Windscribe pays a lot in taxes to Ottawa. The Toronto-based VPN provider built its business on a strict no-logs policy that has withstood court tests. Now that policy stands in direct conflict with proposed federal legislation. So the company says it will move its headquarters if the law passes unchanged.
Signal reached the same conclusion first. The encrypted messaging service, which prides itself on end-to-end encryption that even its own engineers cannot break, warned it would exit the Canadian market rather than weaken its core protections. Windscribe quickly echoed that stance. The two companies, though different in scale and focus, have drawn a sharp boundary.
At issue is Bill C-22, introduced in March 2026 and now under committee review. The legislation, formally titled the Lawful Access Act, would require telecoms, internet firms and other electronic service providers to retain user metadata for up to a year. It would also compel companies to make technical changes enabling police and intelligence agencies to access data more readily. The Globe and Mail first reported Signal’s position after Vice President of Strategy and Global Affairs Udbhav Tiwari spoke plainly.
“We would rather pull out of the country than be compelled to compromise on the privacy promises we have made to our users,” Tiwari said. He added that the bill could force the introduction of vulnerabilities. “Bill C-22 could potentially allow hackers to exploit these very vulnerabilities engineered into electronic systems, with private messaging services serving as an ideal target for foreign adversaries.”
End-to-end encryption, he noted, cannot coexist with exceptional access. Any route to it creates risk. Provisions that deliberately engineer weaknesses into systems like Signal represent a grave threat to privacy everywhere.
Windscribe’s reaction came via X. The company stated it would not lag far behind. “In its current state, VPNs would almost certainly require us to log identifying user data,” the post read. Then came the sharper language. “Signal isn’t headquartered in Canada so they can just shut off Canadian servers, but our HQ is. We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens. Not happening. We’ll move HQ and take our taxes elsewhere.”
The message landed with force. And it wasn’t alone.
Public Safety Minister Gary Anandasangaree has pushed back. He described the bill as encryption-neutral during a Commons committee hearing. A spokesperson later told reporters the government is not requiring companies to install surveillance capabilities. Assertions to the contrary are false, the spokesperson said. Yet Apple, Meta and the Canadian Chamber of Commerce have issued similar warnings. So have two chairs of U.S. congressional committees.
The Electronic Frontier Foundation called the measure a repackaged version of last year’s failed Bill C-2. That earlier proposal collapsed under privacy backlash. Bill C-22 keeps the core elements with only modest adjustments. It demands metadata retention for a full year. Metadata can reveal who communicates with whom, approximate locations and timing patterns even when message content stays hidden. The bill also grants the Minister of Public Safety authority to order companies to build access mechanisms. These orders come with a condition. They must not create a systemic vulnerability. The definitions of both systemic vulnerability and encryption remain vague enough to invite broad interpretation.
“Surveillance of encrypted communications is fundamentally a systemic vulnerability,” the EFF wrote in its analysis. “When you build these systems, hackers will come.” The organization highlighted risks of expanded information sharing with foreign governments, including the United States. EFF detailed how the legislation could conscript private companies into extended government surveillance roles with insufficient safeguards.
Meta’s head of public policy in Canada, Rachel Curran, testified before the committee. She warned the bill could require companies to break, weaken or circumvent encryption or zero-knowledge architectures. It might even force installation of government spyware directly on systems. Apple has taken a comparable position. The Canadian Chamber of Commerce raised concerns about weakened encryption and deterred investment.
Two U.S. House committee chairs sent a letter to Canadian officials in early May. They expressed worry that the bill would expand surveillance powers in ways that create cross-border risks to American security and data privacy. The letter highlighted potential compulsion of American companies to build backdoors. Such changes could introduce vulnerabilities exploitable by hackers, adversaries and cybercriminals. Paubox covered the letter and its implications for cybersecurity norms.
