CDT polling undercuts Canada's encryption crackdown

The Center for Democracy and Technology released polling data today showing that Canadian public opinion crushes the government's core justification for Bill C-22. Across every tested provision of the Lawful Access Act, 2026, mandatory metadata retention, exceptional access to encrypted communications, expanded foreign data sharing, voters oppose the measures by overwhelming margins. The CDT commissioned Public First, a UK polling firm, to test Canadian attitudes on encryption and government surveillance. The results directly contradict the government's framing that the bill has broad public backing. This timing matters: Parliament's House of Commons Standing Committee on Public Safety and National Security is actively reviewing the bill right now, with hearings ongoing since May 7. The committee's work will determine whether Bill C-22 moves to third reading and a final vote.

Bill C-22 itself is straightforward in its reach. It forces digital services, encrypted messaging apps like Signal, VPN providers, telecoms, to retain metadata for a full year and to comply with government access orders. The bill includes a "systemic vulnerability" exception that sounds protective until you read the fine print: Sections 12 and 13 state that compliance orders "prevail over inconsistent regulations," which means the government can order companies to comply even where doing so would introduce security flaws. The statute never defines "systemic vulnerability" with precision, leaving room for the government to reinterpret it narrowly enough to hollow out the protection entirely. In practice, this creates a legal trap. A company cannot comply with an access order to an end-to-end encrypted system without introducing a backdoor, a deliberate weakness that hackers can exploit. Signal's vice-president of strategy and global affairs, Udbhav Tiwari, stated the company's position plainly on May 14: "End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it. Provisions that enable the deliberate engineering of vulnerabilities into critical infrastructure like Signal are a grave threat to privacy everywhere." That is not rhetoric. It is physics.

The commercial resistance is already visible. Signal has said it would rather pull out of Canada entirely than comply. Windscribe, a Toronto-headquartered VPN provider, has announced it would relocate its headquarters out of Canada. NordVPN has warned it would consider the same. Apple and Meta have both raised public concerns about the bill's effect on encryption and cybersecurity. None of these are small players making idle threats, they are major infrastructure providers with millions of active users and real operational footprints. Signal alone claims over 100 million registered users globally; a Canadian withdrawal would be a signal (pun intended) that the company will not compromise its core product regardless of market size.

The political ground shifted further last week when two U.S. House committees, the Judiciary Committee chaired by Representative Jim Jordan and the Foreign Affairs Committee chaired by Representative Brian Mast, sent a joint letter to the Canadian government on May 8 warning that Bill C-22 could "weaken both countries' collective defences against hackers" and create "significant cross-border risks" to American security and privacy. This is not academic hand-wringing. It is an explicit statement from the U.S. legislative branch that Canada's surveillance bill threatens continental cybersecurity. The letter shifts the framing from privacy advocacy to national security, a frame that resonates in Washington and signals to Canadian lawmakers that they are about to isolate themselves from continental allies on a security question.

Here is what the polling data and the industry response tell us: Bill C-22 is moving through Parliament on the assumption that it balances privacy and security in a way the Canadian public accepts. The public does not. Vendors are preparing to exit rather than comply. And the U.S. Congress is openly warning that the bill weakens both countries' defenses. The committee is still reviewing the bill, but the political math has shifted in real time. The question now is whether the government can absorb this much pressure, public opposition, industry flight, U.S. legislative warning, and still move the bill to a vote. Watch for the committee's report, expected within the next 4-6 weeks. Watch whether any major Conservative or Liberal backbenchers break ranks. And watch whether Signal, Windscribe, or NordVPN actually file legal challenges or formally announce departure timelines. If any of those happen, Bill C-22 will face a choice: proceed over open commercial and international resistance, or redraft the exception language around systemic vulnerability to give it real teeth. The current version does neither.