Canada’s Bill C-22 and the security cost of collecting more data

Canada's proposed Bill C-22, also known as the Lawful Access Act, 2026, is generating concern among companies like Tailscale due to its implications for privacy and data security. The bill aims to update lawful access rules for the digital age by requiring electronic service providers to develop capabilities for government access to data, potentially mandating metadata retention for up to a year. This broad definition encompasses a significant portion of the modern internet, sparking worries about increased data retention and security risks as companies may be forced to store sensitive information they otherwise would not. Tailscale, a Canadian VPN service, emphasizes its commitment to privacy by not logging customer traffic and maintaining end-to-end encryption, arguing that Bill C-22 could undermine such security architectures by requiring unnecessary data collection. The company advocates for amendments to the bill to ensure lawful access is limited to specific investigations with legal authorization, to protect encryption, and to avoid creating new vulnerabilities. This debate is part of a global trend where governments are striving to balance public safety with the protection of individual privacy and secure digital infrastructure.