The Canadian government is facing pushback to amend a bill that opponents say would allow the government to circumvent encryption in devices and platforms. Tech companies, including Apple, have threatened to pull out of Canada if the bill passes.

Bill C-22 was introduced in March, titled “An Act respecting lawful access.” The bill aims to amend various laws “to modernize certain provisions respecting the timely gathering and production of data and information during an investigation.” Companies, however, say that the bill would weaken encryption used on various platforms, exposing customers to risks such as hackers.

Apple, which uses encryption to protect customers’ data, said in a statement, “at a time of rising and pervasive threats from malicious actors seeking access to user information, Bill C-22, as drafted, would undermine our ability to offer the powerful privacy and security features users expect from Apple. This legislation could allow the Canadian government to force companies to break encryption by inserting backdoors into their products – something Apple will never do.”

The statement added, “We will continue our longstanding cooperation with governments to help protect public safety while also advocating tirelessly against any measures that would put users’ personal data at risk.”

Signal, the encrypted messaging app, has said that it would pull out of Canada if the bill is passed. Signal vice-president of strategy and global affairs Udbhav Tiwari said the company “would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users.” He added, “Bill C-22 could potentially allow hackers to exploit these very vulnerabilities engineered into electronic systems, with private messaging services serving as an ideal target for foreign adversaries.”

“End-to-end encryption is incompatible with exceptional access, no matter how creative the route taken to achieve it,” Tiwari said. “Provisions that enable the deliberate engineering of vulnerabilities into critical infrastructure like Signal are a grave threat to privacy everywhere.”

Windscribe, a Canadian-based VPN service, said in response to Signal’s warning, “We won’t be far behind if C-22 passes. In its current state, VPNs would almost certainly require us to log identifying user data. Signal isn’t headquartered in Canada so they can just shut off Canadian servers, but our HQ is. We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens. Not happening. We’ll move HQ and take our taxes elsewhere.”

Tobi Lutke, the CEO of Shopify, wrote, “C-22 is looking like a huge mistake. It worries me a great deal. There is so much nonsense in there that It may well end up dealing a death blow to Canadian tech viability.” He added in a separate post, “C-22 must be scrapped.”

Rachel Curran, Meta’s head of public policy in Canada, warned in a committee hearing earlier in May that the bill “could conscript private companies into service as an arm of the government’s surveillance apparatus – with expansive scope and insufficient safeguards.” Meta is the owner of encrypted messaging service WhatsApp. She added, “As drafted, the bill could require companies like Meta to build or maintain capabilities that break, weaken, or circumvent encryption or other zero-knowledge security architectures, and force providers to install government spyware directly on their systems.”

The bill was introduced by Public Safety Minister Gary Anandasangaree. A spokesperson for Anandasangaree said on Wednesday, “We want to reassure Signal and all service providers that we are not legislating to require them to install capabilities to enable surveillance and any assertions otherwise are false.”

Under the bill, “core providers,” which will be defined at a later date, would be required to retain metadata for up to a year. Tech experts warn that such a backlog would be a valuable target for hackers. Anandasangaree said the government would work with those opposing the bill to strengthen it, and said it was an “encryption-neutral” bill that would give law enforcement tools to keep Canadians safe.

The legislation states, “A core provider is not required to comply with a provision of a regulation made under subsection (2), with respect to an electronic service, if compliance with that provision would require the provider to introduce a systemic vulnerability related to that service or prevent the provider from rectifying such a vulnerability.”