Canada's Bill C-22: Same Surveillance Bill, New Number

5 min read · 1 source · Clear take
├── "Bill C-22 is a dangerous surveillance bill disguised as cybersecurity legislation that must be opposed"
│  └── Electronic Frontier Foundation (EFF Deep Links)

The EFF argues that Bill C-22 is a 'repackaged version of last year's surveillance nightmare' (Bill C-26), reintroduced with minimal substantive changes despite extensive criticism from civil liberties organizations, privacy commissioners, and legal scholars. They highlight that the bill grants cabinet secret, virtually unlimited power to order telecom providers to modify network architecture and encryption, with no judicial review and gag orders preventing disclosure to users.

├── "The bill's secrecy provisions — secret orders with no judicial review and gag clauses — are the most dangerous element"
│  └── Electronic Frontier Foundation (EFF Deep Links)

The EFF specifically flags the secrecy mechanism as the bill's most dangerous feature: government orders to telecom operators can be classified, operators are prohibited from disclosing their existence, and there is no mandatory judicial review before they take effect. They characterize this as 'the architecture of a backdoor regime' that prevents companies from even informing users that their infrastructure has been compromised by government mandate.

├── "The government is deliberately ignoring prior criticism by reintroducing the same bill unchanged"
│  └── Electronic Frontier Foundation (EFF Deep Links)

The EFF emphasizes that Bill C-26 died on the order paper when Parliament dissolved, and rather than addressing specific criticisms raised by civil liberties groups, privacy commissioners, legal scholars, and the tech industry, the government reintroduced essentially identical legislation under a new number. This pattern suggests the government is not engaging with substantive objections but simply waiting for political opportunities to pass the bill.

└── "The bill's deliberately broad language around encryption and network modification could mandate backdoors"
  └── Electronic Frontier Foundation (EFF Deep Links)

The EFF highlights that the bill's language is intentionally vague, covering orders to modify network architecture, install equipment, change security practices, or alter how encryption is implemented. This breadth means the government could effectively mandate encryption backdoors under the guise of 'securing' the telecom system, without any public accountability for doing so.

What happened

The Canadian government has introduced Bill C-22, a cybersecurity and telecom regulation bill that the Electronic Frontier Foundation calls a "repackaged version of last year's surveillance nightmare." The bill landed with a Hacker News score north of 300 — significant for a policy story — because developers recognized it immediately: it's the controversial Bill C-26 (the Critical Cyber Systems Protection Act) from the previous parliamentary session, resurrected with a fresh number and minimal substantive changes.

Bill C-26 died on the order paper when Parliament was dissolved. Rather than address the specific criticisms raised by civil liberties organizations, privacy commissioners, legal scholars, and the tech industry, the government chose to reintroduce essentially the same legislation. The core problem hasn't changed: the bill grants cabinet the power to secretly order telecom providers to do virtually anything the government deems necessary to "secure" Canada's telecommunications system.

The "anything" is doing a lot of work in that sentence. The bill's language is deliberately broad, covering orders to modify network architecture, install equipment, change security practices, or — critically — alter how encryption is implemented.

Why it matters

The bill's most dangerous feature is its secrecy mechanism. Under the proposed legislation, the government can issue orders to telecom operators that are classified. The operators receiving these orders would be prohibited from disclosing their existence. There is no requirement for the government to publish the orders, no mandatory judicial review before they take effect, and companies are gagged from even telling their own users that their infrastructure has been compromised by government mandate.

This is the architecture of a backdoor regime dressed up as cybersecurity regulation. The government frames it as protecting critical infrastructure from foreign threats — a legitimate concern in an era of state-sponsored cyberattacks. But the mechanism chosen is indistinguishable from the "lawful access" frameworks that security researchers have spent decades explaining are fundamentally incompatible with actual security.

The math hasn't changed since the Clipper Chip: you cannot build a backdoor that only the "good guys" can use. Every cryptographer of note has made this point. A government-mandated weakness in telecom infrastructure is a weakness, full stop. It doesn't check passports.

Canada is not operating in a vacuum here. The Five Eyes alliance — the US, UK, Canada, Australia, and New Zealand — has been coordinating pressure on encrypted communications for years. Australia passed its Assistance and Access Act in 2018, which created a framework for compelling companies to break their own encryption. The UK's Online Safety Act contains similar provisions. Bill C-22 fits neatly into this pattern: each Five Eyes nation building its own legal lever to pry open encrypted communications, creating a de facto international backdoor mandate without ever having to pass one explicitly.

The Canadian Civil Liberties Association, the Citizen Lab at the University of Toronto, and multiple legal scholars raised these exact concerns about Bill C-26. The specific criticisms were detailed and technical: the scope of ministerial orders was too broad, the secrecy provisions eliminated accountability, the definition of "telecommunications service provider" was expansive enough to capture cloud services and potentially app developers, and the absence of proportionality requirements meant the government could order a nuclear response to a routine threat.

The government's response to these criticisms was not to fix the bill — it was to reintroduce it with a new number and hope nobody noticed. The Hacker News score suggests that strategy isn't working.

What this means for your stack

If you're a developer building or maintaining services that operate in Canada or serve Canadian users, Bill C-22 demands attention. The bill's definition of "telecommunications service provider" in the C-26 predecessor was broad enough to potentially encompass VPN providers, encrypted messaging services, cloud infrastructure operators, and CDN providers with Canadian points of presence.

The practical implications break down into several categories:

If you operate telecom infrastructure in Canada — traditional carriers, ISPs, and potentially cloud providers with Canadian data centers — you could receive a secret order requiring you to modify your infrastructure. You would not be able to tell your customers. You would not be able to challenge the order in public court. Your compliance team would be operating under a gag order.

If you build encrypted communications tools — messaging apps, email services, VPNs — the bill's broad language around "securing telecommunications" could be interpreted to include orders requiring you to implement lawful intercept capabilities. This is the encryption backdoor scenario that the security community has been warning about for a decade, arriving not as a single dramatic law but as ministerial discretion buried in an infrastructure bill.

If you're a Canadian developer working on open-source security tools, the interaction between compelled assistance orders and open-source development is genuinely unclear. Can you be ordered to introduce a vulnerability into open-source code? The bill doesn't address this, which is itself a problem.

The defensive playbook is limited but worth noting: understand your legal exposure, talk to counsel about whether your service falls under the bill's definitions, and if you operate encrypted services, consider whether your architecture allows you to comply with an intercept order at all. End-to-end encryption where the provider genuinely cannot access plaintext is both the technically correct design choice and, increasingly, a legal shield — you can't be compelled to do what is architecturally impossible.

Looking ahead

Bill C-22 will go through committee review, where it will face the same expert testimony that savaged its predecessor. The question is whether this Parliament will do what the last one didn't: actually listen. The EFF's involvement signals that international pressure from digital rights organizations will be louder this time. But the Five Eyes coordination pattern suggests this isn't a bill that exists in isolation — it's one tile in a mosaic of allied nations building parallel legal frameworks to circumvent the technical reality that strong encryption works. For developers, the political fight matters, but the engineering decision is simpler: build systems where you hold no keys. It's good security practice regardless, and it's becoming good legal practice too.

Hacker News: 341 points, 106 comments

Canada’s Bill C-22 Is a Repackaged Version of Last Year’s Surveillance Nightmare
