Canada’s Bill C-22 (Lawful Access Act) revives failed Bill C-2, mandating one-year metadata retention, encryption backdoors, and expanded US data sharing.
Key Takeaways
Services, including telecoms and messaging apps, must retain user metadata for 12 months, enlarging the attack surface for data breaches.
The Minister of Public Safety can secretly order backdoors as long as they don’t introduce a “systemic vulnerability” – a technically incoherent carve-out.
Gag orders prohibit companies from publicly disclosing these access mandates.
Apple and Meta have both opposed C-22; the UK Apple/iCloud Advanced Data Protection episode is the direct precedent.
The 2024 Salt Typhoon hack exploited a lawful-access system built for law enforcement – the canonical real-world failure case cited by the bill’s opponents.
Hacker News Comment Review
Commenters broadly expect services like Signal, WhatsApp, iMessage, and Matrix to geo-block Canadian users rather than comply, a concrete business and infrastructure risk for Canadian operators.
Persistent reintroduction strategy is the main structural concern: the bill only needs to pass once; defenders must block it every cycle indefinitely.
Skepticism runs high that contacting MPs will change outcomes, with some arguing that the parliamentary majority structure renders constituent pressure ineffective.
Notable Comments
@wewewedxfgdf: “Just keep bringing legislation back eventually it gets through” – concise framing of the asymmetric attrition dynamic.
@HerbManic: Reinforces the one-pass asymmetry: attackers need one win, defenders must hold every time.