
Apple, Google say lawful access bill could undermine user safety, privacy

Executives from Apple and Google urged the federal government to tighten rules in its proposed lawful access legislation to avoid creating vulnerabilities in their products, arguing so-called “backdoors” into encrypted data systems could be exploited by cyber criminals.
Bill C-22 would lead to the creation of regulations requiring “core” telecommunications providers to create “capabilities” for law enforcement to access information, and for the retention of user metadata for up to one year. Ministerial orders could then be given to other providers without judicial oversight.
Although the government has said the bill is “encryption neutral” and that it won’t push providers to create a “systemic vulnerability,” the companies added to the growing chorus of concerns that the current language in the legislation — including the definition of a “systemic vulnerability” — is broad enough that encryption could still be at risk.
“Speaking as an engineer, we do not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in,” Erik Neuenschwander, Apple’s senior director of user privacy and child safety, told the House of Commons public safety committee.
“In other words, when you build a backdoor into an encrypted device, anyone can walk through.”
He pointed to the 2024 Salt Typhoon cyberattack on U.S. government systems that exploited access points created under that country’s own lawful access bill.
“That law was narrower than Bill C-22,” he said. “So imagine what could happen if more companies were required to create these vulnerabilities.”
Neuenschwander wouldn’t say if Apple would consider leaving Canada if the current legislation passes, or if it would be forced to end encryption services in Canada like it did in the United Kingdom last year, after a British government demand for access to encrypted cloud-stored data.
Jeanette Patell, the director of government affairs and public policy at Google Canada, also wouldn’t say how Google would respond, but noted the legislation may force it to break its own precedent by allowing law enforcement to circumvent end-to-end encryption for its products.
She said the bill as written “goes well beyond lawful access regimes in other G7 democracies, and risks creating new surveillance infrastructure that would introduce serious security vulnerabilities, undermine user trust and hinder our ability to innovate and offer pro-privacy technologies.”
The proposed ministerial powers under the bill “could give the government the power to secretly force companies to redesign products, to include invasive surveillance capabilities, and to do so without sufficient safeguards or oversight,” Patell added.
“Ministerial orders are not only alarming, but also unnecessary,” she said. “Canada already has an effective, transparent system where law enforcement can apply to the courts for reasonable assistance orders subject to judicial oversight.”
Katherine Charlet, Google’s senior director of privacy, safety and security, noted the potentially “boundless” powers granted under C-22 could have implications beyond Canada.
“Google and other companies are global companies,” she said. “Canadians interact with people all over the world, and so there are global impacts of a proposal such as this one.”

The executives said protections around encryption and more specific definitions were necessary for the bill itself, rather than waiting for future regulations to provide that clarity.
Neuenschwander added the government’s stated intentions of not seeking to create “backdoors” or weaken encryption “aren’t coming through clearly in the language from our perspective” and need to be made more explicit.