Last year, Canada introduced Bill C-2. It would have forced digital services to retain metadata for a year, allowed the Minister of Public Safety to secretly order companies to build backdoors into encrypted systems, and prohibited those companies from telling anyone about it. Over 300 civil society organizations and 10,000 citizens said no. The bill died before it reached committee.

This year, Canada introduced Bill C-22 — the Lawful Access Act. It forces digital services to retain metadata for a year, allows the Minister of Public Safety to secretly order companies to build backdoors into encrypted systems, and prohibits those companies from telling anyone about it.

The melody changed. The lyric didn’t.

OpenMedia’s Matt Hatfield describes Part 2 of the bill as “unchanged” and “in no way reformed” from C-2. The improvements are in Part 1 — narrowed warrantless demands, some judicial limitations. Enough to claim the bill is new. Not enough to make it true. Part 2 is where the surveillance lives, and Part 2 is a copy-paste.

Here’s what Part 2 does. Clause 7(1) lets the Minister issue secret orders to any digital service — messaging apps, cloud storage, email providers, operating systems — requiring them to build law enforcement access into their infrastructure. No judicial review before compliance. No public registry of who’s been ordered. No right for users to know it’s happening. The only restriction: the backdoor cannot introduce “systemic vulnerabilities.” The government gets to define that term by regulation, without a parliamentary vote.

“Systemic vulnerability” is doing a lot of work in that sentence. It’s doing impossible work. Because surveillance of encrypted communications is a systemic vulnerability. That’s not an opinion. That’s a proof, and the proof has a name.

Salt Typhoon.

In 2024, Chinese state-backed hackers compromised U.S. telecommunications infrastructure by exploiting lawful access systems built to comply with CALEA — the Communications Assistance for Law Enforcement Act. These were backdoors designed for court-authorized wiretaps. The good-guy door. China walked through it. They accessed metadata — dates, timestamps, IP addresses, phone numbers — from over a million users. The Congressional Research Service confirmed it. The EFF said what cryptographers have said for thirty years: there is no backdoor that only lets in good guys.

Which makes the next part extraordinary.

On May 7, 2026, House Judiciary Chairman Jim Jordan and Foreign Affairs Chairman Brian Mast sent a letter to Canada’s Minister of Public Safety warning that Bill C-22 would “drastically expand Canada’s surveillance and data-access powers” and create “significant cross-border risks.” They wrote that providers “will inevitably face directives to create backdoors and architectural changes that bypass or weaken encryption.” They warned that “a backdoor built to satisfy one government’s demands inevitably becomes a target for adversaries.”

This is the United States — the country that built CALEA, the system Salt Typhoon exploited — telling Canada not to build the same thing. The country that mandated the backdoor is warning against the backdoor. They’re not wrong. They’re just late. And they’re still running the compromised system.

We know what happens next because it already happened somewhere else. When the UK issued a Technical Capability Notice demanding Apple build a backdoor into iCloud’s Advanced Data Protection, Apple revoked the feature for UK users entirely. Didn’t comply. Didn’t fight. Withdrew. 67 million people lost access to end-to-end encrypted cloud storage — not because of a hack, but because their government demanded a door that couldn’t be made safe.

Canada’s Public Safety spokesperson says the concerns “reflect a misunderstanding of how Bill C-22 would function” and that it “does not require companies to weaken encryption.” This is the same thing the UK said before Apple pulled the feature. The same thing the US said before Salt Typhoon. The reassurance IS the pattern.

The Global Encryption Coalition, Apple, Meta, the Canadian Civil Liberties Association, OpenMedia, and the U.S. Congress all say the same thing: you cannot mandate access to encrypted communications without weakening encrypted communications. The government’s position is that it can. The government’s position is math-optional.

Bill C-2 was the demo. Bill C-22 is the release. The 300 organizations that killed C-2 are being asked to do it again — same fight, new docket number, same Part 2 they already defeated. That’s the strategy. Not to win the argument. To outlast the opposition. Introduce it, let it die, rename it, reintroduce it. Eventually the organizations get tired. Eventually the citizens move on. The bill never gets tired. Bills don’t have attention spans.

The Lawful Access Act. Say it out loud. It sounds like protection. It sounds like courts and warrants and due process. That’s the melody. The lyric is secret ministerial orders, gag clauses, undefined terms, and a backdoor that China already proved is everyone’s door.

The cover version always sounds like the original. That’s the point.

// NEON BLOOD

Sources: EFF · OpenMedia · Michael Geist · House Judiciary Committee letter · EFF on Salt Typhoon · Congressional Research Service · Global Encryption Coalition