I take self-custody seriously. Bitcoin, my seed phrases, my communication channels, the phone in my pocket. This is the same instinct that drives the discipline of choosing constraints — the hard cap on my money and the hard limits on who gets access to my data. So when I started reading about Bill C-22, I paid attention.
What Is Bill C-22?
Formally the “Lawful Access Act, 2026,” C-22 is the Liberal government’s attempt to update how police and CSIS access digital communications during investigations. Sponsored by Public Safety Minister Gary Anandasangaree. Currently being studied by the House of Commons public safety committee.
Sounds reasonable on the surface. Police need tools. Nobody wants criminals to operate in the dark.
But the bill has two parts. One of them is a problem.
Part 1 modernizes warrant processes — streamlined court orders for basic subscriber info (name, IP address). Not great, mostly procedural.
Part 2 is where things get dangerous.
The Metadata Problem
Part 2 would force internet and phone companies — Rogers, Bell, Telus, anyone providing electronic services in Canada — to retain your metadata for up to one year.
Not message content. But who you talked to. When. For how long. Where you were. What you searched. In what pattern.
Privacy Commissioner Philippe Dufresne appeared before the committee and said this directly: mandatory metadata retention at this scale raises serious privacy concerns. His submission: Privacy Commissioner’s statement
The problem with metadata is that it describes your life. Researchers have shown four location pings are enough to uniquely identify 95% of people. Who you call at 2am, where you sleep, which doctor you visit, who you associate with — all stored for a year. Not because you’re a suspect. Because the law says so.
Michael Geist, a University of Ottawa law professor and Canada’s leading digital rights scholar, called C-22 “a two-headed surveillance monster.” His full analysis: How Bill C-22 went off the rails
Encryption Under Direct Threat
This is the one that should worry anyone using encrypted messaging.
C-22 gives the Minister the power to order any electronic service provider to build surveillance capabilities into their systems. The “technical capability” provision. In plain language: if the government wants to tap your encrypted messages, it can order the provider to redesign its app to allow it.
The government says this won’t affect encryption. Critics, including Meta (rare to see them on the privacy side of anything), say it absolutely will. Meta’s position: Meta on Bill C-22
ProtonVPN — the Swiss company built on a no-logs architecture — says they literally cannot comply. They don’t keep the data. Michael Geist covered it: ProtonVPN says C-22 would violate Swiss law
You can’t weaken encryption for “the bad guys” without weakening it for everyone. Every backdoor is a vulnerability. Every compelled redesign makes the entire user base less safe.
The Constitutional Challenge
The Justice Centre for Constitutional Freedoms, based in Calgary, submitted a parliamentary brief opposing Bill C-22. Their argument: the bill violates Section 8 of the Charter (unreasonable search and seizure). Mandatory metadata retention without suspicion is fundamentally unconstitutional.
If the bill passes in its current form, they’re likely to pursue a Charter challenge. A win there would set a precedent for the whole country.
Where It Stands
The bill is at the House of Commons Standing Committee on Public Safety and National Security (SECU). Minister Anandasangaree is pushing for passage before Parliament breaks for summer.
- Liberals proposed amendments on May 27. Critics say they don’t go far enough.
- Conservatives want the bill split in two — pass Part 1, kill Part 2. Oshawa MP Rhonda Kirkland moved this motion on June 2.
- Centre for Free Expression called it “the most expansive invasion of Canadian privacy rights in modern history.”
- Meta, Proton, and others publicly opposed.
What You Can Do
1. Write your MP
A short email takes five minutes. Find your MP
2. Write the SECU committee
Tell them to kill Part 2 — or send the whole bill back for a rewrite with real privacy protections.
3. Support the JCCF
They’re leading the legal fight and need funding for Charter challenges: JCCF donate
4. Get your tools in order now
Whether or not C-22 passes:
- XMPP + PGP for messaging (decentralized, encrypted)
- A VPN that doesn’t log (ProtonVPN, Mullvad)
- GrapheneOS on a Pixel if you’re on Android
- Bitcoin over Tor when transacting
- Payjoin for better privacy on-chain
- Lightning for smaller payments
5. Read the bill yourself
Full text: Bill C-22 on openparliament.ca
Bottom Line
Same principle as Bitcoin: don’t trust, verify. C-22 asks you to trust that these powers won’t be abused, that metadata retention won’t be expanded, that encryption mandates will stay carefully scoped. That’s a lot of trust.
I prefer systems that don’t require trust.
The history of surveillance legislation — in Canada, in the UK, everywhere — is that once the infrastructure is built, it gets used. And expanded. And normalized. This is the Blue stage demanding order, Red demanding control — and both need a Yellow response: build alternatives, not ask permission.
If you’re a Bitcoiner, you already understand. The same instinct that makes you hold your own keys should make you care about whether encrypted communication is under threat, or whether your ISP is keeping a year-long record of every site you visit.
This one’s not theoretical. It’s in committee right now.