LegislationMay 21, 20266 min read

Bill C-22 Doesn't Read Your Texts. It Doesn't Have To.

The bill explicitly excludes the content of communications from mandatory retention. What it would require — who you talked to, when, where you were, what device you used — is the data that intelligence professionals call "the more important half" of surveillance. Here is what a year of that data reveals about an ordinary Canadian.

The big thing

Bill C-22 mandates the retention of metadata, not message content. But metadata is what intelligence services call "the more important half" of surveillance — it reveals associations, movements, beliefs, and patterns of life.

Why it matters

The bill's defenders point to the content exclusion as a privacy safeguard. The intelligence community has been on record for over a decade saying the opposite: that metadata is more useful than content for understanding a person.

Go deeper

Who you called and when — every call, every duration.
Every cell tower your phone connected to — location every 5–15 minutes, year-round.
Every device you used and the unique identifier of each one.
Every IP address you connected to — which website, which app, which service.
By week 6 of analyzed metadata, a competent analyst can usually identify a person's job, sleep schedule, religion, who they live with, and their political associations.

Yes, but

The bill states law enforcement still needs a production order to access this data, with a "reasonable grounds to suspect" threshold. Content access still requires a full search warrant.

The bottom line

The choice of words — "metadata, not content" — is technically accurate and substantively misleading. The retention IS the surveillance; the access threshold is a second question.

How we reported this

All technical descriptions of metadata categories are drawn from Bill C-22 (first-reading text) and the federal Lawful Access backgrounder. Quotes from Stuart Baker (NSA general counsel) and Michael Hayden (NSA / CIA director) are taken from public on-record events (NYU School of Law debate Oct 1, 2013; Johns Hopkins University remarks April 2014). The Stanford MetaPhone study is Mayer & Mutchler, PNAS 2016. We did not contact any of the named officials for this article; their quoted statements are well-attested across multiple sources.

Bill C-22 (Lawful Access Act, 2026) does not require police to read the content of your communications. It requires "core providers" to retain metadata — who you contacted, when, where, on which device — for one year, on every Canadian. Two former directors of the U.S. National Security Agency have been on record since 2014 that metadata is operationally equivalent-to or more useful than content for surveillance. A Stanford study found that five days of phone metadata is sufficient to identify medical conditions, religious affiliation, and sexual relationships. This article walks through what one year of that data reveals about an ordinary person — not as accusation, but as illustration of what becomes knowable about every Canadian under the bill as drafted.

Bill C-22 metadata privacy surveillance lawful access civil liberties

What the bill says metadata is

Bill C-22's metadata definition covers four overlapping categories. The bill text refers to "transmission data" — the technical record of what was sent, when, between which endpoints, and via which protocol. The bill additionally lists subscriber information (the user behind a device or service), device identifiers (every IMEI, MAC address, advertising ID, account handle), and "location information sufficient to determine the location of a communication."

The bill explicitly excludes the content of communications from mandatory retention. The Public Safety Minister has emphasized this distinction in House debate. A warrant is still required to access the substantive content of a phone call, text, or email.

That exclusion is technically accurate. It is also, on the intelligence community's own record, the less important half.

What the intelligence community has said about metadata

**Michael Hayden** ran the National Security Agency from 1999 to 2005 and the Central Intelligence Agency from 2006 to 2009. At a Johns Hopkins University event in April 2014 — speaking publicly, on the record — he said: "We kill people based on metadata." The statement was a defense of the operational value of metadata-only intelligence, not a critique.

**Stuart Baker** was general counsel of the NSA. At a New York University School of Law debate in October 2013, also on the record, Baker said: "Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content. … It's sort of embarrassing how predictable we are as human beings."

These are not civil-liberties activists speaking. They are two of the most senior practitioners of modern signals intelligence in the United States, describing why metadata is the form of surveillance their agencies prioritized.

The Stanford MetaPhone study — what 5 days of metadata reveals

In 2014–2015, Stanford computer scientists Jonathan Mayer and Patrick Mutchler conducted a controlled study published in PNAS in 2016. They recruited volunteers who agreed to share their phone metadata — call records and contact information only, no content — for analysis.

