Canada bill C-22 threatens encryption
- Apple and Meta used House committee hearings this week to warn Canada’s Bill C-22 could force providers to weaken encryption or add surveillance capabilities.
- Meta singled out Part 2, saying it could require companies to “break, weaken, or circumvent” encryption and even install government spyware.
- The fight matters because C-22 is now in committee — and bad drafting could mean Canadians lose security features instead.

Encryption is the thing that keeps your messages, backups, and account data unreadable to everyone except the people meant to see them. Bill C-22 is Canada’s new lawful-access bill — introduced on March 12 and now in House committee — and the fight is over whether it quietly turns “help police with a warrant” into “redesign your systems so access is always possible.”

That sounds like a legal tweak. But for Apple, Meta, and privacy lawyers, the real issue is architectural. Once a government can order a company to maintain access capability, strong end-to-end or zero-knowledge security starts to break.

### What is Bill C-22 trying to do?

The bill has two big parts. Part 1 updates Criminal Code tools for subscriber information, transmission data, and related investigative steps. Part 2 is the more explosive piece — it creates a framework meant to ensure electronic service providers can actually comply with lawful orders from police or CSIS, instead of leaving that support voluntary outside old voice-telephony rules. The government’s pitch is simple: investigators already get warrants, but modern services are not always built to execute them. (parl.ca)

### Why are Apple and Meta alarmed?

Because “be able to comply” can mean “build the capability first.” Meta said in committee on May 7 that Part 2 could force companies to build or maintain capabilities that “break, weaken, or circumvent” encryption and other zero-knowledge systems, and could even require providers to install government spyware on their own infrastructure. Apple’s public line is the same basic idea — it says it will work with lawful requests, but it will not build backdoors that make everyone less safe. (parl.ca)

### Why is that different from a normal warrant?

A warrant lets the state demand access to data that exists and can be produced. It does not magically solve the math. End-to-end encryption works precisely because the provider does not hold the key.
Zero-knowledge cloud systems work because the provider cannot read the protected data even if it wants to. So if a law says the provider must still deliver readable access, the provider has only a few options — keep extra keys, add bypass mechanisms, or redesign the product so the secure version is unavailable in that country. (about.fb.com) That is why the industry keeps saying there is no “backdoor just for the good guys.”

### What exactly in the bill worries critics?

The phrase to watch is “systemic vulnerability.” Critics say the safeguards are too weak and too vague. Meta wants the bill amended to explicitly rule out any requirement that weakens encryption or introduces security weaknesses, and to create a clear process for companies to challenge bad orders. Michael Geist, who testified to the same committee, said the bill’s systemic-vulnerability protections are inadequate and warned that outlier rules could push companies to remove privacy features from the Canadian market altogether. (canada.ca)

### Is Canada saying it wants a backdoor?

Not in those words. The government says Part 2 does not create new interception powers and is only about making sure providers can comply with existing lawful authorities. But that is exactly why the fight is so sharp — critics think the bill avoids the word “backdoor” while still creating the legal pressure that produces one in practice. If a service is designed so the provider cannot access the content, then a compliance mandate can become a redesign mandate. (about.fb.com) That is an inference, but it is the core of the dispute.

### Why does the UK keep coming up?

Because Apple already showed what a company may do when a government demands access that collides with its security design — it can pull features instead of weakening them. Reporting around C-22 points to that precedent as the real leverage point here. The threat is not just secret access.
It is regionalized security, where Canadians get a worse version of a product because their law demands exceptional access. (canada.ca)

### Where does the bill stand now?

Bill C-22 passed second reading on April 20, 2026 and is at consideration in committee in the House of Commons. That matters because committee is where the language can still change. Meta is not asking Parliament to kill the whole bill — it says Part 1 could work with narrow amendments, while Part 2 needs major fixes. So this is not a settled law story yet. It is a drafting fight happening right now. (macrumors.com)

### Bottom line?

This is really a fight over whether governments can demand access without demanding insecurity. Canada says it wants lawful access. The companies and privacy experts are saying the current text risks turning that into compelled weakness — and once that weakness exists, everyone inherits it. (canada.ca) (parl.ca)