Signal has never threatened to leave a country before. On May 14, the secure messaging service broke that silence. Udbhav Tiwari, Signal's VP of strategy and global affairs, told The Globe and Mail that the company would 'rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users', a direct reference to Canada's Bill C-22, which would require electronic service providers to build surveillance capabilities and retain user metadata for up to a year. Signal stores almost nothing: phone numbers, account creation dates, last login timestamps. Conversations, contacts, call records never touch its servers. They live only on users' devices. Bill C-22 demands the opposite: exceptional access (a legal backdoor) and data retention at scale. The two are incompatible. Signal chose to say so publicly.

Within a week, the exodus threat metastasized. Windscribe, a Canadian-domiciled VPN provider, announced it would relocate its entire headquarters out of Canada if the bill passed. Then NordVPN joined, warning it would 'consider leaving Canada if it requires compromising its privacy protections.' The timing matters: these were not abstract warnings but coordinated, named commitments published within 48 hours of each other. This is not how Silicon Valley typically responds to surveillance legislation. Companies lobby, delay, negotiate, litigate. They do not publicly threaten to abandon markets. Three major privacy infrastructure providers doing so simultaneously suggests the bill's architecture is genuinely non-negotiable for businesses built on encryption-first models.

Bill C-22 is still in the House of Commons Standing Committee on Public Safety and National Security, having passed second reading on April 20. Committee hearings began May 7. The bill's core mechanisms are two-fold: it would allow the federal government to secretly order companies to weaken encryption, and it would mandate retention of identifying metadata for investigative access. Apple has already said it 'will never' add a backdoor and warned it might not release certain features in Canada. The logic is simple: if you build an encryption system that works in Canada, it must work identically everywhere, you cannot have one master key for Toronto and another for Tokyo. Any exception compromises the entire system's security model. This is not posturing; it is cryptographic fact.

The bill's cross-border dimension just became explicit. Heads of the U.S. House judiciary and foreign affairs committees sent a joint letter to Canada's Public Safety Minister stating that Bill C-22 would 'drastically expand Canada's surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans' and would allow 'Canadian government officials to compel American companies to build backdoors into their encrypted systems.' Washington is signaling that this is not a Canadian domestic issue. If Canada mandates backdoors, Apple, Google, Microsoft, Signal, and every other U.S.-domiciled encryption provider face a choice: comply with Canada's order and weaken their products globally, or exit Canada. The U.S. Congress is warning that compliance is not an option.

Windscribe's relocation threat is the material telling detail. Signal can toggle a server or route traffic differently; it is a foreign service with no legal domicile in Canada to defend. Windscribe is Canadian. If it relocates, it leaves behind real estate, employees, tax residency, operational infrastructure. A Canadian company making that threat means the cost of compliance exceeds the cost of exit. That threshold is not abstract, it is where a regulatory environment stops being negotiable and becomes hostile. NordVPN's threat carries similar weight. Both companies are saying: we would rather rebuild our operations from scratch than log user data in Canada. The question now is whether other Canadian and North American privacy firms follow, or whether the bill's passage becomes the first time a Western democracy has successfully forced the encryption industry to choose between privacy and market access.

Watch three markers: (1) the committee's vote timing and what amendments, if any, it proposes; (2) whether U.S. diplomatic pressure escalates beyond the House letter into formal state-level intervention; and (3) whether crypto wallets, hardware custody providers, or decentralized communication platforms join the public exodus threat. If the bill passes in current form, Canada becomes the test case for whether surveillance mandates can survive industry defection. If the industry holds and the government backs down, the precedent reverses.