Canada is on the verge of passing legislation that would compel encrypted messaging platforms to install secret backdoors for law enforcement - and major players including Signal and Apple are already warning they may exit the Canadian market rather than comply. Bill C-22, introduced in May 2026, represents the most aggressive mandatory decryption law proposed by any G7 country to date, and privacy advocates warn it sets a dangerous template that other Western governments are watching closely.
What Bill C-22 Actually Requires
The legislation, officially titled the Protecting Canadians from Online Harms Act (encryption provisions), would require communication platforms operating in Canada to provide police and intelligence agencies with covert technical access to encrypted communications - without notifying users that their messages are being intercepted. The bill covers end-to-end encrypted applications, meaning the government would effectively mandate that companies break the cryptographic guarantees their products are built on.
Unlike traditional wiretapping laws that intercept data in transit, C-22 would require platforms to build persistent technical capabilities that could be activated on demand by government order. The gag provisions in the bill would prohibit companies from disclosing to users that they have received such an order - creating a system of secret compliance with no public accountability mechanism.
- Scope: All encrypted messaging platforms operating in Canada, including Signal, iMessage, WhatsApp, and others.
- Mechanism: Covert technical backdoor access, not interception of existing unencrypted traffic.
- Gag order: Platforms prohibited from notifying users about government access orders.
- Penalty for non-compliance: Not yet fully specified, but significant fines and potential market exclusion.
Signal and Apple Push Back Hard
Signal, the gold standard for private messaging, was direct in its response: the organization said it would withdraw from the Canadian market rather than build backdoor capabilities. Signal's position is technically grounded - its security model is built on the mathematical guarantee that it cannot read user messages, even if compelled by a court order. Building a backdoor would require fundamentally redesigning the protocol in ways that undermine security for all users globally, not just in Canada.
Apple issued a warning that it may be forced to remove iMessage and FaceTime from the Canadian App Store if compelled to break their end-to-end encryption. This is consistent with Apple's previous position in the UK, where similar Online Safety Act provisions prompted the company to threaten withdrawal of encrypted services rather than weaken security globally for the sake of a single jurisdiction.
The Electronic Frontier Foundation was sharper in its assessment, calling C-22 a "repackaged surveillance nightmare" and drawing explicit comparisons to the EU's Chat Control proposal, which faced years of opposition from civil liberties groups and technical experts before being shelved repeatedly. EFF noted that Canada, as a Five Eyes intelligence partner, could effectively extend backdoor access across the entire alliance.
Why Backdoors Cannot Be Made Safe
The technical consensus among cryptographers and security researchers is unambiguous: there is no way to build a backdoor that is accessible only to authorized governments. A vulnerability created for Canadian law enforcement is a vulnerability that can be exploited by hostile nation-states, criminal hackers, and foreign intelligence agencies. History bears this out - the NSA's NOBUS ("Nobody But Us") doctrine, which assumed backdoors could be kept exclusive to US intelligence, was proven catastrophically wrong when its own hacking tools were leaked and weaponized by ransomware groups.
If C-22 passes in its current form, the practical outcome will not be a neat system of court-ordered surveillance. It will be a degraded security ecosystem in which Canadians' communications are less protected than those of citizens in countries without such laws - and in which threat actors, from criminals to state-sponsored hackers, have a larger attack surface to exploit.
The G7 Template Problem
What makes C-22 particularly significant beyond Canada's borders is its potential as a model. The UK's Online Safety Act, Australia's Assistance and Access Act, and the EU's Chat Control proposals have all attempted versions of mandatory lawful access to encrypted communications, with varying degrees of technical sophistication and civil liberties protections. Canada's version is notable for combining mandatory backdoor access with a complete gag on user notification - a combination more aggressive than most comparable proposals in democracies.
If Canada - a country with strong rule-of-law traditions and a tech-literate population - normalizes covert encrypted-communications access, it becomes significantly easier for other G7 governments to argue that the same approach is reasonable for them. The EFF's concern that C-22 is a template being watched by allied governments is not hyperbole - it reflects how surveillance legislation has historically spread across Western democracies once one country breaks the consensus.
The broader lesson from C-22 is one that privacy advocates have been pressing for years: encryption is not a feature that governments can selectively weaken for "bad actors" while leaving it intact for "good actors." It is a mathematical property that either holds or it does not. Any law that mandates backdoor access is a law that mandates weaker security for everyone - and in an era when critical infrastructure, financial systems, and personal communications all depend on the same cryptographic foundations, that is not a trade-off that can be made safely.
What You Can Actually Do
It is important to be honest about what tools can and cannot protect against legislation like C-22. A VPN encrypts your traffic at the network level and hides your IP address and browsing activity from your internet provider and network observers - but it cannot protect the content of messages if the messaging app itself is legally required to build a backdoor into its own code. What network-layer privacy tools do protect is your metadata: who you contacted, when, how often, and from where. Under a surveillance law that forces platforms to secretly report communications, shielding your network-level identity remains one of the few technical measures still under your control - and one that becomes more relevant, not less, as application-layer encryption comes under legal pressure.
