor doesn't distinguish between a whistleblower exposing corruption and a leak of state secrets. Both flow through the same compromised channel.

If you organize, protest, or dissent

Activist coordination, advocacy work, and political organizing all rely on private communication. Surveillance burdens historically fall hardest on already-policed communities. This bill continues that pattern.

If you run a small business

"Electronic service provider" is defined broadly — your SaaS, your booking system, even a small clinic's patient portal can fall in scope. Some orders come with gag clauses. None come with funding.

If you cross borders

Once Canada builds this framework, foreign governments can request data through mutual legal assistance treaties. Your data — including data created entirely within Canada — becomes reachable by states whose privacy norms differ from yours.

If you're escaping harm

Survivors of intimate-partner violence and stalking often rely on encrypted messaging to coordinate with shelters, lawyers, and family without being tracked. A mandated way around encryption doesn't ask who's looking — it opens the door for whoever finds it.

We already know how this ends

In 1994, the United States passed a law just like this. Phone companies were required to build a second key into their networks.

For thirty years, it sat there. Working as intended.

Then, in 2024 —

stolen.

A hacking group linked to the Chinese state walked through the lawful-access infrastructure of every major U.S. phone carrier.

They listened to calls. They read texts. They watched the data of presidential campaigns.

They were inside for months before anyone noticed.

The copy was the door.

The attack is called Salt Typhoon. Afterwards, Canada's own Centre for Cyber Security joined twelve other governments' cybersecurity agencies in formally recommending more encryption, not less.

What this bill does, by threat vector

What this bill actually compromises.

Bill C-22 isn't a single law doing a single thing — it crosses multiple distinct categories of digital surveillance. Tap any vector to see the plain-language explanation and the specific bill section where it lives.

01 Encryption mandates The state forces providers to build a way around end-to-end encryption.
Plain

The Minister of Public Safety can order any designated "core provider" to build the operational and technical capability to give state actors access to user information — even when that information is end-to-end encrypted. There's a "systemic vulnerability" safeguard, but Meta, Apple, Signal, and NSIRA all say it's inadequate because the Governor in Council retains unilateral authority to define what counts as a "systemic vulnerability."

Bill

Part 2 — Supporting Authorized Access to Information Act, §§ 5–14. See especially s. 7 (Ministerial orders) and s. 14 (Obligation to assist).

Source

Bill C-22 — full text (Parliament of Canada)

Actions
  • PoliticalSign the OpenMedia letter. Email your MP before second reading. Push committee for explicit "no backdoor" language in s. 7.
  • PersonalMove sensitive conversations to Signal (the Signal Foundation has said it would leave Canada rather than comply). Turn on iCloud Advanced Data Protection.
  • CollectiveBack OpenMedia, CCLA, and CIPPIC — they're carrying the legal and lobbying load.
02 Bulk metadata retention Providers must keep records of who-talked-to-whom for up to a year, on everyone.
Plain

Tucked into Part 2, a clause authorizes the government to require providers to retain broad categories of metadata — including transmission data — for up to one year. On everyone, regardless of suspicion. Even data providers don't currently collect for their own business purposes.

New in C-22. This retention provision was added in C-22 — it wasn't in the predecessor Bill C-2. So C-22 isn't just a carve-out of C-2's lawful access content; on metadata, it's an expansion. (Geist, March 2026.)

Michael Geist calls blanket metadata retention "one of the most privacy-invasive tools a government can deploy" — the patterns it captures (who you called, when, from where, with what device) are often more revealing than what was said. The EU struck down equivalent rules in 2014 as disproportionate.

Bill

SAAIA s. 5(2)(d) — authority for the Governor in Council to make retention regulations covering "categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year."

Source

CTA brief to committee, recommendation 3(b)

Actions
  • PoliticalDemand SAAIA s. 5(2)(d)'s one-year retention authority be struck or sharply scoped at committee. Cite the 2014 EU Data Retention Directive ruling as precedent.
  • PersonalUse messengers that minimize metadata (Signal logs almost nothing). Turn on disappearing messages.
  • CulturalMake the metadata-vs-content distinction visible — "we don't read your messages" doesn't mean "we don't know who you talk to."
03 Cross-border data sharing Canadian courts can compel foreign providers to hand over Canadian users' data.
Plain

A new provision lets Canadian courts authorize peace officers to make production requests to foreign entities that provide telecommunications services to Canadians. The extraterritorial reach matters: it ties into the in-progress CLOUD Act conversation between Canada and the U.S., and it means a Canadian subpoena now points at servers outside Canada.

Bill

Part 1, new Criminal Code s. 487.0181 — Application for transmission data or subscriber information held by foreign entity. Threshold: reasonable grounds to suspect.

