The Right Honourable Mark Carney, P.C., O.C., M.P.
Prime Minister of Canada
The Honourable Gary Anandasangaree, P.C., M.P.
Minister of Public Safety
The Honourable Sean Fraser, P.C., M.P.
Minister of Justice and Attorney General of Canada
The undersigned civil society organizations, companies, and cybersecurity experts, including members of the Global Encryption Coalition, urge the federal government to withdraw Bill C-22, An Act respecting lawful access.
While Bill C-22 aims to make Canadians safer, Part 2 of the Bill, the Supporting Authorized Access to Information Act, will instead force services to install “technical capabilities” to access Canadians’ communications and sensitive data. The consensus among cybersecurity experts is clear. There is no way to provide backdoor access to encrypted data and communications without compromising the privacy and security of millions of law-abiding citizens. This is particularly true in the wake of new AI systems that can autonomously scan software, find the vulnerabilities created by encryption backdoors, and write attacks to break in. AI has collapsed the timeline from discovery to exploitation from months to mere hours, ensuring that any mandated backdoor will be weaponized by adversaries almost instantly.
In 2025, the federal government attempted to pass Bill C-2, which included lawful access provisions. Part 2 of Bill C-22 would create the same and worse problems as last year’s legislation.
By forcing companies to build encryption backdoors into their services, Bill C-22 would:
- expose Canadians and Canadian institutions to foreign surveillance and interference.
- jeopardize the security and privacy of people in Canada and abroad, including children and vulnerable communities.
- undermine the growth and resilience of Canada’s digital economy.
- subject Canadians to the rising cost of cybercrime.
The Bill’s so-called protections related to “systemic vulnerabilities” in Part 2 of Bill C-22 are not adequate to protect the security and integrity of Canadian data. The term “systemic vulnerability” is vaguely defined and “encryption” remains undefined in the legislation. Furthermore, the Bill gives the Governor in Council wide remit to make changes to the definitions and processes in Part 2 of the Bill. This risk of limited safeguards being eroded even further is even greater with the government’s admission that it is open to broadening C-22 powers for law enforcement.
Strong encryption is crucial to keep private information out of the wrong hands. In a digital society where online services are increasingly collecting, compiling, and selling identifiable and sensitive data, encryption is often our last line of defense for privacy and security online. Preventing people and businesses from protecting themselves with the strongest security tools available would be disastrous.
Bill C-22 will expose Canadians and Canadian institutions to foreign surveillance and interference.
Bill C-22 could expose everyone in Canada to international surveillance and undermine Canada’s efforts to improve national security amid geopolitical uncertainty. There is no such thing as a backdoor that is only open to law enforcement and intelligence agencies. And if you build it, the question is not ‘if’ adversaries will exploit the vulnerability, but ‘when’.
The threat to Canada is real. In March 2026, the Canadian Centre for Cyber Security (CCCS) noted that “Russian cyber threat actors are very likely targeting Canadian government, military, private sector and critical infrastructure networks.” Furthermore, a CCCS 2025 bulletin found that a Chinese hacking group, Salt Typhoon, “almost certainly” targeted the Canadian telecommunications sector and other industries.
The 2024 Salt Typhoon cyber espionage campaign is a stark reminder that backdoors are never only available to the ‘good guys’. Nation-state attackers gained access to highly sensitive US national security information by taking over the built-in wiretap capabilities of US telecommunications networks. Crucially, the attackers did not need to exploit a technical flaw in the intercept system itself to break in. They breached the perimeter using everyday software bugs and stolen credentials, and then simply commandeered the mandated backdoor to conduct their own espionage. Furthermore, infected US telecommunications companies may never be able to undo the espionage campaign’s compromise to their networks. Salt Typhoon’s devastation happened because a US policy decision forced the creation of a powerful “dual-use” tool, proving that any mandated access system will become a weapon for anyone who compromises the host network.
Bill C-22 could do far worse—threatening the security of virtually any Internet-based service (within Canada and abroad) that receives similar orders, as well as the individuals and businesses that rely on them. New AI tools recently showed how quickly and cheaply attackers can spot and exploit vulnerabilities. Because AI drastically lowers the cost and skill floor for vulnerability discovery, the “time to exploit” window has collapsed. Cyber security professionals already face a significant challenge in combatting this threat, but C-22 would force services to introduce new vulnerabilities for these models to exploit, not fix them.
