A developing number of technology companies are raising concerns over Canada’s proposed lawful access legislation, arguing that some provisions could force them to choose between complying with government requirements and maintaining the privacy standards promised to users.
The debate centers on Bill C-22, a proposed law that would expand the government’s ability to obtain digital information during investigations. The legislation would allow regulations requiring certain service providers to preserve specified metadata for up to one year and maintain technical capabilities that could assist law enforcement and intelligence agencies in accessing information when legally authorized.
Among the companies voicing opposition is Signal, the encrypted messaging platform known for its strong privacy protections. During a recent parliamentary committee hearing, Signal representatives warned that the bill, in its current form, could fundamentally alter how secure communication services operate. The company stated that if compliance ultimately required weakening user protections, it would consider leaving the Canadian market rather than changing its security model.
Several technology firms and privacy advocates have expressed concern that the legislation’s language could create pressure to build or preserve technical access mechanisms within encrypted systems. Critics argue that any capability designed to bypass or weaken security protections could eventually become a target for cybercriminals or other malicious actors.
Legal experts have also questioned the broader implications of the proposal. Some argue that service providers have a responsibility to protect customer information and maintain secure systems, while the bill could require additional government involvement in digital infrastructure that may conflict with those obligations.
Under the proposed framework, certain telecommunications and communications providers would be required to maintain capabilities that support lawful access requests. The legislation would also allow the Public Safety Minister to issue orders requiring providers to develop specific technical capabilities, even if they do not fall within the category of designated core providers. Those orders would not be publicly disclosed, and approval would come through the Intelligence Commissioner rather than a traditional court warrant process.
Industry representatives have warned that compliance could involve significant operational costs. Companies may be required to redesign systems, expand data retention capabilities, and implement new technical controls. Some experts believe those costs could ultimately be passed on to consumers.
VPN providers have emerged as some of the bill’s most vocal critics. NordVPN has publicly stated that it would not compromise its encryption or privacy protections and may reevaluate its Canadian presence if the legislation proceeds without substantial revisions. Windscribe, a Canadian-based VPN provider, has also indicated that it could relocate operations rather than modify core privacy features.
DuckDuckGo confirmed that its VPN service could be withdrawn from Canada if the bill becomes law in its current form. Meanwhile, executives at networking company Tailscale have warned that the legislation could affect international business decisions, investment flows, and where future infrastructure is deployed.
Many of the companies opposing the bill note that they do not routinely store logs containing user metadata such as IP addresses or location information. They argue that introducing mandatory retention requirements would require major changes to their existing privacy practices.
The concerns extend beyond smaller priva
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: