OTTAWA — The Liberal government’s sweeping border-security bill will make Canadian companies build in ways for police to tap into their customers’ internet traffic, damaging the firms’ competitiveness in places that value privacy more highly, cybersecurity leaders warn.
More than that, it could harm Canada’s attractiveness as a place to start or expand businesses that rely on tight security.
“We’re probably not their first choice most of the time. Giving people more incentive to not start that business in Canada doesn’t seem like a good choice,” said Avery Pennarun, chief executive and co-founder of Tailscale. The Toronto-headquartered company—a unicorn that raised $230 million in a Series C investment round in the spring—sells virtual private network (VPN) tools for corporate clients. Pennarun co-founded it after a long stint with Google in the United States.
“This would hurt Canada’s competitiveness because we would be less trustworthy in the eyes of our customers. It actually discourages innovation in Canada,” said Ian Paterson, CEO of Vancouver cybersecurity company Plurilock.
Talking Points
- The federal Liberals’ omnibus border-security bill includes a new law letting the government order any electronic service provider to install digital taps on its traffic for police and security investigators
- Cybersecurity experts say that would imperil Canadian companies’ security, and their ability to compete for business elsewhere
The proposed law, called Bill C-2, will be back on Parliament’s agenda when it reconvenes this month. The bill follows through on several measures the government under Justin Trudeau promised the U.S. last year in hopes of averting tariffs that were purportedly to punish Canada over cross-border smuggling and crime. The tariffs came into effect last month anyway.
Civil-liberties advocates have focused most of their attention on Part 14 of Bill C-2, which would let police and security agencies get access to basic user information, without warrants, from any company that serves the public. That includes not only internet providers, but potentially any firm that deals with customers electronically or keeps electronic records.
The section’s critics warn that such details could let investigators learn a great deal more about a person’s life and activities, all without a judge’s oversight.
Bill C-2’s Part 15, though, is about monitoring people’s digital dealings in detail. The authorities would still need warrants for it, but to make such monitoring easier, Part 15 creates a whole new law, the Supporting Authorized Access to Information Act, that says the government can require providers of electronic services to put “any device, equipment or other thing” into their systems so law enforcement can easily tap them.
“If you require an organization to build in a back door, it will be misused both by what we call insider threats as well as weaponized by foreign actors,” said Paterson.
Public Safety Minister Gary Anandasangaree is the bill’s sponsor; his department objects to the term “back door.”
A back door is “an undocumented, private, or less-detectable way of gaining remote access to a computer, bypassing authentication measures, and obtaining access to plaintext,” spokesperson Max Watson wrote in an email in response to questions from The Logic. That’s one definition from the Canadian Centre for Cyber Security.
Instead, Bill C-2 would “require select electronic service providers to explicitly build capabilities in their systems to enable law enforcement agencies and the Canadian Security Intelligence Service to effectively receive information and data they are legally authorized to obtain (for example, pursuant to a warrant, or other lawful authority),” Watson wrote. Which, in the government’s view, is not a back door.
Terminology aside, “special devices from the government are just absolutely going to have security holes in them,” said Pennarun. “There’s no chance that they’re going to do it right, because they have no incentive to do it right, because it’s not their business at stake.”
One provision in the law says the government couldn’t make providers “introduce a systemic vulnerability in electronic protections related to that service.” That is, the authorities couldn’t force them to install devices or software known to be dangerously buggy or insecure. But that safeguard only covers flaws the provider already knows about, and bad actors don’t advertise the ones they find.
Pennarun and Paterson each pointed to a catastrophic hack of U.S. telecom providers revealed last fall. A Chinese hacking group nicknamed Salt Typhoon had broken into numerous companies, including big-name firms like Verizon and AT&T, as long ago as 2022. One of Salt Typhoon’s paths into those networks was infrastructure that U.S. authorities use to tap telecom traffic, which telecom operators are required to provide under a 1994 law called the Communications Assistance for Law Enforcement Act.
The same hacking group compromised a Canadian telecom company in February, according to the Canadian Centre for Cyber Security, which did not name the company.
Public Safety Minister Gary Anandasangaree is the sponsor of Bill C-2; his department rejects suggestions that it could harm Canadian business. Photo: Nur Photo via Getty Images/Artur Widak
As great a change as the act represents, Watson said Canada is unusual in not having a law requiring companies to let police and national security forces into their systems, meaning Canadian authorities “are operating under a legal framework that has not kept pace with technological change.”
The government isn’t worried about any harms to Canadian business, he added.
“Canada is the only country among the G7, Europe, and the Five Eyes that does not have lawful access technical capability legislation. As such, there should be no impact on the ability of Canadian enterprises seeking to do business in other jurisdictions,” he wrote.
Other jurisdictions do indeed have laws on this general subject, though they don’t necessarily allow what Bill C-2 would. The European Union, for instance, is debating what to do about the fact that, despite such laws, its member states cannot get at the contents of many popular messaging apps, and that security built into wireless protocols makes lawful interception of mobile communications generally difficult.
The EU has a policy roadmap—a plan to come up with plans—that emphasizes caution with new technological ways of intercepting data. “Lawful access to data must remain targeted and limited to specific communications on a case-by-case basis,” that document says.
Cybersecurity risks need to be considered alongside the limits Canadian authorities struggle with, said Charles Finlay, a lawyer and director of the Rogers Cybersecurity Catalyst at Toronto Metropolitan University.
“Our security adversaries, our criminal adversaries, are exceptionally well-resourced,” Finlay said. “They are highly motivated, they are very innovative, they are determined and they are overwhelmingly successful.”
Finlay acknowledged the risks of building access methods into key communication networks— “I think [adversaries] will identify back doors that are created in technology, even for legitimate purposes”—but that’s only part of the picture.
“Our security services in Canada are badly under-resourced,” he said. “Not just from a personnel or technology perspective, but from a statutory perspective.” And unlike in the United States these days, Canadian law enforcement operates largely independently from political control, he added.
The parts of Bill C-2 with privacy and cybersecurity implications should nevertheless get hard looks from MPs, Finlay said. “This is a very broadly written statute” that would give police and security agencies significant new powers that perhaps should be curtailed, he said.
Pennarun said he sympathizes with police’s need to get data to catch criminals, but the Canadian government’s approach, though it’s billed as a modernization, is actually archaic—a digital version of physical wiretapping to listen in on phone calls.
A law could instead require providers to make copies of possible evidence rather than forcing them to install government-mandated technology, he said.
“In the modern world, the idea that the government has a device that you can insert into your digital system that can do a better job of capturing digital data and sending it to you than the provider can is kind of nonsense,” he said.
He’s especially affronted by provisions in the law forbidding providers from revealing that they’ve installed taps.
Certain “core providers”—likely starting with telecom companies but not necessarily limited to them, according to Public Safety’s Watson—could be subject to standing tapping obligations, and those providers would be named in public regulations. Other companies, if they’re ordered to install taps temporarily, wouldn’t be able to say so.
The prohibition extends to discussing vulnerabilities they’ve found in the government’s tapping systems.
(The Canadian Telecommunications Association, which represents Bell and Rogers and several other telecom companies, is still studying the legislation and has no views yet on its implications for the group’s members, senior vice-president Eric Smith wrote in a statement to The Logic.)
Though it’s based in Canada, Paterson’s company Plurilock does the bulk of its business in the United States, and it works in India as well.
“We should think hard about how to align our values, particularly around privacy and data security, with the markets that we want to go to,” he said.