From an average of five days of metadata per participant, the researchers identified, with high confidence: - Medical conditions (calls to specific medical specialists at characteristic intervals) - Religious affiliation (call patterns to congregations and clergy) - Sexual relationships (calls to crisis lines, intimate partners) - Gun ownership (calls to firearm dealers and ranges) - Marijuana use (calls to known dispensaries)

Five days. Not a year. And the Mayer-Mutchler study was a research analysis, not an intelligence-grade analytic platform — modern systems are materially more sophisticated.

A year in the life of an ordinary Canadian

Consider any ordinary Canadian — not a target, not a suspect. From one year of the metadata Bill C-22 would require to be retained, a competent analyst could, with high reliability, derive:

- **Place of work and commute pattern** — from the cell-tower trail. The morning trail also reveals daycare drop-off, gym attendance, coffee shops. - **Religious practice** — call frequency to specific congregations, location patterns on Sundays / Fridays / Saturdays at known addresses. - **Medical history** — call patterns to specialists. An oncologist appearing in the call log every 21 days reveals a treatment cycle without ever accessing a medical record. - **Romantic life** — sustained call patterns and overnight cell-tower co-location with a specific other phone. - **Political and union associations** — call patterns to riding offices, organizer lines, recurring location overlap with rally addresses. - **Financial stress or change** — bank-call patterns, calls to creditor lines, location patterns at payday-loan storefronts. - **Substance use** — calls to recovery sponsors or to known dispensaries.

None of this requires reading a single text message. None of it requires intercepting a single call. The metadata, by itself, makes it knowable.

This is not a claim about what police would necessarily do. It is a description of what becomes knowable about every Canadian once the retention is mandated.

What changes under Bill C-22

Today, in Canada, telecom and electronic-service providers retain metadata for variable, mostly-business-driven periods — billing-cycle records for a few months, location trails for a few weeks, IP-assignment logs for varying durations. There is no national mandate that providers retain a uniform year of this data on every customer.

Under Bill C-22, every "core provider" would be required to retain transmission data, device identifiers, and location information for a defined period — up to one year — on every customer. Access by police would still require a production order under the "reasonable grounds to suspect" threshold (a lower bar than the warrant required for content). The Intelligence Commissioner would review ministerial orders under Part 2 (SAAIA) — but not the production-order access to retained metadata.

The substantive change is the retention itself. Once a year of metadata exists on every Canadian, what becomes derivable about every Canadian changes — independent of how strictly access is gated.

Why the "metadata, not content" framing is doing rhetorical work

Michael Geist has been on record since the bill's first reading that the "content exclusion" framing — repeated in the Public Safety Minister's House remarks and in the federal backgrounder — is technically correct and rhetorically misleading.

The Department of Justice's Charter statement on Bill C-22 is, as Geist has noted, silent on the metadata-retention question. The statement addresses the access-threshold change, the Part 2 (SAAIA) ministerial-order regime, and the bill's intersection with the Criminal Code. It does not address whether mandatory mass metadata retention on every Canadian, independent of any individual suspicion, would survive a Section 8 Charter challenge.

The European Court of Justice, ruling on a nearly identical mandatory data-retention regime in 2014 (the Data Retention Directive), found the regime to be a "particularly serious interference" with fundamental rights — even with comparable access thresholds in place. That ruling is examined in detail in the Day 5 article in this series.

What the committee process could change

Bill C-22 is now at the Standing Committee on Public Safety and National Security. Amendments that committee MPs could realistically propose on the metadata-retention question include: a shorter mandatory retention period (90 or 180 days rather than 1 year), differentiated retention by data category (location-data retention shorter than connection-record retention), or a Privacy Commissioner audit role over how the retained metadata is stored.

Under a Liberal majority government, none of those amendments will pass without Liberal-government support. Day 7 of this series catalogues the seven Liberal MPs on the committee whose votes will determine which amendments survive.

