Privacy-focused messaging app Signal has threatened to exit the Canadian market if forced to comply with the country’s proposed lawful access legislation. The company’s vice president argued Bill C-22 threatens encryption and could create vulnerabilities for cyberattacks. The bill, currently under parliamentary review, would require service providers to build surveillance capabilities and retain user metadata.
Privacy messaging app Signal stated it may exit Canada if compelled to comply with the proposed lawful access bill, Bill C-22. The legislation would require companies to build technical surveillance capabilities that some argue threaten end-to-end encryption.
In an interview, Signal‘s vice president of strategy and global affairs, Udbhav Tiwari, argued the bill could “threaten encryption” and leave private messaging services vulnerable to potential cyberattacks. The regulatory package would require electronic service providers to build surveillance capabilities and retain certain user metadata for up to a year.
The bill aims to help law enforcement investigate serious crimes like terrorism and child exploitation. Some have criticized it for implications on user privacy, echoing concerns similar to the EU’s chat control proposal.
Tiwari said the firm “would rather pull out of the country” than comply and compromise its privacy promises to users. He added that Bill C-22 could allow hackers to exploit engineered vulnerabilities, with private messaging services being ideal targets.
The bill is not yet law and must still pass through parliamentary review and receive royal assent. Committee hearings on the legislation began on May 7 and are currently ongoing.
Tech giant Meta has welcomed certain aspects, stating it provides law enforcement an effective legal framework. The company also raised concerns that certain parts negatively affect Canadians’ privacy and cybersecurity.
VPN service provider Windscribe said it would follow Signal out of Canada if the law passes. In an X post, the company argued the law poses a threat to user privacy and would likely require VPNs to log identifying user data.
