What the government isn’t telling you about C-22
The centrepiece of Bill C-22 is a requirement that electronic service providers — meaning internet companies, messaging platforms, cloud services, and potentially even hardware companies — build and maintain technical capabilities that allow government access to private communications and data. The government calls this "lawful access infrastructure." Security experts call it a backdoor that anyone could walk through.1,2,3,4
The government says our privacy is protected because Bill C-22 won’t force these companies to introduce "systemic vulnerabilities" to their systems. But this is privacy theatre: the government reserves the right to reinterpret what "systemic vulnerability" means, or any other definition used by C-22, whenever it chooses to, without returning to Parliament. That’s not a simple oversight: that’s a protection that’s hollow by design. Security experts say that any intercept capability built into a platform's infrastructure is a systemic vulnerability by any widely used technical definition.5,6
The Salt Typhoon precedent
Bill C-22 wouldn’t just break our privacy for our own government; it would break it for every bad actor in the world. That’s because there’s no such thing as a privacy loophole for just “good guy” domestic state actors; a technical vulnerability for one party is a vulnerability anyone with access can use.
This isn't a hypothetical concern. In late 2024, Chinese state hackers penetrated multiple major US telecommunications companies — AT&T, Verizon, and others — and maintained access to their networks for months.7,8 They got in through the lawful intercept infrastructure US telecoms were legally required to build under CALEA, the significantly narrower US equivalent to what Bill C-22 proposes for Canada. The backdoor built for American law enforcement became the door Chinese intelligence walked through, and up to a million people's private data was compromised.
So is Bill C-22 just as bad as America’s CALEA? No – it is much worse! Unlike CALEA, C-22 reaches messaging apps, cloud services, and other online platforms that US law never covered. And it adds something CALEA never required: a requirement to actually store Canadians' data in advance.
The metadata retention database
Bill C-22 explicitly authorizes regulations that will require companies to retain categories of metadata — including transmission data for up to one year. Metadata doesn't include the content of your messages — but it doesn't need to. It can include a complete picture of who you contacted, when, for how long, from where, and on what device. A year of your location data, communications patterns, and device activity paints a detailed picture of anyone's life: where you sleep, where you worship, which doctors you visit, which protests you attend.9,10
This database must exist for every covered Canadian, whether or not anyone is under investigation. The warrant requirement governs who can legally search it. It does nothing to stop a hostile actor from breaking in and taking it.
The government writes its own rules — some in secret
Section 47(1)(c) of the bill gives the Governor in Council the power to change the interpretation of "any term or expression" in the law by regulation long after C-22 passes.11,12 That includes the meaning of "electronic protection," "systemic vulnerability," "encryption," and "metadata."
That’s asking Parliament to pass an empty enabling device, not a lawful access system; the government will change what it all means later, quietly, without debate. This is not a normal drafting choice. It means the protections written into the statute are placeholders, to be reinterpreted to meaninglessness when future governments decide they’re inconvenient.
The foreign access question
Bill C-22 also amends the Mutual Legal Assistance in Criminal Matters Act to make it easier for foreign governments to access data held by Canadian companies about Canadians. The existing process requires both ministerial approval and a Canadian judicial order before foreign requests are honoured. The bill's amendment creates a fast-track pathway for enforcing foreign decisions about transmission data and subscriber information — and whether a Canadian judge will still review that request is left for our Minister of Public Safety to decide.13,14
These problems are too deep to patch
Last year, more than 10,000 Canadians from OpenMedia’s community spoke up against Bill C-2, the government’s previous surveillance legislation, and stopped it in its tracks.15,16
But now its core architecture is back in C-22, and paired with a new nation-wide system for retaining a full year of every Canadian’s metadata, it’s much, much worse. The breadth of this surveillance state in the making cannot be fixed by amendments. The only answer is full withdrawal of Bill C-22.