Over the past week, a growing number of tech companies have warned that they may be forced to leave Canada if Bill C-22, the lawful access bill, remains unchanged. The government’s response to warnings from Signal, Windscribe, NordVPN, Apple, and Meta is that the companies are misreading the bill. But the prospect of a tech exodus from Canada rests on clear-cut privacy and security risks that do not apply in the U.S. or Europe.

The Act’s definition of “electronic service provider” captures any service involving the creation, recording, storage, processing, transmission, or reception of information, provided either to persons in Canada or by an entity carrying on business activities in Canada.

The breadth intentionally covers far more than just telecom companies and internet providers, extending to platforms, messaging applications, VPN services, and device manufacturers. Every ESP is subject to a general assistance obligation under section 7 and to a secrecy obligation that bars disclosure of the existence of requests.

[Signal’s Vice President of Strategy and Global Affairs Udbhav] Tiwari put the point bluntly in his statement to the Globe: “End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it.”

What places the Canadian tech sector at risk of an exodus is that U.S. law imposes neither obligation. There is no federal mandatory data retention law in the United States, as the Electronic Frontier Foundation has documented across more than a decade of failed legislative proposals. The closest analog, the preservation provision in 18 U.S.C. § 2703(f) of the Stored Communications Act, allows the government to compel a provider to preserve existing records for up to 90 days while it obtains a court order, with a single 90-day extension available. It is a reactive, targeted mechanism tied to a specific account, not a forward-looking retention mandate covering every user of the service.

A U.S.-based VPN or messaging service can therefore lawfully maintain a no-log approach, which is precisely how the no-log policies are built. Given the choice, VPNs and other services will surely leave Canada rather than architect their systems to retain metadata on every single user for a year.

In Europe, the Court of Justice of the European Union struck down general data retention regimes in Digital Rights Ireland in 2014 and Tele2 Sverige in 2016, and has continued to constrain them in later rulings. Germany’s Federal Constitutional Court has imposed similar limits, and general retention obligations on email providers remain unlawful there. The jurisdictions that have moved in C-22’s direction are precisely the ones where major services have begun to exit or restrict features.

The United Kingdom’s Investigatory Powers Act sparked Apple’s withdrawal of its Advanced Data Protection feature from the U.K. market rather than comply with a Technical Capability Notice ordering it to create access to encrypted iCloud data, and Apple is now litigating that order before the Investigatory Powers Tribunal.

Switzerland’s recent attempt to extend its surveillance ordinance to VPN providers and encrypted messaging services prompted Proton to begin moving infrastructure out of the country to Germany before the Swiss Federal Council paused the amendment pending an impact study. Where jurisdictions impose obligations of the kind Bill C-22 contains, privacy-protective services have either left, scaled back, or restricted features.

The compliance obligations on Canadian electronic service providers under Bill C-22 do not apply to a U.S.-based competitor, are limited or unconstitutional in much of Europe, and have led to exits or feature withdrawals in jurisdictions that have imposed them.

The companies aren’t bluffing, and they aren’t misreading the bill. Rather, they are responding to an outlier approach that threatens the Canadian tech landscape with obligations that place the privacy and security of millions at risk.

  • wampus@lemmy.ca · 3 upvotes · 5 hours ago

    Meh, the intentions of the legislation aren’t bad, and the main thing that needs a minor tweak is some of the phrasing in part 2.

    And yea, I say a minor tweak, in part because the legislation has very explicit statements that it does not require service providers to create systemic vulnerabilities, they re-iterate this in both part 1 and part 2 of the bill. And while there’s explicit verbiage of that nature, opponents are busy saying, essentially, “You may say that, but if you interpret these three other parts of the bill in a specific way, and ignore those explicit notes about not introducing systemic vulnerabilities, then it could maybe translate into a backdoor!”.

    The retention requirements primarily target meta data. There’s nothing in the bill saying companies need to hold on to content for 1 year. The meta data retention is generally tied to situations like asking Telus “Hey, we have this IP address that hit this child porn site a few months ago. It’s in your DHCP range for your customers. Can you tell us who it was assigned to?” (right now, Telus doesn’t retain dhcp logs for long at all, cause storing logs costs money). Or, “Hey, Canadians keep getting scam called via your service, can you tell us who was using your service to make those scam calls?”. One reason some of those issues persist/are difficult to hold people accountable for, is because tech companies facilitate it.

    Part 2’s assistance stuff, is mostly about giving the govt permission to ask companies to verify they can comply with the legislation, and to provide evidence of such on request, without publicly disclosing their communications of such with the govt. There’s some verbiage that’s a bit wobbly in terms of the scope of data included in that part that needs shoring up, potentially, but the re-iteration of the no-systemic risk clause in part 2 basically means you don’t need to redesign anything, so long as you’re meeting part 1’s meta data logging requirement.

    Someone stores an encrypted blob online, where your system is designed so that you as a business never see the private keys/data? That seems totally fine in terms of the legislation. But you gotta record the meta data identifiers of who accesses that blob. Because if an investigation later finds out it’s a blob of kiddie porn, they want to be able to follow up.