Bill C-22 will jeopardize the security and privacy of people in Canada and abroad, including children and vulnerable communities.
Bill C-22’s lawful access provisions would erode a last line of defense to ensure people can have safe experiences on and offline. International human rights bodies and child safety experts have recognized the importance of encryption to protect the safety and privacy of people, including children and vulnerable communities. Encryption ensures people have safe lines of communication online when they need it most. For survivors of domestic violence, encryption is a lifeline that secures confidential communication about escape plans and protecting victims (including children) from abusers. For children, it means schools and health authorities can help keep their sensitive data out of the hands of predators. For Indigenous communities and marginalized groups, it can help create safe spaces to engage in advocacy and connect with communities while avoiding harassment and surveillance online. Encryption also protects people from transnational repression, shielding sensitive data from other governments that could misuse it to silence criticism through intimidation or threats of violence.
Bill C-22 will push innovation, talent, and investment dollars away from Canada
Requiring businesses to reconfigure their systems specifically to enable access to communications systems to comply with government orders would force businesses to choose between weakening the security of their services and putting users’ security and privacy at risk, or withdrawing their secure services and/or products from Canada altogether. Either choice will weaken Canadians’ security.
Businesses have already faced this impossible choice. A recent United Kingdom (UK) government order issued to Apple under its Investigatory Powers Act led Apple to stop offering Advanced Data Protection within the UK, rather than weaken the security of its product by providing the UK government with backdoor access. While some businesses may choose to move out of Canada altogether, Canadian companies that are not able to leave the jurisdiction will likely suffer the economic consequences of a distrusted tech sector. An Internet Society-commissioned report on the economic consequences of laws that weaken encryption found that Australia’s Telecommunications and Other Legislation Amendment (Assistance and Access) (TOLA) Act caused massive distrust in Australia’s tech sector and significant financial losses. One company interviewed estimated an “adverse economic impact” to the order of AU$1 billion. With the tech sector employing 2.2 million Canadians, the economic consequences of this disruption would be large.
Canada will become a hotbed for cyber incidents and Canadians will shoulder the cost
Canadians are increasingly at risk of data breaches and financially motivated cybercrime. Statistics Canada says Canadian businesses spent 1.2 billion on cyber incident recovery in 2023. Strong encryption is crucial to help prevent and mitigate the impact of cyber incidents. It allows people, businesses, and networks to send sensitive information over the Internet so eavesdroppers and attackers cannot see or tamper with the content. This is critical to making sure online services (e.g., banking, ecommerce, tax filing, telemedicine)—as well as the Internet infrastructure that makes them possible—operate in the way that people and businesses expect. The volume and impact of cyber incidents could soar under Part 2 of Bill C-22 and the cost will most certainly be passed on to consumers, contributing to an already growing cost of living and doing business in Canada.
The undersigned signatories ask that the federal government withdraw Bill C-22 to address the immediate threats in Part 2 and conduct a full study, including consultations and an Internet Impact Assessment, to mitigate risks in the Bill.
Only by making sure people and businesses have the strongest tools to avoid data breaches and the next major cyberattack, can we promote the resilience of Canada’s digital economy and protect people and vulnerable communities from harm.
Signatories:
Organizations
3 Steps Data
Betapersei SC
Canadian Muslim Public Affairs Council (CMPAC)
Center for Democracy & Technology
Comunitatea Internet Association
Cryptopocalypse
Cybersecurity Advisors Network
Fight for the Future
International Civil Liberties Monitoring Group
Internet Infrastructure Coalition
Internet Society
Internet Society Catalan Chapter (ISOC-CAT)
Internet Society Colombia Chapter
Internet Society Ecuador Chapter
Internet Society Uganda Chapter
JCA-NET
LGBT tech
OpenMedia
Privacy and Access Council of Canada
The Tor Project
Tuta
VPN Trust Initiative
Webfala Digital Skills for all Initiative
YOUTH FORUM FOR SOCIAL JUSTICE
Individual Experts*
Rubia Reis Guerra, University of British Columbia
Nguyen Phong Hoang, University of British Columbia
Gabrielle Lim, University of Toronto
Puneet Mehrotra, University of British Columbia
Mr Michele Neylon, Founder & CEO of Blacknight
Caleb Ogundele
Margo Seltzer, The University of British Columbia
Joel Templeman, Internet Society Manitoba Chapter Inc.
*Affiliations listed for identification purposes only