Bill C-22 does not build a new surveillance system. It legalizes the one Canada already runs — and makes it permanent, mandatory, and exportable.
Bill C-22, the Lawful Access Act, does not create a surveillance apparatus. It codifies one that is already deployed and expands its legal reach. The distance between what Canada’s security agencies already do and what the bill makes lawful is, in large part, paperwork. The infrastructure exists. The bill makes its use permanent, mandatory, and shareable with foreign governments.
Introduced on March 12, 2026 by Public Safety Minister Gary Anandasangaree, the bill compels electronic service providers — internet providers, messaging apps, cloud services, email hosts, social platforms, VPNs — to retain user metadata for up to a year and to build access mechanisms for law enforcement and CSIS. The minister insists the government is “not looking for sneaky ways to surveil Canadians,” and his office says the bill covers metadata only, not the content of communications. The companies that would have to build the access do not believe the distinction holds.
Their response has been close to unanimous. Signal says it would leave the Canadian market rather than comply. Windscribe, headquartered in Toronto, says it would move its head office and its taxes out of the country. NordVPN says it would not weaken its architecture under any version of the law.
Apple says the bill would force it to break encryption, “something Apple will never do.” Meta has objected, two US House committee chairs have warned it could weaken North American cyber-defences, and Shopify’s Tobi Lütke called it a potential “death blow to Canadian tech viability.” The government has not substantively answered any of them.
What the bill actually does
C-22 has two operative mechanisms. The first is mandatory metadata retention: providers must store the data around a communication — its timing, the device identifiers, IP addresses, location, and the record of who contacted whom and when — for up to a year, available to law enforcement and CSIS. The second is mandatory capability: the minister can issue orders requiring a provider to build interception and access capabilities into its systems, with limited public disclosure and little meaningful recourse for the company served with the order.
The NDP has named the core problem plainly. Bulk retention replaces targeted suspicion with generalized surveillance: you do not need to be suspected of anything for your metadata to be held. Everyone’s is held, all the time, for a year, available to the state on request.
The Electronic Frontier Foundation has warned that the bill’s definitions of “systemic vulnerability” and “encryption” are broad enough to require companies not merely to hand over data but to build the mechanism through which access is obtained — to undermine their own security architecture. The Canadian Civil Liberties Association and a coalition of rights groups have called on Parliament to scrap the bill’s most expansive provisions outright.
The bill also widens information sharing with foreign governments, the United States foremost among them, and opens the door to requests aimed at companies abroad. Its predecessor, Bill C-2, the Strong Borders Act, was drafted broadly enough that critics warned it could be used to ask whether a person had seen a particular doctor or donated to a given cause. C-22 narrows some of that. The core architecture — bulk retention, secret ministerial orders, mandatory backdoor capability, foreign sharing — survives intact.
The backdoor is the vulnerability
The government’s case is that the access exists only for authorized use. That argument was tested in the United States in 2024 and it failed completely. A Chinese state-linked group known as Salt Typhoon exploited the lawful-intercept infrastructure that American telecoms are required to maintain under the Communications Assistance for Law Enforcement Act — the very backdoor built for the FBI. They moved through the systems of nine or more major carriers.
What they took is the point. They accessed the communications metadata of more than a million users, obtained the lists of phone numbers under active law enforcement surveillance, and in a smaller set of cases involving senior political figures, captured the actual audio of phone calls. The intercept system designed to let American agencies listen became the instrument through which a foreign intelligence service listened to America. As the EFF put it, there is no such backdoor that only lets in the good guys.
Michael Geist, Canada’s leading authority on digital-rights law, has documented that C-22’s core provider obligations — the requirement to develop interception capability and install the devices that enable access — are functionally the Canadian equivalent of the CALEA requirements Salt Typhoon walked through. This is not a hypothetical risk. It is the same design, proposed for Canadian networks, after its American version was demonstrated to be a liability rather than an asset.
The European legal system reached the same conclusion years ago, in law rather than through breach. The Court of Justice of the EU struck down general data retention twice — in the 2014 Digital Rights Ireland judgment and again in the 2016 Tele2 ruling — finding that holding everyone’s metadata without reasonable suspicion is incompatible with fundamental rights. Canada is now proposing, in 2026, to build the architecture that Europe has already ruled unlawful and that America’s own implementation proved dangerous.
The likely outcome is not a mystery either. When India ordered VPN providers in 2022 to retain customer data for five years, ExpressVPN, NordVPN, Surfshark, and others pulled their physical servers out of the country rather than comply. India’s government told them that if they disliked the rules, they could leave. They left. Canada appears to be running the same play, and the companies are again signalling the same answer.
The surveillance is already happening
C-22 is not the beginning of state surveillance of digital life in Canada. It is the legalization of practices already in operation. Stingray devices — IMSI catchers that impersonate a cell tower, tricking every phone nearby into connecting and surrendering its identifiers, IP address, and location — were established technology long before the public encountered them in coverage of events like the 2021 Capitol riot. The technology was in active use for years before it was convenient for anyone in power to confirm it existed.
The retention provisions become most alarming when paired with the tools that already exist to query the data. Geofencing tools let an investigator identify every device present in a given area within a given window, then pull the identifiers, location history, and online traces tied to those devices — the same behavioural data the advertising industry already collects and sells. The result is a complete picture of who was where and when, cross-referenced against everything those devices have done online.
Anyone who has visited a site that fingerprints their browser knows how much is surrendered without a login or a click: operating system, browser, network, location, a device signature. The panopticon is largely built. C-22 makes feeding it a legal requirement.
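The geofence-then-cross-reference step described above, as an added example that is not from the article: it shows what "metadata only" records yield once they are retained in bulk and queried by area and time. Every record, device identifier and coordinate is constructed, and the square query box stands in for real cell geometry.

```python
# Added example, not from the article: what "metadata only" records reveal once
# they are retained in bulk and queried by area and time. All records, device
# identifiers and coordinates below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class MetaRecord:
    device: str        # constructed device identifier (stand-in for an IMSI)
    peer: str          # the device contacted; no message content is stored
    ts: datetime       # when the communication happened
    lat: float         # approximate position from the serving cell (constructed)
    lon: float

# Constructed retained metadata. dev-C never enters the area of interest.
RECORDS = [
    MetaRecord("dev-A", "dev-C", datetime(2026, 3, 12, 18, 5), 45.5017, -73.5673),
    MetaRecord("dev-B", "dev-D", datetime(2026, 3, 12, 18, 20), 45.5020, -73.5670),
    MetaRecord("dev-C", "dev-A", datetime(2026, 3, 12, 18, 6), 45.4215, -75.6972),
    MetaRecord("dev-A", "dev-E", datetime(2026, 3, 12, 21, 0), 45.5017, -73.5673),
    MetaRecord("dev-E", "dev-A", datetime(2026, 3, 13, 9, 0), 45.5100, -73.5600),
]
# Query area and one-hour window (constructed).
CENTRE = (45.5017, -73.5673)
WINDOW = (datetime(2026, 3, 12, 18, 0), datetime(2026, 3, 12, 19, 0))

def in_box(rec, lat, lon, half_side):
    """Square geofence in degrees; real tools use cell sectors or haversine."""
    return abs(rec.lat - lat) <= half_side and abs(rec.lon - lon) <= half_side

def geofence(records, lat, lon, half_side, start, end):
    """Every device with a retained record inside the box during [start, end]."""
    return {r.device for r in records
            if in_box(r, lat, lon, half_side) and start <= r.ts <= end}

def contacts(records, device):
    """Who a device communicated with, in either direction, over the whole retention period."""
    return ({r.peer for r in records if r.device == device}
            | {r.device for r in records if r.peer == device})

def associate(records, lat, lon, half_side, start, end):
    """Geofence hits expanded one hop through the contact graph: a device that was
    never near the area (dev-C) becomes linked to it purely through who it called."""
    return {d: contacts(records, d)
            for d in geofence(records, lat, lon, half_side, start, end)}

if __name__ == "__main__":
    for dev, peers in sorted(associate(RECORDS, *CENTRE, 0.01, *WINDOW).items()):
        print(dev, "was present; linked to", sorted(peers))
```

Nothing in the records is message content, yet the query places two devices at a time and place and attaches a third, hundreds of kilometres away, to the same event.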
Drones extend it into physical space. Montreal police flew surveillance drones over celebrating Habs fans this month with no incident being monitored, no explanation offered, and no regulatory framework governing the practice. There is no requirement in Canada to disclose what police drones surveil, who receives the footage, or how long it is kept.
That absence is not an oversight. Police use drones because they can, because no one has stopped them, and because the data is useful whether or not it is ever cited in a prosecution. C-22 is that same posture written into law and applied to the entire digital infrastructure.
The template has been running since Harper
The cycle that produced C-22 is old. On October 22, 2014, a gunman killed Corporal Nathan Cirillo at the National War Memorial and stormed Centre Block on Parliament Hill while the Conservative caucus was meeting inside. The attack triggered an internal security review that produced Bill C-51, the sweeping anti-terror law Stephen Harper introduced months later, expanding CSIS’s powers to “disrupt” threats. The attack, the legislation, and the justification formed a closed loop: a security failure becomes the proof that the security apparatus needs more power.
The loop’s tell is what came next. Harper himself conceded that C-51 would not have prevented the attack that was being used to justify it. The powers were not a response to the failure; the failure was the occasion for powers that had nothing to do with it. We covered the original moment of that loop in 2014, when the question being asked was how CSIS missed a man it already knew about — a failure of attention, not of authority, answered with more authority anyway.
C-22 runs the same play. It is framed as a modernization of investigative tools to fight human trafficking, terrorism, and organized crime, and the stated purpose is legitimate. But the mechanism — bulk retention, secret orders, mandatory backdoors, foreign sharing — has little to do with that purpose and everything to do with building permanent infrastructure for generalized surveillance.
The errors that infrastructure produces are not flaws in it. A false match flags you. Your metadata associates you with a flagged number. You assert your rights, and the assertion is itself recorded. The system does not need to be accurate to function. It needs only to be comprehensive.
The government’s reassurance is that the law-abiding have nothing to fear. Signal’s answer to that reassurance is to prepare to leave the country rather than build the thing that would make the claim testable, and that is the correct answer. The question was never whether you are doing anything wrong. The question is who gets to decide what wrong means, and what tools are waiting in their hands on the day they decide you qualify.
Sources
- Fasken — Bill C-22, the Lawful Access Act: provisions, metadata retention, ministerial orders, C-2 lineage
- Global News — Your metadata may be kept a year under the lawful access bill; government “metadata only” position
- Michael Geist — the systemic-vulnerability gap; ss. 5(2) obligations as the Canadian CALEA equivalent
- Electronic Frontier Foundation — Canada’s Bill C-22, a repackaged surveillance nightmare
- Canadian Civil Liberties Association — coalition letter urging MPs to scrap the surveillance measures
- TechRadar — Signal and Windscribe threaten to exit Canada over C-22
- BigGo Finance — Apple, Meta, Signal, NordVPN, and Shopify’s Lütke (“death blow”) respond to C-22
- CBC News — Why two US House committee chairs are warning about Canada’s Bill C-22
- State of Surveillance — Salt Typhoon exploited CALEA wiretap systems; metadata for 1M+ users; EFF “no backdoor” quote
- Breached.Company — Salt Typhoon compromised CALEA at 9+ carriers; call content for high-profile targets, FBI surveillance lists exposed
- Court of Justice of the EU — Digital Rights Ireland (2014) and Tele2 Sverige/Watson (2016): general data retention unlawful
- The Register — ExpressVPN and others pull servers from India over 2022 data-retention rule; “they can leave”
- APTN News — Harper admits Bill C-51 would not have stopped the October 2014 Ottawa attack
- The Canadian Encyclopedia — the October 22, 2014 Parliament Hill attack
- Spark Solidarity — Ottawa Attack on Parliament: “How did CSIS miss them?” (2014)