Windscribe brings a distinct perspective. Founded in Toronto in 2016, the company maintains a lean operation focused on practical privacy tools. Its no-logs policy faced a real test in 2025 when Greek authorities sought user data. Courts found nothing to hand over. The company had logged nothing. That outcome reinforced its public claims. Relocating headquarters would allow it to preserve that architecture outside Canadian legal reach. Shutting down local operations entirely remains an option but moving the HQ offers a cleaner separation.
Observers note this isn’t the first time Canada has tried such measures. Successive governments have returned to lawful access ideas over more than a decade. Each attempt met resistance. Previous versions stalled. Bill C-22 follows a familiar pattern yet arrives amid heightened global tension over encryption. The United Kingdom’s demands on Apple for access to encrypted iCloud data led the company to withdraw a security feature rather than comply. Signal itself once warned it would exit Sweden over comparable proposals. That threat contributed to long delays in the Swedish bill.
So the threats carry weight. Companies aren’t bluffing when they say compliance would destroy their product. For Signal, any mandated access mechanism would mean ceasing to offer the service users chose. For a VPN like Windscribe, mandatory logging of identifying data would erase the anonymity that defines its value. Users seeking to protect their traffic from surveillance or censorship would lose a trusted Canadian option.
Parliamentary committee hearings continue. Amendments remain possible. Yet the government’s responses so far suggest little appetite for major changes. Officials repeatedly insist critics misunderstand the bill. They point to its aim of updating outdated laws to combat modern crime and national security threats. Digital networks have evolved. Law enforcement tools have not kept pace, ministers argue.
But the pushback grows louder. Cybersecurity experts, human rights groups and now multiple technology providers line up against the current text. Michael Geist, a leading technology law professor, compared the government’s handling to its approach on the Online News Act. Dismissal of expert concerns, he wrote, follows a troubling playbook. His detailed critique appeared on his site and Substack just days ago. Michael Geist’s analysis traces how warnings from Signal, Apple, Meta, U.S. lawmakers and cybersecurity advisors have all been waved aside.
Canadians could face a practical outcome. Secure services might simply become unavailable. Or available only in weakened form. VPN users might turn to providers based elsewhere. Messaging apps that refuse to comply could disappear from Canadian app stores or servers. The bill’s broad language on electronic service providers leaves room for regulators to include many categories later. Messaging platforms, operating systems and apps could fall under future definitions.
Windscribe’s CEO Yegor Sak has spoken before about the company’s commitment. In past statements he made clear that if Canadian jurisdiction prevents upholding the privacy policy, the company will not remain based in Canada. The recent X posts align with that long-held view.
The situation carries irony. Canada positions itself as a defender of democratic values and digital rights on the world stage. Yet this legislation risks isolating the country in technology policy. Allies to the south already voice alarm over potential spillover effects. European debates on chat control and scanning proposals face similar criticism. The pattern repeats. Governments want visibility into encrypted channels. Providers say visibility cannot come without breaking the encryption that makes those channels safe.
TechRadar first connected the Windscribe response directly to Signal’s statement in coverage published today. The article noted the company’s Greek court validation and the logistical differences between the two firms. TechRadar reported that committee hearings began May 7 and the bill remains in review.
Whether lawmakers will heed the warnings or proceed with only cosmetic tweaks will shape the outcome. History suggests confrontation. Companies have shown they will follow through. Signal delayed features or limited availability in other jurisdictions rather than compromise. Apple litigated in the UK. Windscribe, with its headquarters on the line, now signals the same resolve.
The stakes extend beyond one country. Each backdoor created anywhere weakens security everywhere. Each metadata store becomes a target. The companies say they see no path to compliance that preserves their promises. So they prepare to leave. The Canadian government insists they are mistaken. The coming weeks in committee may decide which side holds.
But one fact already stands clear. Privacy-focused services will not quietly accept mandates that undermine their foundations. Windscribe and Signal have made that plain.
from WebProNews https://ift.tt/fkjzoml
