Canada Wants Digital Sovereignty. Bill C-22 Pulls the Other Way


Encryption, lawful access, and the hidden contradiction in Canada’s digital sovereignty strategy

Ethan Plant
May 14, 2026


Canada cannot build digital sovereignty by making Canadian infrastructure less trustworthy.

That should be obvious.

A country that wants more domestic cloud capacity, more domestic software companies, more domestic AI infrastructure, and more control over its digital future needs people to trust the systems built here.

Bill C-22 exposes the tension underneath that ambition.

The government describes the bill in familiar language. Modernization. Public safety. Lawful access. Technical assistance. A better framework for police and intelligence agencies dealing with modern digital systems.

That language sounds procedural.

The technical implications are not.

A huge amount of ordinary digital life depends on strong encryption, even when we do not think about it.

It protects bank accounts, medical records, corporate backups, legal communications, journalists, source code, personal photos, authentication systems, business secrets, and ordinary messages between ordinary people.

A country that weakens confidence in encryption weakens everything built on top of it.

This is especially strange at a time when Canada keeps talking about digital sovereignty. The point of digital sovereignty is supposed to be that Canada can rely on infrastructure aligned with Canadian interests, Canadian law, and Canadian resilience.
And these are legitimate goals.

But domestic capacity only matters if people believe the systems are safe to use.

A Canadian cloud provider does not become trustworthy merely because its servers are in Canada.

A Canadian messaging app does not become trustworthy merely because the company is Canadian.

A Canadian identity provider does not become trustworthy because the policy language says “sovereignty.”

Trust depends on architecture.

If a provider can be compelled to maintain access capabilities, redesign systems around interception, preserve more data than it otherwise would, or make private systems more legible to the state, then the infrastructure has changed.

It now has a legal attack surface.

And that matters.

Security people already understand technical attack surfaces. Open ports. Vulnerable dependencies. Misconfigured buckets. Exposed admin panels. Weak keys. Bad defaults.

Lawful access can create another kind.

A mandated access path may begin as a tool for authorized investigators. But once it exists, it becomes something other actors can target, pressure, abuse, expand, or leak.

There is no “good guys only” backdoor.

There is only a capability.

And once built, the capability becomes part of the system.

End-to-end encryption only works because the provider cannot read the message.

That is the whole point.

Signal cannot hand over a message it cannot see. WhatsApp cannot produce message contents it doesn’t possess. Strong device encryption works on the same basic principle. The security guarantee comes from the absence of provider access.

Once a legal framework requires providers to preserve some path for lawful access, the guarantee changes.

Maybe the change is direct. Maybe it is indirect.
Maybe it appears through client-side scanning, key escrow, compelled updates, metadata retention, device access, administrative interfaces, or some other carefully lawyered mechanism.

The technical shape can vary.

The trust problem does not.

If users believe a system was designed so that someone else can get in, they will treat the system differently. So will companies. So will foreign customers. So will security researchers. So will adversaries.

This is where the sovereignty argument starts to collapse.

Because Canada wants people to trust Canadian infrastructure.

But trust cannot be ordered into existence through policy.

Imagine trying to sell a Canadian cloud platform to European customers after Canada develops a reputation for compelled interception. Imagine asking a privacy-conscious startup to host sensitive customer data here if Canadian law creates uncertainty around encryption. Imagine asking journalists, lawyers, engineers, or dissidents to trust a Canadian messaging service if the country’s lawful access framework is seen as hostile to strong privacy guarantees.

The problem isn’t solely domestic. Digital infrastructure is global by default. Reputation travels far and fast.

If Canada becomes known as a jurisdiction where secure systems may need to be redesigned for state access, that affects Canadian companies. It affects exports. It affects credibility. It weakens the argument that domestic digital capacity is safer or more sovereign.

A sovereign system people do not trust is not very sovereign.

Supporters of lawful access will say these powers are needed because criminals use encryption too. And that’s true. But...
