Major Tech Firms Warn of Canada Departure Amidst Privacy Concerns
A significant number of technology companies and internet service providers are signaling a potential withdrawal from the Canadian market if the federal government proceeds with its proposed lawful access legislation. These firms express deep concerns that the bill could compel them to compromise user privacy, with some vowing to cease operations in Canada rather than comply.
Signal Leads Charge Against Bill C-22
The encrypted messaging application Signal has emerged as a prominent voice against Bill C-22. The legislation, if enacted, would empower regulations requiring service providers to retain specific metadata for up to a year. Furthermore, it would mandate the development of systems enabling law enforcement and the Canadian Security Intelligence Service to access this information for investigative purposes.
Udbhav Tiwari, Signal’s vice-president of strategy and global affairs, articulated the company’s stance forcefully before the House of Commons public safety committee. “In its current form, Bill C-22 would convert the everyday tools Canadians rely on into a sprawling, insecure surveillance apparatus,” Tiwari stated. He added, “If we are ever forced to choose between betraying the people who rely on us and leaving a market, we will leave.”
Encryption Backdoors and Security Risks
Industry leaders, including representatives from Apple and Google, have voiced that the bill as drafted could necessitate the creation or maintenance of capabilities that undermine or bypass encryption. This, they warn, could effectively establish “backdoors” into their products, presenting a significant risk of exploitation by cybercriminals and leading to widespread data breaches.
Michael Geist, a professor at the University of Ottawa and a Canada Research Chair in internet and e-commerce law, commented on the government’s intent. “Effectively, the government through this legislation seeks to insert itself into the networks and devices of various providers,” Geist explained. He highlighted the inherent conflict for companies committed to customer privacy and system security. “The concerns that many providers have is that they’ve got obligations to their customers. They’ve got basic standards they want to exercise with respect to the security of their systems, using encryption and the like. They want to be able to provide assurances about privacy, and that becomes hard to do when you’ve got the government inserting itself into these systems.”
Mandatory Capabilities and Ministerial Orders
Bill C-22 proposes mandatory requirements for certain “core” providers, primarily large telecommunications and satellite companies, to possess specific law enforcement access capabilities. Additionally, the public safety minister retains the authority to issue ministerial orders compelling any provider to develop particular capabilities, irrespective of their core provider status. Crucially, these ministerial orders would be exempt from disclosure and would only require approval from the intelligence commissioner, bypassing the traditional judicial warrant process.
Geist further noted that compliance with these regulations and ministerial orders could impose substantial costs on companies, requiring system redesigns and the upkeep of additional metadata storage. These expenses, he suggested, could ultimately be passed on to consumers through increased prices.
VPN Services Echo Exit Threats
Virtual private network (VPN) providers are also expressing strong opposition. NordVPN, a prominent VPN service, declared on social media that it would refuse to compromise its privacy and encryption standards if Bill C-22 passes in its current form. The company indicated it would consider all options, including limiting or exiting the Canadian market.
Windscribe, a Canadian-based anonymizing VPN service, echoed these sentiments, stating on X that it would not comply with legislation that undermines its core service. The company expressed its intent to relocate its headquarters and operations if the bill proceeds.
A spokesperson for DuckDuckGo, a privacy-focused web browsing platform, confirmed that its VPN service would be withdrawn from Canada should the legislation pass as currently written.
Tailscale Considers Operational Adjustments
Avery Pennerun, CEO of Toronto-based VPN provider Tailscale, indicated that the company would need to reassess its operations in Canada if the bill becomes law. He suggested that this could involve segmenting operations to ensure European customers do not interact with Canadian employees or hosting services, potentially diverting business and profits away from Canada.
Apple and Google Raise Precedent Concerns
Executives from Apple and Google have previously testified before the House of Commons public safety committee, warning that the bill could force them to compromise their encryption standards. Apple’s experience in the United Kingdom, where it ended cloud-based data encryption services following a lawful access order, was cited. Representatives from both companies declined to comment on specific responses to the Canadian legislation but acknowledged the potential for breaking existing precedents regarding encryption.
Meta, which has already restricted Canadian news content on its platforms due to separate legislation, has also voiced objections. Rachel Curran, Meta’s director of public policy for Canada, stated that the bill could compel companies to build capabilities that weaken encryption or install government spyware. She further criticized the bill’s definition of “systemic vulnerability” as overly broad and highlighted the lack of a process for challenging problematic ministerial orders, creating significant legal uncertainty for companies and Canadians.
Minister Promises Amendments, Retains Metadata Timeline
In response to the widespread concerns, Public Safety Minister Gary Anandasangaree stated that amendments would be introduced to clarify that breaching encryption is not permissible. However, he indicated that the one-year metadata retention period would remain unchanged, citing its importance for effective investigations.
An analysis of Bill C-22 by Citizen Lab and the Canadian Civil Liberties Association has called for the withdrawal of the sections pertaining to metadata retention and ministerial orders, deeming them “fundamentally flawed” and providing the government with excessive power and insufficient oversight.