    And it’s probably also worth highlighting how much assistance the cops/govt really needs in Canada. Our Auditor General just recently released a report about Student Visa frauds, where the govt had been getting around 75k reports per year, but were only able to action/investigate about 2k per year – with half of those being non-investigations because the students just didn’t bother picking up the phone, and Canada’s govt gave up. I’ve heard in the past that the RCMP division for investigating things like cyber crimes / financial frauds was absurdly understaffed – about a decade ago, I’d heard from one of their industry liaison officers that they had a department of 20 people, though half the positions were unstaffed due to resource shortages. Guy was telling industry to start reporting incidents more aggressively, so that they could try and get some funding to support their mandate. The thought that Canada could realistically enact this legislation, and then crack down on all the service providers, is sorta laughable to me. It just gives their tiny state apparatus the ability to tread water longer, and to try and pressure big US tech oligarchs into “some kind” of regulated space. Tech Oligarchs that have more lawyers, and more PR professionals, than the Canadian government.

  • Bluegrass_Addict@lemmy.ca · 16 upvotes · 19 hours ago (edited)

    I’m already prepping for an Internet-less world, or at least EXTREMELY limited…

    books, guitar, drums, banjo, Jellyfin media libraries… all offline accessible. saving/backing up more and more data daily to ensure decades of entertainment without corporations trying to rape me further

    when shit really gets fucked, I’m out… I’ll return randomly to check on the status of the local meshtastic network and see everyone there.

    I do not want to live and play in the same areas as governments or corporations any longer.

    • cecilkorik@lemmy.ca · 3 upvotes · 14 hours ago

      You might find project nomad interesting too: https://github.com/Crosstalk-Solutions/project-nomad. It’s very docker-heavy which I don’t love but even as just an idea for stuff you can download manually it’s got some good ideas. Among the most important stuff there is lots of learning materials and honestly I’d recommend an AI model or a few too.

      We can discuss why I’d bother to recommend that, even if you hate AI, but I’d suggest keeping an open mind to these AI datasets that are effectively statistical models of all content they’ve been trained on. Statistical models can be very useful to collect huge amounts of data and information into a relatively small space, even if they don’t have perfect accuracy and aren’t universally applicable. Even if you can’t imagine a use personally right now, even if you don’t have the hardware to run it, grabbing a few more gigabytes that you might find to contain valuable statistical weights someday in the future might be worth the download and storage. Demographics don’t become useless just because they can’t accurately predict whether they apply to any given individual, and what are essentially the demographics of all information humanity has ever recorded on the internet can still be viewed as deeply interesting, regardless of how ethically they are being collected and used.

      And as you seem to be interested in the entertainment stuff, I’d also recommend downloading an archive of GameFAQs (at least the text-only portions of it, which are shockingly small, only a few gigabytes which is smaller than many entire games nowadays) and as many libraries of retro games as you can get, including ROMs and old PC abandonware that can be emulated in Dosbox etc.

      But at the end of the day I really don’t think they’ll completely collapse the internet. We will find ways to get our message out there to each other. Meshtastic is great. I2P is great. But I think it’s realistically impossible for the internet to ever become as completely locked down as people fear. We can and will become ungovernable. They can’t stop the signal. They’ve never been able to in the past and they’re never going to be able to. The resistance has become widespread, and the tighter their grasp becomes, the more will slip through their fingers.

    • imrighthere@lemmy.ca · 5 upvotes · 18 hours ago

      I honestly thought I was the only one willing to give up my net connection over this.

      • Bluegrass_Addict@lemmy.ca · 4 upvotes · 16 hours ago

        you should look into meshtastic and have a node ready to go live.

        https://meshtastic.org/

        ‘internet’ (not really) without any isp or corporate garbage… literally free communication between other meshtastic folks to communicate and share knowledge/information/data etc…

        • Jarix@lemmy.world · 1 upvote · 8 hours ago

          Did you stop reading halfway through before they mentioned coming back every now and then to check the state of things…on a meshtastic network?

  • Auli@lemmy.ca · 4 upvotes · 14 hours ago

    Tech exodus? We don’t have any tech companies; they are all American companies. I don’t think they will leave.

  • grey_maniac@lemmy.ca · 9 upvotes · 19 hours ago

    If the bill can be mis-read by that many that easily, it is not worded clearly enough to be a bill. There should be ambiguity checks that have to be passed before a bill can be tabled in the first place.

    • Scotty@scribe.disroot.org (OP) · 6 upvotes · 18 hours ago

      Maybe I am mistaken, but I don’t think that it is that much misread. It’s a backdoor and likely not in line with legislation in Europe and other Canadian partners.

      In addition, there is a major threat that it gets exploited by foreign malign actors such as China or Russia. I recently commented in another thread that in 2024, U.S. officials urged U.S. citizens to use encrypted apps after China hacked into the U.S. ISP’s wiretap systems.

      As the alert reads,

      … we have identified that [China-]affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues …

      Canada risks a lot more than “only” some degree of privacy imo. As much as I understand law enforcement’s desire to get more data, we all know that a backdoor only for the ‘good guys’ doesn’t exist. It exposes citizens to a high risk of surveillance by malign actors.