The latest version of Canada's Bill C-22 has once again drawn a backlash from global tech companies over the government's attempts to "build surveillance" into internet infrastructure. The bill would require various digital service providers to retain user metadata for a long time and to provide law enforcement agencies with "legal access" channels. Some companies whose core selling point is privacy protection have publicly stated that they would rather withdraw from the Canadian market than comply.

According to the current public text, Bill C-22 would cover Internet service providers, instant messaging platforms, and email services, and may even affect hardware manufacturers, requiring them to retain users' metadata for up to one year. The companies concerned must also establish technical mechanisms that let law enforcement agencies obtain this information in accordance with the law during criminal investigations. Critics argue that this is essentially the government forcing companies to build "backdoors" into their systems, fundamentally changing the privacy and security boundaries of Internet services.
Testifying before the Canadian House of Representatives Standing Committee on Public Safety and National Security, Signal executive Udbhav Tiwari said Bill C-22 would turn the digital tools people use every day into a vast surveillance network. He pointed out that forcing companies to retain metadata of user communications is completely contrary to Signal's long-standing privacy protection practices. Signal's position is that if this legislation passes, it will be difficult for the company to continue operating in Canada without sacrificing its core privacy commitments.
DuckDuckGo, a privacy-focused search and web services company, sent a similar message. Its spokesperson confirmed that once Bill C-22 is approved, the company will remove its VPN services in Canada. Well-known VPN provider NordVPN and other similar service providers have also stated that they do not rule out leaving the Canadian market to avoid being forced to help build metadata retention and access mechanisms.
Large platform companies also have reservations about the bill or oppose it outright. Apple and Google have joined industry warnings that the legislation could force them to weaken existing encryption measures. Last year, Apple successfully blocked a similar proposal in the UK that would have created a government-accessible backdoor into iCloud. This incident is just the latest in a series of conflicts between Apple and regulatory agencies in various countries over security and user privacy. It also highlights the long-running contest between companies and governments on the issue of "security vs. privacy."
The core concern of opponents is that once a "backdoor" is deliberately built into a digital system, it will eventually be discovered and exploited by malicious actors, regardless of whether it was originally intended only for law enforcement or national security purposes. The civil society organization OpenMedia described Bill C-22 as an attempt to create a "surveillance state" and cited a case from late 2024 as evidence. At that time, hackers allegedly supported by the Chinese government broke into the systems that multiple U.S. communications operators use for lawful surveillance by police and stole a large amount of sensitive data from companies such as AT&T, Verizon, and Lumen Technologies. The case shows that a "lawful surveillance" system can itself become a high-value attack target.
Facing skepticism from industry and civil society, Canada's Public Safety Minister Gary Anandasangaree said last week that Bill C-22 would be amended to make it clear that digital service providers would not be required to break end-to-end encryption itself. However, he also emphasized that the obligation to retain metadata will remain, which is one of the key points of the current dispute.
Controversies surrounding "backdoors" have also arisen frequently in other fields recently. A security researcher recently accused Microsoft of deliberately leaving a backdoor in its BitLocker encryption system and of trying to silence the issue after the researcher raised questions. After the details of the vulnerability were made public, Microsoft urgently released a temporary mitigation update, but it has not yet directly addressed whether the flaw was a design error or intentional. To critics, such incidents deepen public concerns about the line between "legitimate access" and "technical backdoors," making it harder for legislative proposals like Bill C-22 to gain trust.