skippingrock
1 month ago · Occasional Contributor
1Password's stance on Canada's Lawful Access Bill C-22?
I'm sorry if this touches on a topic that bends to the political, but this is something that I don't think we as keepers of people's most important and sensitive information should be just standing ...
- 1 month ago
Hey skippingrock! We’ve seen the concerns about Canada’s Bill C-22 and appreciate the discussion. We also want to clarify how the bill relates to 1Password.
The short answer here is that based on how it’s currently written, Bill C-22 would not require 1Password to provide access to customer vault data. It is focused on subscriber information and metadata, not sensitive data such as passwords, vault contents, encryption keys, and emergency kits.
Bill C-22 also includes safeguards meant to prevent companies from being required to introduce systemic vulnerabilities or backdoors for officials to gain access to such sensitive information. Since 1Password is designed so that we cannot access your vault data in the first place, doing so would mean weakening our encryption.
We are continuing to monitor Bill C-22. If anything changes that would weaken customer privacy or security, we would challenge or appeal those requirements. Protecting your data by design is core to how 1Password works, and we won’t compromise on that.
sparksis
30 days ago · New Contributor
Is this the final word from 1Password? If so, I will be obligated to encourage my security department to consider the following scholarly remarks that directly contradict your assessment and put into question the ability of your team to assess state-level threats.
Apple Inc. stated plainly and in no uncertain terms:
This Bill Allows the Government of Canada to Force Companies to Break Encryption by Inserting Backdoors into their Products
Professor Michael Geist noted that while sections of the bill suggest providers don't have to comply if an order creates a "systemic vulnerability," sections 12 and 13 "make compliance unconditional and provide that orders prevail over inconsistent regulations". He argued this leaves the intended safeguards existing "in name only" because they are "largely cloaked in secrecy".
Citations
- Apple Inc. Testimony of Erik Neuenschwander, Standing Committee on Public Safety and National Security (SECU), House of Commons, 26 May 2026, https://www.ourcommons.ca/Committees/en/SECU.
- "Parliamentary consultation session." Meeting 37 of the House of Commons Standing Committee on Public Safety and National Security. 2026.
- Bill C-22: An Act respecting lawful access. First Reading, March 12, 2026, Forty-fifth Parliament. https://www.parl.ca/Content/Bills/451/Government/C-22/C-22_1/C-22_1.PDF.
skippingrock
25 days ago · Occasional Contributor
Yes, I would say that this is far from being "Solved".
My guess is that they don't want to take a public stance because it may cause a user base panic. I have shared my letter, which I sent to AgileBits' legal team and privacy officer, and their response, which pretty much mirrors this one, with Professor Geist; in his words he says:
"I don't agree with them. …"
He goes on to say that 1Password is pretty clearly an ESP (Electronic Service Provider) and the metadata requirement and who is included in that is defined by regulation that could be extended to 1Password without any parliamentary debate. He also says the vulnerability concerns are real.
Thankfully the government is starting to feel the pressure, even though they still deny the stance being taken by those companies that are entrusted with our privacy. I would have hoped that 1Password/AgileBits, a Canadian company who by their very nature hold a huge chunk of that private electronic data that we care about, would have been a strong voice for this as well.
1Password is one of the few apps that I allow continued access to data on my phone so that my sensitive information is kept up to date. With metadata, would my accessing of my account in various locations be part of that metadata? Who knows; the issue too is that we have no idea what metadata these ESPs have or could have.
More and more I'm wanting to have the ability to have local vaults again in 1Password.