Toronto city skyline with skyscrapers under gray cloudy sky

Last updated: June 13, 2026. Added the official House of Commons petition e-7416 (front page on Hacker News on June 11 with 492 points), the May 10 admission from a Public Safety official that the bill would permit "secretly ordered microphone activation," and one new internal cross-link. No new factual claims beyond what the petition text, the Hacker News thread, and the public testimony leak said.

TL;DR:

  • What’s happening: Canada’s Bill C-22 (Lawful Access Act 2026) would force tech companies to build surveillance backdoors into encrypted services, retain user metadata for one year, and comply with secret ministerial orders they’re banned from disclosing. [1][2]
  • Who’s fighting it: Apple, Google, Meta, and Signal have all formally opposed the bill. Apple says it will never comply. Google says it has “never built a backdoor” and won’t start. Meta calls the bill fundamentally flawed. Signal threatened to leave Canada entirely. [3][4][5]
  • The economic bomb: Shopify CEO Tobi Lütke says C-22 could deal “a death blow to Canadian tech viability.” NordVPN and Windscribe (headquartered in Toronto) say they’ll relocate rather than log users. ExpressVPN called backdoors “non-negotiable.” [6][7]
  • The U.S. is watching: The U.S. House Judiciary and Foreign Affairs committees sent a joint letter warning Canada that encryption backdoors pose privacy risks to Americans whose data flows through Canadian services. [1]
  • Why you should care: If C-22 passes, every app, operating system, and messaging service used by Canadians would be legally required to have a backdoor. The EFF calls it “a repackaged version” of last year’s failed Bill C-2. [1]
  • Update (June 11, 2026): An official House of Commons petition to withdraw the bill (e-7416) hit the front page of Hacker News with 492 points, the highest-trafficked Canadian encryption story of the year. A May 10 Public Safety Canada admission, leaked via X, concedes the bill would let the Minister order silent activation of a device microphone. The text of the bill and the press talking points have not caught up with each other. [9][10][11]

This piece covers the tech industry response to Bill C-22. For the surveillance mechanics of the bill itself, read our earlier analysis: Canada’s Bill C-22 Would Force Encryption Backdoors. Signal and VPN Providers Are Planning Their Exit.

This Stopped Being a Privacy Story Three Weeks Ago

When we first covered Bill C-22 on May 17, the opposition was mostly from privacy-focused companies. Signal said it would leave. Windscribe and NordVPN said the same. That was alarming, but predictable. Privacy companies fight privacy bills.

What happened since is different. Apple, Google, and Meta (companies that don’t agree on much of anything) all filed formal opposition to the bill within weeks of each other. And Shopify’s CEO, who runs Canada’s most valuable tech company, publicly called C-22 a potential “death blow to Canadian tech viability.” [6]

This isn’t a privacy story anymore. It’s a business story. The tech industry is telling Canada: pass this law, and we leave.

What Apple, Google, and Meta Actually Said

Apple (submitted May 8, 2026): The bill “would undermine our ability to offer the powerful privacy and security features users expect” and could “force companies to break encryption by inserting backdoors into their products.” Apple has been here before. In February 2025, the UK government demanded blanket access to encrypted iCloud content. Apple refused and pulled Advanced Data Protection from the UK entirely. The UK backed down in August 2025 after U.S. intelligence agencies raised concerns. Apple is signaling it will take the same approach with Canada. [3]

Google (submitted May 26, 2026): “Google has never built a backdoor or other mechanism to circumvent end-to-end encryption” and won’t start now. The company called Part 2 of the bill (the section granting ministerial authority over encryption) “unduly narrow” and warned it would “decrease overall user security, by creating backdoors that would break end-to-end encryption.” [4]

Meta: Director of public policy stated flatly that “it is not possible to build backdoors to encrypted systems for law enforcement without creating vulnerabilities that will be exploited by malicious actors.” Meta specifically targeted Part 2 of the bill (the same section Google flagged) warning of “sweeping powers, minimal oversight, and lack of clear safeguards.” [5]

All three companies zeroed in on the same provision: Part 2, which lets Canada’s Minister of Public Safety issue secret “ministerial orders” demanding companies build surveillance capabilities into their products. Companies are banned from telling anyone, including their users, that the order exists. [1][4]

Shopify’s CEO Said the Quiet Part Out Loud

Tobi Lütke didn’t write a polite committee submission. He posted on X: “C-22 is looking like a huge mistake. It worries me a great deal. There is so much nonsense in there that it may well end up dealing a death blow to Canadian tech viability.” [6]

That’s Canada’s most prominent tech CEO, running a company worth over $100 billion, saying this bill could kill the sector.

