In 1991, Phil Zimmermann released Pretty Good Privacy — PGP — as free software because the US government was about to mandate backdoors in all secure communications. For his trouble, the federal government investigated him for three years under the Arms Export Control Act. They classified encryption as a munition. A weapon. Because apparently, the ability to have a private conversation is the same thing as shipping missiles to hostile states.
The investigation was dropped in 1996. Zimmermann won. Privacy won. And we all moved on, right?
Wrong.
Bill C-22: The Backdoor Returns
Canada’s Bill C-22 — the “Lawful Access Act, 2026” — is currently working its way through the House of Commons. Its stated purpose is to modernise how law enforcement accesses digital information. Noble enough on the surface. But beneath the language of safety and modernisation lies something deeply familiar: a government demanding the keys to your private conversations.
The bill doesn’t explicitly say “break encryption.” It’s more sophisticated than that. It requires “electronic service providers” — a definition so broad it captures virtually any internet-based business operating in Canada — to build “technical capabilities” that enable law enforcement and CSIS (Canada’s intelligence agency) to access data quickly and consistently.
That’s a backdoor. You can dress it up in whatever parliamentary language you like, but if a system must be built to allow a third party to access encrypted communications, the encryption is broken. By design.
Secret Orders, No Oversight
Here’s where it gets properly dystopian. Bill C-22 allows for ministerial orders to be issued in secret, with approval from the Intelligence Commissioner. Companies could be compelled to weaken encryption without public disclosure. Without telling their users. Without anyone outside the security apparatus knowing it happened.
Google called this out directly: “Secret orders are out of step with other democratic countries and would severely restrict companies’ ability to be transparent with users about how their data is protected.”
The bill also includes provisions for mandatory metadata retention — including device location data — for up to one year. Your phone becomes a government tracking device. Not because you’re suspected of anything. Just because you exist in Canada and own a mobile.
The Tech Giants Push Back
Apple, Meta, and Google are all publicly fighting this. Apple has stated — again — that it will never build a backdoor into its products. Meta has warned about the bill’s “sweeping powers, minimal oversight, and lack of clear safeguards.”
Some companies have indicated they might withdraw services from Canada entirely if the bill passes in its current form. And Apple has form here. When the UK government issued a similar demand under the Investigatory Powers Act in 2025, Apple pulled its Advanced Data Protection feature from UK users altogether. Rather than compromise encryption for everyone, they simply stopped offering it to the British.
That’s not a victory for the UK government. That’s British citizens being made less secure because their own government demanded a backdoor that Apple refused to build.
The Pattern That Never Changes
This is the same fight Zimmermann fought in 1991. The same fight the cypherpunks — Eric Hughes, Timothy C. May, John Gilmore — laid out in the Cypherpunk’s Manifesto. The same fight that the Crypto Wars were supposed to have settled.
The pattern is always the same:
- Government cites a real threat — terrorism, child exploitation, organised crime
- Government proposes breaking encryption to fight that threat
- Security experts explain that you cannot build a backdoor that only good people can use
- Government presses ahead anyway
- Public pushback forces a retreat or compromise
- Wait five years. Repeat from step one.
We’re on at least the fourth cycle now. The UK with the Investigatory Powers Act. Australia with their Assistance and Access Act. The EU with various proposals to scan encrypted messages for CSAM. And now Canada with Bill C-22.
Why This Matters Beyond Canada
If Canada succeeds, it sets a precedent. Every Five Eyes nation — the US, UK, Australia, New Zealand — will point to it as evidence that democracies can mandate lawful access to encrypted communications. The dominoes don’t fall slowly.
And the technical reality hasn’t changed since Zimmermann published PGP’s source code in book form to sidestep export controls: there is no such thing as a backdoor that only governments can use. If a vulnerability exists, it will be found. By criminals. By hostile states. By anyone with sufficient motivation and skill.
Public Safety Minister Gary Anandasangaree has said the government intends to amend the bill to “clarify” definitions of encryption and metadata. That’s encouraging language. But clarifying definitions is not the same as removing the power to compel access. The architecture of the bill still allows secret orders, still mandates technical capabilities, and still treats encrypted communication as a problem to be solved rather than a right to be protected.
The Cypherpunk Position
Eric Hughes wrote in 1993: “Privacy is necessary for an open society in the electronic age… We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence.”
Thirty-three years later, that’s still the whole argument. Privacy isn’t granted. It’s built. With mathematics. With code. With encryption that works because nobody has the keys except the people communicating.
The moment you build a system where someone else — anyone else — can listen in, you’ve destroyed the thing you claimed to be protecting. You haven’t made citizens safer. You’ve made them vulnerable. To their own government, and to everyone else who finds the door you left open.
Canada’s Bill C-22 is in committee. It can still be stopped, or at least defanged. The tech industry is pushing hard. Privacy advocates are mobilising. The question is whether the Canadian public — and their elected representatives — understand what’s actually at stake.
Phil Zimmermann understood. He risked prison for it. The least we can do is pay attention.
Leave a Reply