The Dangerous Truth Ottawa Doesn’t Want You to Know: Canada’s Hidden Surveillance Takeover
TekhnocyteJune 20, 20269 Mins read 
Four federal bills. Each one sounds reasonable. Together they’re something else entirely.
Signal | tekhnocyte.com
The Short Version The federal government has quietly introduced four bills that, on their own, each sound defensible. Bill C-8 secures critical infrastructure. Bill C-22 modernizes law enforcement access. Bill C-34 protects kids online. Bill C-36 strengthens privacy oversight. Read them together and a different picture emerges: mandatory logging of every Canadian’s communications metadata, government-mandated backdoors into encrypted apps, forced identity verification to use social media, and a single cabinet-appointed commission to oversee all of it. No one bill does everything. That’s the point. This is what a surveillance state looks like when it’s assembled piece by piece rather than announced all at once.
Most Canadians caught one headline out of Ottawa this month: kids under 16 are getting banned from social media. Maybe you shrugged. Maybe you agreed with it. Either way, you probably moved on.
That’s exactly what the government is counting on.
That headline is one tile in a much larger mosaic. When you step back and look at all four pieces together, it forms something that should make every Canadian uncomfortable regardless of where they sit politically. Over the past twelve months, the federal government has introduced four pieces of legislation that individually sound reasonable enough. Together, however, they construct the most comprehensive digital surveillance infrastructure Canada has ever attempted.
Before we go any further, let’s be clear about where this analysis comes from, because the “misinformation” label gets thrown early and often when anyone raises these concerns.
The Sources Behind This Analysis
The critics cited throughout this piece aren’t conservative commentators or conspiracy blogs. The Electronic Frontier Foundation is a decades-old digital rights organization that has fought government surveillance and corporate overreach with equal aggression across Republican and Democrat administrations alike.
Professor Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa. He testified before Parliament’s own Standing Committee on Public Safety and National Security and has been pushing back on surveillance legislation regardless of which party introduced it.
Citizen Lab, based at the University of Toronto’s Munk School, conducts peer-reviewed academic research tracking state surveillance globally and has documented abuses by governments across the political spectrum. The Canadian Civil Liberties Association, meanwhile, has been defending Charter rights since 1964.
These people have no partisan agenda. They’re raising alarms because the legislation raises alarms.
So here’s what’s actually being built.
Bill C-8: The Pipes
Introduced June 2025 | Passed 2026
Bill C-8, formally the Critical Cyber Systems Protection Act, sounds like exactly what you want government doing: protecting banks, energy grids, and telecom networks from cyberattacks. On the surface that’s a fair description. The bill amends the Telecommunications Act and creates mandatory cybersecurity obligations for operators of Canada’s essential services.
The part that got less attention is that organizations subject to this bill must comply with confidential cybersecurity directions issued by the federal government, and must maintain all cybersecurity records in Canada in a prescribed manner and location.
Confidential directions. No public disclosure, no parliamentary oversight of the specific orders, no sunlight. The government now has a legal mechanism to issue secret instructions to the companies that run Canada’s telecom infrastructure. That’s not a conspiracy theory; it’s in the text of the bill.
Think of C-8 as the plumbing. It doesn’t surveill you directly. Instead, it gives the government control of the pipes.
Bill C-22: The Wiretap
Introduced March 12, 2026 | Currently in committee
This is the centrepiece, and it’s moving fast. Formally titled the Lawful Access Act, Bill C-22 has two parts, and the government has been hoping you only notice the first one.
Part 1 makes some genuine improvements over earlier attempts. For instance, access to subscriber information now requires judicial oversight rather than warrantless demands. The government has been pointing to this loudly.
Part 2 is where things go sideways.
The Metadata Problem
Buried in the second half of the bill is a mandatory metadata retention regime. Under this provision, every telecom provider, messaging app, email service, and cloud platform operating in Canada must record and retain metadata on all their users for up to one year. Not suspected criminals. All users. No individualized suspicion required.
What’s metadata? It’s who you communicated with, when, from where, for how long, and on what device. Professor Geist testified before Parliament’s Public Safety committee in May 2026 and described what that looks like at scale: on a mobile network, metadata includes every cell tower your phone connects to, and when.
Retained across an entire population for a year, that data becomes what he called “a comprehensive surveillance map of virtually every Canadian” — covering where they go, who they talk to, and what their daily life looks like — with no requirement that any of those people be suspected of anything.
