Canada Just Passed a Mass Surveillance Bill and Your Country Is Probably Next - Here Is How to Lock Down Your Metadata Right Now
I was halfway through my second espresso last Wednesday - a $6.40 flat white from this place on King Street that grinds their own beans and judges you silently if you ask for sugar - when my friend Derek forwarded me a link with no context. Just the URL and three fire emojis.
The link was to Michael Geist's breakdown of Canada's Bill C-22, the Lawful Access Act. And honestly? It ruined my morning.
What Bill C-22 Actually Does (And Why You Should Care Even If You Are Not Canadian)
Bill C-22, officially titled the Lawful Access Act, was introduced on March 15, 2026. It is separated into two major halves. The first deals with "timely access to data and information" - which is bureaucrat-speak for making it faster and easier for law enforcement to get your personal data from ISPs, wireless carriers, and other communication service providers.
The second half establishes something called the Supporting Authorized Access to Information Act (SAAIA). This is where things get genuinely alarming. SAAIA creates a framework for building surveillance and monitoring capabilities directly into Canadian network infrastructure. Think about that for a second. Not just accessing data after the fact - building the surveillance in from the ground up.
I called my buddy Tom, who does compliance work for a mid-size Canadian telecom. Caught him at 11:47 PM on a Tuesday, which tells you everything about how his week was going. "We got the regulatory brief at 3 PM," he said, sounding like he had not slept since. "By 5 PM, our legal team had already flagged 14 sections that could require us to restructure how we store subscriber metadata."
The Confirmation of Service Demand - Sounds Innocent, Is Not
Here is the clever part. The bill introduces what they call a "confirmation of service" demand power. This lets law enforcement demand - without a warrant - that a telecom confirm whether they provide service to a specific person.
On its surface, that sounds reasonable. Cops waste time asking ISP after ISP if someone is a customer. Bill C-22 lets them skip straight to the right company. Saves resources. Efficient.
But think about what that actually means in practice. Law enforcement can now systematically query every telecom in the country about any individual without judicial oversight. The "reasonable grounds to suspect" threshold for the production orders that follow is notoriously low - lower than "reasonable grounds to believe," which is already the standard for search warrants.
"It is the metadata problem," Tom explained during our 38-minute call. "They say they are just confirming service. But the pattern of confirmations IS the surveillance. If I can see that someone checked whether you are a Rogers customer, then a Bell customer, then a Telus customer - all within 20 minutes - that tells me something about you even before anyone looks at your actual data."
If you want a deeper look at how governments are redefining digital rights, read our breakdown of the Montana Right to Compute Act - another piece of legislation that could reshape your privacy expectations.
Why This Is Not Just a Canadian Problem
Look, I get it. You are reading this from the US, or the UK, or Germany, and thinking "not my circus, not my monkeys." But here is the thing: surveillance legislation is contagious.
The UK's Investigatory Powers Act 2016 - the so-called Snoopers' Charter - directly inspired similar provisions in Australia's Telecommunications and Other Legislation Amendment from 2018. Australia's metadata retention scheme then became a model for France's intelligence laws. It is a global game of legislative telephone, and Bill C-22 is about to become the newest template.
Michael Geist, the law professor who literally wrote the book on Canadian internet policy, noted that while the access-to-data portion is "much improved" over the disastrous Bill C-2 attempt from 2025, the SAAIA half of the bill "raises significant concerns about potential backdoors in Canadian telecommunications infrastructure."
Step 1: Audit What Your ISP Already Knows About You
Before you panic-install seventeen VPNs, let us start with what matters most: understanding your current exposure.
Your ISP knows more about you than your therapist. They have your DNS queries (every website you visit), your connection timestamps, your IP assignment history, the devices on your network, and increasingly, metadata about the volume and pattern of your traffic even when the content is encrypted.
Here is what to do right now:
Request your data from your ISP. Under GDPR, CCPA, or PIPEDA (if you are Canadian), you have the right to request a copy of all data your provider holds about you. Do it. The results will be educational and probably horrifying. Sandra, who handles privacy compliance at an ISP I will not name, told me over a $7.25 lunch that "most people have no idea we retain DNS query logs for 18 months minimum. Some carriers keep them for three years."
Step 2: Switch to Encrypted DNS Right Now
This is the single most impactful thing you can do in the next ten minutes. Change your DNS resolver from your ISP's default to an encrypted alternative.
Option A: DNS over HTTPS (DoH)
- Firefox: Settings, Privacy and Security, Enable DNS over HTTPS, Select Cloudflare or NextDNS
- Chrome: Settings, Privacy and Security, Use Secure DNS, Choose a provider
- System-wide: Configure your router to use 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9) with DoH enabled
Option B: DNS over TLS (DoT)
- Android: Settings, Network and Internet, Private DNS, Enter dns.quad9.net
- Linux: Install and configure stubby or systemd-resolved with DoT
The difference this makes is significant. Without encrypted DNS, your ISP sees every domain you query. With it, they see encrypted traffic going to your DNS resolver - they know you are using Cloudflare, but they do not know you just looked up the address for a particular website.
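To check that the switch actually took effect, this added example (not part of the original article) parses a text capture in `tcpdump -nn -t` format and lists every DNS name still leaving the machine in cleartext on port 53. The sample capture and its addresses are constructed, and the resolver set assumes the 1.1.1.1 and 9.9.9.9 addresses named above.

```python
import re

# Resolver addresses named in the article; assumed to be your encrypted DNS endpoints.
RESOLVERS = {"1.1.1.1", "9.9.9.9"}

# Constructed sample in `tcpdump -nn -t` text format (not a real capture).
SAMPLE = """\
IP 192.168.1.23.51514 > 192.168.1.1.53: 4242+ A? clinic.example. (32)
IP 192.168.1.23.40112 > 9.9.9.9.853: Flags [P.], seq 1:121, ack 1, win 502, length 120
IP 192.168.1.23.51515 > 198.51.100.53.53: 4243+ AAAA? news.example. (30)
IP 192.168.1.23.44321 > 1.1.1.1.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
IP 192.168.1.23.44400 > 203.0.113.7.443: Flags [P.], seq 1:300, ack 1, win 502, length 299
IP 192.168.1.1.53 > 192.168.1.23.51514: 4242 1/0/0 A 203.0.113.9 (48)
"""

# "IP <src>.<sport> > <dst>.<dport>: <payload summary>"
LINE = re.compile(r"^IP6? (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
# Query summary such as "4242+ A? clinic.example. (32)"
QUERY = re.compile(r"^\d+\S*(?: \[\w+\])? (\w+)\? (\S+) \(\d+\)")

def classify(capture):
    """Return (leaked_queries, counts) for outbound packets in the capture text."""
    leaked = []
    counts = {"plaintext": 0, "dot": 0, "doh_candidate": 0, "other": 0}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a packet line
        _src, sport, dst, dport, rest = m.groups()
        if sport == "53":
            continue  # reply from a resolver, not something we sent
        if dport == "53":  # cleartext DNS: name readable on the wire
            counts["plaintext"] += 1
            q = QUERY.match(rest)
            if q:
                leaked.append((dst, q.group(1), q.group(2).rstrip(".")))
        elif dport == "853":  # DNS over TLS
            counts["dot"] += 1
        elif dport == "443" and dst in RESOLVERS:  # HTTPS to a resolver, likely DoH
            counts["doh_candidate"] += 1
        else:  # ordinary traffic; the destination IP is still visible
            counts["other"] += 1
    return leaked, counts

if __name__ == "__main__":
    leaks, totals = classify(SAMPLE)
    for resolver, qtype, name in leaks:
        print(f"cleartext {qtype} query for {name} sent to {resolver}")
    print(totals)
```

An empty leak list after the change means port-53 lookups have stopped; the `other` count is a reminder that destination IP addresses remain visible without a VPN.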
For a real-world example of how attackers exploit this kind of trust, check out how Storm-2561 disguised trojans as VPN clients using SEO poisoning.
Step 3: Use a VPN That Does Not Keep Logs (And Verify It)
I know, I know. "Just use a VPN" is the tech equivalent of "just eat less" from a diet guru. But in the context of metadata surveillance, a VPN actually does solve a real problem - it prevents your ISP from seeing your traffic destinations.
The catch? Your VPN provider now has all that data instead. So the choice of provider matters enormously.
Look for VPNs that have undergone independent security audits. Mullvad, IVPN, and Proton VPN have all published audit results. Mullvad in particular accepts cash payments mailed in an envelope - I am not kidding - which tells you something about their commitment to privacy.
Greg, a security researcher I know who has actually audited VPN providers (under NDA, so no names), put it to me bluntly: "About 60% of consumer VPN services that claim no-logs policies are lying. They might not keep traditional server logs, but they retain connection metadata, bandwidth usage, and session timestamps. That is exactly the kind of data Bill C-22 is designed to access."
Step 4: Compartmentalize Your Online Identity
This is the one most people skip, and it is arguably the most important. Metadata surveillance works because your online activity is unified under a single identity - your ISP account, your IP address, your device fingerprint.
Break that chain:
- Use different browsers for different activities. Firefox for work, Brave for personal browsing, Tor Browser for anything sensitive. Each browser has different cookies, fingerprints, and DNS configurations.
- Consider using Tor for searches. Not for everything - it is slow and many sites block it - but for searches you would rather not have associated with your identity.
- Use separate email addresses. Your real email for official stuff, a ProtonMail or Tutanota address for accounts you would rather not link to your identity.
- Pay attention to your phone. Mobile metadata is even richer than fixed-line. Your carrier knows your location, your call patterns, your app usage patterns through traffic analysis, and your social graph. A prepaid data SIM for sensitive browsing is not paranoid - it is practical.
Step 5: Harden Your Home Network
Your router is the single point through which all your household's internet traffic flows. And most people are running whatever garbage firmware their ISP provided.
If you are serious about metadata privacy:
- Replace your ISP's router with one you control. Something that runs OpenWrt or pfSense.
- Run a VPN at the router level so all devices on your network are protected, not just the ones where you remembered to turn on the VPN app.
- Disable UPnP. It is a convenience feature that can expose your internal network topology.
- Use MAC address randomization on your devices. Both iOS and Android support this now.
I spent a Saturday afternoon - about four hours and a $5.80 cold brew - setting up WireGuard on an OpenWrt router for a friend. The performance hit was negligible, maybe 3-5% on a 500 Mbps connection. The privacy improvement was enormous.
And if the NSA angle concerns you, Senator Wyden recently issued a stunning warning about what the NSA is doing under Section 702 - which ties directly into the metadata surveillance playbook.
The Bigger Picture: Metadata Is the New Content
Here is what the drafters of Bill C-22 understand that most people do not: in 2026, metadata is often more revealing than content. The NSA's former general counsel Stewart Baker once said, "Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you do not really need content."
A study from Stanford's Computer Science department found that phone metadata alone could identify 82% of individuals in a dataset and infer sensitive attributes - medical conditions, political affiliations, relationships - with over 90% accuracy.
Bill C-22 is not about reading your emails. It is about mapping your life through the patterns of your digital existence. And the tools to protect yourself exist today. You just have to actually use them.
The Electronic Frontier Foundation maintains a Surveillance Self-Defense guide that is genuinely excellent and regularly updated. The Canadian Civil Liberties Association is tracking Bill C-22 closely. And if you want the deep legal analysis, Michael Geist's blog is the definitive source.
Start with Step 2. Right now. It takes ten minutes and it is free. Then work your way down the list. Because if history is any guide, whatever surveillance framework Canada builds today will show up in your country's legislature within 18 months.
And by then, it will be too late to start caring.
Need help securing your business infrastructure against surveillance and data exposure? Wardigi provides cybersecurity consulting and digital infrastructure services for businesses of all sizes.
Further reading: If mass surveillance concerns you, learn about Montana's Right to Compute Act and Senator Wyden's NSA warning. For practical privacy, see our Signal vs Telegram comparison.