Canada is about to weaken every lock on your private messages

▲ 98 points · 28 comments · by laurex · 1mo ago · HN discussion

Pangram verdict (v3.3): "We believe that this document is a mix of AI-generated, and human-written content." Overall AI likelihood 78%; distribution 24% human-written / 76% AI-generated; 0 of 5 segments classified human, 5 of 5 AI; peak AI 99% in §3. Word count 1,585; 5 windows scanned, about 317 words each. Analyzed May 17, backend pangram/v3.3.

Article text (1,585 words, 5 segments analyzed; every segment scored AI · 99%)

For now, your encrypted messages have a lock on them. Only you, and the person you're talking to, hold the key. Not the app. Not the company. Not the government. You probably don't think about it. That's the whole point — it just works. Until, possibly, the end of this summer.

What Bill C-22 would do

Every messaging app in Canada would be required to build a second key. With Bill C-22, the government would hold the copy. The lock you trust would no longer be a lock only you can open. It would be a lock the locksmith was ordered to duplicate.

The paradigm shift

Today: Only you have the key. Even the app's own engineers can't read your messages. If a court demands the content, Signal has nothing to hand over. A hacker who breaks in finds noise, not your conversations.

If Bill C-22 passes: A copy of the key must exist. The provider must build a way in, even when they don't want to. A court can demand the content. The provider must comply or be fined. A hacker who finds the way in walks through it. It has happened.

And the other shift

The bill also changes who keeps records on you — and for how long. The fight over encryption is the most visible piece of Bill C-22. The metadata-retention piece is quieter and just as consequential — Michael Geist calls blanket metadata retention "one of the most privacy-invasive tools a government can deploy." "Metadata" doesn't just mean who you talked to. It means everything about a call or message except the words themselves: who you contacted, when, how long it lasted, where you were when you sent it, what device you used, what network it traveled across. Stacked together over months, that's a near-complete picture of your life — who you trust, where you sleep, where you work, who you visited and when.

What changes

Today: Metadata is scattered, and brief. Providers keep records only as long as their own business needs require. Most don't collect detailed transmission data on every user. Information about your contacts, location, device, and network paths doesn't sit in one place.

If Bill C-22 passes: A year of metadata on everyone. Providers must retain transmission data for up to one year. On everyone, regardless of suspicion. Including data they wouldn't otherwise collect. Patterns across contact, location, and device often reveal more than the content of any single message. The retention authority is new in C-22 — it was not in the predecessor Bill C-2. The European Court of Justice struck down equivalent EU rules in 2014 as disproportionate.
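To make the "stacked together over months" point concrete, here is an added illustration that is not part of the article: a small Python script that builds a constructed month of transmission-data records for one subscriber (timestamp, peer, direction, duration, cell ID, and nothing else) and then derives a profile from them. Every phone number, cell ID and date in it is invented; no real provider data or bill text is involved.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not from the article): 28 days of transmission data for
# one subscriber, roughly the shape a provider could be required to retain.
# Each record is (timestamp, peer, direction, seconds, cell_id). Numbers,
# cell IDs and dates are invented. No message content exists anywhere.
def build_sample_records(start="2026-03-02", days=28):
    t0 = datetime.fromisoformat(start)
    records = []
    for d in range(days):
        day = t0 + timedelta(days=d)
        wd = day.weekday()  # Monday == 0
        # A late-night incoming message and an evening outgoing one with the
        # same family contact, always seen from the same cell.
        records.append((day.replace(hour=0, minute=40).isoformat(), "+1-555-0123", "in", 0, "CELL-A"))
        records.append((day.replace(hour=21, minute=30).isoformat(), "+1-555-0123", "out", 0, "CELL-A"))
        if wd < 5:
            # Two weekday calls with a colleague, from a different cell.
            records.append((day.replace(hour=10, minute=5).isoformat(), "+1-555-0142", "out", 300, "CELL-B"))
            records.append((day.replace(hour=15, minute=40).isoformat(), "+1-555-0142", "in", 180, "CELL-B"))
        if wd == 1:
            # Every Tuesday at 19:00: a 15-minute call to one number from a third cell.
            records.append((day.replace(hour=19, minute=0).isoformat(), "+1-555-0199", "out", 900, "CELL-C"))
    return records


def _hour_and_weekday(ts):
    t = datetime.fromisoformat(ts)
    return t.hour, t.weekday()


def top_contacts(records, n=3):
    """Contact graph: who the subscriber exchanges the most records with."""
    return Counter(peer for _, peer, _, _, _ in records).most_common(n)


def anchor_cell(records, hours, weekdays=range(7)):
    """Cell the phone is seen in most during the given hours. 00:00-06:00
    approximates 'where you sleep'; 09:00-17:00 on weekdays approximates
    'where you work'."""
    c = Counter()
    for ts, _, _, _, cell in records:
        h, wd = _hour_and_weekday(ts)
        if h in hours and wd in weekdays:
            c[cell] += 1
    return c.most_common(1)[0][0] if c else None


def weekly_routines(records, min_weeks=3):
    """(weekday, hour, peer, cell) tuples that recur at least min_weeks times:
    the standing appointments, meetings and check-ins in someone's week."""
    c = Counter()
    for ts, peer, _, _, cell in records:
        h, wd = _hour_and_weekday(ts)
        c[(wd, h, peer, cell)] += 1
    return sorted((k, v) for k, v in c.items() if v >= min_weeks)


def profile(records):
    """Everything here is derived from metadata alone; content was never needed."""
    return {
        "top_contacts": top_contacts(records),
        "sleeps_near": anchor_cell(records, range(0, 6)),
        "works_near": anchor_cell(records, range(9, 17), weekdays=range(5)),
        "routines": weekly_routines(records),
    }


if __name__ == "__main__":
    for key, value in profile(build_sample_records()).items():
        print(key, value)
```

Running it yields the subscriber's closest contact, a night-time cell (home), a weekday cell (work), and a recurring Tuesday-evening call to one number from a third location, which is exactly the "who you trust, where you sleep, where you work, who you visited and when" picture the article describes, assembled without reading a single message.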

Why this is about you

It touches almost everything you do online. It's tempting to read a bill called "Lawful Access" as something that affects other people. In practice, the architecture it would build sits inside the apps and services you use every day.

If you text family or friends: Every message you send through Signal, iMessage, WhatsApp, or Messenger becomes legally reachable. Today, the company can't read them. Under this bill, it would be required to be able to.

If you message a doctor or therapist: The confidentiality you assume when texting your clinic, scheduling a sensitive appointment, or messaging through a patient portal relies on the same encryption this bill weakens. Health-care apps are in scope.

If you talk to a lawyer: Solicitor-client privilege depends on confidential communication. End-to-end encryption is how that promise gets enforced in practice today. A backdoor doesn't recognize privilege.

If you're a journalist or source: Source protection becomes structurally harder. A backdoor doesn't distinguish between a whistleblower exposing corruption and a leak of state secrets. Both flow through the same compromised channel.

If you organize, protest, or dissent: Activist coordination, advocacy work, and political organizing all rely on private communication. Surveillance burdens historically fall hardest on already-policed communities. This bill continues that pattern.

If you run a small business: "Electronic service provider" is defined broadly — your SaaS, your booking system, even a small clinic's patient portal can fall in scope. Some orders come with gag clauses. None come with funding.

If you cross borders: Once Canada builds this framework, foreign governments can request data through mutual legal assistance treaties. Your data — including data created entirely within Canada — becomes reachable by states whose privacy norms differ from yours.

If you're escaping harm: Survivors of intimate-partner violence and stalking often rely on encrypted messaging to coordinate with shelters, lawyers, and family without being tracked. A mandated way around encryption doesn't ask who's looking — it opens the door for whoever finds it.

We already know how this ends

In 1994, the United States passed a law just like this. Phone companies were required to build a second key into their networks. For thirty years, it sat there. Working as intended.

Then, in 2024 — stolen.

A hacking group linked to the Chinese state walked through the lawful-access infrastructure of every major U.S. phone carrier. They listened to calls. They read texts. They watched the data of presidential campaigns. They were inside for months before anyone noticed. The copy was the door. The attack is called Salt Typhoon. Afterwards, Canada's own Centre for Cyber Security joined twelve other governments' cybersecurity agencies in formally recommending more encryption, not less.

What this bill does, by threat vector

What this bill actually compromises. Bill C-22 isn't a single law doing a single thing — it crosses multiple distinct categories of digital surveillance. Each vector below comes with a plain-language explanation and the specific bill section where it lives.

01 Encryption mandates

The state forces providers to build a way around end-to-end encryption.

Plain: The Minister of Public Safety can order any designated "core provider" to build the operational and technical capability to give state actors access to user information — even when that information is end-to-end encrypted. There's a "systemic vulnerability" safeguard, but Meta, Apple, Signal, and NSIRA all say it's inadequate because the Governor in Council retains unilateral authority to define what counts as a "systemic vulnerability."

Bill: Part 2 — Supporting Authorized Access to Information Act, §§ 5–14. See especially s. 7 (Ministerial orders) and s. 14 (Obligation to assist).

Actions:
Political: Sign the OpenMedia letter. Email your MP before second reading. Push committee for explicit "no backdoor" language in s. 7.
Personal: Move sensitive conversations to Signal (the Signal Foundation has said it would leave Canada rather than comply). Turn on iCloud Advanced Data Protection.
Collective: Back OpenMedia, CCLA, and CIPPIC — they're carrying the legal and lobbying load.

02 Bulk metadata retention

Providers must keep records of who-talked-to-whom for up to a year, on everyone.

Plain: Tucked into Part 2, a clause authorizes the government to require providers to retain broad categories of metadata — including transmission data — for up to one year. On everyone, regardless of suspicion. Even data providers don't currently collect for their own business purposes.

New in C-22: This retention provision was added in C-22 — it wasn't in the predecessor Bill C-2. So C-22 isn't just a carve-out of C-2's lawful access content; on metadata, it's an expansion. (Geist, March 2026.) Michael Geist calls blanket metadata retention "one of the most privacy-invasive tools a government can deploy" — the patterns it captures (who you called, when, from where, with what device) are often more revealing than what was said. The EU struck down equivalent rules in 2014 as disproportionate.

Bill: SAAIA s. 5(2)(d) — authority for the Governor in Council to make retention regulations covering "categories of metadata — including transmission data, as defined in section 487.011 of the Criminal Code — for reasonable periods of time not exceeding one year."

Actions:
Political: Demand SAAIA s. 5(2)(d)'s one-year retention authority be struck or sharply scoped at committee. Cite the 2014 EU Data Retention Directive ruling as precedent.
Personal: Use messengers that minimize metadata (Signal logs almost nothing). Turn on disappearing messages.
Cultural: Make the metadata-vs-content distinction visible — "we don't read your messages" doesn't mean "we don't know who you talk to."

03 Cross-border data sharing

Canadian courts can compel foreign providers to hand over Canadian users' data.

Plain: A new provision lets Canadian courts authorize peace officers to make production requests to foreign entities that provide telecommunications services to Canadians. The extraterritorial reach matters: it ties into the in-progress CLOUD Act conversation between Canada and the U.S., and it means a Canadian subpoena now points at servers outside Canada.

Bill: Part 1, new Criminal Code s. 487.0181 — Application for transmission data or subscriber information held by foreign entity. Threshold: reasonable grounds to suspect.

Why this is its own vector: It's not just data retention — it's the legal architecture for reaching outside the country. Authoritarian governments cite frameworks like this in their own debates.

Actions:
Political: Push to raise s. 487.0181's "reasonable suspicion" threshold to "reasonable belief." Insist any Canada–US CLOUD Act executive agreement goes through Parliament before signing.
Personal: Choose providers in jurisdictions with stronger data protection where you can — Swiss or German hosting for sensitive material.
Educational: Track quiet bilateral agreements your government is negotiating. Most never make the news.

04 Platform compulsion

Providers can be forced to comply — and forbidden from telling anyone.

Plain: Three mechanisms working together: (1) the "Obligation to Assist" requires designated providers to comply with any order issued under SAAIA; (2) the "Prohibition on Disclosure" makes it illegal for a provider to disclose the existence or contents of an order — sometimes for up to a year; and (3) the new voluntary-disclosure safe harbour shields providers from civil and criminal liability if they hand over data without an order at all. Together: compelled assistance, compelled silence, and incentivized voluntary handover.

Bill: SAAIA ss. 14 (Obligation to assist), 15 (Prohibition on disclosure).