The Ghost in Your Group Chat: Inside Parliament’s Fight Over Encrypted Messages
Inside the political battle over online safety bills, encryption backdoors, and your right to private messaging.
A government could order a messaging app to add a silent, invisible member to a private group chat. Not a hacker. Not a glitch. A built-in feature, mandated by law, that lets someone read messages no one in the conversation agreed to share. That is the scenario civil liberties groups and tech companies described to the Standing Committee on Public Safety on June 2, 2026, as MPs examined Bill C-22, the lawful access legislation working its way through the 45th Parliament.
The bill’s defenders say it closes a real gap. Police and the government argue C-22 is needed for timely access to evidence in investigations involving child exploitation and terrorism, areas where digital trails currently go cold while officers wait on outdated processes. But the witnesses who testified that day, representing Signal, OpenMedia, the Canadian Bar Association and the Canadian Constitution Foundation, told the committee that the bill’s reach goes well beyond closing gaps. They argued Part 2 of the legislation builds something Canada has never had before: a surveillance architecture baked directly into the country’s communication infrastructure.
“There Is No Backdoor That Only the Good Guys Can Walk Through”
The encryption fight is where the testimony turned sharpest. Witnesses told the committee that Bill C-22 could pressure tech companies to weaken end-to-end encryption or build what amounts to a backdoor, a hidden access point a third party could use to read messages meant to stay private. The example raised in committee was specific: silently adding a ghost participant to an encrypted group chat, an invisible listener no one in the conversation could see or consent to.
Udbhav Tiwari, testifying on behalf of Signal, rejected the premise that such an opening could ever be limited to authorized use.
“There is no backdoor that only the good guys can walk through,” he told the committee.
He went further in remarks the committee heard the same day, framing the issue as a matter of mathematics rather than policy intent: a back door built for the good guys, he said, is simply a vulnerability waiting for the bad guys to find. Mathematics, he argued, does not care about executive intent.
That is not a rhetorical position for Signal. The company has indicated it would exit the Canadian market entirely rather than compromise the architecture of its encryption protocol, the same protocol it offers in jurisdictions around the world without per-country modification. For a platform that positions end-to-end encryption as a non-negotiable design principle, the choice the committee’s questioning posed, in the witnesses’ framing, was stark: weaken the protocol for one country’s law enforcement access, or leave that country’s market rather than create the precedent.
The “Filing Cabinet” Problem
Encryption was not the only flashpoint. A second major thread of testimony centered on metadata retention, the requirement that service providers hold onto information for up to a year even when no investigation is underway. Opponents told the committee that retaining what they called “biographical core” metadata at that scale amounts to a Charter violation, specifically of Section 8, which protects against unreasonable search and seizure.
Matthew Hatfield, testifying on the metadata provisions, offered the committee an image meant to capture what mandatory retention actually does.
“Democracies do not keep a filing cabinet of every citizen’s sensitive information in case it’s useful to spies or police,” he said.
The distinction Hatfield and other witnesses drew was between targeted retention, where data is held because of a specific, justified investigation, and blanket retention, where everyone’s information sits on file by default in case it becomes useful later. It is that second model, witnesses argued, that the bill builds into law.
These characterizations of Bill C-22’s effects, including the surveillance architecture framing and the Charter violation claim, were presented to the committee as the position of the testifying organizations. They are witness allegations about the bill’s likely effects, not findings the committee itself has made.
A Bill Already Reshaped Once
This is not the first time Bill C-22 has been pulled apart in public. The legislation began life folded into the larger Strong Borders Act before the government split it, separating the immigration provisions into their own bill and narrowing C-22’s warrantless access powers to a basic question: can police confirm whether someone is a subscriber to a given service, without a warrant. That narrower framing was meant to address the most acute warrantless-search objections raised against the bill’s predecessor.
The June 2 committee testimony suggests that narrowing did not resolve the underlying tension. The witnesses who appeared that day were not relitigating the warrantless subscriber-confirmation question. They were focused on what remains in Part 2: the metadata retention requirements and the technical capability mandates that could compel companies to build, or enable, the kind of access Tiwari described as mathematically impossible to contain.
Parliament has heard versions of this argument before, from different witnesses, in different rooms, about different bills carrying the same basic shape. What the June 2 hearing added was specificity, an exact technical scenario (the ghost participant), an exact company willing to say publicly it would leave the country rather than comply, and an exact phrase, the filing cabinet, for what blanket metadata retention means in practice. The committee’s work on Bill C-22 continues. Whether Parliament narrows Part 2 further, the way it narrowed the warrantless access provisions before it, is now the question sitting in front of MPs who heard, in plain terms, what the people building the technology say happens if it does not.
Hansard Files spends weeks in the committee record so you don’t have to. If stories like this matter to you, subscribe to keep this work independent.
Related Hansard Files Articles
Source Documents
Standing Committee on Public Safety. (2026, June 2). Evidence, SECUEV40. House of Commons of Canada.
There is no backdoor that bad actors cannot find. Computer games (and consoles) all have cheat codes meant for use by developers. How long does it take for them to become public? Microsoft products have complex license codes that can be generated by software. Operating systems have gaps in them that allow bad actors to insert unwanted code into them to steal information. Why would anyone think that this could not happen to private messaging applications? Why would you think that "lawful" access would not also become "unlawful" access? That the threat of legal action would stop anyone who was willing to break this code from doing so?