In a world where online surveillance has become normalized, we are now reaching the point where governments and authorities are benefiting from it. Unfortunately, Canada may soon join the 1984 party if this new privacy-invasive bill passes.
Recently, Canada’s Liberal Party introduced Bill C-22, also known as the Lawful Access Act, which would require one year of metadata retention under the guise of “investigating digital crimes.”
⚠️ The Issue
Metadata can expose almost everything you do on a platform. This includes IP addresses, user agents, call logs/times, GPS data, and more.
- The worst part? It affects everyone.
This affects services like social media platforms, web apps, and also privacy-focused services such as VPNs or messaging apps. With an order from the Canadian Ministry of Public Safety, a service provider (even one with a strict no-logs/metadata policy) may be required to retain metadata and allow authorities to access it with a warrant. The retention of metadata affect any users on a platform, no matter what.
- C-22 is a major threat to privacy-focused services
Privacy-focused services were created to escape mass and capitalist surveillance from large corporations and governments, and to give people peace of mind regarding their precious data.
With Bill C-22, it is ruining their purpose.
⁉️ C-22 Is Unclear on Encryption
The bill lacks precision. For example, it does not clarify how authorities would handle encrypted data.
While the bill does not explicitly mention encryption, it may pressure companies to weaken encryption or limit its use in order to comply with the law.
In theory, authorities may eventually require encrypted metadata to be decrypted for inspection if they permit or mandate its retention.
🟡 A Coffer Full of Gold for Bad Actors, Made In Canada™
This is how bad actors see tech companies: the more data you collect, the bigger a target you become.
Retaining massive amounts of data increases the risk of data breaches, as it makes companies more attractive to attackers and could expose a huge amount of information about their users.
❔ So What Now?
- Many are concerned.
Windscribe and Signal has manifested their intention to leave Canada.
Forjed, as a privacy-focused organization, is very concerned about this bill. The organization itself is Canadian, with two servers located in Sweden. Despite the fact that our servers are in Sweden and that we are an unincorporated organization, certain laws still apply to us (e.g. GDPR from the EU, PIPEDA, etc.), but we are unofficially in the “safe zone.”
In the unlikely event that we are required to comply, we may have no choice but to restrict or even shut down access to Canada—our own country. We hope this never happens, but we cannot rule it out entirely.
For now, C-22 is still in the House of Commons. After a third reading, it may proceed to the Senate.
📃 Summary of How C-22 Would Work
So basically:
- The Ministry of Public Safety sends a request to an ESP to retain data
- The service retains the data (everyone’s metadata is kept)
- Authorities such as the RCMP, local police forces, and others can request access to specific data with a warrant, potentially undermining the purpose of privacy-focused services and expanding surveillance capabilities
This affects everyone, regardless of whether they have been involved in a crime or not.
🌐 Take Action!
The Justice Centre for Constitutional Freedoms has recently launched a national petition.
Sign here: https://www.jccf.ca/stop-bill-c-22-stop-surveillance-in-canada/
ℹ️ Remember: Privacy Is a Human Right
Privacy has increasingly been framed as a luxury, or even as something associated with criminals in recent years. It is not.
In fact, privacy is a right in a democracy with free people.