The European Union already tried this model. As a result, the Court of Justice of the European Union struck down the EU’s Data Retention Directive, ruling that general and indiscriminate retention of every user’s telecommunications metadata was a disproportionate interference with the fundamental right to privacy. Germany’s Federal Constitutional Court reached the same conclusion. Nevertheless, Canada’s Bill C-22 builds the exact blanket model those courts rejected.
The Backdoor Problem
Then there’s the backdoor mechanism. The bill gives the Minister of Public Safety the power to demand that any email provider, messaging app, cloud service, or social media platform introduce a backdoor surveillance capability into their systems. The government’s safeguard language says these backdoors can’t introduce a “systemic vulnerability,” a phrase that security experts have pointed out is technically incoherent. A backdoor is a systemic vulnerability by definition.
The government’s public line has been that this only affects criminals and that law-abiding Canadians have nothing to worry about. Then the RCMP appeared before the same committee and clarified the actual intent: law enforcement wants this bill specifically because it would provide access to encrypted communications. The Minister of Public Safety separately claimed Canada was simply trying to match U.S. metadata retention laws. There are no such U.S. laws. He made it up.
Signal has said it will leave Canada rather than comply. Apple, DuckDuckGo, and others have additionally raised formal objections. The U.S. House Judiciary Committee wrote to express concern, and the Canadian Chamber of Commerce opposes it as well. In fact, opposition to this bill spans left, right, tech industry, civil liberties organizations, and foreign governments. That breadth of opposition is worth sitting with for a moment.
Bill C-34: The ID Check
Introduced June 10, 2026
Here’s the one that made the news: the Safe Social Media Act. Ban kids under 16 from social media. Protect the children. Hard to argue with, right?
Here’s what the headlines missed. To ban under-16s, you have to verify the age of everyone.
That’s not a side effect or an unintended consequence. That’s just how age-gating works. You cannot identify a fifteen-year-old without also establishing that everyone else is not a fifteen-year-old. In practice, enforcing an under-16 restriction means platforms must identify who is over 16 as well, which creates an age-verification requirement for all users.
The practical result is that sometime between late 2026 and mid-2027, every Canadian who logs into Instagram, TikTok, X, Snapchat, Facebook, YouTube, Reddit, or Discord will be asked to prove how old they are.
A New Regulator With Broad Powers
The bill also creates the Digital Safety Commission of Canada, a new federal regulatory body empowered to set age-verification standards, require platforms to implement “adequate” age-verification or age-estimation measures, and enforce compliance with financial penalties up to three percent of global revenue. Notably, what counts as adequate is left largely for the Commission to define.
Age estimation is one of the accepted methods. That means scanning your face, or algorithmically profiling your posts, messages, and contacts to infer your age from your behaviour. As Geist noted, that approach isn’t really age estimation. It’s surveillance dressed up as child protection.
Bill C-36: The Super-Regulator
Introduced June 16, 2026
Bill C-36 is the stitching that holds all of this together. It takes the Digital Safety Commission created by C-34 and dramatically expands its mandate, renaming it the Digital Safety and Data Protection Commission of Canada and handing it jurisdiction over private-sector privacy enforcement as well.
The result is a single body of five individuals, appointed by the Governor in Council (meaning appointed by cabinet), responsible for regulating online speech and content moderation across Canada’s largest platforms, setting age-verification standards, overseeing how every organization in Canada handles personal information, and conducting investigations, audits, and formal adjudications.
Five unelected appointees. One commission. Total jurisdiction over what you say online and how your data gets handled.
How Canada Compares
Every comparable democracy keeps these functions separate. The EU, for example, maintains distinct bodies for data protection and online content. Similarly, the UK keeps the Information Commissioner’s Office and Ofcom as separate regulators. Australia also splits privacy oversight from online safety between two different commissioners. Canada, by contrast, is consolidating everything into one cabinet-appointed body, which means one minister, and ultimately one Prime Minister, with their hand on the dial.
What This Looks Like Assembled
None of these bills individually is a digital ID law. There’s no bill called the Digital ID Act. There doesn’t need to be.
C-8 gives the government confidential control over Canada’s telecom infrastructure. C-22 then requires that infrastructure to log every Canadian’s communications metadata for a year and lets the government demand backdoor access to any digital service. C-34 requires every Canadian to prove their identity to use social media, creating the data collection trigger point. Finally, C-36 consolidates enforcement of all of it into a single cabinet-appointed commission.
The grid doesn’t need a name. It just needs to be built.
