Breaking news

Canada's Bill C-2 threatens to undermine privacy & encryption.

After UK, USA & Australia, it's now Canada's turn to decide on one of the worst surveillance bills; this time hidden in an anti-money laundering law.

Canada's Bill C-2 threatens to undermine privacy and encryption

At Tuta, we've repeatedly called out against legislation threatening your privacy, and we now have to do so again. Today, we're raising the alarm over Canada's upcoming Bill C-2, a bill to amend Canada's anti-money laundering legislation through updates to the Proceeds of Crime and Terrorist Financing Act. However, while aimed at fighting money laundering, the bill poses one of the most serious threats to digital privacy and security - similar to what we've recently seen in the UK, the USA and Australia.

Canada - another one of the Five Eyes - is planning to update its Bill C-2 with similar threats to your privacy like the UK’s Online Safety Act, Australia’s TOLA, and the American FISA regulation.

While Bill C-2 does not force providers to break encryption, it leaves the option open to (future) governments to abuse this law in exactly this way.

And, as we’ve seen with the UK’s order to Apple to remove encryption from its cloud, this is not an empty threat at all, but something we need to take seriously.

Three core threats of Bill C-2

The dangers of Bill C-2, particularly Part 15 of the legislation, boil down to three core risks:

1. Secret ministerial orders & overreach

Under Section 7(1) of Bill C-2, Canadian ministers would be able to issue secret demands to any Electronic Communications Service Provider (ECSP) - not just to large telecoms or ISPs, but potentially to any provider of encrypted communication including messaging apps, cloud services, or email providers.

These powers would allow the government to compel access in secret, with no meaningful transparency or judicial oversight. This is very similar to FISA in the US, which has been widely criticized for enabling mass surveillance behind closed doors. In short: The Canadian draft law hands sweeping surveillance authority to politicians, with minimal checks and balances.

2. Illusion of protecting encryption

Bill C-2 pretends to protect encryption by stating that the government can’t require companies to create a “systemic vulnerability” - which could be interpreted as a clear “No to backdoors”. However, this supposed safeguard is fundamentally hollow. The term ‘systemic vulnerability’ isn’t defined in the law. Worse, the government reserves the right to define it after the law has been passed, through future regulation. It’s the legal equivalent of telling citizens “We’ll let you know the exact rules only AFTER the law has been passed.”

3. Backdoor access

Without it explicitly undermining encryption, Bill C-2 would quietly open the door for (future) governments to easily introduce secret backdoors. This could be done without requiring new legislation as long as the government asserts (based on its own undefined criteria) that these measures don’t create a “systemic vulnerability”. This is an alarming loophole that could erode the very foundation secure and confidential communication relies upon: end-to-end encryption.

Prying eyes wherever you turn

Canada is joining a growing club of democracies - including the UK (Online Safety Act), Australia (TOLA), and the US (FISA, Cloud Act) - that are giving themselves sweeping powers to force companies to hand out encrypted data. Officials may claim these powers will never be abused, but the UK ordering Apple to remove its cloud encryption is a chilling example of what we are going to see more often in the future: Once the power is there, governments will use it to undermine security and privacy.

For anyone using encrypted, secure services, this uncertainty makes it harder to trust any jurisdiction with vague, unchecked surveillance powers. Trust cannot exist where the law quietly enables government-mandated access to private communications.

Unfortunately, the Canadian Bill C-2 is not a sudden change in politics. We at Tuta have been following surveillance politics for more than a decade now, and it more and more looks like the Five Eyes Alliance is increasing its surveillance measures one country at a time, testing the boundaries each time, with the goal of ultimate, general surveillance. And they are not alone in this movement as we’ve seen with the recent introduction of “ProtectEU”, which we at Tuta are fighting against.

Governments around the world seem to follow what China with its surveillance methods has proven to be possible in a digitalized world - and it’s unbelievably scary. It’s much worse than what Orwell predicted in his novel “1984”.

If you care about privacy, security, and the future of freedom of speech, this is the moment to speak up. Because once these powers are in place, rolling them back becomes almost impossible.

At Tuta, we fight for being able to build an end-to-end encrypted service that respects your privacy and protects your data. And we will continue to oppose any legislation - whether in Canada or elsewhere - that seeks to undermine your human right to privacy.

Illustration of a phone with Tuta logo on its screen, next to the phone is an enlarged shield with a check mark in it symbolizing the high level of security due to Tuta's encryption.