DuckDuckGo may withdraw its VPN service from Canada if lawful‑access bill passes

Key Takeaways

  • DuckDuckGo will pull its VPN service from Canada if Bill C‑22 becomes law, citing conflicts with its no‑tracking privacy policy.
  • Bill C‑22 would require electronic service providers to build lawful‑access backdoors and retain customer metadata for up to one year.
  • Metadata retention (who called whom and approximate location) is seen by critics as a privacy risk and a potential hacking target.
  • Other privacy‑focused firms—Signal, Windscribe, and Tailscale—have warned they may also exit Canada or demand changes to the bill.
  • Public Safety Minister Gary Anandasangaree says the government is open to amending the bill to strengthen encryption but will not retreat on the metadata‑retention requirement.
  • Civil‑society groups argue that any mandate to install surveillance tools in encrypted services threatens Canadian privacy and could undermine security.

DuckDuckGo’s Decision to Withdraw VPN Service from Canada
DuckDuckGo, the privacy‑oriented search engine founded by Gabriel Weinberg, announced that it will cease offering its virtual private network (VPN) in Canada should Bill C‑22, the government’s lawful‑access legislation, be enacted. Weinberg emphasized that the bill’s mandates for security backdoors and compulsory metadata retention directly contradict DuckDuckGo’s core privacy pledge: “we don’t track you.” While the company will continue to provide its search engine to Canadian users—marketed as a tracker‑free alternative to mainstream rivals—the VPN service, which encrypts traffic and masks users’ geographic location, will be withdrawn if the law forces the company to alter its infrastructure in ways that enable state surveillance.

Overview of Bill C‑22 and Its Lawful‑Access Provisions
Bill C‑22 proposes to amend Canada’s telecommunications and criminal‑law frameworks to give police and the Canadian Security Intelligence Service (CSIS) lawful access to electronic communications. Under the bill, “electronic service providers”—a broad category that includes phone companies, messaging apps, VPN operators, and other tech firms—would be required to modify their systems so that authorities can intercept data under a lawful warrant. The legislation aims to bring Canada in line with its Five Eyes intelligence partners (the United States, United Kingdom, Australia, and New Zealand), which already possess similar regimes to aid criminal and national‑security investigations. Critics, however, warn that the bill’s sweeping language could compel companies to embed vulnerabilities that weaken encryption for all users.

Metadata Retention Requirements and Privacy Concerns
A particularly contentious element of Bill C‑22 is the requirement that service providers retain certain metadata about their customers for up to twelve months. The retained data would not include the content of emails, web‑browsing histories, social‑media posts, or text messages, but could reveal which telephone numbers have communicated with each other and provide granular location information derived from cell‑tower logs or IP‑address associations. Cybersecurity experts argue that aggregating such metadata creates a lucrative target for hackers, including those sponsored by hostile foreign states, because the data can be exploited to map social networks, infer sensitive habits, or facilitate identity theft. Moreover, the mere existence of a long‑term metadata store raises concerns about mission creep, where initially limited law‑enforcement access expands over time without adequate oversight.

Industry Reactions: Signal, Windscribe, and Tailscale
DuckDuckGo is not alone in voicing alarm. Signal, the end‑to‑end‑encrypted messaging app, told The Globe and Mail that it would withdraw from Canada if compelled to compromise user privacy under Bill C‑22. Similarly, Yegor Sak, CEO of Toronto‑based Windscribe—a provider of VPN and privacy tools—said his company is exploring relocation options because the bill threatens its business model. Avery Pennarun, CEO and co‑founder of Tailscale, which offers a corporate‑focused VPN, warned that mandated “plug‑in” devices or software could become the weakest link in security architecture, noting that historically such government‑mandated backdoors have been implemented by vendors prioritizing accessibility over protection, leading to exploitable flaws. Across the sector, the consensus is that any law forcing companies to weaken encryption or retain invasive metadata undermines the very security promises they make to customers.

Government Stance and Proposed Amendments
Public Safety Minister Gary Anandasangaree acknowledged the pushback, stating that the government is preparing amendments to address critics’ concerns while emphasizing that it will not retreat on the metadata‑retention obligation. He signaled a willingness to consider changes that “strengthen encryption” and asserted that “encryption should not be compromised under any circumstances.” Nonetheless, the minister’s comments suggest that the core architecture of Bill C‑22—requiring providers to retain metadata and to provide lawful‑access mechanisms—will remain intact. OpenMedia’s executive director, Matt Hatfield, countered that the minister’s recent statements show public concerns are justified, arguing that any legislation allowing the state to install interception devices in a broad range of services poses an existential threat to Canadian privacy, regardless of promised encryption safeguards.

Broader Implications for Canadian Privacy and Security
The standoff between privacy‑focused tech firms and the federal government highlights a growing tension between legitimate law‑enforcement needs and the protection of individual rights in the digital age. If Bill C‑22 passes in its current form, Canada could see a notable exodus or scaling back of services that rely on strong encryption, potentially reducing the availability of secure communication tools for journalists, activists, businesses, and ordinary citizens. Conversely, proponents argue that without lawful‑access capabilities, investigations into terrorism, child exploitation, and organized crime may be hampered. The debate ultimately hinges on finding a balance that permits targeted, lawful surveillance without mandating systemic weaknesses that could be exploited by malicious actors or erode public trust in digital services. As the legislative process continues, the outcome will shape not only the operational landscape for companies like DuckDuckGo, Signal, Windscribe, and Tailscale but also the broader state of privacy and security for Canadians.