Why this is its own vector

It's not just data retention — it's the legal architecture for reaching outside the country. Authoritarian governments cite frameworks like this in their own debates.

Actions
  • PoliticalPush to raise s. 487.0181's "reasonable suspicion" threshold to "reasonable belief." Insist any Canada–US CLOUD Act executive agreement goes through Parliament before signing.
  • PersonalChoose providers in jurisdictions with stronger data protection where you can — Swiss or German hosting for sensitive material.
  • EducationalTrack quiet bilateral agreements your government is negotiating. Most never make the news.
04 Platform compulsion Providers can be forced to comply — and forbidden from telling anyone.
Plain

Three mechanisms working together: (1) the "Obligation to Assist" requires designated providers to comply with any order issued under SAAIA; (2) the "Prohibition on Disclosure" makes it illegal for a provider to disclose the existence or contents of an order — sometimes for up to a year; and (3) the new voluntary-disclosure safe harbour shields providers from civil and criminal liability if they hand over data without an order at all. Together: compelled assistance, compelled silence, and incentivized voluntary handover.

Bill

SAAIA ss. 14 (Obligation to assist), 15 (Prohibition on disclosure). Criminal Code s. 487.0195 as amended by C-22 cl. 11 (voluntary-disclosure liability shield). Criminal Code s. 487.0121 (Confirmation-of-service demand, with non-disclosure conditions up to one year).

Source

Meta brief, recommendations 3 and 5

Actions
  • PoliticalDemand sunset clauses on gag-order durations. Push for a mandatory transparency-report requirement so providers can publish aggregate order numbers.
  • PersonalUse providers with strong track records of resisting unlawful orders. Watch for sudden shutdown notices as red flags (Lavabit, ProtonMail letters).
  • CollectiveBack journalism that exposes secret order regimes — Citizen Lab, the Guardian, the NYT national-security desk.
Photo for On the record

On the record

A row of no's you don't usually see line up together.

Apple

"We will never insert backdoors."

Reuters · May 2026
Signal

"We'd rather pull out of Canada than compromise our users' privacy."

Globe & Mail · 2026
Meta

"Sever Part 2 from this bill. It is unworkable as drafted."

Brief to committee · May 2026
NSIRA

"Under this bill, we cannot do our job."

Canada's own oversight body · April 2026
U.S. Congress

"Providers will inevitably face directives to weaken encryption."

House Judiciary & Foreign Affairs chairs
NordVPN

"There isn't a scenario in which we would compromise our no-logs architecture or encryption protections."

Globe & Mail · May 2026
Windscribe

"VPNs cannot operate if they are forced to retain information on the people who use their networks."

Toronto-based · May 2026
Internet Society

"We need more tools to protect ourselves online, not less."

Keep Canada Protected · 2026
CCF

"Bill C-22 puts at risk Canadians' fundamental right to privacy under Section 8 of the Charter."

Canadian Constitution Foundation · 2026

The institutions opposing this bill include the government's own national security review body, every major messaging company in Canada, the two largest VPN providers (one of them Toronto-based), and the chairs of two U.S. House committees. There is no institutional brief on the public record defending Part 2 — apart from the government itself.

How we got here

This effort to compromise our digital life has been coming for fourteen years.

The same content has appeared three times. It has been defeated twice. Today, it is at parliamentary committee — the last realistic window in which it can be changed.

2012

Bill C-30. The federal "Protecting Children from Internet Predators Act" proposes warrantless access to subscriber information. Withdrawn after public backlash.

Jun 2025

Bill C-2 (Strong Borders Act). The lawful-access content reappears, buried as Parts 14 and 15 of an omnibus border bill. Stalls.

Sep 2025

NSICOP Special Report on Lawful Access. A committee of MPs and senators with top-secret clearance publishes a 100+ page review of Canada's existing lawful-access powers. The report becomes the intellectual scaffolding for the bill that lands six months later.

Oct 2025

Bill C-12. The border parts are reintroduced without the lawful-access sections. Eventually becomes law in March 2026 — without them.

Mar 12 2026

Bill C-22 introduced as a standalone lawful-access bill. First reading.

Apr 20 2026

Second reading passes. Bill referred to the Standing Committee on Public Safety and National Security (SECU).

May 7 2026

Most recent committee meeting. NSIRA, Meta, the Canadian Telecommunications Association, the Internet Society have all filed briefs.

Today · May 15

Committee is reviewing written briefs (NSIRA, Meta, CTA, Internet Society, others) and hearing witnesses. Clause-by-clause review hasn't started yet — meaning the bill text is still open to amendment. This is the window in which the bill can still be changed.

