
Canada's Backdoor: Bill C-22 Forces ISPs to Build Government Spy Ports Into Their Own Networks

By PRISM • March 16, 2026 • 12 min read

Canada's new Bill C-22 requires network operators to install permanent government access infrastructure inside their own systems. (Pexels)

The headline concession in Canada's new Lawful Access Act sounds reasonable: the government dropped its most aggressive warrantless data grab and will now require judicial approval before accessing most subscriber records. Privacy advocates called it an improvement over the disastrous Bill C-2 attempt last spring. The government called it balanced.

Read the fine print. The second half of Bill C-22 - the Supporting Authorized Access to Information Act, or SAAIA - is a structural demand that internet service providers build permanent, government-accessible surveillance infrastructure directly into their own networks. The secret kind. With no public disclosure of what exactly is being installed.

Canada is building a wiretapping architecture into the commercial internet at the national level. And the law requires the companies doing it to stay quiet about the whole thing.

What the Bill Actually Does

Bill C-22, introduced to Parliament in March 2026, is actually two pieces of legislation stitched together. The first half deals with subscriber information access - when and how police can compel telecoms to identify their customers. The second half, SAAIA, is something else entirely.

SAAIA divides the internet economy into two tiers. All "electronic service providers" - a deliberately broad definition that includes anyone providing digital services to Canadians - face basic obligations to assist government in testing surveillance and monitoring capabilities. "Core providers," a category the government will define through regulation, face far deeper requirements.

Those core obligations include developing, implementing, and maintaining "operational and technical capabilities" for extracting and organizing data. They include installing and operating "any device, equipment or other thing" that enables authorized persons to access information. They include retaining categories of metadata - defined to include transmission data - for periods of up to one year.

This is not a metaphorical backdoor. This is a legal mandate to build a physical port into commercial network infrastructure through which the government can enter.

"The SAAIA envisions providing law enforcement with direct access to provider networks to test capabilities for data access and interception. The bill introduces a new term - 'electronic service provider' - that is presumably designed to extend beyond telecom and Internet providers by scoping in Internet platforms like Google and Meta." - Professor Michael Geist, Canada Research Chair in Internet and E-Commerce Law, University of Ottawa

The definition of an "electronic service" in the bill is so broad it covers essentially any digital function: "a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means."

That definition encompasses email, messaging apps, cloud storage, video streaming, gaming servers, financial apps, and AI chatbots. If it processes digital information in Canada, it may be in scope.

The Secrecy Mandate: A Gag Order Baked Into Law


Network providers who receive government capability orders under SAAIA will be required by law to keep those orders secret. (Pexels)

One of the most troubling elements of Bill C-22 is not what the government can access - it is what you are not allowed to know about it.

SAAIA requires companies to keep capability requests secret. An internet provider that receives an order to install government monitoring infrastructure cannot tell its customers, cannot publish a transparency report about it, and cannot - in most circumstances - publicly acknowledge the order exists. The bill models this on existing national security law, where court challenges happen behind closed doors and the public learns about surveillance capabilities years after the fact, if ever.

This secrecy is not incidental. It is load-bearing. Without secrecy, the public pressure that killed earlier versions of this legislation would mobilize again. Researchers at the Citizen Lab - the University of Toronto group that has exposed state surveillance programs from Ethiopia to the United Arab Emirates - have consistently warned that such secrecy provisions create "accountability vacuums" where abuse flourishes precisely because oversight requires information that no one is allowed to share.

The government added oversight in the form of the Intelligence Commissioner, who must approve ministerial orders before they take effect. This is a procedural improvement over Bill C-2. But the Intelligence Commissioner operates under the same secrecy constraints. Reviews happen in secret. Findings are classified. The public cannot evaluate whether oversight is working because it cannot see what is being overseen.

"The concerns regarding surveillance capabilities, security vulnerabilities, secrecy, and cross-border data sharing remain." - Michael Geist, michaelgeist.ca, March 2026

Canada is not unique in this approach. The UK's Investigatory Powers Act, Australia's Assistance and Access Act, and Germany's Telekommunikationsgesetz all contain similar provisions requiring telecoms to build law enforcement access into their systems. What makes Bill C-22 notable is the breadth of its "electronic service provider" definition and the explicit metadata retention mandate - neither of which appeared in comparable legislation elsewhere at this scope.

The Metadata Retention Bomb

Here is the part of Bill C-22 that was not in the earlier, rejected Bill C-2: mandatory metadata retention.

Core providers under SAAIA must retain categories of metadata - including transmission data - for up to one year. The bill carves out explicit protections for content: companies cannot be required to retain the substance of communications, web browsing history, or social media activities. The government's framing is that metadata is the harmless shell around content - just the technical overhead of network operation.

That framing has not survived serious scrutiny for over a decade. Stewart Baker, former NSA General Counsel, said it plainly in 2014: "metadata absolutely tells you everything about somebody's life." The European Court of Justice agreed, twice, striking down EU-level data retention directives in 2014 and 2016 precisely because bulk metadata retention was incompatible with fundamental rights even without content access.

What Metadata Can Reveal

The bill's metadata exemptions - no browsing history, no social media activity, no content - sound protective in isolation. But transmission data, which the bill explicitly permits retaining, often contains equivalent information. When your device sends a DNS lookup for a medical specialist's website, that transmission data reveals the visit even if the browsing "history" is technically excluded. The boundary between metadata and content has been dissolving for twenty years as technology evolves.
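To make the DNS point concrete, here is an added example that is not from the article or from any provider's systems. It takes a few constructed resolver log lines (timestamp, client address, queried name), which is the kind of transmission data a retention mandate would cover, and matches them against a constructed list of sensitive domains. No content and no browser history is involved; the health-related inference comes from transmission metadata alone. The domain names and the sensitivity map are placeholders.

```python
"""Added example: what retained transmission metadata alone can reveal.

Constructed resolver log records are grouped per client and matched against a
constructed list of sensitive domains. Nothing here is content or browsing
history in the bill's sense; only the DNS transmission data is used.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: "<timestamp> <client_ip> <queried_name>".
SAMPLE_DNS_LOG = """\
2026-03-16T08:02:11Z 10.0.0.5 news.example.ca
2026-03-16T08:03:40Z 10.0.0.5 oncology-clinic.example.ca
2026-03-16T08:03:41Z 10.0.0.5 cdn.oncology-clinic.example.ca
2026-03-16T12:15:02Z 10.0.0.7 weather.example.ca
2026-03-16T21:30:09Z 10.0.0.5 addiction-helpline.example.ca
2026-03-17T08:05:13Z 10.0.0.5 oncology-clinic.example.ca
"""

# Constructed placeholder mapping from domain to a sensitivity category.
SENSITIVE_DOMAINS = {
    "oncology-clinic.example.ca": "health",
    "addiction-helpline.example.ca": "health",
}


def parse_dns_log(text):
    """Parse resolver log lines into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower())
        )
    return records


def sensitive_inferences(records, sensitive=SENSITIVE_DOMAINS):
    """Return {client: {category: [timestamps]}} built only from metadata.

    A query for a subdomain (cdn.oncology-clinic.example.ca) is attributed to
    the parent sensitive domain by suffix match.
    """
    found = defaultdict(lambda: defaultdict(list))
    for ts, client, qname in records:
        for domain, category in sensitive.items():
            if qname == domain or qname.endswith("." + domain):
                found[client][category].append(ts)
                break
    return {client: dict(cats) for client, cats in found.items()}


def summarize(inferences):
    """One line per client and category: how many lookups over how many days."""
    lines = []
    for client, cats in sorted(inferences.items()):
        for category, stamps in sorted(cats.items()):
            days = {t.date() for t in stamps}
            lines.append(
                f"{client}: {category} ({len(stamps)} lookups over {len(days)} day(s))"
            )
    return lines


if __name__ == "__main__":
    # Prints: 10.0.0.5: health (4 lookups over 2 day(s))
    for line in summarize(sensitive_inferences(parse_dns_log(SAMPLE_DNS_LOG))):
        print(line)
```

The client at 10.0.0.5 never had any page content or "browsing history" retained, yet the repeated lookups across two days are enough to infer a recurring health concern. This is the shape of the assessment a provider's privacy impact review would have to run against any retained transmission data, and it is why the bill's content carve-outs do not settle the question.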

Canada's Supreme Court recognized this in R v Spencer (2014), ruling that individuals have a reasonable expectation of privacy in subscriber information that could reveal internet activity patterns. The government's legal team will argue that Bill C-22's judicial review safeguards bring it into constitutional compliance. Critics think that fight is coming - and that SAAIA's metadata retention provisions are the most vulnerable part of the bill.

The Security Vulnerability Nobody Wants to Talk About

There is a technical problem with government-mandated surveillance backdoors that has nothing to do with civil liberties or constitutional law. It is an engineering problem. And it is serious.

When you build a capability for authorized government access into a network, you build a capability. That capability can be targeted. Authorized backdoors are attack surfaces. This is not a theoretical concern - it is what happened to US telecoms in 2024 when Chinese state actors reportedly accessed lawful intercept systems that American carriers were required to maintain for government use. The backdoors that US authorities demanded for their own surveillance became entry points for a foreign intelligence service.

Bill C-22 contains a narrow carve-out: core providers are not required to comply with capability mandates if compliance would "require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability."

This exception sounds substantial. In practice, security researchers say it is nearly useless. Determining whether a specific surveillance capability creates a "systemic vulnerability" requires a security assessment. That assessment involves disclosing details about the government's capability requirements. Those details are covered by the secrecy provisions of the same bill. The exception is a loop that closes before it opens.

"There remain concerns that the exception is insufficient and that there are real risks that networks may be made less secure by virtue of these rules - with the changes kept secret from the public." - Michael Geist, University of Ottawa, analyzing SAAIA provisions

Signal, the end-to-end encrypted messaging app that human rights workers and journalists rely on, may be technically exempt - if it does not maintain operations in Canada and does not serve a certain threshold of Canadian users. The bill's drafters appear aware that applying SAAIA to fully end-to-end encrypted services would require breaking encryption, which would trigger international legal consequences and diplomatic friction with the United States and Europe.

But WhatsApp, iMessage, Gmail, Google Drive, Microsoft 365, Dropbox, and dozens of other services that billions of Canadians use daily are different. Many use encryption in transit but not end-to-end across their entire stack. These services maintain Canadian operations, serve Canadian users at scale, and fall squarely within the bill's "electronic service provider" definition. They may become core providers subject to mandatory capability installation.

The Global Data-Sharing Architecture Hidden in Appendices


Bill C-22's SAAIA provisions are explicitly designed for compatibility with the Second Additional Protocol to the Budapest Convention and the US CLOUD Act - making Canadian user data potentially accessible to foreign law enforcement. (Pexels)

Buried in the legal analysis of Bill C-22 is a detail that most Canadian coverage has missed entirely: the surveillance infrastructure this bill mandates is not designed solely for Canadian law enforcement.

Kate Robertson, senior researcher at the Citizen Lab, has documented how the SAAIA provisions appear specifically engineered to enable compliance with two international frameworks: the Second Additional Protocol to the Budapest Convention on Cybercrime (2AP) and the United States CLOUD Act.

The Budapest Convention is the primary international treaty governing cybercrime cooperation. The 2AP, adopted in 2022 and currently in ratification across Western democracies, establishes new mechanisms for law enforcement in one country to directly request subscriber data and even device data from service providers in another country - bypassing traditional mutual legal assistance treaties that provided diplomatic oversight and delay.

The CLOUD Act, the 2018 US law, allows American prosecutors to compel US-based cloud providers to hand over data stored anywhere in the world. It also enables bilateral agreements between the US and other countries to share access to each other's surveillance capabilities under "CLOUD Act executive agreements."

Building SAAIA in a way that is compatible with 2AP and the CLOUD Act means building Canadian surveillance infrastructure that can be queried, or whose products can be shared, with foreign law enforcement under these frameworks. A Canadian ISP required to retain transmission metadata for twelve months under SAAIA is not retaining that data only for the RCMP. Under 2AP and CLOUD Act-compatible access agreements, that same data pool could be accessible to the FBI, the UK's National Crime Agency, or other Allied agencies under data-sharing arrangements that Parliament has never explicitly voted on.

- 40+ countries in the Budapest Convention on Cybercrime
- 12 months: maximum metadata retention under SAAIA
- 3 failed Canadian lawful access bills since 2005
- 0 parliamentary debates on CLOUD Act alignment

This is not speculative. The government's own briefing notes, obtained through access to information requests and reviewed by civil liberties researchers, reference "interoperability with allied partner frameworks" as an explicit design goal of the surveillance capability infrastructure. Canada did not build SAAIA to work only with Canadian warrants. It built SAAIA to plug into a Five Eyes-compatible surveillance architecture.

The Parallel Privacy Collapse: Bill C-4

Bill C-22 did not pass in isolation. The same week it was introduced, a separate piece of legislation - Bill C-4, a budget implementation bill - quietly received royal assent after what legal observers described as a legislative sprint that bypassed normal parliamentary scrutiny.

Bill C-4 carved federal political parties out of Canada's privacy law framework. Under the bill, political parties are exempt from most privacy obligations that apply to corporations and government agencies. They can collect, use, and share Canadians' personal data with rules so weak they are effectively unenforceable. The Senate had amended the bill to require the government to establish real privacy obligations for parties within three years. The government rejected the amendment. Only one MP spoke before the motion passed. Royal assent followed within hours.

The juxtaposition is striking. In the same legislative session, Canada's government simultaneously removed privacy protections for political party data operations while mandating expanded surveillance infrastructure for communications networks. The entities with the least oversight over personal data are, by design, the political parties making decisions about where surveillance capabilities point.

"All within a matter of hours. Bill passes without privacy safeguards and without any real discussion or debate." - Michael Geist, on Bill C-4's royal assent, March 2026

Privacy commissioners in multiple provinces have raised alarms about the combined effect. If political parties can collect and analyze metadata about Canadians' communication patterns - data that, under SAAIA, will now be retained for up to a year by telecoms - the potential for surveillance-informed political targeting becomes significant. The data retention mandates in SAAIA do not specify that only law enforcement can ever access retained data through legal process. Litigation about who can compel production of retained metadata is already anticipated by civil liberties lawyers who reviewed early drafts of the bill.

The Constitutional Collision Course

Section 8 of the Canadian Charter of Rights and Freedoms protects against unreasonable search and seizure. The Supreme Court's line of jurisprudence beginning with R v Plant (1993) and continuing through R v Tessling (2004), R v Spencer (2014), and R v Marakah (2017) has progressively recognized that digital communications carry reasonable expectations of privacy.

Spencer specifically addressed whether subscriber information - the identity behind an internet connection - can be accessed without a warrant. The Court found that the anonymity of internet activity is a genuine privacy interest. The subsequent Rogers/CRTC legal battles over whether telecoms could share metadata with third parties extended this reasoning into the commercial context.

Bill C-22's first half addresses this by requiring judicial orders for most subscriber information access. This is the improvement legal analysts acknowledge. The SAAIA provisions are where the constitutional vulnerability lives.

The Supreme Court has not yet addressed whether compelling private companies to build surveillance infrastructure on behalf of the state, and to secretly maintain that infrastructure for potential government use, constitutes an unreasonable search. The Assistance and Access Act in Australia has faced similar challenges. The UK's Investigatory Powers Act survived a Court of Justice of the European Union review only because Brexit removed the UK from EU law - the Act would have been struck down under EU data protection standards.

Canada's Lawful Access Timeline

2005: First lawful access bill introduced under Liberal government - dies on order paper
2012: Bill C-30 (Conservative) sparks nationwide backlash over warrantless access provisions - Justice Minister Toews' "with us or with the child pornographers" kills the bill politically
2014: R v Spencer: Supreme Court rules Canadians have privacy rights in subscriber information, complicating warrantless access
2021: Liberal Online Harms consultation floats proactive monitoring requirements - withdrawn after widespread criticism from civil society and industry
Spring 2025: Bill C-2 buries lawful access in border measures legislation - warrantless subscriber access provisions face immediate legal challenges
Mar 2026: Bill C-22 introduced: removes warrantless subscriber access, but SAAIA surveillance capability mandates and metadata retention provisions remain
2026-2027: Charter challenges anticipated - Citizen Lab, EFF Canada, and telecommunications lawyers already reviewing the bill for litigation strategy

Canadian civil liberties organizations and academic legal researchers are already preparing the arguments. The SAAIA provisions - specifically the capability-building mandates and the metadata retention requirements - are the most likely targets for Charter challenges under Sections 7 (life, liberty, security) and 8 (unreasonable search). The secrecy provisions may face separate challenges under Section 2 (freedom of expression) and Section 1 (reasonable limits demonstrably justified in a free and democratic society).

The government's legal team will defend SAAIA as a law enforcement necessity with adequate oversight through the Intelligence Commissioner. That argument may survive at the trial division level. Observers who watched the UK and Australian versions of these fights predict it will not survive the appellate courts indefinitely - particularly as the Supreme Court's metadata privacy jurisprudence continues to develop.

What Comes Next for Canadian Internet Users


Canadians using communications platforms that qualify as "core providers" under SAAIA may have their metadata retained for up to a year - and won't know who can access it. (Pexels)

The practical implications of Bill C-22 will not be immediately visible. That is by design. The surveillance architecture SAAIA creates will be built incrementally, through regulation, outside the full glare of parliamentary debate. The government will identify "core providers" through a regulatory process. Core providers will receive capability orders. They will comply in secret. The networks Canadians use every day will develop new technical capabilities that their users cannot see and cannot audit.

For most Canadians, nothing will change on the surface. Phones will still work. Email will still arrive. Streaming will still buffer. The infrastructure underneath those services will be different.

The second-order effects are where it gets interesting. Several large international platforms are watching Canadian legislation closely as they evaluate their legal exposure under SAAIA. Meta's WhatsApp has resisted Australian Assistance and Access demands through legal challenge for several years. Signal has publicly stated it will exit jurisdictions that require backdoors rather than comply. If SAAIA triggers similar conflicts with major platforms, Canadians could find that some communication services withdraw from the country or degrade their service levels to avoid capability-building obligations.

Smaller Canadian internet providers and cloud startups face a different problem. The capability-building mandates in SAAIA assume substantial technical resources. A large ISP like Bell or Rogers can absorb the compliance cost of building and maintaining government access infrastructure. A small regional ISP or a Canadian startup offering secure communications to healthcare providers or legal firms may not be able to - or may find that compliance fundamentally changes the security architecture of their product in ways their customers will not accept.

The innovation chilling effect of broad surveillance mandate legislation has been documented across multiple jurisdictions. Australia's Assistance and Access Act caused several security-focused Australian tech companies to restructure operations or relocate outside Australian jurisdiction. Encryption startup founders cited SAAIA's predecessor Bill C-2 as a factor in their decisions about whether to incorporate Canadian entities. Bill C-22's narrower subscriber access provisions reduce one piece of that concern. SAAIA expands another.

The Bigger Picture: Five Eyes Infrastructure Standardization

Step back from the Canadian debate and the picture that emerges is systematic. Australia passed surveillance capability mandates in 2018. The UK strengthened its Investigatory Powers Act in 2022 and 2024. New Zealand's Government Communications Security Bureau has operated under similar frameworks since 2013. The United States has CALEA (the Communications Assistance for Law Enforcement Act, dating to 1994) and increasingly aggressive interpretations of it applied to internet services.

Five Eyes nations - the intelligence-sharing alliance comprising the US, UK, Canada, Australia, and New Zealand - have been progressively standardizing their lawful access requirements across their respective domestic legislation. The stated goal is eliminating "safe harbor" jurisdictions where criminal networks and hostile intelligence services can operate in the gap between national surveillance architectures.

The effect is the creation of a unified surveillance infrastructure standard across the democratic world's most powerful intelligence alliance. An ISP operating in multiple Five Eyes countries faces essentially the same capability mandates in each jurisdiction, implemented through domestically-branded legislation, aligned with 2AP and CLOUD Act frameworks for cross-border data sharing.

This architecture was not designed in Parliament. It was designed in the intelligence community, negotiated in intelligence-sharing agreements, and then expressed into domestic legislation one bill at a time over two decades. Bill C-22's SAAIA provisions are the Canadian chapter of a much longer book.

The privacy advocates challenging SAAIA in Canadian courts are not just challenging a Canadian law. They are challenging one node in a transnational surveillance infrastructure. Canadian courts can strike down SAAIA's worst provisions - and they may. They cannot strike down the Budapest Convention, the CLOUD Act, or the bilateral intelligence sharing agreements that form the structural foundation of what SAAIA is designed to plug into.

That is the fight ahead. The bill is new. The architecture it joins is twenty years old. And it was built specifically to be difficult to unwind.

Key Provisions to Watch

Professor Michael Geist, whose decade of detailed analysis of Canadian lawful access legislation has made him the most-cited legal voice on these issues, summarizes the situation precisely: the government made real concessions on subscriber information access, and SAAIA remains dangerous. Both things are true. The bill is better than Bill C-2 in one specific dimension and worse in another. That is not a reason to stop worrying. It is a reason to read the whole bill.
