Erik Neuenschwander, Apple's senior director of user privacy and child safety, sat before the House of Commons Standing Committee on Public Safety and National Security on May 26 and stated what cryptographers have been saying since the 1990s: 'Speaking as an engineer, we do not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in.' He was not speaking hypothetically. He was explaining why Bill C-22, a live piece of Canadian legislation already past two readings in Parliament, cannot work as written, and why Apple will not build the backdoor it would require.

Bill C-22, formally called the Lawful Access Act, would empower the Canadian government and law enforcement to compel 'electronic service providers' (a term broad enough to cover Signal, Apple, Google, and any encrypted messenger) to create technical capabilities for surveillance and metadata retention. The bill is not a proposal. It has passed second reading, sits in committee for stakeholder feedback, and heads to the Senate for final review. On the same day Neuenschwander testified, representatives from Google, the Privacy Commissioner of Canada, and civil liberties groups told the committee the bill as drafted is incompatible with end-to-end encryption, which is to say, incompatible with how modern security actually works. What emerged was not a careful legislative debate but, by Neuenschwander's own account in testimony, a procedural mess: the Privacy Commissioner's written reform recommendations were not distributed to MPs, and the final thirty minutes dissolved into failed attempts to negotiate more hearing time.

Google's director for government affairs, Jeanette Patell, articulated the second-order problem: the bill allows surveillance orders to be issued 'in secret,' meaning companies would be compelled to act without judicial transparency or the ability to challenge the order in court, a standard Patell noted is 'out of step with other democratic countries.' Apple made the point harder by referencing the 2024 Salt Typhoon breach, which exploited vulnerabilities created by a narrower U.S. lawful-access regime. Neuenschwander told the committee: 'That law was narrower than Bill C-22,' and it still resulted in a state-level adversary breaking into U.S. government systems. The implication landed clearly: Canada's version would be worse.

But the testimony also exposed what the real leverage point actually is. Signal, the encrypted messenger used by millions of Canadians, does not have shareholders to pressure or a compliance officer to negotiate with. Udbhav Tiwari, Signal's VP of Strategy and Global Affairs, said the organization 'would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.' Windscribe, a Toronto-based VPN provider, announced it would relocate its headquarters out of Canada entirely. NordVPN warned it would consider the same. This is not lobbying theater, this is a credible market exit threat from the exact tools that Canadian users rely on to maintain private communication and self-custody of their digital lives. Apple has precedent: it withdrew its Advanced Data Protection feature from the United Kingdom rather than comply with a Technical Capability Notice ordering access to encrypted iCloud data, and its litigation before the Investigatory Powers Tribunal concluded in approximately October 2025 when the case was dismissed after the UK government revised its TCN order.

The real question is not whether the government understands encryption, the testimony made clear it does not, and several MPs visibly struggled with the basic architecture of E2EE. The question is whether Parliament passes the bill despite that. If it does, Canada becomes the first G7 nation to legislatively mandate encryption backdoors in systems already deployed to millions of users. Signal exits. Apple weakens iCloud. Windscribe relocates. And the gap in the market fills with whatever tools users can find that are not subject to Canadian law, Tor, Nostr-based messaging, whatever crosses the border and cannot be regulated. Watch three things: whether the Senate committee demands stronger encryption carve-outs, whether Signal releases an explicit withdrawal timeline if the bill passes as written, and whether Apple initiates a second Technical Capability Notice fight in Canada as it has in the UK. Each one is a binary. Any one moves the outcome.