A growing number of tech companies and internet service providers are warning they could pull their services from Canada if the federal government’s proposed lawful access legislation goes ahead, warning they could be forced to compromise users’ privacy.
The encrypted private messaging app Signal is among the most prominent platforms to make such a threat while speaking out against Bill C-22, which would allow for regulations requiring service providers to retain certain metadata for up to a year and develop capabilities in its systems for police and the Canadian Security Intelligence Service to obtain that information for investigations.
“In its current form, Bill C-22 would convert the everyday tools Canadians rely on into a sprawling, insecure surveillance apparatus,” Udbhav Tiwari, Signal’s vice-president of strategy and global affairs, told the House of Commons public safety committee Tuesday.
“If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave.”
Signal, as well as some of the world’s most powerful and widely-used tech firms including Apple and Google, have said the bill as written could require them to build or maintain capabilities that break or weaken encryption, effectively creating “backdoors” into those products.
Such entryways could then be exploited by cybercriminals, exposing retained metadata to wide-scale breaches.
“Effectively, the government through this legislation seeks to insert itself into the networks and devices of various providers,” Michael Geist, a professor at the University of Ottawa and the Canada research chair in internet and e-commerce law, told Global News in an earlier interview.
“The concerns that many providers have is that they’ve got obligations to their customers. They’ve got basic standards they want to exercise with respect to the security of their systems, using encryption and the like. They want to be able to provide assurances about privacy, and that becomes hard to do when you’ve got the government inserting itself into these systems.”
The bill as written would introduce mandatory requirements for certain “core” providers — likely large telecommunications companies and satellite providers — to have specific capabilities for law enforcement access.
In addition, the public safety minister could issue a ministerial order to require a provider to develop a particular capability, even if they are not a core provider. The bill would prohibit a provider from disclosing the existence or content of a ministerial order, which would only require approval from the intelligence commissioner, rather than through a judicial warrant.
Geist said companies that comply with the regulations and ministerial orders could also face major additional costs for redesigning their systems and maintaining extra metadata storage capabilities, which may lead to higher prices for customers.
NordVPN, a major virtual private network provider, said in response to a user on X last month that it would refuse to compromise its privacy and encryption protections if Bill C-22 passes in its current form.
Get breaking National news
Get breaking Canada news delivered to your inbox as it happens so you won’t miss a trending story.
“To prevent this, we will consider all viable options, including limiting or, if necessary, removing our presence from Canadian jurisdiction,” it wrote.
That post came in response to Windscribe, a Canadian-based anonymizing VPN service, saying on X that it “won’t be far behind” other companies like Signal threatening to leave Canada over the legislation.
“We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens,” it wrote on X. “Not happening. We’ll move HQ and take our taxes elsewhere.”
A spokesperson for DuckDuckGo, a privacy-focused web browsing platform, told Global News in an email that the company “can confirm we’d remove our VPN service” from Canada if the current legislation passes.
Avery Pennerun, CEO of Toronto-based VPN provider Tailscale, told Geist’s Law Bytes podcast on Monday that the company would “have to think about what’s best for our customers are willing to put up with” if the bill passes as written, suggesting it could affect its international operations in countries without similar regulations.
“We would have to find some way of operating that would let our European customers not use Canadian employees, not use Canadian-hosted hosting services,” he said. “There would be a lot of business, like money that could be flowing into Canada, that would not be allowed to flow into Canada. We’d have to go do it somewhere else, and the profits would go elsewhere.”
All of these companies, as well as Signal’s Tiwari in his testimony Tuesday, have said they don’t keep logs of users’ metadata like IP addresses and location data as a regular practice.
In testimony to the House of Commons public safety committee last week, executives from Apple and Google warned the bill could force them to compromise their encryption protections.
Last year, Apple ended its cloud-based data encryption services in the United Kingdom after British authorities issued a lawful access order to the company.
Erik Neuenchwander, Apple’s senior director of user privacy and child safety, wouldn’t say if a similar move would follow in Canada or if Apple was considering leaving the country altogether when asked.
Jeanette Patell, the director of government affairs and public policy at Google Canada, also wouldn’t say how Google would respond, but noted the legislation may force it to break its own precedent by allowing law enforcement to circumvent end-to-end encryption for its products.
Meta — which has already barred Canadian news content on its Facebook and Instagram platforms over legislation forcing tech companies to compensate publishers for lost ad revenue — has also protested against the bill.
“As drafted, the bill could require companies like Meta to build or maintain capabilities that break, weaken, or circumvent encryption or other zero-knowledge security architectures, and force providers to install government spyware directly on their systems,” Rachel Curran, the company’s director of public policy for Canada, told the committee last month.
All three companies have said that, while the bill purports to protect against risks to encryption by allowing providers to challenge demands that would introduce a “systemic vulnerability,” the definition of such a vulnerability is overly broad.
“Essential terms like ‘encryption’ are left to be defined in regulation, while ministerial orders can override those same regulations,” Curran said. “Moreover, the bill contains no process for challenging a problematic order.
“These omissions leave companies in a very uncertain place legally, with no clear understanding of how these authorities may be used and the corresponding impact on Canadians’ privacy and cybersecurity.”
Public Safety Minister Gary Anandasangaree said last week that the bill will be amended to clarify that breaching encryption would not be allowed.
However, he told the public safety committee last Thursday that the one-year timeframe for retaining metadata will not be shortened.
“We talked to law enforcement, we talked about the practicalities of shortening it — it does impede their ability to do an effective investigation, so one year is something that I believe we will hold steady on,” he said.
“Having said that, I think there’s other areas where we would be willing to either clarify or strengthen (the bill).”
In a new analysis of Bill C-22 published Tuesday, the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy and the Canadian Civil Liberties Association called for the section related to metadata retention and ministerial orders to be withdrawn from the bill entirely.
The “fundamentally flawed” section “provides the government with maximum flexibility, minimal restrictions, and minimal judicial scrutiny,” the analysis says.
“This is an unacceptable combination and one that makes the proposed legislation simply unfit for purpose.”
