Petition to Withdraw Canada's Bill C-22

Privacy
Security
Regulation
Canada
Infrastructure

The post links to an official House of Commons petition asking Canada to withdraw Bill C-22. In plain terms, commenters described the bill as a lawful-access and surveillance package that would require broad metadata retention and could pressure providers to make encrypted communications accessible to authorities. That is why people kept bringing up Signal, Proton, and no-log VPNs. The fear is not just more warrants. It is a legal regime that makes privacy-preserving service design incompatible with operating in Canada.

The strongest thread consensus was simple: this is a bad bill, and it is bad in the familiar way. People see it as another attempt to “solve” online harms, foreign interference, and crime by mandating retention and access that will hit ordinary users, create new breach risk, and push privacy-first services out of the market. Several commenters pointed out that mandatory collection is itself the danger. Once data exists, it gets leaked, abused, repurposed, or demanded for uses far beyond the original pitch. A few people tried to soften the picture by saying the text leaves room for narrower interpretation and does not explicitly order systemic vulnerabilities. That did not move the center of gravity much, because RCMP interest in “solving the problem of encryption” made many readers treat the ambiguity as the threat, not the reassurance. There was also a practical organizing layer, not just outrage. One commenter tracked the SECU committee meeting in real time, posted the livestream, shared contact details for committee members, and listed advocacy tools for messaging MPs. The useful update was procedural: the bill was still in clause-by-clause review, a meeting ended early after a supporter quit, and delay past the June 18 summer recess suddenly looked possible. That made the petition feel less like symbolic venting and more like a short-window lobbying push. The broader political argument sprawled into Canada’s weak startup environment, but the sharpest version was not really about party labels. The recurring point was that Canada already struggles to build durable consumer tech companies, and rules that punish zero-knowledge products make that worse by handing the market to larger foreign platforms or forcing Canadian users onto offshore workarounds. Even people who supported stronger action against hate speech, extremism, or foreign interference mostly did not trust a metadata-retention and backdoor-adjacent approach to deliver that without collateral damage.

If you operate consumer internet products in Canada, plan for a world where metadata retention and lawful-access requirements get attached to ordinary online services, not just telecoms. Even if C-22 stalls, the policy direction is clear enough that privacy architecture, data minimization, and market-exit contingencies now belong on the roadmap.

June 11, 2026
ourcommons.ca
Discuss on HN

Key insights

The bill was still stoppable in committee

Clause-by-clause review at the SECU committee was still underway, and the procedural updates changed the story from vague outrage to a live legislative fight. The key signal was that a meeting ended early after a supporter walked out, which created a real chance that C-22 could miss the June 18 summer recess deadline and stall before final passage.

If you are affected, last-minute advocacy was not pointless here. In similar legislative fights, watch committee calendars and amendment sessions closely because that is often the last place timing can still kill a bill.

Attribution:

EmbarrassedHelp #1 #2 #3 #4

Ambiguity around encryption is the mechanism

The important point was not that the bill plainly says “ban encryption.” It is that broad capability requirements plus police statements about access to encrypted communications give regulators room to treat zero-knowledge systems as noncompliant without ever writing “backdoor” into the statute. That is how modern anti-encryption policy often works. The text stays slippery and the operational burden lands on providers later.

Do not wait for a law to spell out “backdoor” before assessing risk. If your product depends on not being able to access user content, scrutinize any capability or lawful-access language as an existential issue.

Attribution:

EmbarrassedHelp #1 #2 #3

Metadata retention creates its own harm surface

The strongest privacy argument went beyond civil-liberties rhetoric and focused on operational reality. Forced retention means creating a valuable pile of sensitive relational data that can be leaked, resold, mishandled, or reused against people who were never suspects. The Alberta voter-data leak was offered as a concrete example of how routine sharing turns into real-world exposure for vulnerable people, including those hiding from abusive ex-partners.

Treat mandated metadata storage as a security liability, not a neutral compliance box. If rules force collection, the resulting breach and misuse exposure should be part of your product, legal, and trust planning from day one.

Attribution:

beloch #1

Noncompliant services would likely offshore, not comply

Several comments converged on the same practical outcome for VPNs and encrypted services. Providers with no Canadian infrastructure are hard to compel directly, so the realistic result is market exit, ISP blocking attempts, or users routing around restrictions with foreign VPS tunnels and offshore tools. That means the policy may mostly hit compliant domestic operators while determined users keep moving elsewhere.

Assume surveillance-heavy internet rules can become an anti-domestic-operator policy. If you run a Canada-facing service, model both compliance costs and the competitive damage from pushing privacy-conscious users to foreign alternatives.

Attribution:

nik282000 #1
llm_nerd #1
cmrdporcupine #1

Against the grain

Some legal language may be narrower than critics claim

A minority view argued that the bill is being read in the most maximal way. The commenter noted that the text appears to require a year of metadata retention for designated core providers and says any technical capability cannot impose a systematic vulnerability, which could mean the government is aiming for access workflows rather than explicit universal backdoors. That does not make the bill good, but it does mean some of the loudest claims may outrun the text as written.

Read the actual operative clauses before locking into a public position. The right response may be to attack vague capability language and provider scope, not only the most extreme interpretation.

Attribution:

llm_nerd #1

Security agencies already feel outmatched

One pro-enforcement argument held that Canada faces real foreign interference and extremist coordination problems, while CSIS remains weaker than peer intelligence services because of fragmented responsibilities and limited access. From that view, stronger platform-cooperation powers are not an authoritarian luxury. They are an attempt to make existing hate-speech and public-safety laws enforceable in a network environment where providers can simply refuse to help.

Do not dismiss the bill as driven only by censorship instincts. Policymakers are responding to real coordination and attribution gaps, so opponents need credible alternatives for targeted investigations if they want privacy arguments to land.

Attribution:

alephnerd #1 #2

In plain english

backdoor ↩

A built-in method for bypassing normal security protections so someone other than the user can gain access.

Bill C-22 ↩

A proposed Canadian federal law discussed here as expanding surveillance powers, requiring metadata retention, and enabling access demands on online services.

CSIS ↩

Canadian Security Intelligence Service, Canada’s main civilian intelligence agency.

ISP ↩

Internet Service Provider, a company that supplies internet access.

metadata ↩

Data about a communication, such as who contacted whom, when, from where, and often how often, rather than the message content itself.

RCMP ↩

Royal Canadian Mounted Police, Canada’s national police service.

SECU ↩

The Standing Committee on Public Safety and National Security in the Canadian House of Commons.

VPS ↩

Virtual private server, a rented remote machine that behaves like a dedicated server.

zero-knowledge ↩

A system design where the provider does not possess the keys or information needed to read a user’s private data.

Reference links

Bill analysis and policy criticism

Citizen Lab analysis of Bill C-22
Detailed technical and legal critique of the bill that commenters used to explain why it threatens encryption and privacy.
Michael Geist on RCMP and encrypted communications under C-22
Cited as evidence that police see the bill as a way to gain access to encrypted communications.
Michael Geist on Bill C-34
Referenced as related digital-policy legislation that expands concerns beyond C-22.

Legislative text and parliamentary process

Bill C-22 first reading text
Primary source for the bill’s wording, cited by commenters arguing for a narrower reading.
SECU meeting notice for clause-by-clause review
Official committee page used to follow the bill’s amendment session and livestream.
ParlVu livestream for the SECU meeting
Direct video link for watching the committee proceedings live.

Advocacy and action tools

Internet Society Canada action tool
Tool for contacting MPs about opposition to the bill.
OpenMedia action page
Another campaign tool for messaging elected representatives.
ICLMG Stop C-22 page
Civil liberties campaign page opposing the bill.

Related background on security and interference

CSIS report on foreign interference threats to Canada’s democratic process
Used to justify the claim that Canada faces serious foreign interference threats.
RUSI commentary on foreign actors and UK riots
Referenced to support the argument that social platforms can be exploited by foreign actors to trigger unrest.

Petition to Withdraw Canada's Bill C-22

Discussion mood

Key insights

Against the grain

In plain english

Reference links

Bill analysis and policy criticism

Legislative text and parliamentary process

Advocacy and action tools

Related background on security and interference