Late May

More witness hearings. SECU's witness list is partially public; the rest is set by the chair (Hon. Jean-Yves Duclos). Civil society organizations, cryptographers, and additional industry voices are still being scheduled. Written briefs continue to be accepted.

Early Jun est.

Clause-by-clause review. Members go through the bill line by line and vote on amendments — every party can propose them. This is the last realistic moment to add specific protections, such as a hard statutory bar on encryption-breaking orders.

Mid-Jun est.

Committee reports back to the House. Report-stage debate. Final amendments by motion. Third reading vote in the House of Commons.

Late Jun

Senate referral, if the House passes it. The Senate runs its own committee study and three readings. Historically, the Senate has been a meaningful check on lawful-access legislation. Could move fast or slow the bill considerably.

After

Royal assent, if both chambers pass it. The bill becomes law. The Minister can begin issuing technical-capability orders within weeks. After this point, the politics is over — the fight moves to the courts.

Committee's end date isn't publicly announced. Based on the government's stated timeline — passage before Parliament rises for next major committee milestone (around May 27) — committee study most likely wraps in late May or early June. Check LEGISinfo for current status.

Time is running out

The window to influence this outcome is closing.

Days
Hours
Minutes
Seconds

By this date, the committee studying the bill is expected to finish hearing witnesses. In early June, MPs will go through the bill line by line and vote on changes — the last realistic chance to alter what it says. After that, the bill goes back to the full House of Commons, where changing it becomes much harder.

Photo for If this passes

If this passes

Here's what happens after the vote.

A bill becoming law isn't a single moment of change — it rolls out in stages. Some consequences hit immediately. Others compound over years. Together, they're what's actually being decided right now.

01 The first days

The Minister gains a new pen, and a list of recipients we can't see.

Within weeks of royal assent, the Minister can begin issuing technical-capability orders to electronic service providers. Some orders are public. Some are classified — even the existence of an order can be a state secret. The first round will likely go to the big providers most Canadians use every day. Smaller services will not be told they're next until they are.

02 The first year & the court fight

Providers comply, leave, or fight in court.

Apple has said publicly they will not comply. Signal has said they will leave. WhatsApp's parent company has said the technical demands are unworkable. Smaller Canadian SaaS companies — most of which can't afford a Charter challenge — will face the hardest choice. Litigation will take years. During those years, the orders are still in force.

Lawyers expect this bill to be challenged under Section 8 of the Charter — your right against unreasonable search. But that challenge happens after the law is in force. By then the backdoors are built, the metadata is being collected, and orders are going out. Untangling that in court can take years.

03 The first hack

It has happened before.

The capability built for police becomes the capability that gets stolen. Three confirmed cases of mandated lawful-access infrastructure being breached, across three decades:

  • 2005 The Athens Affair. Unknown attackers compromised the lawful-intercept system mandated in Vodafone Greece's network. The Greek Prime Minister and roughly 100 senior officials had their calls monitored for almost a year before anyone noticed.
  • 2010 Operation Aurora. Chinese state-linked attackers breached Google's internal compliance system — the same portal used to respond to lawful U.S. government data requests — and read the Gmail accounts of dissidents and journalists.
  • 2024 Salt Typhoon. A Chinese state-linked group walked through the CALEA-mandated lawful-intercept infrastructure of every major U.S. phone carrier. Months of calls and texts. Presidential campaigns. Members of Congress.

Three countries. Three decades. Three different attackers. The same architectural decision in every case. The same outcome. Canada's smaller providers will not have better security than the systems that have already failed.

04 Years out

The vulnerability becomes someone else's law, too.

Once Canada has the framework, foreign governments can request data through mutual legal assistance treaties. Authoritarian governments cite the Canadian precedent for their own laws. Companies operating in Canada either accept the same architecture globally, or build a two-tier product where Canadian users get the weaker version.

The U.K.'s Investigatory Powers Act has been in force since 2016 — and in 2025, the Home Office used it against Apple's Advanced Data Protection. Apple withdrew the feature from the U.K. rather than weaken it. Australia's Assistance and Access Act, passed in 2018, is the broadest comparable framework in the Five Eyes; civil society and industry have spent six years documenting its harms. These are not cautionary stories from elsewhere. They are the architecture Canada is about to copy. We are deciding whether to join them.

How to push back

Protect your privacy.

What committee members are watching is the breadth of opposition — whether it's coming from many directions at once. Pick whichever fits your time and inclination. They all matter.

Start here · 15 minutes

Email your MP. Tell them to vote against Part 2.

The single highest-leverage move you can make right now. Especially if your MP sits on the Public Safety committee — they're the ones reviewing the bill this week. One paragraph, in your own words, mentioning that you're a constituent.

Find your MP →

Other ways to be heard, in parallel:

Political

Add weight to the political path.

