
An upcoming Canadian law, Bill C-2, aimed at enhancing border and national security, is drawing sharp criticism from privacy-focused organizations who warn it could severely compromise digital privacy and encryption under the guise of anti-money laundering reforms.
One such warning comes from Matthias Pfau, co-founder of German encrypted email provider Tuta (formerly Tutanota). Pfau's warning centers on concerns that Bill C-2, officially titled the Strong Borders Act, could quietly empower Canadian authorities with sweeping surveillance capabilities. Though the bill is publicly framed as a security and anti-money laundering measure, privacy advocates argue it contains hidden implications for electronic communications, encryption, and government overreach.
Bill C-2, introduced in the Canadian House of Commons on June 3, 2025, is a multi-part omnibus bill encompassing over 16 legislative areas. Among its broad-ranging provisions, Part 15, known as the Supporting Authorized Access to Information Act, establishes a legal framework that allows Canadian ministers to issue confidential orders to Electronic Communication Service Providers (ECSPs). These could include email services, messaging apps, cloud storage platforms, and other encrypted communication services.
Critically, under Section 7 of Part 15, these secret orders can compel providers to facilitate access to communications, with no requirement for public disclosure or judicial review. The orders are protected by confidentiality clauses, and non-compliance may trigger administrative penalties. Tuta likens this mechanism to the U.S. Foreign Intelligence Surveillance Act (FISA) and the U.K.’s Investigatory Powers Act, both heavily criticized for enabling opaque mass surveillance.
Tuta outlines three primary concerns with Bill C-2:
- Secret Government Orders: The legislation would authorize ministers to issue classified demands to ECSPs, effectively enabling surveillance without transparency or court oversight.
- Ambiguous Encryption Safeguards: While the bill appears to forbid “systemic vulnerabilities,” it does not define the term, leaving room for future reinterpretation that may allow targeted backdoors without additional legislative approval.
- Potential for Silent Backdoors: Future governments could exploit the law’s vague language to mandate covert access mechanisms under the claim that such demands do not create systemic weaknesses.
Canada’s alignment with other Five Eyes intelligence partners such as the U.S., U.K., and Australia has prompted concern that the country is following an increasingly surveillance-heavy policy trajectory. Recent actions in the U.K., where the government pressured Apple to disable cloud encryption, serve as a real-world example of such powers being exercised.
Tuta, known for its commitment to privacy and end-to-end encryption, has long been a vocal opponent of legislative proposals that could compromise user confidentiality. The company emphasizes that laws like Bill C-2 are not just theoretical threats; they risk eroding public trust in secure digital communications globally.
The potential reach of Bill C-2 is broad. By defining “core providers” loosely and placing obligations on them to “assist” with authorized access, it could cover everything from major telecoms to niche encrypted platforms. Furthermore, the law permits these obligations to be enacted via regulation, sidestepping public legislative scrutiny. This mirrors similar controversial provisions in Australia’s TOLA (Telecommunications and Other Legislation Amendment) Act, which drew international criticism for its vague mandates on encryption access.
For Canadian users of encrypted services, and international users relying on Canadian-based platforms, this proposed law introduces significant uncertainty. If passed in its current form, it may force companies to choose between complying with secretive surveillance orders or exiting the Canadian market altogether.