Udbhav Tiwari, Signal vice-president of strategy and global affairs, says Ottawa’s Bill C-22 could threaten encryption and make private messaging services a potential target for cyberattacks.Kiichiro Sato/The Associated Press
Secure messaging service Signal, which uses end-to-end encryption, is warning it would withdraw from Canada if asked to compromise its users’ privacy under Bill C-22, Ottawa’s proposed lawful access legislation.
In an interview, Udbhav Tiwari, Signal vice-president of strategy and global affairs, said the company has deep concerns about measures in the bill, including its potential to introduce security vulnerabilities.
Mr. Tiwari said that Signal “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.”
He expressed fears that Bill C-22, which is currently being scrutinized by Commons committee, could threaten encryption.
Mr. Tiwari also warned changes to systems required under the bill could make private messaging services a potential target for cyberattacks.
“Bill C-22 could potentially allow hackers to exploit these very vulnerabilities engineered into electronic systems, with private messaging services serving as an ideal target for foreign adversaries,” he added in a text message.
Signal was founded in 2012 and is not linked to major tech companies. It has millions of Canadian users and is used for secure communication by journalists, dissidents, government agencies, private citizens and politicians.
The bill would require telecoms, internet companies and other electronic service providers to make changes to their systems to give surveillance capabilities to police and the Canadian Security Intelligence Service to combat threats and criminal activity.
Signal runs on its own centralized servers. The only user data it stores are phone numbers, users’ last login information and the date they joined the service. Users’ contacts, chats and other information are stored by users themselves, on their phones.
The bill would require “core providers” – which would later be defined through regulations – to retain metadata for up to a year.
The metadata would not include e-mails, web-browsing history, social-media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
“End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it,” Mr. Tiwari added in a statement. “Provisions that enable the deliberate engineering of vulnerabilities into critical infrastructure like Signal are a grave threat to privacy everywhere.”
Last year, a Signal chat between U.S. national security officials and Defence Secretary Pete Hegseth mistakenly included a journalist. The chat specified timings of warplane launches and when bombs would drop in planned attacks on Yemen’s Houthis.
At a Commons committee hearing on Bill C-22 earlier this month, Public Safety Minister Gary Anandasangaree, who introduced the bill, was asked about its impact on encrypted services, and described it as “encryption-neutral.”
Tech companies, including Apple, and the Canadian Chamber of Commerce have warned the lawful access regime proposed by the bill could weaken or break encryption.
Meta, which owns encrypted messaging service WhatsApp, testified earlier this month to a Commons committee examining the bill. Rachel Curran, the tech giant’s head of public policy in Canada, warned that the bill “could conscript private companies into service as an arm of the government’s surveillance apparatus – with expansive scope and insufficient safeguards.”
“As drafted, the bill could require companies like Meta to build or maintain capabilities that break, weaken, or circumvent encryption or other zero-knowledge security architectures, and force providers to install government spyware directly on their systems,” she said.
Signal’s Meredith Whittaker on AI and the tension between privacy and public safety
Simon Lafortune, a spokesperson for Mr. Anandasangaree, said Wednesday: “We want to reassure Signal and all service providers that we are not legislating to require them to install capabilities to enable surveillance and any assertions otherwise are false.”
The broadly worded bill could lead to the rollout of forced metadata collection for messaging apps, said Kate Robertson, a senior research associate at the University of Toronto’s Citizen Lab whose expertise includes cybersecurity, state agencies’ use of personal data and surveillance activities.
Ms. Robertson said that when recently pressed to commit to protection for encryption, “government officials were reticent.”
“Encrypted communication systems are a lifeline for human rights defenders, journalists and dissidents around the world,” she said.
Matt Hatfield, director of OpenMedia, a non-profit that advocates for widespread and affordable internet access, said “Signal, WhatsApp and other encrypted messaging services could clearly be scoped into Bill C-22 under its current definitions of electronic service providers.”
“A future public safety minister could issue orders to them requiring them to retain user metadata,” Mr. Hatfield said in an e-mail.
Michael Geist, Canada Research Chair in internet and e-commerce law and professor at the University of Ottawa, said he expected private messaging services to become a high-value target for law enforcement if the bill becomes law, including for obtaining metadata.
He said that currently, courts focus on obtaining data itself, but the lawful access regime would mandate permanent structural changes to company systems.
“There is a significant difference between court-ordered disclosures and mandates to retrofit or change technical structures,” he said.