  • Sign an open letter 5 minutes

    Adds your name to the OpenMedia campaign. Volume signals scale even if individual letters land harder.

  • Submit a brief to SECU 30 minutes

    Written briefs are still being accepted at committee. Even a one-page letter on the public record adds to what MPs see during clause-by-clause review.

Personal

Defend your own communications.

  • Use Signal 2 minutes

    The strongest end-to-end encrypted messenger. Open-source, independently audited, free, works on every platform. Move sensitive conversations there.

  • Audit your phone's defaults 15 minutes

    Disable ad tracking. Turn on encrypted backups. Limit which apps can read your contacts, location, mic, and camera. Most of the surveillance footprint on your phone is in defaults you never chose.

  • Choose open alternatives 30 minutes

    Migrate off closed platforms whose business model is harvesting you. Signal over WhatsApp. Firefox over Chrome. Proton or Tuta over Gmail. Open-source tools are auditable, community-built, and structurally harder to silently compromise.

Collective

Move with others.

  • Join a live Q&A 1 hour

    Hear directly from people working on this. Ask questions. Find out what's happening at committee right now, from people who are there.

  • Support digital-rights organizations 5 minutes

    OpenMedia (Canada), EFF, Internet Society, Citizen Lab — the orgs litigating, lobbying, and researching this fight need ongoing support.

  • Share the PSA + media pack 5 minutes

    Most Canadians likely don't know this change is happening. The media pack has pre-written social copy, posters, talking points, FAQ, and templates — built for activists, organizers, journalists, and educators who want to share this resource.

Upcoming events

Hear from the people working on this.

Live conversations with researchers, advocates, and organizers tracking Bill C-22. Ask questions. Find out what's happening at committee right now, from people who are there.

Upcoming

Bill C-22 on Lawful Access (or I'll be Watching You)

Hosted by Goodbot. A live session covering what's in the bill, where it stands in Parliament, and what's effective to do right now. Open to anyone.

RSVP on Lu.ma →

More events coming soon. Hosting one or know of one?

Photo for Community board

Community board

Explore the landscape of related activity.

Know an effort related to this? An article worth reading? A related campaign in your country? The opposition is scattered across blogs, briefs, and inboxes. This is where it lives in one place.

Organizations

  • OpenMediaCanadian digital-rights advocacy
  • Citizen LabUniversity of Toronto · research
  • CCLACanadian Civil Liberties Association
  • CIPPICU. of Ottawa public interest clinic

Reading

Related efforts

Have a resource to suggest — an org, a piece of reading, a related effort? Send it in →

Media pack

Share this anywhere.

A briefing kit, not just assets: one-pager, talking points, FAQ, plus posters and pre-written templates. Free to use.

When posting on social, tag with #cdnpoli and #BillC22 so it reaches the right audience.

PDF One-page brief What the bill does, in four minutes PDF Talking points For interviews, panels, op-eds PDF FAQ with rebuttals The pushback you'll hear, and the answers MD Research pack Sources, citations, committee briefs — all linked PDF Poster — "second key" 11×17, ready to print PNG Social card 1200×630 · OpenGraph format TXT Pre-written social copy Tweet, IG caption, LinkedIn — ready TXT Email-to-MP template Drop your MP's name, hit send TXT Press one-liner & boilerplate For journalists and editors

For journalists

Who can speak to this on the record.

A short list of informed people, projects and organizations likely available for contact. If you're working on a piece and need someone who can speak to a specific angle, start here.

Michael Geist

Canada Research Chair in Internet Law · U. of Ottawa

Speaks toLegal & policy analysis, comparative law, internet regulation, the Online News Act parallel

media@uottawa.ca EN / FR

Robert Diab

Professor of Law · Thompson Rivers University

Speaks toCharter rights, metadata retention regimes, comparative Five Eyes analysis

media@tru.ca EN

OpenMedia

Digital-rights advocacy · Vancouver

Speaks toCivil society framing, public engagement, the campaign coalition

media@openmedia.org EN / FR

Citizen Lab

Munk School · University of Toronto

Speaks toTechnical research on surveillance, encryption analysis

info@citizenlab.ca EN

CIPPIC

Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Speaks toStatutory analysis, Charter challenges, public interest litigation

cippic@uottawa.ca EN

CCLA

Canadian Civil Liberties Association

Speaks toCivil liberties framing, historical context (Bill C-30), advocacy

media@ccla.org EN / FR

Photo for Sources / Receipts

Sources / Receipts

Every claim on this page traces back to a primary document. Open any of them and verify for yourself.

The bill

In the parliamentary record

Companies & officials on the record

Expert analysis

Civil society & advocacy

Know a source we should add — a brief, a piece of analysis, a primary document? Suggest a resource →