Several prominent technology companies and internet service providers are signaling a potential withdrawal of their services from Canada, citing serious privacy concerns over proposed legislation. The core of their objection lies in Bill C-22, which could mandate the retention of user metadata for up to a year and require companies to develop systems enabling law enforcement and intelligence agencies to access this information.
Privacy Under Threat from New Legislation
Encrypted messaging application Signal has been among the most vocal critics, with its vice-president of strategy and global affairs, Udbhav Tiwari, stating before a parliamentary committee that the bill, in its current form, risks turning everyday communication tools into a “sprawling, insecure surveillance apparatus.” Tiwari emphasized a stark choice: “If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave.”
Major tech players, including Apple and Google, have expressed similar anxieties. They contend that the bill could compel them to build or maintain capabilities that undermine or break encryption, potentially creating security vulnerabilities. These weaknesses, they warn, could be exploited by malicious actors, leading to widespread data breaches of the retained metadata.
Concerns Over Systemic Vulnerabilities
Michael Geist, a professor at the University of Ottawa specializing in internet law, explained that the legislation effectively seeks to embed government access within provider networks and devices. He noted the inherent conflict for companies aiming to uphold customer obligations and maintain system security through encryption. “They want to be able to provide assurances about privacy, and that becomes hard to do when you’ve got the government inserting itself into these systems,” Geist commented.
Bill C-22 proposes mandatory capabilities for designated “core” providers, typically large telecommunications and satellite companies. Additionally, the Public Safety Minister could issue orders requiring other providers to develop specific access capabilities, even without being classified as a core provider. Critically, these ministerial orders would not require judicial warrants, only approval from the intelligence commissioner, and providers are prohibited from disclosing their existence or content.
VPN Services Lead Exodus Threats
Virtual private network (VPN) providers are particularly vocal. NordVPN, a leading VPN service, publicly stated on social media that it would refuse to compromise its privacy and encryption standards if Bill C-22 passes as is. The company indicated it would “consider all viable options, including limiting or, if necessary, removing our presence from Canadian jurisdiction.”
Windscribe, a Canada-based VPN service, echoed these sentiments, declaring on social media that it would not comply with provisions that would undermine its service. The company stated, “Not happening. We’ll move HQ and take our taxes elsewhere.”
A spokesperson for DuckDuckGo, a privacy-focused browsing platform, confirmed that the company would “remove our VPN service” from Canada should the legislation proceed in its current form.
Avery Pennarun, CEO of Tailscale, a VPN provider headquartered in Toronto, suggested that the bill could necessitate operational changes to shield their European customers from Canadian employees or hosting services. “There would be a lot of business, like money that could be flowing into Canada, that would not be allowed to flow into Canada. We’d have to go do it somewhere else, and the profits would go elsewhere,” Pennarun explained.
Precedents and Encryption Risks
Executives from Apple and Google have also voiced concerns to the House of Commons public safety committee. They warned that the bill could force them to compromise their encryption standards. Apple previously ended its cloud-based data encryption services in the United Kingdom following a lawful access order from British authorities.
Jeanette Patell, director of government affairs and public policy at Google Canada, noted that the legislation might compel the company to break its own established practices by permitting law enforcement to bypass end-to-end encryption on its products. Meta, which has previously blocked Canadian news content over separate legislation, has also protested the bill, arguing it could force companies to build or maintain capabilities that weaken encryption or install government spyware.
All three companies have pointed out that while the bill includes provisions to challenge demands that introduce “systemic vulnerabilities,” the definition of such vulnerabilities is overly broad. Furthermore, they argue that essential terms like “encryption” are left for future regulation, and ministerial orders could supersede these regulations without a clear process for challenging problematic orders.
Government Signals Amendments
Public Safety Minister Gary Anandasangaree has indicated that amendments will be made to clarify that breaching encryption will not be permitted. However, he confirmed that the one-year metadata retention period would remain, stating it is crucial for effective investigations.
Meanwhile, an analysis of Bill C-22 by the Citizen Lab and the Canadian Civil Liberties Association called for the withdrawal of the metadata retention and ministerial order sections of the bill, describing them as “fundamentally flawed” and providing the government with excessive flexibility and minimal oversight.