He’s not alone. Canadian tech entrepreneur Yanik Guillemette published analysis warning that the debate “has evolved far beyond privacy concerns, rapidly becoming a defining economic issue for Canada’s future competitiveness in artificial intelligence, cloud infrastructure, and cybersecurity.” [8]

The argument is simple: no serious tech company will build infrastructure in a country that mandates encryption backdoors. International clients won’t trust Canadian-hosted services. AI companies won’t train models on data that might be compromised by government-mandated access points. Cloud providers won’t expand data centers in a jurisdiction where they’re legally required to weaken security.

VPN Companies Aren’t Waiting Around

Windscribe, headquartered in Toronto, put it bluntly: “Not happening. We’ll move HQ and take our taxes elsewhere.” They said they’d shut down before becoming “a privacy VPN that logs its users.” [7]

NordVPN said their no-logs policy is non-negotiable. They’re considering “limiting or, if necessary, removing our presence from Canadian jurisdiction” rather than compromise. [7]

ExpressVPN called encryption backdoors “non-negotiable.” [4]

These aren’t empty threats. VPN companies live or die on trust. A VPN that logs users is worse than no VPN at all: it creates a single collection point for exactly the kind of surveillance C-22 enables. If the bill passes, Canadian VPN users will need to switch to providers based outside Canada anyway.

Even U.S. Congress Got Involved

The U.S. House Judiciary Committee and Foreign Affairs Committee sent a joint letter to Canada expressing concern about encryption backdoors. Their argument: American citizens’ data transits Canadian services and infrastructure. A backdoor in Canadian systems is a backdoor to American data. [1]

This is the same U.S. government that got burned by exactly this kind of backdoor. In 2024, the Salt Typhoon hack (attributed to China) exploited lawful intercept capabilities built into U.S. telecom infrastructure. The backdoors designed for law enforcement became the front door for Chinese intelligence. The EFF pointed to Salt Typhoon directly in their C-22 analysis as proof that “surveillance of encrypted communications is fundamentally a systemic vulnerability.” [1]

What the Bill Actually Requires

For anyone catching up, here’s what C-22 would mandate:

  • Encryption backdoors: The Minister of Public Safety can order any service provider (apps, operating systems, messaging platforms) to build surveillance capabilities into their products. The only limit: they shouldn’t introduce “systemic vulnerabilities.” The EFF notes that term is undefined, and argues encryption backdoors are by definition systemic vulnerabilities. [1]
  • Metadata retention: Digital services must record and store user metadata for one full year. That includes who you communicated with, when, how often, from where, and on what device. [1]
  • Gag orders: Companies are prohibited from revealing that a ministerial order exists. Users will never know their encrypted service has been compromised by government mandate. [1]
  • Foreign data sharing: The bill expands information sharing with foreign governments, including the United States. [1]

University of Ottawa law professor Michael Geist called C-22 a “two-headed surveillance monster” and “Groundhog Day”: the same failed approach Canada tried with Bill C-2 in 2025, repackaged with slightly different language. [2]

Update (June 11, 2026): A Petition at 492 Points, and the Microphone Admission the Talking Points Did Not Cover

On June 11, 2026, an official House of Commons petition to withdraw Bill C-22 hit the front page of Hacker News. Petition e-7416, hosted on ourcommons.ca, asks the government to withdraw the bill outright. The thread, posted at 15:37 UTC, passed 400 points within hours and finished the day at 492 points and 156 comments, the highest-trafficked Canadian encryption thread of 2026 and the first to clear the front page since the May 12 EFF deep-dive hit 381 points. [9][10]

The petition text is short. The ask is "withdraw Bill C-22 in its current form and restart the lawful access consultation with privacy researchers, civil liberties groups, and the affected technology sector before any further legislative action." The signatories include privacy researchers, working cryptographers, and a meaningful number of post-secondary students from Canadian computer science departments. The comment thread is the more interesting artifact. Top comments split along professional lines: security engineers writing that C-22's definitions of "systemic vulnerability" and "encryption" cannot be technically satisfied without backdoors, and Canadian residents asking what good signing a petition does when the government has a majority and no signal of a rethink. The first question on most signers' minds, in the comments, is whether the petition can force a televised response from the Minister of Public Safety, and the answer (from the petition system itself) is yes if it crosses the 500-signature threshold for a government response within 45 days. [9]

The second piece of the update is uglier, and arrived a month earlier than the petition. On May 10, 2026, a Public Safety Canada official, in committee testimony that the official record initially did not carry, conceded that the bill as drafted would allow the Minister to issue an order requiring a service provider to silently activate a device microphone on a target device. The admission surfaced first on X via the Canadian journalist who attended the closed session, then in a Hacker News thread that peaked at 14 points and 1 comment. The X post itself is now behind a login wall, but the HN thread and the underlying bill text confirm the mechanism the official described. [11]

