How to Spot the Surveillance Risks in Canada's Bill C-22
Introduction
Canada’s Bill C-22, also known as the Lawful Access Act, is back for a second round after last year’s Bill C-2 failed due to massive public backlash. While the new version includes some tweaks, the core problems remain – and in some ways, the bill has become even more dangerous. This step-by-step guide will walk you through the key surveillance risks hidden in Bill C-22, helping you understand exactly what’s at stake for your digital privacy. By the end, you’ll know how to identify the threats, where the bill falls short, and what you can do about it.

What You Need
- A basic understanding of digital privacy concepts (metadata, encryption, backdoors)
- Access to the full text of Bill C-22 (available on Canada’s Parliament website)
- Familiarity with recent news about government surveillance (e.g., Salt Typhoon hack, UK Apple case)
- Willingness to think critically about security trade-offs
Step-by-Step Guide
Step 1: Recognize the Bill’s Origins – A Repackaged Failure
Start by understanding that Bill C-22 is not a new, well-thought-out law. It’s essentially a sequel to last year’s Bill C-2, which was so controversial it never even made it to committee. The Canadian government rushed to reintroduce the same surveillance powers under a new name, making only minor changes to try to deflect criticism. Knowing this history is key – it shows that the government is prioritizing surveillance over public input and digital rights.
Step 2: Understand What Metadata Retention Means for You
Bill C-22 forces digital service providers – including telecoms, messaging apps, and others – to record and retain your metadata for a full year. Metadata includes who you communicate with, when, and from where. It does not include the content of your messages, but don’t be fooled: metadata can reveal incredibly sensitive details about your life, such as your daily routines, personal relationships, medical appointments, and political affiliations. The bill expands the types of data companies must store, creating a massive honeypot for hackers and a goldmine for law enforcement.
Step 3: Identify the Forced Backdoor Provision
The most alarming part of Bill C-22 is the mechanism that allows the Minister of Public Safety to demand companies create a backdoor into their services. The bill says these mandates cannot introduce a “systemic vulnerability” – but that phrase is dangerously vague. In practice, any backdoor into an encrypted system is a systemic vulnerability, no matter how well it’s hidden. The government claims it can bypass encryption without weakening security, but security experts universally disagree. This provision essentially legalizes widespread surveillance backdoors.
Step 4: Examine the Vague Definitions and Loopholes
The bill defines key terms like “systemic vulnerabilities” and “encryption” in a way that leaves huge loopholes. For example, the definition of “encryption” can be interpreted to include not just full-disk encryption but also end-to-end encryption used by apps like Signal and WhatsApp. This means the government could demand backdoors into systems that currently protect billions of users globally. The overbroad definitions also apply to operating systems, not just apps, potentially forcing Apple, Google, and Microsoft to weaken their core security.

Step 5: Consider Real-World Precedents – The UK Apple Case and Salt Typhoon
Look at what happened in the UK in 2024: the government demanded that Apple create a backdoor into its Advanced Data Protection feature, which uses end-to-end encryption for iCloud data. Apple chose to remove the feature from UK users entirely rather than comply. UK residents still lack access to that powerful privacy tool. That’s the kind of choice Bill C-22 could force on Canadian companies. Even worse, the Salt Typhoon hack of 2024 showed exactly what happens when you build surveillance systems: hackers exploit them. That attack turned a system ISPs had in place for lawful access into a way to compromise millions of records.
Step 6: Acknowledge the Ban on Disclosure – A Secrecy Red Flag
Bill C-22 prohibits companies from publicly revealing they have received a backdoor order. This blackout clause prevents citizens from knowing their government is actively undermining their security. It’s a classic secrecy tactic that erodes democratic oversight. Without transparency, the public cannot challenge these orders or demand accountability. This step is crucial to understanding why the bill is so dangerous – it hides surveillance from the people it affects.
Tips
- Stay Informed: Follow digital rights organizations in Canada (e.g., OpenMedia, Canadian Civil Liberties Association) for updates on Bill C-22’s progress and analysis.
- Contact Your MP: Write or call your Member of Parliament to express your concerns. Emphasize that backdoors weaken security for everyone, not just targets.
- Use Strong Encryption: Protect yourself now by using end-to-end encrypted services like Signal and ProtonMail, along with a VPN. While this won’t stop a legal demand, it makes mass surveillance harder.
- Share This Guide: The more people understand the risks, the harder it is for politicians to push through bad laws. Spread the word on social media and in your community.
- Watch for Amendments: The bill may be changed during parliamentary debate. Keep an eye out for amendments that either fix the problems or make them worse.