May 11, 2026
Solved

1Password's stance on Canada's Lawful Access Bill C-22?

  • May 11, 2026
  • 3 replies
  • 460 views

I'm sorry if this touches on a topic that bends to the political, but this is something that I don't think we, as keepers of people's most important and sensitive information, should be just standing by and not getting into the discussion before it is too late.

As a Canadian, and with 1Password being a Canadian-based "Electronic Service Provider" based on the law's very loose definition of what an ESP is, I have very grave concerns that, just like Apple and Meta, the data that is contained within 1Password could be subject to this "unlawful" bill. Even my own company, as small as it may be, is caught up in the legal definition of an ESP.

  • There is no scope on what an ESP is and what the government has defined and what their level of Systemic Vulnerability will be.
    • 1Password in its current wording is caught up in this definition
    • The powers can be extended through regulations and minimal future debate
  • No Guardrails
    • Secret ministerial orders requiring system modifications or re-engineering that could be demanded of 1Password with a gag order 
    • No mandatory oversight
    • Limited ability for 1Password to challenge orders or redefine vulnerabilities 
  • Extensive real-time access & retention
    • 1Password would have to build (at its expense) the capability to intercept, decrypt & hand over data
    • Access to metadata and geolocation, in real time and stored for retroactive access, for all users for up to one year (with talk from law enforcement of wanting this to be even longer in the future).

Basically, this erodes privacy and security, weakens encryption and creates a permanent surveillance state power, and, because of the conflicting sections of the Bill, the "so-called" protections can be overridden by a secret request. 1Password won't be allowed to ever tell us that it had to do any of this for the government, law enforcement, or the Canadian security (spy) agencies.

Now I hear that, because of the growing pushback on this bill, the debate on this bill is now going to be limited to 3 days, with a goal of having this law by the end of the month. Has your legal team been studying this bill? What is the 1Password stance on this invasive bill, when even Apple, Meta and US Congress are voicing their concerns about this bill in its current form? If both Apple and Meta, with huge legal and resources, are concerned that this could force them to weaken encryption, how is 1Password, a Canadian company, going to be able to ethically stand its ground against weakened privacy, security and increased enduring real-time surveillance?

I remain unconvinced that all the data and access that we all store within 1Password would not be a prime target for access requests. All we have is a verbal promise that the government would never make these kinds of requests. If not now, as Michael Geist says, in the setting ready and waiting for a "Turnkey Totalitarianism"?

I think this warrants a response and a position from 1Password before the company no longer has the legal right to do so, don't you? 

https://www.michaelgeist.ca/2026/05/wilful-blindness-how-the-lawful-access-charter-statement-skips-bill-c-22s-most-constitutionally-vulnerable-provisions/ 

https://openmedia.org/press/item/civil-society-to-parliament-kill-bill-c-22 

1P_Blake (Answer)
Community Manager
May 15, 2026

Hey @skippingrock! We’ve seen the concerns about Canada’s Bill C-22 and appreciate the discussion. We also want to clarify how the bill relates to 1Password. 

The short answer here is that based on how it’s currently written, Bill C-22 would not require 1Password to provide access to customer vault data. It is focused on subscriber information and metadata, not sensitive data such as passwords, vault contents, encryption keys, and emergency kits.

Bill C-22 also includes safeguards meant to prevent companies from being required to introduce systemic vulnerabilities or backdoors for officials to gain access to such sensitive information. Since 1Password is designed so that we cannot access your vault data in the first place, doing so would mean weakening our encryption.

We are continuing to monitor Bill C-22. If anything changes that would weaken customer privacy or security, we would challenge or appeal those requirements. Protecting your data by design is core to how 1Password works, and we won’t compromise on that.

May 27, 2026

Is this the final word from 1Password? If so, I will be obligated to encourage my security department to consider the following scholarly remarks that directly contradict your assessment and put into question the ability of your team to assess state-level threats.

Apple Inc. stated plainly and in no uncertain terms:

This Bill Allows the Government of Canada to Force Companies to Break Encryption by Inserting Backdoors into their Products

Professor Michael Geist noted that while sections of the bill suggest providers don't have to comply if an order creates a "systemic vulnerability," sections 12 and 13 "make compliance unconditional and provide that orders prevail over inconsistent regulations". He argued this leaves the intended safeguards existing "in name only" because they are "largely cloaked in secrecy".

Citations

  • Apple Inc. Testimony of Erik Neuenschwander, Standing Committee on Public Safety and National Security (SECU), House of Commons, 26 May 2026, https://www.ourcommons.ca/Committees/en/SECU.
  • "Parliamentary consultation session." Meeting 37 of the House of Commons Standing Committee on Public Safety and National Security. 2026.
  • Bill C-22: An Act respecting lawful access. First Reading, March 12, 2026, Forty-fifth Parliament. https://www.parl.ca/Content/Bills/451/Government/C-22/C-22_1/C-22_1.PDF.

June 1, 2026

Good points you're mentioning here.

What I find quite annoying is that 1Password is collecting really a lot of metadata, location-based data, telemetry data and so on. So it really does have and record a huge amount of data.

It's like with email: all they want/need is that metadata. And with 1Password you will get a 'lot' of that!

June 8, 2026

FYI: Signal, DuckDuckGo, and NordVPN threaten to exit Canada if metadata surveillance law passes

Why has 1Password not yet publicly stated its position on this issue?