Canada's Bill C-22 and the security cost of collecting more data


Blog | insights, May 26, 2026

Tailscale was founded in Canada. We’re a Canadian company that serves users and customers all over the world.

That’s why we’re paying close attention to Bill C-22, Canada’s proposed Lawful Access Act, 2026. The bill is Canadian, but the issue is a global trend. Governments around the world are trying to update lawful access rules for the Internet era. Some of those efforts are reasonable. Some go too far, especially when they push companies to retain more data, build surveillance capabilities, or make secure systems easier to access by design.

Bill C-22 is part of that larger pattern. It would affect Canadian companies like Tailscale. It would affect any company serving people in Canada. More broadly, it affects the privacy and security expectations of everyone who relies on modern encrypted services.

Police and intelligence agencies need tools to investigate serious crimes. Sometimes that means asking service providers for records. When a request is specific, lawful, and authorized by a court, providers should respond with data they actually have.

Bill C-22 goes beyond that, and the wording is worrying.

What Bill C-22 would change

The bill would create a lawful access framework for “electronic service providers.” That definition is broad. It covers services that create, store, process, transmit, receive, or make available digital information, including services provided to people in Canada or by companies doing business here. That might sound like it covers only traditional phone companies or ISPs, but it reaches a large part of the modern Internet.

Under the bill, “core providers” could be required to develop, assess, test, and maintain technical capabilities for government access. They could also be required to install, use, operate, or maintain equipment that enables government access to information. The bill also allows regulations requiring retention of categories of metadata, including transmission data, for up to one year.

Governments worldwide have spent years pushing for lower data retention in the name of user privacy, starting with the GDPR. This kind of mandatory data retention is the exact opposite: it gives tech companies a reason to keep all kinds of personal information they shouldn’t, in the name of compliance.

That should concern anyone who cares about security and privacy. At Tailscale, we’re concerned too.

What Tailscale’s VPN does and doesn’t collect

Tailscale’s VPN is not an anonymity service. We’re an identity-aware network for secure connectivity. We keep the information needed to run our service: accounts, devices, the IP addresses those devices connect from, operating systems, connection state, and some basic connection information. That’s how NAT traversal, reliability, abuse prevention, and support work.

But there are important things the product doesn’t do.

Tailscale’s VPN doesn’t inspect customer traffic. Nor does it log browsing activity, public DNS queries, or the contents of communications. Traffic inside a tailnet is encrypted end-to-end with WireGuard, and customer private keys never leave customer devices. Even our relay servers don’t have the keys needed to decrypt what they carry.

That isn’t a policy preference we can casually reverse. It’s how the product is built. Tailscale’s VPN is open source, so people don’t have to take our word for it: the code that handles encrypted connections is available to inspect. Taking extreme technical care about privacy is what makes Tailscale, a Canadian product, so loved by users worldwide.

Why metadata retention is a security problem

Bill C-22 risks turning data minimization from a security virtue into a compliance problem.

There’s a big difference between preserving data for a specific investigation and requiring providers to collect or retain data in bulk because it might be useful later. The first can be targeted and accountable. The second changes the design incentives for every service in scope.

Once a law requires a company to retain more metadata, the company has a new database. That database needs access controls, audit logs, backups, operators, retention systems, legal processes, and incident response plans. It becomes part of the attack surface. It becomes a temptation for theft or misuse.

The safest database is the one you never created.

This isn’t an abstract concern. Security systems are strongest when they collect less, expose less, and make sensitive access paths unnecessary. Laws that require the opposite create long-term risk. They may be intended for lawful use, but the systems they require add to the attack surface like any other system. They too must be protected from improper permissions, bugs, and attackers.

Tailscale complies with lawful, specific requests for data we...
