Signal vs. Bill C-22: Why Canada's Lawful Access Law Could Become a Global Encryption Battlefield
The Standoff: Signal Draws a Red Line
Encrypted messaging giant Signal has issued an ultimatum to the Canadian government: if Bill C-22 becomes law in its current form, the platform will exit the Canadian market entirely. The announcement, made by Signal VP of Strategy and Global Affairs Udbhav Tiwari in an interview with The Globe and Mail, marks one of the most forceful corporate stances against government-mandated surveillance infrastructure since the encryption wars of the 2010s.
"Signal would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users," Tiwari stated, adding that mandated surveillance capabilities would inevitably create exploitable weaknesses for hackers, criminal actors, and foreign intelligence agencies alike. The statement reflects a growing consensus among cryptographers and security engineers: there is no such thing as an encryption backdoor that only the "good guys" can use.
What Is Bill C-22 and Why Is It Controversial?
Bill C-22 is Canada's proposed lawful access legislation, currently under review by Parliament's Standing Committee on Public Safety and National Security. The bill is divided into two parts. Part 1 introduces relatively narrow investigative tools — subscriber information production orders, confirmation-of-service demands, and judicial oversight mechanisms — that largely modernize existing police powers for the digital age.
Part 2, however, is where the controversy ignites. It would require "electronic service providers" — a definition broad enough to encompass messaging apps, email providers, VPN services, cloud platforms, and social media companies — to maintain technical capabilities enabling law enforcement and intelligence agencies to access data under authorized orders. Future regulations could also require providers to retain certain metadata for up to one year.
The Canadian Department of Justice insists the bill is "encryption-neutral" and that nothing in C-22 compels companies to weaken security protections. But critics — including Apple, Meta, Signal, Citizen Lab, and dozens of cybersecurity experts — argue the broad language of Part 2 could effectively force providers to build encryption backdoors, weaken key management systems, or deploy government surveillance tooling within their infrastructure.
The Technical Reality: Why Backdoors Break Everything
To understand why Signal is willing to exit an entire G7 market, you need to understand the cryptographic architecture behind modern end-to-end encryption (E2EE). Signal uses the Signal Protocol, whose double ratchet algorithm generates ephemeral encryption keys for every single message. Even if an attacker compromises one message key, they cannot decrypt past or future messages. These properties are called forward secrecy and future secrecy.
A lawful access mandate would require providers to engineer a mechanism that extracts plaintext from an otherwise encrypted channel. There are only a few ways to do this technically:
- Key escrow: The provider retains copies of encryption keys and surrenders them upon order. This creates a single point of failure — a centralized key repository that becomes the ultimate target for hackers and foreign intelligence services.
- Ghost participants: A silent third party is added to every encrypted conversation, receiving all messages in plaintext. This is functionally identical to a man-in-the-middle attack and fundamentally incompatible with E2EE guarantees.
- Client-side scanning: Software on the user's device scans message content before encryption. Apple attempted this with its abandoned CSAM detection system and faced massive backlash from privacy advocates and security researchers worldwide.
Each approach introduces what cryptographers call a "systemic vulnerability" — a weakness deliberately engineered into the system that cannot be restricted to a single lawful purpose. The UK's 2025 demand that Apple create a backdoor into iCloud's Advanced Data Protection — which led Apple to withdraw the feature from the UK entirely — demonstrated exactly this dynamic: once a capability exists, its scope inevitably expands and its security inevitably degrades.
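The forward-secrecy and key-escrow points above, as an added example that is not from the original article and is not Signal's code: a simplified symmetric KDF chain with a toy HMAC-based cipher, comparing what a seized device state and an escrowed root key can each open. The Diffie-Hellman half of the double ratchet is omitted, so only forward secrecy is shown; all names and the sample root key are constructed.

```python
import hashlib
import hmac

def ratchet(chain_key):
    """One KDF-chain step: (message_key, next_chain_key). HMAC is one-way,
    so a later chain key cannot be run backwards to an earlier one.
    Simplified: symmetric chain only, the DH ratchet is omitted."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain

def _xor_stream(key, data):
    # Toy cipher (HMAC in counter mode), standing in for a real AEAD.
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hmac.new(key, b"enc%d" % block, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message_key, plaintext):
    body = _xor_stream(message_key, plaintext)
    return body + hmac.new(message_key, b"mac" + body, hashlib.sha256).digest()

def unseal(message_key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(message_key, b"mac" + body, hashlib.sha256).digest()
    return _xor_stream(message_key, body) if hmac.compare_digest(tag, good) else None

def send_all(root_key, messages):
    """Encrypt each message under its own key; old keys are erased after use."""
    chain_key, wire, device_states = root_key, [], []
    for plaintext in messages:
        message_key, chain_key = ratchet(chain_key)
        wire.append(seal(message_key, plaintext))
        device_states.append(chain_key)  # all that remains on the device
    return wire, device_states

def readable_with(chain_key, wire):
    """Indexes of captured ciphertexts that a holder of chain_key can open."""
    opened = set()
    for _ in wire:
        message_key, chain_key = ratchet(chain_key)
        opened |= {i for i, blob in enumerate(wire) if unseal(message_key, blob) is not None}
    return sorted(opened)

# Constructed sample data: a fixed root key and five short messages.
ROOT = hashlib.sha256(b"constructed demo root key").digest()
WIRE, STATES = send_all(ROOT, [b"msg %d" % i for i in range(5)])
if __name__ == "__main__":
    print("device seized after 3rd message:", readable_with(STATES[2], WIRE),
          "| escrowed root key:", readable_with(ROOT, WIRE))
```

The state left on the device after the third message opens none of the first three ciphertexts, while a retained copy of the root key opens all five. In the full double ratchet the Diffie-Hellman step also replaces the chain, which is what limits exposure of later messages.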
Apple and Meta Join the Resistance
Signal is not alone. On May 7, Meta's Director of Public Policy for Canada, Rachel Curran, testified before the parliamentary committee that Bill C-22 could require companies to "build or maintain capabilities that break, weaken, or circumvent encryption." Meta warned that mandatory lawful access systems mirror the infrastructure weaknesses exploited in the "Salt Typhoon" espionage campaign — a China-linked cyberattack that infiltrated multiple US broadband providers and exposed systemic vulnerabilities in telecom infrastructure.
Apple issued an even sharper statement: "At a time of rising and pervasive threats from malicious actors seeking access to user information, Bill C-22, as drafted, would undermine our ability to offer the powerful privacy and security features users expect from Apple. This legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products — something Apple will never do."
Both companies urged lawmakers to split Part 2 from the broader bill and amend provisions involving surveillance tooling, encryption protections, and company appeal rights. Meta specifically criticized vague language around "systemic vulnerabilities," noting the legislation lacks a clear process for companies to challenge problematic government orders.
Global Context: The Encryption Domino Effect
The Canadian debate does not exist in a vacuum. It unfolds against a backdrop of escalating global pressure on encryption. In 2025, the UK government reportedly issued a Technical Capability Notice to Apple demanding backdoor access to encrypted iCloud data — Apple's response was to withdraw Advanced Data Protection from UK users entirely rather than comply. Sweden and France abandoned similar encryption-related surveillance proposals last year after technical and legal pushback. Australia's Assistance and Access Act of 2018 remains a cautionary tale, with its broad technical assistance powers criticized for lacking meaningful safeguards and driving security-conscious companies away from the Australian market.
The pattern is clear: when governments mandate encryption workarounds, companies face an impossible choice between violating their security promises to users and abandoning entire national markets. Canada's Bill C-22 now threatens to add the world's ninth-largest economy to this growing list of encryption battlegrounds.
Kate Robertson, senior research associate at the University of Toronto's Citizen Lab, warned that encrypted communication platforms are essential for journalists, dissidents, and human rights defenders globally. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, noted that the legislation goes beyond traditional court-ordered disclosures by potentially mandating permanent technical modifications to provider systems — a requirement with no precedent in Canadian law.
What Happens Next?
Bill C-22 remains under committee review, with no fixed timeline for a final vote. The Canadian government maintains its "encryption-neutral" stance, with Public Safety Minister Gary Anandasangaree's office insisting that "nothing in Bill C-22" compels companies to weaken security protections. But the technical reality — articulated by Signal, Apple, Meta, and the cryptography community — is that lawful access to end-to-end encrypted content cannot exist without breaking the encryption itself.
Several outcomes are possible. The most optimistic scenario sees Part 2 stripped from the bill or amended with explicit encryption protections and robust judicial oversight. A middle ground would involve narrowing the scope of technical assistance obligations to exclude E2EE platforms. The worst case — Bill C-22 passing unchanged — could trigger an exodus of privacy-focused services from Canada, with Signal leading the way and others likely to follow.
For Canadian users who rely on encrypted communication for everything from personal conversations to business confidentiality and journalist-source protection, the stakes could not be higher. The outcome of Bill C-22 will determine whether Canada remains a jurisdiction where secure communication is legally protected — or becomes yet another country where encryption exists only on paper.
Source: Signal threatens to leave Canada over proposed lawful access bill — CyberInsider