Canada is quietly pushing legislation that would force Apple, Meta, and other tech companies to build surveillance backdoors into their encrypted services—and both companies are now publicly opposing it.
Bill C-22, formally titled The Lawful Access Act, is a repackaged version of Bill C-2, which failed to advance last year after privacy advocates and the tech industry mounted fierce opposition. The new bill retains the same core threat to digital privacy while making minor tweaks designed to sidestep earlier criticism. For millions of Canadian users, the stakes are immediate: their encrypted messages, stored data, and location patterns could become accessible to law enforcement without the technical safeguards that currently protect them.
- The Backdoor Mandate: Bill C-22 gives Canada’s Minister of Public Safety power to demand surveillance backdoors in encrypted services used by millions.
- The Metadata Dragnet: All digital services would be required to record and retain user communication patterns for a full year.
- The Precedent Risk: Apple already withdrew encryption features from UK users in 2025 rather than comply with similar backdoor demands.
The bill’s mechanism is straightforward and alarming. It would require digital services—including telecoms, messaging apps, and potentially operating systems—to record and retain metadata for a full year. Metadata doesn’t contain the words of your messages, but it reveals something almost as intimate: who you communicate with, when you do it, and often where you are when you do it. The bill then goes further by giving Canada’s Minister of Public Safety the power to demand that companies create backdoors into their services, provided these backdoors don’t introduce what the legislation calls a “systemic vulnerability.”
Here’s the problem: that term is deliberately vague. The bill doesn’t clearly define either “systemic vulnerabilities” or “encryption,” leaving the government room to interpret the law expansively. Canadian officials have publicly stated they believe surveillance can be added to encrypted systems without creating systemic vulnerabilities, a claim that security researchers and the companies themselves reject outright. Encryption backdoors are, by definition, a systemic vulnerability because they weaken the barrier that protects everyone using that service.
Why Are Apple and Meta Fighting Back?
Apple and Meta aren’t alone in their alarm. The U.S. House Judiciary and Foreign Affairs committees sent a joint letter to Canada’s Minister of Public Safety highlighting the backdoor concerns. Both companies have explicitly stated that C-22 would give the Canadian government powers similar to those the UK government attempted to wield last year.
That UK precedent is instructive. In 2025, the British government demanded that Apple implement a backdoor into its Advanced Data Protection feature, which encrypts data stored in iCloud. Rather than comply, Apple revoked the feature entirely for UK users. Today, British users still cannot access this privacy-protective tool—a direct consequence of government pressure to weaken encryption. Both Apple and Meta fear C-22 would trigger the same outcome in Canada, forcing them to either build surveillance mechanisms or withdraw services and features from Canadian users.
- Companies would be banned from revealing backdoor demands to users
- One-year mandatory retention applies to all communication metadata
- No clear definition of “systemic vulnerability” in the legislation
The bill also includes a gag order: companies would be banned from revealing the existence of government backdoor demands. This means Canadian users would have no way of knowing whether their encrypted communications have been compromised by a government order, a transparency void that contradicts basic principles of informed consent.
What Happens When Backdoors Get Hacked?
The dangers of encryption backdoors aren’t theoretical. In 2024, the Salt Typhoon hack demonstrated exactly what happens when backdoor systems are built for “legitimate” purposes. Hackers exploited a system that Internet Service Providers had constructed to give law enforcement access to user data. Once a backdoor exists, bad actors will eventually find it. Building mandatory metadata storage systems creates additional targets for criminals and foreign adversaries, expanding the attack surface of surveillance infrastructure beyond what companies already face.
Research on encryption legislation consistently demonstrates the security risks of mandated access systems. Studies examining encryption and privacy regulations show how such requirements may compromise both national security and individual privacy protections, creating vulnerabilities that extend far beyond their intended scope.
Is This Just Bill C-2 in Disguise?
What makes C-22 particularly troubling is its resurrection after failure. Bill C-2 died in committee last year precisely because the privacy community and tech industry recognized its dangers. The government’s decision to repackage and reintroduce nearly identical legislation suggests a strategy of persistence rather than genuine reform. The minor tweaks are cosmetic; the core threat remains unchanged.
For Canadian users, the practical impact would be substantial. Your messaging apps, your location history, your communication patterns—all would be subject to longer retention periods and easier government access. If you use Apple’s iCloud encryption or Meta’s encrypted messaging, those protections could be systematically weakened. If the bill passes, Canada would join a small and troubling group of democracies actively demanding that tech companies build surveillance infrastructure into consumer devices.
- Bill C-22 directly contradicts established privacy-by-design principles
- Mandatory backdoors violate the principle of proactive protection
- Gag orders eliminate transparency and user control over personal data
The legislation fundamentally conflicts with privacy by design principles that have guided Canadian data protection policy for decades. These principles emphasize building privacy protections into systems from the ground up, rather than creating deliberate vulnerabilities for government access.
What’s Next for Canadian Digital Rights?
The bill is currently in early stages, but momentum matters. As it moves through Parliament, the privacy implications will become clearer—and the pressure on lawmakers to choose between security theater and actual digital rights will intensify. The question facing Canadian legislators is whether the theoretical law-enforcement benefits of backdoor access outweigh the documented risks of weakened encryption for millions of ordinary users.
The broader implications extend beyond Canada’s borders. If a major democracy successfully forces tech companies to implement backdoor systems, it creates precedent for authoritarian governments to make similar demands. The global nature of digital services means that surveillance capabilities built for one government can potentially be exploited by others, creating a cascade of privacy erosion that affects users worldwide.
