Blog | Insights | May 26, 2026

Canada’s Bill C-22 and the security cost of collecting more data


Tailscale was founded in Canada. We’re a Canadian company that serves users and customers all over the world.

That’s why we’re paying close attention to Bill C-22, Canada’s proposed Lawful Access Act, 2026. The bill is Canadian, but the issue is a global trend. Governments around the world are trying to update lawful access rules for the Internet era. Some of those efforts are reasonable. Some go too far, especially when they push companies to retain more data, build surveillance capabilities, or make secure systems easier to access by design.

Bill C-22 is part of that larger pattern. It would affect Canadian companies like Tailscale. It would affect any company serving people in Canada. More broadly, it affects the privacy and security expectations of everyone who relies on modern encrypted services.

Police and intelligence agencies need tools to investigate serious crimes. Sometimes that means asking service providers for records. When a request is specific, lawful, and authorized by a court, providers should respond with data they actually have.

Bill C-22 goes beyond that and the wording is worrying.

What Bill C-22 would change

The bill would create a lawful access framework for “electronic service providers.” That definition is broad. It covers services that create, store, process, transmit, receive, or make available digital information, including services provided to people in Canada or by companies doing business here. It might sound like that's just traditional phone companies or ISPs. But no: it's a large part of the modern Internet.

Under the bill, “core providers” could be required to develop, assess, test, and maintain technical capabilities for government access. They could also be required to install, use, operate, or maintain equipment that enables government access to information. The bill also allows regulations requiring retention of categories of metadata, including transmission data, for up to one year.

Governments worldwide have spent years pushing for lower data retention in the name of user privacy, starting with the GDPR. This kind of mandatory data retention is the exact opposite, giving tech companies a reason to maintain all kinds of personal information they shouldn't, in the name of compliance.

That should concern anyone who cares about security and privacy. At Tailscale, we’re concerned too.

What Tailscale’s VPN does and doesn’t collect

Tailscale’s VPN is not an anonymity service. We’re an identity-aware network for secure connectivity. We know the information needed to run our service: accounts, devices, the IP addresses those devices connect from, operating systems, connection state, and some basic connection information. That’s how NAT traversal, reliability, abuse prevention, and support work.

But there are important things the product doesn't do.

Tailscale's VPN doesn't inspect customer traffic. Nor does it log browsing activity, or public DNS queries, or the contents of communications. Traffic inside a tailnet is encrypted end-to-end with WireGuard, and customer private keys never leave customer devices. Even our relay servers don’t have the keys needed to decrypt what they carry.

That isn’t a policy preference we can casually reverse. It’s how the product is built. Tailscale’s VPN is open source, so people don’t have to take our word for it: the code that handles encrypted connections is available to inspect. Taking extreme technical care about privacy is what makes Tailscale, a Canadian product, so loved by users worldwide.
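To make the architectural point concrete, here is an added example in Go (it is not Tailscale's or WireGuard's code). Two peers derive a shared key from X25519 key pairs that never leave their devices, and a relay that has only public keys forwards the resulting packets and records nothing but routing metadata and a byte count. It deliberately simplifies: SHA-256 of the raw shared secret and AES-GCM stand in for WireGuard's Noise key schedule and ChaCha20-Poly1305, the `Relay` type is a sketch rather than a model of Tailscale's relays, and the names `Peer`, `Relay`, `RelayRecord` and the sample message are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer is a device on the network. Its X25519 private key is generated on the
// device and never leaves it; only the public key is shared with anyone else.
type Peer struct {
	priv *ecdh.PrivateKey
}

// NewPeer generates a fresh key pair locally.
func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// PublicKey is the only key material a peer hands out.
func (p *Peer) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// aeadFor derives a symmetric AEAD from the X25519 shared secret with remote.
// Assumption of this example: SHA-256 of the raw shared secret plus AES-GCM
// stands in for WireGuard's real key schedule and cipher. The point is only
// that the key exists solely on the two endpoints.
func (p *Peer) aeadFor(remote *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(remote)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for remote. Packet layout: nonce || ciphertext || tag.
func (p *Peer) Seal(remote *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := p.aeadFor(remote)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, nil), nil
}

// Open authenticates and decrypts a packet from remote. Anyone without the
// matching private key gets an authentication error, not garbage plaintext.
func (p *Peer) Open(remote *ecdh.PublicKey, packet []byte) ([]byte, error) {
	g, err := p.aeadFor(remote)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(packet) < ns {
		return nil, errors.New("packet too short")
	}
	return g.Open(nil, packet[:ns], packet[ns:], nil)
}

// RelayRecord is the minimal operational metadata a relay keeps per packet:
// enough to route and debug reachability, nothing about content.
type RelayRecord struct {
	From, To [32]byte
	Bytes    int
}

// Relay forwards packets between peers. It sees only public keys, so it can
// route and count bytes but holds nothing that decrypts the payload.
type Relay struct {
	Log []RelayRecord
}

// Forward records routing metadata and passes the opaque bytes through unchanged.
func (r *Relay) Forward(from, to *ecdh.PublicKey, packet []byte) []byte {
	var rec RelayRecord
	copy(rec.From[:], from.Bytes())
	copy(rec.To[:], to.Bytes())
	rec.Bytes = len(packet)
	r.Log = append(r.Log, rec)
	return packet
}

func main() {
	alice, _ := NewPeer()
	bob, _ := NewPeer()
	operator, _ := NewPeer() // a third key pair, e.g. the relay operator's own device
	relay := &Relay{}
	pkt, _ := alice.Seal(bob.PublicKey(), []byte("ssh session bytes")) // constructed sample
	wire := relay.Forward(alice.PublicKey(), bob.PublicKey(), pkt)
	got, err := bob.Open(alice.PublicKey(), wire)
	fmt.Printf("bob:      %q err=%v\n", got, err)
	_, err = operator.Open(alice.PublicKey(), wire)
	fmt.Printf("operator: err=%v\n", err)
	fmt.Printf("relay kept %d record(s) of %d bytes each, no plaintext\n", len(relay.Log), relay.Log[0].Bytes)
}
```

Run as-is, the intended recipient recovers the message, the operator's key yields an authentication failure, and the relay's only record is two public keys and a packet size. That record is also what a retention mandate could compel a relay like this to keep: a handful of routing facts, because the design gave it nothing else.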

Why metadata retention is a security problem

Bill C-22 risks turning data minimization from a security virtue into a compliance problem.

There’s a big difference between preserving data for a specific investigation and requiring providers to collect or retain data in bulk because it might be useful later. The first can be targeted and accountable. The second changes the design incentives for every service in scope.

Once a law requires a company to retain more metadata, the company now has a new database. That database needs access controls, audit logs, backups, operators, retention systems, legal processes, and incident response plans. It becomes part of the attack surface. It becomes a temptation for theft or misuse.

The safest database is the one you never created.

This isn’t an abstract concern. Security systems are strongest when they collect less, expose less, and make sensitive access paths unnecessary. Laws that require the opposite create long-term risk. They may be intended for lawful use, but the systems they require add to the attack surface like any other system. They too must be protected from improper permissions, bugs, and attackers.

Tailscale complies with lawful, specific requests for data we have. That’s not controversial. But we oppose laws that would pressure secure services to collect more data, retain more metadata, weaken encryption, or build access systems that create new targets.

How Bill C-22 should change

Canada should be a great place to build secure infrastructure that protects consumers. Bill C-22, as written, moves in the wrong direction.

The good news is that this is fixable. Parliament can preserve targeted lawful access for serious investigations without forcing secure services to collect more data, weaken their architecture, or create new places for attackers to aim.

At minimum, Bill C-22 should be amended to:

  • Remove any requirement to build access tools for hypothetical future lawful access requests. Lawful access should be tied to specific investigations, specific accounts, and specific legal authorization. The law should not require building surveillance tools to enable law enforcement access without a specific case need.
  • Remove or sharply limit broad metadata retention. Providers should not be required to collect or retain data they otherwise would not need. Preservation orders should be targeted, not speculative.
  • Narrow the scope. Secure software services should not be casually swept into rules designed for telecom infrastructure. The bill should be absolutely explicit about who is covered and why.
  • Protect encryption and secure architecture explicitly. Technical capability requirements should not impair security. The law should prohibit compelled weakening of encryption, key escrow, client-side spyware, or product changes that undermine security guarantees.
  • Allow transparency reporting. Providers should be able to disclose aggregate information about government requests, orders, and compliance obligations.
  • Protect vulnerability disclosure. No law should prevent a provider from disclosing, reporting, or fixing security vulnerabilities.
  • Add independent oversight and sunset clauses. Extraordinary powers should be reviewed by independent bodies and expire unless Parliament renews them after evidence-based review.

If you live in Canada and care about privacy, contact your Member of Parliament.

If you don’t live in Canada: the same debate is happening in many countries, with different bill numbers and slightly different wording. Our principle is the same: secure services should not be redesigned to make government surveillance easier.

Canada doesn’t need to choose between public safety and secure infrastructure. Companies can comply with lawful, specific requests without making everyone’s systems easier to attack. Canada can be the country that security and AI companies choose to build in, but only if our laws protect both security and rights.

Build guardrails for lawful investigations. Don’t build backdoors into infrastructure everyone depends on.

Author

Avery Pennarun