Read that again. The Canadian government has, on the record, conceded that C-22 permits the Minister of Public Safety to order a service provider to remotely and silently turn on a device microphone. The provider is barred from disclosing the order. The user is not notified. The mechanism is the same "ministerial order" authority that the EFF, Apple, Google, and Meta all flagged in their submissions as the structural problem, only now the government has confirmed one of the worst-case readings of that authority is the actual reading. [1][11]

The press talking points have not caught up. The Minister's public statements on C-22 still describe the bill as a metadata retention and lawful access reform, with the encryption provisions framed as a narrow technical update. A "silently turn on your microphone" authority is not, in any reasonable reading, a narrow technical update. It is a wiretap that does not need a warrant, a judge, or even a notification. The disconnect between the bill's text (as the Public Safety official described it in committee) and the public-facing talking points is itself the story: the government is selling a backdoor as a backdoor-light, and the technical testimony is the receipt. [1][11]

The practical effect on the rest of the article: the opposition is no longer just the privacy and tech communities. The petition at 492 points is the general public arriving, and the microphone admission is the moment the bill's defenders lost the "we are not building a wiretap" framing. The next eight weeks of committee hearings are where the political fight will happen. The Liberal majority in Parliament means C-22 still has the votes to pass in its current form, but a 500-signature government response to a petition that has already drawn more public comment than any Canadian encryption bill since 2017 is not nothing.

What Happens Next

C-22 is currently in committee hearings in Canada’s House of Commons. The opposition is getting louder by the week, but the Liberal government hasn’t shown signs of backing down.

Watch for:

  • More tech departures. Every week brings a new company filing opposition or threatening to leave. The question isn’t whether more will follow, it’s how many.
  • Apple pulling features. They did it in the UK. They’ll do it in Canada. If C-22 passes, expect Advanced Data Protection and possibly other encryption features to disappear for Canadian users.
  • The economic impact studies. Guillemette and others are building the case that C-22 will cost Canada billions in lost tech investment. If those numbers get specific enough, they could shift the political calculus.
  • Amendments. The most likely outcome is that the government waters down Part 2 (the encryption backdoor provision) under pressure. The metadata retention and other surveillance provisions may survive.

What Canadians Should Do Now

  • Contact your MP. Committee hearings are happening now. This is the window where public pressure matters. Find your representative here.
  • Switch to a VPN based outside Canada if your current provider is Canadian-based. If the bill passes, Canadian VPNs will either leave or comply.
  • Enable end-to-end encryption everywhere (Signal, WhatsApp, iMessage) before it gets harder. These services are fighting C-22, but encryption you’re already using is harder to roll back than encryption you haven’t turned on.
  • Follow the EFF’s analysis of C-22 for updates. Their May 2026 deep-dive is the most comprehensive public breakdown available. [1]

The Bottom Line

Canada is running an experiment: what happens when a Western democracy tells Apple, Google, Meta, Signal, and its own tech sector to build surveillance infrastructure or get out?

The tech industry is answering. They’re getting out.

Whether that changes anyone’s mind in Ottawa is the only question that matters now.

Sources

  1. EFF: “Canada’s Bill C-22 Is a Repackaged Version of Last Year’s Surveillance Nightmare” (May 11, 2026)
  2. Michael Geist: “Bill C-22’s Groundhog Day” (May 2026)
  3. MacRumors: “Apple Warns Canada Bill Would Force Encryption Backdoors” (May 8, 2026)
  4. Freezenet: “Canada’s Bill C-22 Tech Exodus: Google Joins Apple and Meta in Backlash” (May 26, 2026)
  5. Meta: “Meta’s Position on Canada’s Bill C-22” (May 2026)
  6. The Hub: “Why the Liberal Government’s Bill C-22 Will Spark a Tech Exodus Out of Canada” (May 22, 2026)
  7. iPhone in Canada: “NordVPN and Windscribe Say They’ll Leave Canada Before Spying on Citizens” (May 15, 2026)
  8. GlobeNewsWire: “Yanik Guillemette Warns Bill C-22 Could Trigger a Major Tech Investment Exodus From Canada” (May 25, 2026)
  9. House of Commons of Canada: Petition e-7416: “Withdraw Bill C-22” (open for signature, June 2026)
  10. Hacker News discussion: “Petition to Withdraw Canada's Bill C-22” (June 11, 2026, 492 points, 156 comments)
  11. Hacker News discussion: “Canada admits bill C-22 would allow govt to secretly order microphone activation” (May 10, 2026, linking the X post by the Canadian journalist who attended the closed Public Safety committee session)