An executive from Signal has warned that the encrypted messaging app would pull out of Canada if forced to comply with Ottawa’s proposed legislation on lawful access, which he says could compromise the privacy of his company’s customers.
Udbhav Tiwari, Signal’s vice-president of strategy and global affairs, told The Globe and Mail that the company has significant concerns about measures in Bill C-22, also known as the Lawful Access Act, and would “rather pull out of the country than be compelled to compromise on the privacy promises” it has made to its users.
Bill C-22 passed second reading in the House of Commons in April and is now under study by the public safety and national security committee. Tiwari said the bill could threaten the use of encryption, a concern echoed by U.S. lawmakers and other tech companies.
Tiwari also said changes that would be required of electronic service providers under the bill could create vulnerabilities and make private messaging services a potential target for cyberattacks by foreign adversaries.
Signal is an open-source, fully encrypted messaging service that runs on centralized servers maintained by Signal Messenger. Founded in 2012, the company is based in the United States but has millions of users in Canada.
The only data it stores on its servers are phone numbers, the date a user joined the service, and information on the last login. Users’ contacts, chats, and other communications are only stored on users’ phones, and they have the option to set the app to automatically delete conversations after a certain period of time.
Signal uses end-to-end encryption, meaning the company cannot access private conversations or calls made on its app, guaranteeing its users’ privacy.
Bill C-22 would expand law enforcement’s authority to access digital information and subscriber information. It would require digital service providers to retain metadata about user activities for up to a year, and compel telecommunications and online service providers to grant authorities access to user data.
The federal government has said the bill aims to provide tools to security agencies to better tackle crime in a digital environment.
Without judicial authorization, security agencies could ask an electronic service provider whether it offers services to a specific individual, based on a “reasonable suspicion” that a crime has or will be committed. With the information provided, police could then seek judicial authorization for a production order to obtain a range of data on the subscriber.
While testifying before the public safety committee earlier this month, Public Safety Minister Gary Anandasangaree said Bill C-22 does not support the creation of “back doors” into platforms and will not require service providers to provide decryption of end-to-end encryption systems. He also told the committee on May 5 that the bill safeguards against “systemic vulnerabilities” that could be exploited by criminals.
Commenting on Signal’s warning that it would back out of Canada, Conservative MP Jacob Mantle said every MP in Canada uses Signal, “precisely because they believe it is safe (confidential) to use.”
“No one wants Gary reading their messages,” Mantle wrote in a May 15 post on X.
The Epoch Times contacted Signal and Anandasangaree’s office for comment but did not hear back by publication time.
More Pushback
VPN companies and other tech firms have also voiced concerns about the potential for Bill C-22 to compromise their users’ privacy.
Canadian VPN service Windscribe says it will consider moving its headquarters out of Canada if the bill passes.
“In its current state, VPNs would almost certainly require us to log identifying user data,” the company said in a May 14 post on X. It added that that, unlike U.S.-based Signal, which can turn off its Canadian servers if Bill C-22 passes, Windscribe is headquartered in Canada.
“We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens,” the company said. “Not happening. We’ll move HQ and take our taxes elsewhere.”
Panama-based VPN service NordVPN also says it would consider pulling out of Canada if Bill C-22 is passed in its current form to protect its users’ privacy.
“Should Bill C-22 pass in its current form and if we are subjected to mandatory obligations, there isn’t a scenario in which we would compromise our no-logs architecture or encryption protections,” NordVPN said in a May 15 post on X.
Also commenting on the privacy concerns around Bill C-22, tech giant Shopify CEO Tobi Lutke said the legislation “must be scrapped.”
In voicing concerns that the bill contains several troubling provisions for the industry at large, Facebook’s parent company Meta told MPs at a public safety committee meeting last week the bill would require companies to serve as “an arm of the government surveillance apparatus.”
As drafted, it could require companies like Meta to “build or maintain capabilities that break or undermine encryption and force providers to install government spyware directly on their systems,” said Rachel Curran, Meta’s head of public policy.
U.S. lawmakers also wrote a letter to Anandasangaree on May 7 saying the bill could impact the security and data privacy of Americans.
Public Safety Canada said in social media post on May 12 that Bill C-22 would not require electronic service providers to keep all user data for a year, but would only require providers to keep “specific metadata of greatest value to investigators.”
Noé Chartier, Paul Rowan Brian, and Reuters contributed to this report.
Friends Read Free
Copy
Facebook
Tweet
