Canada bill C-22 risks encryption
- Apple and Meta escalated their fight with Canada’s Bill C-22 this week, telling Parliament the proposal could force surveillance hooks into encrypted services.
- The flashpoint is Part 2, which Meta says could require providers to “build or maintain capabilities” that break or weaken encryption.
- That turns one country’s lawful-access rule into a product-design problem for global services and their users.

Encryption is the part of the internet that keeps private messages private, backups unreadable to hackers, and cloud data useless if someone steals it. The problem with Canada’s Bill C-22 is that it pushes on that exact layer. This week, Apple and Meta warned that the bill’s current draft could force companies to add access capabilities that undermine end-to-end or zero-knowledge security. The bill is real, current, and moving — it was introduced on March 12, 2026, passed second reading on April 20, and is now in committee.

### What is Bill C-22, exactly?

Bill C-22 is Canada’s new “Lawful Access Act, 2026.” Part 1 is the less explosive half — it updates rules for subscriber information, production orders, and cross-border data requests. Even Meta says Part 1 could work with narrower amendments. The real fight is Part 2, which creates a framework to make electronic service providers facilitate authorized access to information for police and security agencies. (about.fb.com)

### Why are Apple and Meta so alarmed?

Because the bill is not just asking companies to hand over data they already have. Their claim is that Part 2 could force them to create or preserve technical capabilities they do not currently use — the digital equivalent of requiring a building to keep a master key under government rules. Meta said the draft could require companies to “build or maintain capabilities” that break, weaken, or circumvent encryption and even install government spyware on their own systems. (parl.ca) Apple made the same basic point in its submission — it will work with lawful requests, but not by redesigning products to create new vulnerabilities.

### Why does that collide with end-to-end encryption?

Because strong encryption is not a switch you can flip only for the good guys. If a service is designed so the provider cannot read your messages or files, the provider also cannot quietly produce readable copies on demand without changing the architecture. That is the catch.
A lawful-access mandate aimed at one investigation becomes a product requirement for everyone using that service in that market — and sometimes everywhere, because companies do not like maintaining one “safe” version and one “special access” version. (about.fb.com)

### Didn’t Canada say this bill is narrower?

Yes — the government says Bill C-22 is meant to help police and CSIS identify suspects faster and modernize powers that are behind peer countries. Officials have also argued the bill is focused on basic identifying information in many cases, not a free-for-all into message content. But critics keep coming back to the same issue: the text around technical assistance and vulnerabilities is too broad, and broad language is exactly what companies fear when security architecture is on the line. (about.fb.com)

### Why is everyone talking about “backdoors”?

Because that is the simplest name for what companies think this could become. The government does not frame the bill as “insert a backdoor.” But if a company must ensure officials can get around encryption, or must not remove the capability to do so, the practical result starts to look very similar. Civil-liberties groups and the Global Encryption Coalition argue the bill’s protections against “systemic vulnerabilities” are too vague to stop that outcome. (cbc.ca)

### Why does this matter outside Canada?

Because encrypted products are global. A country-specific lawful-access rule does not stay neatly inside that country’s borders if the same app, phone, or cloud system serves millions of users elsewhere. That is why U.S. lawmakers and global tech firms are paying attention. Once one major democracy treats secure design as optional, other governments get a template. (globalencryption.org)

### So what happens next?

Committee review is the near-term battleground.
Meta is explicitly asking Canada to amend Part 2 — remove third-party surveillance obligations, strengthen the definition of systemic vulnerability, and give companies a clearer way to challenge orders. If those changes do not happen, the likely outcome is not quiet compliance. It is product withdrawal, feature removal, or a legal fight over whether secure systems can be forced to become less secure. (msn.com)

### Bottom line?

This is not really a debate about whether police should get evidence. It is a debate about whether governments can demand access by changing how secure products are built. Once that line moves, it rarely moves back. (about.fb.com)