Canada passed Bill C-26 through the House of Commons at midnight on June 18, 2026, using a voice vote that bypassed a recorded division - a procedural maneuver that prevented individual MPs from being publicly identified with their vote. The legislation mandates encryption backdoors in messaging and communication services operating in Canada, requiring providers to build government access capabilities into their systems. Despite earlier signals that the government might retreat under widespread technical and civil liberties objections, the midnight vote surprised observers tracking the bill's progress. For VPN users and privacy-focused Canadians, the bill's passage represents one of the most significant encryption policy setbacks in the country's history - and has triggered immediate exit threats from several major security-focused providers.
What Canada's Bill C-26 Requires for VPNs and Encryption
Bill C-26 imposes a legal obligation on communications service providers operating in Canada to maintain the technical capability for lawful access - meaning providers must be able to hand over plaintext communications to Canadian law enforcement and intelligence agencies upon receipt of a valid legal order. The legislation applies to:
- End-to-end encrypted messaging services: Providers like Signal, WhatsApp, and iMessage that currently cannot access user message content would be required to redesign their systems to allow government access.
- VPN providers: Services offering encrypted tunnels would face requirements to log user activity or maintain decryption capabilities, undermining the core function of a privacy-focused VPN.
- Cloud storage and communication platforms: Any service with users in Canada faces potential liability if it cannot fulfill lawful access orders.
Cryptographers and security researchers have consistently argued that there is no technical way to build a backdoor accessible only to authorized government agencies. The vulnerabilities created by mandated backdoors are structurally available to anyone who discovers them - including foreign intelligence services, criminal hackers, and malicious insiders. This fundamental technical reality is why every major cryptography organization worldwide has opposed backdoor legislation.
The Midnight Vote: How Parliament Bypassed Public Accountability
The circumstances of the bill's passage drew immediate criticism from opposition MPs, digital rights advocates, and constitutional lawyers. Parliamentary rules permitted the government to call a voice vote - in which members call out "yea" or "nay" and the Speaker determines the result by ear - rather than a recorded division in which each MP's vote is individually recorded and published. Critics argued the timing and method were deliberately chosen to minimize public accountability on legislation with sweeping implications for digital privacy.
Michael Geist, the University of Ottawa law professor who has been Canada's most prominent critic of backdoor legislation, described the procedure as "a deliberate strategy to avoid accountability." Geist had spent months documenting the technical and legal objections to Bill C-26, arguing that it would expose Canadian users to greater security risks while undermining Canada's reputation as a destination for privacy-respecting technology companies.
The bill now moves to the Senate, which is expected to consider it in the fall session. Senators have historically been more receptive to technical expert testimony on cybersecurity matters, and several digital rights organizations have announced plans to mount a comprehensive campaign in the upper chamber.
Signal, Windscribe and NordVPN: VPN Providers Threaten to Exit Canada
The responses from major security providers were swift and unambiguous. Signal's president Meredith Whittaker reiterated that Signal would exit any market rather than compromise its encryption architecture: "We will not build backdoors. We will not weaken our cryptography. If Canada requires us to do so, we will not operate in Canada." Signal has made similar statements regarding other jurisdictions and has followed through in the past - the company briefly removed itself from app stores in certain markets when faced with compliance demands.
Windscribe, a Canadian-based VPN provider, announced it would either move its technical infrastructure out of Canadian jurisdiction or cease operations entirely if the bill's lawful access requirements were applied to VPN services. The company's founder noted the deep irony: a Canadian company that built its reputation on privacy protection would be forced by Canadian law to undermine that protection for Canadian users.
NordVPN, which operates infrastructure in Canada, stated it would remove its Canadian servers rather than log user activity or create government access capabilities. The company emphasized that the core value proposition of a no-logs VPN cannot coexist with mandatory access requirements, and that it would prioritize its no-logs policy over maintaining Canadian server presence.
The VPN Angle: What Bill C-26 Means for Canadian Privacy
Bill C-26 puts Canadian VPN users in a particularly difficult position. A VPN's core function is to encrypt internet traffic and prevent surveillance - but if VPN providers operating in Canada are required to maintain decryption capabilities or activity logs, the tool stops serving its purpose for the very jurisdiction it was designed to protect against. Users would face a landscape where VPN services operating legally in Canada may be legally required to cooperate with government access requests.
The practical implications extend beyond VPN services to anyone who relies on end-to-end encrypted communications for sensitive conversations: journalists communicating with sources, lawyers with clients, healthcare providers with patients, activists with vulnerable community members, and ordinary citizens with private lives. Backdoor legislation does not create selective access - it creates structural access available to anyone who can obtain a legal order, and whose vulnerabilities can be exploited by anyone who discovers them.
For Canadians who want to maintain private communications, the bill increases pressure toward using international services based outside Canadian jurisdiction. But even this strategy has limits: if major providers like Signal exit the Canadian market entirely, the practical options for privacy-focused communications narrow significantly.
Senate Prospects and the Path Forward for Digital Rights
The Senate represents the most significant remaining obstacle to Bill C-26 becoming law. Canadian senators have the power to reject, amend, or delay legislation indefinitely. Digital rights organizations including the Canadian Civil Liberties Association, OpenMedia, and international organizations like EFF have signaled plans to provide extensive expert testimony to Senate committees examining the bill.
The technical community's opposition is broad and expert-backed. A coalition of cryptographers, security researchers, and computer scientists signed an open letter arguing that mandated backdoors would make all Canadian communications systems less secure, not more. Former intelligence officials have also raised concerns about the national security implications of weakening Canadian encryption infrastructure.
International pressure is also a factor. The Five Eyes intelligence alliance - of which Canada is a member alongside the US, UK, Australia, and New Zealand - has historically pushed for lawful access capabilities. But the EU has moved in a different direction in recent years, and Canada's bill would put it out of step with European privacy regulations if applied to European users' data.