The Cross-Border Dimension
There’s one more angle worth considering: where does this data actually go? Under C-22’s expanded information-sharing provisions, cross-border data sharing with U.S. law enforcement becomes significantly more integrated. Under the CLOUD Act, U.S. authorities can request data held by American companies operating in Canada. As a result, more integrated data sharing between Canadian and U.S. police could eliminate whatever meaningful digital autonomy Canadians still have, with little practical shield even if the data were stored by a Canadian company on Canadian soil.
Whatever you think of the current U.S. administration, handing that access infrastructure to any foreign government is a one-way door.
Why Should I Care? I Have Nothing to Hide
That’s the response the government is counting on. It’s also the response that has enabled every surveillance state in modern history, and it deserves a real answer.
The “nothing to hide” argument sounds reasonable on the surface. If you’re not doing anything wrong, what does it matter if the government can see your metadata, verify your identity, or access your communications through a backdoor? The problem is that this framing assumes two things that simply aren’t true: that the definition of “wrong” never changes, and that the people holding the keys will always use them responsibly.
The Definition of “Wrong” Shifts
What counts as suspicious, subversive, or criminal is not a fixed point. It shifts with whoever is in power and whatever the political climate demands. We already know from documented disclosures that CSIS conducted intensive surveillance of Indigenous rights organizations in Canada. Not criminals. People exercising Charter rights. If you’d asked those people a decade ago whether they had anything to hide, they would have said no. The infrastructure didn’t care.
A metadata record of your location, communications, and daily movements doesn’t just capture what you’re doing right now. It also captures who you are as a pattern over time. Moreover, that pattern can be interpreted, reinterpreted, and handed to foreign law enforcement agencies whose standards and politics you have no control over. The data collected under innocent circumstances today doesn’t expire when the political situation changes tomorrow.
Backdoors Don’t Have Good-Guy Filters
Then there’s the backdoor problem, which has nothing to do with government intent at all. When you mandate that a door exist in a system, that door exists for everyone who finds it, not just the people who commissioned it. Security researchers have stated this clearly and repeatedly: there is no such thing as a backdoor that only the good guys can use. Indeed, the history of government-mandated backdoors is a history of those backdoors being discovered and exploited by exactly the kind of actors the government claims to be protecting you from.
Privacy Isn’t About Hiding
Consider the more personal version of the argument. Think about how you close the bathroom door even though you’re not doing anything illegal in there. Most people don’t hand their bank statements to strangers even though there’s nothing criminal on them. Privacy isn’t about hiding wrongdoing. It’s about having a space that belongs to you, where you are not observed, logged, and filed. That space is increasingly rare, and these four bills are designed to eliminate what’s left of it.
This Isn’t Just About Today’s Government
The “nothing to hide” response also assumes that you trust every future government with the same infrastructure the current one is building. You might trust Mark Carney, or you might not. Regardless, the surveillance architecture under construction right now doesn’t come with a sunset clause. It will pass to whoever comes next, and to the government after that. Ultimately, you’re not just deciding whether you trust today’s Public Safety Minister with a backdoor into your messaging app. You’re deciding whether you trust every Public Safety Minister for the foreseeable future with that access, including ones nobody has voted for yet.
That’s what’s actually on the table.
What You Can Do Right Now
Bill C-22 is still in committee and has not passed. Contact your MP. OpenMedia has a tool that makes it simple: openmedia.org.
Beyond that, start thinking about your communications infrastructure now. If Signal leaves Canada, what’s your plan? If your VPN provider receives a ministerial direction, do you know where they’re headquartered and what their jurisdiction means for compliance? These aren’t paranoid questions. They’re the questions Signal, Apple, and DuckDuckGo are already asking on your behalf.
Additionally, read the source material. Michael Geist’s blog at michaelgeist.ca has detailed, legally grounded analysis of all four bills. The EFF’s coverage is at eff.org. These aren’t op-eds; they’re line-by-line readings of actual legislation.
The grid isn’t finished yet. Nevertheless, it’s being built in plain sight, one bill at a time, each one announced with a press release about protecting you.
Further reading:
- The Lawful Access Two-Headed Surveillance Monster — Michael Geist
- Canada Is Forging Ahead With Its Dangerous Surveillance Bill — EFF
- Bill C-34: Canada’s New Law Wants Your ID or Your Face to Use Social Media — Reclaim the Net
- Canada’s Digital Super-Regulator — Michael Geist
tekhnocyte.com | Signal
Leave a comment