Cybersecurity Experts Demand Canada Scrap Bill C-22 Backdoor

Reclaim The Net

Canada’s federal government is being asked to scrap Bill C-22 by a coalition that has grown to include 30 organizations and more than 20 cybersecurity experts.

The open letter, published by the Global Encryption Coalition on April 28, 2026, lands one week after a separate group of 14 civil liberties organizations, refugee advocates, academics, and 15 of Canada’s most prominent privacy scholars sent their own demand for full withdrawal to Prime Minister Mark Carney and every Member of Parliament.

The bill forces “electronic service providers” to install “technical capabilities” that hand law enforcement access to Canadian communications and sensitive data on demand.

The signatories of the open letter want the legislation pulled, not amended, because Part 2 of the bill, the so-called Supporting Authorized Access to Information Act, cannot be fixed without abandoning its core purpose.

That core purpose is breaking encryption. The signatories put the technical reality plainly. “There is no way to provide backdoor access to encrypted data and communications without compromising the privacy and security of millions of law-abiding citizens,” the letter states.

The signatories include Jon Callas of Indiana University, Electronic Frontier Foundation co-founder John Gilmore, Susan Landau of Tufts University, and Eugene H. Spafford of Purdue, alongside organizations such as the Internet Society, the Tor Project, Tuta, OpenMedia, the Center for Democracy & Technology, and Fight for the Future.

The Canadian government’s framing leans hard on a familiar reassurance. Public Safety Minister Gary Anandasangaree told an audience of police chiefs and law enforcement officials in March that the bill targets criminals, not ordinary citizens. “I want to be very clear about what C-22 is not. It is not about the surveillance of honest, hard-working Canadians going on about their daily lives,” Anandasangaree said.

He added moments later, “We’re not looking for sneaky ways to surveil Canadians. We are doing our part to combat bad actors in both the physical and digital worlds.”

What the minister described, however he labelled it, is a surveillance bill.

C-22 compels electronic service providers to retain Canadian metadata for a year and gives police and CSIS new mechanisms to retrieve it. Location data, device identifiers, daily movement patterns. All of it is warehoused in advance, on every Canadian, regardless of whether anyone is suspected of anything.

Location data alone tells a detailed life story: where someone sleeps, which doctor they see, which protests they attend, which church they walk into on a given day. Twelve months of that, sitting on private servers, organized for retrieval by the state.

The bill does retreat from its predecessor. Bill C-2, which collapsed last year under opposition from rights groups, opposition parties, and industry, would have allowed police to ask any service provider, including those bound by professional privilege, whether someone was a client and where they connected from, all without a warrant. C-22 narrows that warrantless inquiry to telecommunications companies, and limits the question to a yes-or-no on client status. Anything further requires a warrant.

Anandasangaree acknowledged the climbdown directly. “One thing I’ve learned is that at times when more work needs to be done on a particular bill, you retreat and you come back. You come back with better consensus, better consultation, and better supports from across the board,” he said.

The retreat is a concession. The premise is not. Companies still have to pre-organize sensitive data on every Canadian on behalf of the state, and the bill’s most concerning section authorizes the Minister of Public Safety to issue secret orders forcing designated “core” electronic service providers, a category the government has not bothered to fully define, to build and maintain surveillance capabilities. The companies that receive these orders cannot tell anyone they received them.

The government has written in a restriction saying the capabilities cannot create systemic vulnerabilities or weaken encryption, but that restriction is written by the same government that issues the secret orders, with no public accountability for how it gets applied.

The open letter notes that those supposed protections are flimsy on their own terms. “Systemic vulnerability” is vaguely defined in the bill and “encryption” is not defined at all.

The Governor in Council has wide remit to alter definitions and processes inside Part 2 after the fact, and the government has already admitted, on the record, that it is open to expanding C-22’s powers. Limited safeguards on a piece of surveillance legislation are not really safeguards if the people writing them say openly that they want them broader.

The cybersecurity argument against backdoors has not changed in 30 years. Encryption is mathematics. It works for everyone or it works for no one. A backdoor that only the good guys can use does not exist, and the people who keep insisting it must be possible are making a political argument dressed in technical language.

The signatories point to recent history to show what happens when governments mandate access.