Bill C22 The Illusion of a Secure Backdoor.png
Real Analysis

Canada’s Bill-C22: The Backdoor All the time Opens Each Methods

0


/script type=”text/javascript” src=”https://app.getresponse.com/view_webform_v2.js?u=S6bT5&webforms_id=A25R”>

 

 

Written by Matt Morgan, Editor at The Daily Bell:

Bill C-22, the lawful access act tabled in the Canadian Parliament on March 12, 2026, will force every Canadian telecom and digital service provider to build surveillance capabilities into their networks. The government insists this will not create what it calls a systemic vulnerability. The government is wrong, and we already know it is wrong, because the same kind of system was built into American telecoms thirty years ago, and Chinese state hackers spent the last two years inside it (among other examples).

Every backdoor built for the state is, eventually, a backdoor used against everyone the state was supposed to protect. There is no version of this bill, no amendment, no oversight regime, that changes that. Every historical instance says the same thing.

Conscription, not access

The phrase lawful access describes something the state already has the power to do: serve a warrant on data that exists, but Bill C-22 does something different.

It compels electronic service providers, defined so broadly the term covers most digital businesses in Canada, to develop and maintain the technical capability for ongoing surveillance, retain a year of metadata on every Canadian, and comply with secret ministerial orders that can be issued without parliamentary review. This close to, if not, the same as conscription. Companies become an extension of the state’s surveillance apparatus, paid for partly by themselves and ultimately by their customers.

Apple, Meta, Signal, NordVPN, and the Toronto-based EasyDNS, have all publicly opposed the bill or threatened to leave the Canadian market. The Canadian Chamber of Commerce, representing 200,000 businesses, has written to the government stating that no comparable Western jurisdiction has adopted lawful access provisions of this breadth. Even the U.S. House Judiciary and Foreign Affairs committees have sent a joint letter warning that the bill threatens U.S. national security. The Canadian government’s response has been to promise it does not intend to mandate backdoors, while reserving to itself the right to redefine the word systemic vulnerability by cabinet order without returning to Parliament.

 

The historical record

The argument against C-22 has already been baked into the news of the last twenty years.

Athens, 2004

In 2003, Vodafone Greece installed Ericsson AXE switches that included lawful intercept functionality, the same kind of capability C-22 would mandate. Vodafone had not even purchased the operational components of the wiretap system. The capability sat dormant in the network, waiting to be activated by Greek law enforcement under court order.

Then, in 2004, unknown attackers (later linked in Greek court warrants to a CIA station officer) installed roughly 6,500 lines of rogue code into the switches, surreptitiously enabled the lawful intercept functionality Vodafone had never authorized, and used it to wiretap the Prime Minister, the Minister of Defense, the mayor of Athens, dozens of senior politicians and military officers, journalists, and human rights organizations. The interception ran for nearly a year before being discovered. Vodafone’s network planning manager, who likely discovered the intrusion, was found hanged in his apartment a day before the breach was reported to the Greek government. The case has never been resolved.

The system was built so the state could surveil its citizens with a warrant. Without a warrant, an unknown actor used the same system to surveil the state. The lawful intercept capability did not have to be enabled to be exploited. The wiring was enough. That is what “systemic vulnerability” means.

 

Washington, 2024

In 1994, Congress passed the Communications Assistance for Law Enforcement Act, which required every telecommunications provider in the United States to engineer their networks for lawful intercept. The architecture C-22 proposes for Canada is, in structure, the same architecture CALEA imposed on the U.S. thirty years ago.

In late 2024, the public learned that a hacking group attributed to China’s Ministry of State Security, tracked as Salt Typhoon, had spent at least one to two years inside the CALEA wiretap systems of nine major American telecoms, including Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. They obtained call metadata for over a million users, real-time recordings of high-profile political figures including staff for both the Trump and Harris 2024 campaigns, and, most damaging, an almost complete list of the phone numbers U.S. law enforcement was currently wiretapping. That last item gave Chinese intelligence a roadmap of which of its own agents the United States had identified.

By August 2025, the FBI confirmed Salt Typhoon had compromised at least 200 companies across 80 countries. The thirty-year-old American backdoor became, in the end, an open door for Chinese intelligence into the entire U.S. national security apparatus. IrOnIc, the infrastructure built so the FBI could spy on suspected criminals was used by a hostile foreign power to spy on the FBI.

 

Toronto, February 2025

Most Canadians do not know this part…

In June 2025, the Canadian Centre for Cyber Security, an agency of the Government of Canada, issued a joint advisory with the FBI confirming that Salt Typhoon had compromised three network devices belonging to a Canadian telecommunications company in mid-February 2025. The attackers exploited an unpatched Cisco vulnerability that had been publicly disclosed sixteen months earlier, configured a tunnel inside the telecom’s network, and began collecting traffic. The Cyber Centre warned that attacks on Canadian telecoms by Salt Typhoon will almost certainly continue over the next two years.

Eight months after that warning, the same Government of Canada tabled Bill C-22, which will require every Canadian telecom to build the kind of surveillance infrastructure Salt Typhoon was already inside.

The state knows, and it doesn’t care.

 

Once the door is open, the door always opens both ways

Wiring built for the state was used against the state. The infrastructure that was supposed to protect citizens exposed them. Every surveillance capability ever mandated by a government has eventually been used by an adversary of that government against its own people.

The defenders of C-22 will reply, as they have already begun to reply, that the previous failures were technical problems, fixable problems, that the Canadian implementation will be smarter, more secure, more carefully overseen. They said the same thing about CALEA in 1994. They said the same thing about Ericsson’s lawful intercept module in 2003. The answer to the State’s problem is always to grow the State, make the State more secure…do it better next time…and they have always been wrong in the same way. It never sees itself as the problem, or the problem maker.

The bill that promises to make Canadians safer will, inevitably, be the bill that exposes every Canadian’s location, metadata, and communications to whoever wants them most. That is what has happened every other time this has been tried.

There is no backdoor that only lets in the good guys. There never has been.



Source
Las Vegas News Magazine

Continue Reading
You might also like More from author
Leave A Reply

Your email address will not be published.


This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More