Canada’s Bill C-22 creates a blueprint for surveillance

VPN service provider Windscribe says even with amendments, proposed legislation weakens user privacy.

Yegor Sak is the CEO and co-founder of VPN service provider Windscribe, a self-funded, Canada-based internet privacy company.


Canada has a legitimate public safety problem to solve. Police and national security agencies need lawful tools to investigate serious crimes and threats that move through digital systems. 

However, the problem with Bill C-22—the proposed legislation intended to give law enforcement these tools—is that the machinery it builds to get there comes at the cost of online privacy for every Canadian internet user, and many businesses operating in the country.


C-22 creates risk far beyond the handful of large telecoms people imagine when they hear “lawful access.” Its definition of an electronic service provider is broad: a person or company providing an electronic service to people in Canada, or carrying on all or part of its business in Canada. It doesn’t take a tech genius or veteran lawyer to see how large of an umbrella this is and how most Canadian businesses will fall under it. 

At a high level, Bill C-22 would let the government require selected providers to build and maintain technical capabilities so law enforcement and intelligence agencies can access information they are already legally authorized to obtain. It also allows regulations requiring categories of metadata to be retained for up to one year. 


The bill says metadata retention doesn’t include message content, browsing history, or social media activity. They’re making it seem like they just want a quick peek at some basic info—“we want to read the envelopes, not the letters inside”—but that’s still plenty to start painting a picture. Metadata can include transmission data and account-related information that reveals who connected, when, from where, through what service, with what identifier, and sometimes links to other accounts or devices. In practice, metadata is often the map of a person’s digital life. If this is available to authorities, they’ll know the places you’ve been and for how long, just not what you did there.

The other issue is that the capability for this metadata retention still has to be built somewhere. Building databases, maintaining systems, providing employees proper access, complying with all the required regulations: every one of those pieces becomes not only a new cost but a new failure point as well.

For small providers, costs can be absurd

Large providers can foot the bill for these obligations, though they are still expensive and risky, but for small providers the costs can be absurd. A family-run online store, a regional software company, a small hosting provider, or even a doctor or lawyer sending out emails does not have the security team of a bank or a major privacy company.

Grandma Beth, running her flower shop that takes online orders, doesn’t have full-time legal counsel or system engineers to ensure that her government-mandated database of customer information is secure from modern threats. The politicians in Ottawa might say that this is not who the legislation is intended for, but the law is what is written in the pages of the bill, and currently its broad language leaves room for these obligations to land far outside the group of companies actually equipped to handle them. 


Once a business is required to collect or retain data it would otherwise avoid keeping, the privacy of citizens is, by nature, more at risk. The more of your information that is stored somewhere, the more opportunities there are for criminals, hostile states, malicious insiders, and identity thieves to get at it. Canada has spent years telling organizations to collect less data because data minimization reduces breach risk, yet it is now introducing a bill that goes completely against that philosophy.

Windscribe has a direct stake in this debate because our product is built around not retaining user logs. If the law pushes privacy companies toward retaining data, it weakens the very architecture users choose us for. But beyond VPNs, any Canadian who uses online services should care when the state encourages businesses to store more sensitive data than they need.

As of writing, Canada’s Public Safety Minister Gary Anandasangaree has stated that amendments to the bill are being prepared. We don’t yet know what the changes to the written text of the bill will be, but going off his stated intentions, the focus is on maintaining encryption. 

While a step in the right direction, he also said there won’t be any budging on the requirement for electronic service providers to collect and store a year of metadata. This means the privacy and security of Canadian citizens remains at risk, and Windscribe would still be forced to relocate our headquarters out of Canada to maintain user privacy.

The fix is straightforward. Bill C-22 should be narrowed so mandatory retention and technical-capability requirements apply only to clearly defined classes of providers that are technically capable, security mature, and genuinely necessary to the investigative purpose. Privacy services and small businesses should not be forced into broad data-retention schemes. 

Orders should require strong judicial authorization, meaningful transparency where possible, independent technical review, and a practical right to challenge overbroad demands before compliance work begins. There is a way to give law enforcement the tools they need to solve crimes without turning every business in Canada into the government’s surveillance sector and every Canadian citizen into a suspect.

If Parliament wants a lawful-access bill, it should write one that respects the security reality of the internet. The safest database is still the one that never had to exist. Canada should be rewarding companies that collect less, not building a legal framework that pressures them to collect more.

The opinions and analysis expressed in the above article are those of its author, and do not necessarily reflect the position of BetaKit or its editorial staff. It has been edited for clarity, length, and style.

Feature image courtesy Pexels. Photo by Splash of Rain.
