Canada cannot build digital sovereignty by making Canadian infrastructure less trustworthy.
That should be obvious.
A country that wants more domestic cloud capacity, more domestic software companies, more domestic AI infrastructure, and more control over its digital future needs people to trust the systems built here.
Bill C-22 exposes the tension underneath that ambition.
The government describes the bill in familiar language. Modernization. Public safety. Lawful access. Technical assistance. A better framework for police and intelligence agencies dealing with modern digital systems.
That language sounds procedural.
The technical implications are not.
A huge amount of ordinary digital life depends on strong encryption, even when we do not think about it.
It protects bank accounts, medical records, corporate backups, legal communications, journalists, source code, personal photos, authentication systems, business secrets, and ordinary messages between ordinary people.
A country that weakens confidence in encryption weakens everything built on top of it.
This is especially strange at a time when Canada keeps talking about digital sovereignty. The point of digital sovereignty is supposed to be that Canada can rely on infrastructure aligned with Canadian interests, Canadian law, and Canadian resilience. And these are legitimate goals.
But domestic capacity only matters if people believe the systems are safe to use.
A Canadian cloud provider does not become trustworthy merely because its servers are in Canada.
A Canadian messaging app does not become trustworthy merely because the company is Canadian.
A Canadian identity provider does not become trustworthy because the policy language says “sovereignty.”
Trust depends on architecture.
If a provider can be compelled to maintain access capabilities, redesign systems around interception, preserve more data than it otherwise would, or make private systems more legible to the state, then the infrastructure has changed.
It now has a legal attack surface.
And that matters.
Security people already understand technical attack surfaces. Open ports. Vulnerable dependencies. Misconfigured buckets. Exposed admin panels. Weak keys. Bad defaults.
Lawful access can create another kind.
A mandated access path may begin as a tool for authorized investigators. But once it exists, it becomes something other actors can target, pressure, abuse, expand, or leak.
There is no “good guys only” backdoor.
There is only a capability.
And once built, the capability becomes part of the system.
End-to-end encryption only works because the provider cannot read the message.
That is the whole point.
Signal cannot hand over a message it cannot see. WhatsApp cannot produce message contents it doesn’t possess. Strong device encryption works on the same basic principle. The security guarantee comes from the absence of provider access.
Once a legal framework requires providers to preserve some path for lawful access, the guarantee changes.
Maybe the change is direct. Maybe it is indirect. Maybe it appears through client-side scanning, key escrow, compelled updates, metadata retention, device access, administrative interfaces, or some other carefully lawyered mechanism.
The technical shape can vary.
The trust problem does not.
If users believe a system was designed so that someone else can get in, they will treat the system differently. So will companies. So will foreign customers. So will security researchers. So will adversaries.
This is where the sovereignty argument starts to collapse.
Because Canada wants people to trust Canadian infrastructure.
But trust cannot be ordered into existence through policy.
Imagine trying to sell a Canadian cloud platform to European customers after Canada develops a reputation for compelled interception. Imagine asking a privacy-conscious startup to host sensitive customer data here if Canadian law creates uncertainty around encryption. Imagine asking journalists, lawyers, engineers, or dissidents to trust a Canadian messaging service if the country’s lawful access framework is seen as hostile to strong privacy guarantees.
The problem isn’t solely domestic. Digital infrastructure is global by default. Reputation travels far and fast.
If Canada becomes known as a jurisdiction where secure systems may need to be redesigned for state access, that affects Canadian companies. It affects exports. It affects credibility. It weakens the argument that domestic digital capacity is safer or more sovereign.
A sovereign system people do not trust is not very sovereign.
Supporters of lawful access will say these powers are needed because criminals use encryption too. And that’s true. But criminals also use roads, phones, banks, and cash. That doesn’t mean every system should be redesigned around permanent state access.
Law enforcement has hard problems. I won’t deny that.
The question is whether the proposed solution damages the security properties everyone else depends on.
Encryption doesn’t only protect criminals from police. It protects Canadians from criminals. It protects Canadian companies from foreign espionage. It protects infrastructure from ransomware. It protects children’s photos, business records, private messages, backups, source code, credentials, medical files, and financial systems.
Weakening that foundation in the name of safety is a strange way to protect people.
This is the part government language tends to hide. “Technical assistance” sounds modest. “Lawful access” sounds procedural. “Modernization” sounds responsible.
But software doesn’t care about reassuring nouns.
A system either has a path for access or it does not. A provider either can comply or it cannot. Encryption is either designed so the service cannot read the data, or it is not.
The technical reality is far less flexible than the policy language.
Canada should be especially careful here because it is already structurally dependent on foreign digital infrastructure. Canadian businesses rely heavily on American cloud providers, platforms, app stores, identity systems, productivity software, and AI infrastructure.
If Canada wants more domestic alternatives, it needs a reason for people to choose them.
Trust would be one.
Strong privacy would be one.
A reputation for secure infrastructure would be one.
Clear limits on state access would be one.
Bill C-22 risks moving in the opposite direction.
It tells the market that Canadian digital infrastructure may come with obligations to remain accessible to the state. Even if those obligations are narrower than critics fear, the uncertainty itself becomes corrosive.
Security depends on clarity.
Ambiguity is expensive.
Engineers building secure systems need to know whether they are allowed to build systems the provider itself cannot access. Customers need to know whether their data can remain unreadable to the service. Foreign partners need to know whether Canadian infrastructure introduces legal exposure they would not face elsewhere.
If the answer is unclear, people route around the risk. That is how trust fails.
Not always through one dramatic scandal. Often through quiet procurement decisions, cautious lawyers, foreign customers choosing another region, security teams rejecting a vendor, engineers avoiding an architecture because compliance might later break it.
Sovereignty is not just where the servers sit.
It is whether the system can be trusted when pressure arrives.
A country serious about digital sovereignty should be strengthening encryption, not treating it as an obstacle to be worked around. It should be making Canadian infrastructure boringly trustworthy. It should create conditions where Canadian providers can say, clearly and credibly, that they cannot read customer data because the system was designed that way.
That should be a selling point.
Instead, Bill C-22 risks making trust conditional.
Strong encryption is not anti-Canadian.
It is one of the few things that makes Canadian digital infrastructure worth trusting in the first place.
A country cannot build sovereign digital infrastructure by making that infrastructure less trustworthy.