Bill C-22 is a serious privacy risk. Contact your MP!!
Bill C-22 (Lawful Access Act) is moving through Parliament and I don’t think enough people are paying attention.
The government’s pitch is basically: don’t worry, this doesn’t mean companies have to store the contents of your messages, your full web browsing history, or your social media activity .. but that misses the point.
Metadata can be extremely revealing on its own especially when it's collected at scale and kept for months. You don’t need the actual contents of someone’s messages to learn a lot about them. IP addresses, timestamps, session lengths, DNS requests, server connections, location patterns, and account/session links can paint a detailed picture of someone’s life.
This is already how big tech infers things about people without them explicitly saying it. Your phone’s location (ip address) between 10pm - 7am? … that’s where you live and your probable income bracket. Where you go every weekday can reveal where you work. What services you connect to, when, and from where can reveal your habits, associations, interests, and private life and political leanings.
So when the government says “it’s not content,” that should not be the end of the conversation. Metadata is not harmless.
For VPNs and encrypted services, this could undermine the entire point. A no-log VPN is only useful because it does not keep logs that can later be demanded. If the law forces providers to create or retain those logs, the privacy model is broken even if nobody is storing the actual contents of your messages.
That is why companies like Signal, Proton, NordVPN, and Windscribe have raised serious concerns. Some have warned they may leave Canada, relocate infrastructure, or refuse to compromise their privacy architecture if they are forced to create logs or weaken their services.
Another concern is secrecy. The bill includes secrecy around certain government orders, meaning companies may be limited in what they can tell the public about what they are being required to do.
Maybe the bill does not literally say “mass surveillance.” But it could create the legal and technical infrastructure for something much broader than most people realize. Once that infrastructure exists, it tends to expand.
It also seems completely at odds with the privacy and control principles in Canada’s own Digital Charter, which says Canadians should have control over what data they share, who uses it, and for what purpose.
… so contact your MPs and let them know how ridiculous this bill is!
At minimum, MPs should be forced to answer hard questions before this goes any further.
Find your MP here: https://www.ourcommons.ca/Members/en
Ask them:
- Do you accept that metadata can be as revealing as content and is therefore a violation of our privacy?
- Why should innocent Canadians have their metadata retained before they are suspected of anything?
- Will you vote against Bill C-22 unless it explicitly protects no-log VPNs and encrypted services?
- What exact metadata should the government be allowed to force companies to retain?
- Will you oppose any version of the bill that allows secret technical orders?
- If privacy-focused services leave Canada or weaken their Canadian services because of this bill, will you take responsibility?