Signal threatens to leave Canada over proposed lawful access bill

Encrypted messaging platform Signal says it would withdraw from the Canadian market rather than comply with provisions in Ottawa’s proposed lawful access legislation that it believes could undermine encryption and introduce dangerous security vulnerabilities.

In an interview with The Globe and Mail, Signal Vice President of Strategy and Global Affairs Udbhav Tiwari warned that Bill C-22 could force providers to alter their systems in ways that weaken privacy protections and expose messaging platforms to cyberattacks. The comments come as Canada’s Parliament continues reviewing the controversial bill, which has already drawn criticism from Apple, Meta, cybersecurity researchers, and civil liberties groups.

“Signal would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users,” Tiwari said, adding that mandated surveillance capabilities could create exploitable weaknesses for hackers and foreign intelligence actors.

Signal, founded in 2012, is widely used by journalists, activists, government officials, and privacy-conscious users due to its end-to-end encryption and minimal data retention. Unlike many mainstream messaging services, Signal stores very limited metadata on its centralized servers, retaining only account phone numbers, the last connection date, and registration timestamps. Messages, contacts, and other sensitive data remain stored locally on users’ devices.

The company’s concerns center on Part 2 of Bill C-22, which would require telecommunications providers, internet companies, and other “electronic service providers” to maintain technical capabilities enabling law enforcement and intelligence agencies to obtain data under authorized orders. The legislation would also permit future regulations requiring providers to retain certain metadata for up to one year.

Although Canadian officials insist the bill is “encryption-neutral,” critics argue its broad language could effectively compel companies to weaken or bypass encryption protections.

Tiwari warned that introducing lawful-access mechanisms into encrypted systems would fundamentally conflict with the design principles of secure communications.

“End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it,” he said. “Provisions that enable the deliberate engineering of vulnerabilities into critical infrastructure like Signal are a grave threat to privacy everywhere.”

Earlier this month, Apple and Meta publicly criticized the legislation, arguing it could force companies to create encryption backdoors or deploy surveillance tooling within their infrastructure.

Meta’s Rachel Curran told lawmakers during committee hearings that the bill could require firms to “build or maintain capabilities that break, weaken, or circumvent encryption.” The company also warned that mandatory lawful access systems could mirror the kinds of infrastructure weaknesses exploited in recent state-sponsored telecom intrusions, including the China-linked “Salt Typhoon” espionage campaign.

Kate Robertson, senior research associate at the University of Toronto’s Citizen Lab, warned that encrypted communication platforms are essential for journalists, dissidents, and human rights defenders globally. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, said the legislation goes beyond traditional court-ordered disclosures by potentially mandating permanent technical modifications to provider systems.

Canadian officials continue to reject claims that Bill C-22 mandates encryption backdoors. Public Safety Minister Gary Anandasangaree previously described the proposal as “encryption-neutral,” while ministry spokesperson Simon Lafortune stated this week that the government is “not legislating to require [providers] to install capabilities to enable surveillance.”