Last year's attempt to erode Canadian digital rights, **Bill C-2**, faced significant backlash and failed to reach committee. Now, **Bill C-22**, aka The Lawful Access Act, is making a similar attempt. ### Key Concerns with Bill C-22 Like its predecessor, Bill C-22 retains many of the same problematic elements. The bill mandates that digital services, including telecoms and messaging apps, record and retain **metadata** for a full year. It also expands information sharing with foreign governments, including the United States. This expanded collection of metadata creates a larger target for malicious actors. Perhaps most concerning is the provision that allows the Minister of Public Safety to demand companies create backdoors to their services, granting law enforcement access to data. This is contingent on these mandates not introducing a “systemic vulnerability.” Companies are also prohibited from publicly revealing the existence of these orders. ### Ambiguous Definitions and Circumventing Encryption The definitions of “systemic vulnerabilities” and “encryption” within **C-22** are insufficiently clear. This ambiguity could allow the government to demand that companies circumvent encryption. Canadian officials believe surveillance can be added without introducing systemic vulnerabilities, a claim disputed by privacy advocates who argue that surveillance of encrypted communications is inherently a systemic vulnerability. ### Echoes of the UK's Encryption Debate This situation mirrors events in the UK, where the government demanded that **Apple** implement a backdoor into its Advanced Data Protection feature. Ultimately, Apple revoked the feature for UK users rather than comply with the request. Both **Meta** and Apple have voiced concerns that C-22 could grant the Canadian government similar powers. The U.S. House Judiciary and Foreign Affairs committees have also expressed concern over backdoors into encrypted systems. ### The Real-World Risks of Backdoors The dangers of backdoors are not theoretical. The **Salt Typhoon hack** in 2024 exploited a system built to grant law enforcement access to user data. Such systems become targets for malicious actors. Canadians deserve strong privacy protections, transparency in data handling, and robust safeguards around encrypted data. Bill C-22 fails to provide these, instead expanding lawful access mechanisms into tech companies' digital holdings. ### Further Reading * [Full text of C-22](https://www.parl.ca/DocumentViewer/en/45-1/bill/C-22/first-reading) * [Canadian Civil Liberties Association statement and letter](https://ccla.org/privacy/coalition-to-mps-scrap-unprecedented-surveillance-measures/) * [Open Media blog on C-22](https://openmedia.org/press/item/ottawa-repackages-its-surveillance-backdoor-in-bill-c-22) * [EFF’s blog on bill C-2](https://www.eff.org/deeplinks/2025/07/canadas-bill-c-2-opens-floodgates-us-surveillance)