Canada’s Bill C-22 Sparks Industry Backlash Over Encryption and Metadata Access
Canada’s proposed lawful access bill, Bill C-22, drew opposition from Signal, Apple, Google, Meta, NordVPN, DuckDuckGo, Windscribe, and Tailscale, which warned that the measure could force providers to weaken encryption, retain user metadata for up to one year, and build technical capabilities for government access. Critics said the bill’s use of secret ministerial orders and limited judicial oversight could undermine privacy commitments, raise compliance costs, and create new security weaknesses that malicious actors could exploit.
Canadian officials said the legislation is intended to modernize investigative powers and that amendments will clarify it is not meant to break encryption, but the government plans to preserve the one-year metadata retention requirement. Civil liberties groups and researchers including Citizen Lab and the Canadian Civil Liberties Association argued that the metadata retention and ministerial-order provisions should be removed entirely, warning that the proposal deepens the conflict between lawful access demands and the need to protect privacy, cybersecurity, and secure communications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Canadian minister says Bill C-22 amendments will clarify encryption stance
Public Safety Minister Gary Anandasangaree said amendments to Bill C-22 will clarify that the legislation is not intended to undermine encryption, while the government plans to retain the one-year metadata retention provision.
Tech firms and advocates oppose Canada's Bill C-22
Signal, NordVPN, Windscribe, DuckDuckGo, Apple, Google, Meta, Tailscale, and privacy advocates publicly opposed Canada's proposed lawful access bill, warning it could weaken encryption, mandate metadata retention, and require government access capabilities.
Passengers seek full Fifth Circuit rehearing in CrowdStrike case
Airline passengers asked the full Fifth Circuit Court of Appeals to rehear their lawsuit against CrowdStrike, arguing their claims concern CrowdStrike's negligence as a software developer rather than airline services. CrowdStrike said it remains confident the dismissal will be upheld.
Lower courts dismiss passengers' CrowdStrike lawsuit
A U.S. District judge and later a three-judge Fifth Circuit panel held that airline passengers' claims against CrowdStrike were preempted by the Airline Deregulation Act.
Faulty CrowdStrike Falcon update disrupts 8.5 million systems
In July 2024, a defective CrowdStrike Falcon software update caused a major outage that disrupted 8.5 million systems and led to airline-related disruptions affecting passengers.
Citizen Lab submits Senate analysis urging changes to Bill C-22
On 2026-06-02, Citizen Lab submitted an analysis of Canada's Bill C-22 to the Standing Senate Committee, warning that the proposal could impose broad surveillance obligations, threaten human rights and transparency, weaken encryption, and harm cybersecurity. The submission recommended withdrawing several elements of the bill and amending others to reduce harm.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Submission to the Standing Senate Committee on National Security, Defence and Veterans Affairs of Bill C-8 - The Citizen Lab
citizenlab.ca
Open sourceSignal and Other Firms Oppose Canada's Proposed Surveillance Law - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourcePassengers Seek Full Appeals Court Review in CrowdStrike Case
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ireland Proposes Communications Bill to Legalize Police Spyware and Expand Interception Powers
Ireland’s government announced plans to introduce the **Communications (Interception and Lawful Access) Bill**, a legislative overhaul intended to modernize the country’s lawful interception framework and explicitly provide a legal basis for law enforcement use of **spyware**. Officials said the existing **Postal Packets and Telecommunications Messages (Regulation) Act 1993** predates modern communications, particularly end-to-end encrypted messaging, and argued a new framework is needed to address serious crime and security threats while adding “robust” safeguards to ensure powers are necessary and proportionate. The proposed bill is described as covering **“all forms of communications, whether encrypted or not,”** and enabling access to both **content and metadata**, expanding scope to services and device categories such as electronic messaging platforms, email, and **IoT** communications. While the announcement emphasizes privacy/security safeguards and increased technical cooperation between state agencies and service providers, reporting notes it does not clearly explain the technical mechanism for accessing encrypted communications—an outcome that in practice often requires **device compromise** (e.g., government-grade spyware) or local forensic extraction tools (e.g., *Cellebrite*). The government also indicated alignment with the EU Commission’s roadmap on lawful access and encryption-related interception issues.
Mar 21, 2026
Civil Society and Industry Opposition to EU Digital Omnibus and Encryption Backdoor Proposals
A coalition of 127 civil society organizations and trade unions has voiced strong opposition to the European Union's proposed Digital Omnibus changes, warning that these reforms could significantly weaken existing data protection and privacy laws such as the GDPR. The proposed legislation is criticized for potentially reducing safeguards on personal data, including genetic and biometric information, and for making it easier to use such data in AI training and online tracking. The coalition also expressed concern over the lack of transparency and democratic oversight in the legislative process, urging the European Commission to maintain robust digital rights protections. In parallel, more than 60 digital commerce and trade groups have called on governments worldwide to reject any efforts to weaken or bypass encryption, emphasizing that strong encryption is essential for user privacy, secure data protection, and trust in digital interactions. These groups argue that introducing backdoors or technical mandates for lawful access would undermine security for all users, outweighing any potential benefits for law enforcement. The letter comes amid ongoing debates in Europe and elsewhere about mandating access to encrypted data for criminal and national security investigations.
Mar 21, 2026
Signal Threatens EU Exit Over Proposed Chat Control Law Mandating Message Scanning
Signal, a leading provider of end-to-end encrypted messaging services, has publicly stated it will withdraw from the European Union market if the proposed Chat Control legislation is enacted. The Chat Control proposal, currently under consideration by the European Union and spearheaded by the Danish Presidency, would require all messaging platforms, including those offering end-to-end encryption, to scan user communications and files for abusive or illegal material before messages are sent. This measure is intended to combat child exploitation and other criminal activities, but has raised significant concerns among privacy advocates, technology experts, and encrypted messaging providers. Signal Foundation President Meredith Whittaker has argued that the legislation would effectively mandate mass surveillance, undermining the privacy and security of all users, including government officials, journalists, activists, and vulnerable populations. The proposed law would require service providers to implement scanning mechanisms that could potentially be exploited by hackers or nation-state adversaries, thereby increasing the risk of unauthorized access to sensitive communications. Privacy experts warn that the requirement to scan messages before encryption would fundamentally break the security model of end-to-end encrypted services, exposing all users to potential surveillance and data breaches. The pending vote, scheduled for October 14, has become a focal point of debate, with Germany holding a pivotal swing vote that could determine the law's fate. Historically, Germany has opposed such measures, but recent political developments have cast uncertainty on its position. Denmark, currently presiding over the Council of the European Union, has been a strong proponent of the legislation and is pushing for its adoption. The controversy highlights the ongoing tension between law enforcement objectives and the protection of digital privacy in Europe. Signal's threat to exit the EU market underscores the potential impact on both users and the broader technology ecosystem if the law is passed. Other encrypted messaging platforms, such as Telegram, WhatsApp, and Threema, are also likely to be affected by the proposed requirements. The debate has drawn international attention, with privacy advocates warning that the law could set a precedent for similar measures in other jurisdictions. The outcome of the EU vote will have significant implications for the future of encrypted communications and digital privacy rights across Europe. If enacted, the law could force major changes in how messaging services operate, potentially leading to reduced privacy protections for millions of users. The situation remains fluid as stakeholders on all sides lobby for their positions ahead of the critical vote.
Mar 21, 2026