Signal, DuckDuckGo, and NordVPN say they could leave Canada if Bill C-22 is introduced, arguing that the proposed surveillance laws could force encrypted apps to build backdoors into their services.
-
Privacy-focused companies may exit Canada: Signal, DuckDuckGo, and NordVPN warn they could withdraw services rather than comply with Bill C-22's metadata retention requirements.
-
Mandatory data retention creates security risks: critics argue storing user metadata for up to a year creates databases that could be breached or misused, regardless of encryption protections.
-
Privacy versus law enforcement debate: supporters say the bill aids criminal investigations, while opponents contend any mandated access or retention becomes a vulnerability that undermines user trust.
The companies are among a growing group of tech firms and privacy advocates criticizing the country’s Bill C-22, which would require digital service providers to retain certain user metadata for up to a year and disclose it to authorities when lawfully required.
Signal executive Udbhav Tiwari warned Canadian lawmakers that the Bill would effectively transform digital services into a surveillance network by mandating metadata retention.
Last week he told the Canadian Parliament that, in its current form, Bill C-22 would “force us to rewrite our code, dismantle our robust privacy architectures and design surveillance into our systems.”
“The powers in this bill are broad enough to compel a service like Signal to sell our users. To do things like silently create hidden accounts and slip them into private group conversations.”
He indicated that Signal would “rather pull out of the country” than comply with the law and compromise on the “privacy promises” it has made to users.
Similarly, DuckDuckGo confirmed that it would remove its VPN service from Canada if the legislation passes in its current form, while NordVPN and other privacy-focused providers voiced similar concerns.
While Canada’s Public Safety Minister Gary Anadasangaree has said the bill will be amended to ensure providers are not required to break encryption, critics argue that mandatory retention of metadata would still introduce security and privacy risks.
“Safest database is the one you never created”
Elsewhere, security firm Tailscale argued that the proposed law would create new databases to store the metadata that must be secured, monitored and maintained – which could be a honeypot for hackers.
“Once a law requires a company to retain more metadata, the company now has a new database,” Tailscare said in a blog on its website. “The safest database is the one you never created,” it added.
Supporters of the legislation argue that lawful access measures are needed to help investigators obtain digital evidence during criminal investigations.
In their support for the bill on X, Canadian police authorities said that it can determine whether authorities can “quickly locate a missing child, identify the source of a live streamed sexual assault or interview before online extremist threats become real world violence.”
However, Tiwari argued that creating a “backdoor for the good guys” was “simply a vulnerability waiting for the bad guys to find it.”
Last year, Apple successfully opposed a similar proposal in the United Kingdom that would have required it to build a backdoor into iCloud.
US lawmakers argued the UK's order could be exploited by cybercriminals and authoritarian governments.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked