What Bill C-22 Actually Asks Companies to Do
Canada’s Lawful Access Act, 2026 — commonly called Bill C-22 — compels Canadian telecom and internet companies to retain user data and build interception infrastructure that law enforcement can access on demand. The government frames the bill as modernizing outdated legal frameworks that predate widespread internet use, a framing that is accurate as far as it goes but obscures how broadly the technical requirements reach.
The bill does not stop at updating old rules. It mandates that companies engineer their systems to accommodate surveillance access — meaning the interception capability must be built in, not bolted on after the fact. Companies must also retain specified categories of user data for defined periods, creating centralized stores of information that did not previously exist.
Canadian-founded companies serving international users face a particular problem here. Tailscale, founded in Canada and operating a global network, would carry obligations that follow its Canadian origin regardless of where its users sit. A Canadian company handling traffic for users in Germany, Brazil, or the United States would still fall under Bill C-22’s requirements. That jurisdictional reach turns a domestic Canadian law into a framework with global consequences.
The bill targets the same class of companies — telecoms and internet service providers — that privacy-conscious users have increasingly moved away from in favor of encrypted, minimal-logging alternatives. Requiring those alternatives to replicate the data retention and access features of legacy infrastructure defeats the architectural choices those companies deliberately made. The modernization language in the bill’s framing suggests catching up with the internet era. The technical obligations it imposes push in the opposite direction, toward a model of data accumulation that the security community has spent years arguing against.
The Global Pattern Canada Is Joining — and Why Timing Matters
Canada is not writing this legislation in isolation. The UK’s Investigatory Powers Act, Australia’s Assistance and Access Act, and the EU’s ongoing debates over chat control all reflect the same governmental impulse: update lawful access rules for an encrypted internet. The result is a global patchwork of data retention mandates and surveillance obligations that, taken together, are quietly reshaping the baseline assumptions of how the internet stores information about its users.
Security experts draw a clear line between these efforts. Measures that streamline legal process — faster warrant execution, clearer jurisdictional rules — are generally considered compatible with strong security. Measures that require companies to retain data longer, build in persistent access capabilities, or weaken encryption are not. That second category is where Bill C-22 raises serious concerns, and it shares that category with some of the most criticized provisions in laws passed by Canada’s closest allies.
The timing compounds the problem. Nation-state cyberattacks are accelerating, not retreating. The Salt Typhoon intrusion into US telecommunications infrastructure — which compromised systems built specifically to support lawful intercept — demonstrated exactly what security researchers have warned about for years: the access point you build for authorized government use is the same access point a hostile foreign actor will target. Canada is proposing to expand mandated data collection and system access at precisely the moment when those mandated stores have become primary targets for state-sponsored attackers.
Every new data retention requirement creates a new database. Every new database is a new liability. When governments collectively mandate that companies store more subscriber data, more traffic metadata, and more communication records, they are collectively building a distributed infrastructure of high-value targets. The companies holding that data did not choose to hold it. The people whose information sits in those databases did not consent to becoming part of a surveillance architecture. And the attackers probing those systems do not distinguish between data retained voluntarily and data retained by legal compulsion.
The Security Paradox: More Data Retention Means More Risk
Every dataset a company is forced to collect and retain transforms into a target. Hackers, ransomware groups, and foreign intelligence services don’t stumble onto sensitive data — they hunt for it deliberately, and mandatory retention laws guarantee the prey stays in place longer than any responsible security team would allow.
This directly contradicts one of the foundational principles of modern data security: minimization. Collect only what you need. Delete it when the purpose is served. Bill C-22 inverts that logic entirely, compelling companies to hold data well past the point their own risk assessments would ever recommend. The longer data sits, the larger the attack surface grows.
History has already run this experiment. During the 2004 Athens Olympics, Ericsson’s lawful intercept system built into Vodafone Greece’s network was compromised by unknown attackers. Over 100 Greek officials — including the Prime Minister — had their phones tapped for nearly a year before the breach was discovered. The surveillance infrastructure built for legal access became the tool of illegal access.
Five years later, in 2009, the FBI confirmed that US telecom lawful intercept systems — the same CALEA-mandated infrastructure designed to give law enforcement wiretap access — had been breached by foreign intelligence operatives. The vulnerabilities weren’t incidental. They were structural. Building a door for authorized access means building a door, and doors can be opened by anyone with the right skills and motivation.
These precedents are receiving almost no attention in mainstream coverage of Bill C-22. That silence is a problem. The bill’s proponents frame expanded data retention as a public safety measure. What they consistently fail to account for is that the honeypot they’re creating poses its own direct threat to public safety. Every Canadian whose metadata, communications records, or network activity sits in a retention database becomes a potential victim of the next breach — not despite the law, but because of it.
What the Bill Misses: You Can’t Build a Backdoor Only Good Guys Can Use
The technical flaw at the heart of Bill C-22 is one that politicians rarely discuss but security engineers understand immediately: you cannot build a surveillance capability that only authorized parties can use. A backdoor is a door. It does not check credentials before it opens.
When legislation compels companies to retain data or architect systems for lawful intercept, it does not create a secure channel reserved for Canadian law enforcement. It creates a structural vulnerability. The 2010 Operation Aurora attack on Google, the 2016 Bangladesh Bank heist, and the 2024 Salt Typhoon breach of U.S. telecom wiretapping infrastructure all followed the same pattern: capabilities built for legitimate access became the entry point for malicious actors. Salt Typhoon is particularly relevant here — Chinese state hackers exploited the exact lawful intercept systems American carriers were legally required to maintain. The backdoor worked. Just not for the intended users.
Tailscale, a Canadian company, builds its network security on a privacy-by-design model. Connections are encrypted end-to-end using WireGuard, and the architecture is structured so that Tailscale itself cannot read user traffic. This is not a workaround or an obstacle to law enforcement — it is the security model. Mandating that companies weaken this design does not make users safer from criminals. It makes users more exposed to them, while trading that increased risk for investigative capabilities that courts can obtain through other means.
Security researchers have framed this debate correctly for decades: the question is not how governments get access, but what the net security outcome is for ordinary people. When the FBI urged users to adopt encrypted messaging in 2024 following the Salt Typhoon disclosure, the agency was acknowledging, explicitly, that strong encryption protects the public. Bill C-22 points in the opposite direction.
Encryption is not the problem legislators are trying to solve. It is part of the solution to the problem they are worried about. Treating it as an obstacle produces policy that weakens the infrastructure everyone depends on — and hands adversaries a gift that no warrant can take back.
Who Bears the Cost — And Who Doesn’t Have a Seat at the Table
The compliance burden of Bill C-22 does not distribute evenly. Large telecoms like Bell and Rogers have entire legal departments and engineering teams whose job is to absorb exactly this kind of regulatory obligation. A ten-person startup building a secure messaging tool or a privacy-focused networking product does not. Smaller Canadian tech companies face the same mandatory data retention requirements, the same technical implementation demands, and the same legal exposure — with a fraction of the resources. The predictable outcome is consolidation: larger players absorb the cost, smaller ones exit the market or avoid it entirely.
The people with the most at stake in that outcome are not in the room where the legislation is being shaped. Domestic abuse survivors who use encrypted communication to stay safe from their abusers. Journalists protecting sources. Activists in diaspora communities with legitimate reasons to keep their networks private. These users depend on minimal data retention and strong encryption as a practical matter of personal safety. If the data governments require companies to collect is later breached — and breaches of government-mandated data stores have happened repeatedly, from the U.S. Office of Personnel Management to Canada’s own CRA — the harm falls on those users first and hardest.
Civil society organizations and security technologists have raised these objections publicly. The problem is the political architecture around the bill. When legislation is framed as protecting children and enabling national security investigations, opposing it requires arguing against those goals in public. That framing is not accidental. It shapes which voices get treated as credible and which get dismissed as obstructionist. Groups raising legitimate security and civil liberties concerns find themselves politically outmaneuvered before the technical debate even begins.
Canadian companies like Tailscale, which was founded in Canada and serves users globally, sit at the intersection of all three problems: compliance costs, user exposure, and the difficulty of raising objections without being mischaracterized. The conversation Canada needs is about who actually pays when surveillance infrastructure fails. That conversation is not happening at the pace or depth the legislation demands.
What Responsible Lawful Access Could Actually Look Like
The distinction that matters most in lawful access policy is the one Canada’s legislators appear to be glossing over: the difference between targeted requests and blanket mandates.
When law enforcement obtains a warrant for records a company already holds for legitimate operational purposes — authentication logs, billing data, account metadata — that is a narrow, judicially supervised tool. It is categorically different from requiring companies to collect and store data they would otherwise never touch. The first approach gives investigators meaningful access. The second turns every service provider into passive surveillance infrastructure, holding data indefinitely on the off chance it becomes useful later.
A workable alternative is a data minimization plus judicial oversight framework. Under this model, companies retain only what they need to operate their services. Law enforcement accesses that data through specific, warrant-based requests reviewed by an independent judge. The scope of the request is bounded by what exists, not expanded by a government mandate to pre-emptively stockpile more. Countries like Germany have applied variants of this approach through their telecommunications data frameworks, requiring judicial authorization before access rather than after the fact.
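The minimization principle stated earlier (collect only what you need, delete it when the purpose is served) and the "data minimization plus judicial oversight" model described in this paragraph can be made concrete in code. The following is an added example, not code from the page or from any company it mentions; the retention windows, the record store, the Warrant structure and the 730-day blanket mandate are all constructed for illustration. It shows two things the prose only asserts: a warrant served against a minimized store can return only what still exists, and a blanket retention mandate applied to the same store raises the number of records an attacker obtains from a single breach.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed retention windows, one per operational purpose (illustrative values,
# not taken from the bill or from any real provider's policy).
OPERATIONAL_RETENTION = {
    "authentication": timedelta(days=30),
    "billing": timedelta(days=365),
    "abuse_investigation": timedelta(days=90),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subscriber: str
    purpose: str          # why the provider holds this record at all
    collected_at: datetime
    payload: str


@dataclass(frozen=True)
class Warrant:
    """Hypothetical shape of a judicially authorised, scoped request."""
    warrant_id: str
    subscriber: str
    purposes: frozenset    # categories the judge authorised
    not_before: datetime
    not_after: datetime


def is_retained(record, now, policy):
    """A record survives only while its purpose's window is open."""
    window = policy.get(record.purpose)
    if window is None:
        return False       # no operational purpose: minimization default is not to hold it
    return now - record.collected_at < window


def purge(store, now, policy):
    """Split the store into records to keep and ids scheduled for deletion."""
    keep, gone = [], []
    for rec in store:
        (keep if is_retained(rec, now, policy) else gone).append(rec)
    return keep, [r.record_id for r in gone]


def serve_warrant(store, warrant, now, policy):
    """Produce only records that still exist under the operational policy AND
    match the warrant's subscriber, purposes and time window. The warrant
    bounds the request; it never causes data to be retained."""
    if not warrant.warrant_id:
        raise PermissionError("request without a warrant identifier is refused")
    live, _ = purge(store, now, policy)
    return [
        r for r in live
        if r.subscriber == warrant.subscriber
        and r.purpose in warrant.purposes
        and warrant.not_before <= r.collected_at <= warrant.not_after
    ]


def breach_exposure(store, now, policy):
    """Records an attacker who copies the whole store would obtain."""
    live, _ = purge(store, now, policy)
    return len(live)


def blanket_mandate(policy, minimum, mandated_categories):
    """Model a statutory floor: every existing purpose is held at least
    `minimum`, and categories the provider never kept are added at that floor."""
    widened = {p: max(w, minimum) for p, w in policy.items()}
    widened.update({c: minimum for c in mandated_categories})
    return widened


# Constructed sample data: a fixed "now" and five records.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_STORE = [
    Record("r1", "alice", "authentication", NOW - timedelta(days=3), "login ok"),
    Record("r2", "alice", "authentication", NOW - timedelta(days=200), "login ok"),
    Record("r3", "alice", "billing", NOW - timedelta(days=100), "invoice 42"),
    Record("r4", "bob", "abuse_investigation", NOW - timedelta(days=400), "ticket closed"),
    Record("r5", "bob", "traffic_metadata", NOW - timedelta(days=1), "flow summary"),
]
MANDATED_RETENTION = blanket_mandate(
    OPERATIONAL_RETENTION, timedelta(days=730), ["traffic_metadata"]
)
SAMPLE_WARRANT = Warrant(
    "W-0001", "alice", frozenset({"authentication", "billing"}),
    NOW - timedelta(days=365), NOW,
)

if __name__ == "__main__":
    for name, policy in (("operational", OPERATIONAL_RETENTION), ("mandated", MANDATED_RETENTION)):
        ids = [r.record_id for r in serve_warrant(SAMPLE_STORE, SAMPLE_WARRANT, NOW, policy)]
        print(f"{name}: warrant returns {ids}, breach exposes {breach_exposure(SAMPLE_STORE, NOW, policy)} records")
```

Under the operational policy the expired authentication record, the closed abuse ticket and the never-needed traffic metadata are already gone, so the warrant returns two records and a full-store breach yields two. Under the blanket mandate the same warrant returns three and the breach yields five, including a category the provider had no operational reason to collect.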
Canada is in a position to set a standard here. It has a mature legal system, a credible privacy commissioner, and a technology sector with genuine expertise in networked systems and cryptography. The engineers and security researchers raising objections to Bill C-22 are not protecting commercial interests — they are pointing out that mandatory data retention creates attack surfaces that adversaries, including state-sponsored ones, actively exploit. The 2024 Salt Typhoon intrusions into US telecommunications infrastructure, which compromised lawful intercept systems at major carriers, demonstrated exactly what happens when surveillance capability becomes a structural feature of a network.
Parliament has a choice: treat technical objections as inconvenient lobbying and pass a bill that degrades security for everyone, or treat them as substantive input and design a lawful access regime that is both effective and secure. The second path requires more work. It also produces law that holds up.