Sources & Official Documents

LegislationBill C-22 Just Passed Second Reading. With a Liberal Majority, the Path to Royal Assent Is Now Mostly Clear.
The Lawful Access Act, 2026 cleared a critical procedural hurdle in the House on April 20. Committee review starts next. Five distinct opposition voices — academic, technology-industry, civil-society, U.S. legislative, and Charter-rights — have already weighed in against parts of the bill. Here is where the bill stands, what it would do, and what happens between here and Royal Assent.
LegislationBill C-22 Would Require ISPs to Store Your Metadata for Up to a Year
The Lawful Access Act is back in Parliament with new powers for police and secret orders for telecom providers. Here is what it means for your privacy.
AccountabilityBill C-22 Is at Committee. Here Are the MPs Who Put It There — And How to Reach Them.
Civic transparency on the second-reading record. The bill's sponsor, the Cabinet members who spoke for it on the floor, the Government House Leader who scheduled the debate, and the Liberal members of the Public Safety committee who now control its amendments — each with their public role on C-22 and their public-record contact details. Constituents in any of these ridings can reach the listed MPs directly.

About this article

Parliament Audit is non-partisan and does not endorse or oppose any legislation. This article is based on publicly available legislative documents and parliamentary records; all sources are linked above.

AI-assisted, human-edited. AI tools help us ingest parliamentary records and draft analysis; an editor reviews every article and verifies key facts against primary sources before publication. Quotation marks are reserved for verbatim text from a primary source. See our methodology and corrections log.

Share:X / Twitter Bluesky Facebook

Get Vote Alerts

Tell your MP what you think

Your MP votes on this. Their constituency inbox is the most-read channel for feedback on bills in committee.

Republish this storyFree, no permission required · CC BY-ND 4.0

You're welcome to run this article in full on your newsroom, blog, newsletter, or paper. Keep the byline and the link back to parliamentaudit.ca. See the full terms.

<!-- Parliament Audit — republished under CC BY-ND 4.0 -->
<article>
  <h1>Bill C-22 Doesn&#39;t Read Your Texts. It Doesn&#39;t Have To.</h1>
  <p><em>By Parliament Audit · May 21, 2026 · 6 min read</em></p>
  <p><strong>Bill C-22 (Lawful Access Act, 2026) does not require police to read the content of your communications. It requires &quot;core providers&quot; to retain metadata — who you contacted, when, where, on which device — for one year, on every Canadian. Two former directors of the U.S. National Security Agency have been on record since 2014 that metadata is operationally equivalent-to or more useful than content for surveillance. A Stanford study found that five days of phone metadata is sufficient to identify medical conditions, religious affiliation, and sexual relationships. This article walks through what one year of that data reveals about an ordinary person — not as accusation, but as illustration of what becomes knowable about every Canadian under the bill as drafted.</strong></p>
  <h2>What the bill says metadata is</h2>
  <p>Bill C-22's metadata definition covers four overlapping categories. The bill text refers to "transmission data" — the technical record of what was sent, when, between which endpoints, and via which protocol. The bill additionally lists subscriber information (the user behind a device or service), device identifiers (every IMEI, MAC address, advertising ID, account handle), and "location information sufficient to determine the location of a communication."</p>
  <p>The bill explicitly excludes the content of communications from mandatory retention. The Public Safety Minister has emphasized this distinction in House debate. A warrant is still required to access the substantive content of a phone call, text, or email.</p>
  <p>That exclusion is technically accurate. It is also, on the intelligence community's own record, the less important half.</p>
  <h2>What the intelligence community has said about metadata</h2>
  <p>**Michael Hayden** ran the National Security Agency from 1999 to 2005 and the Central Intelligence Agency from 2006 to 2009. At a Johns Hopkins University event in April 2014 — speaking publicly, on the record — he said: "We kill people based on metadata." The statement was a defense of the operational value of metadata-only intelligence, not a critique.</p>
  <p>**Stuart Baker** was general counsel of the NSA. At a New York University School of Law debate in October 2013, also on the record, Baker said: "Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content. … It's sort of embarrassing how predictable we are as human beings."</p>
  <p>These are not civil-liberties activists speaking. They are two of the most senior practitioners of modern signals intelligence in the United States, describing why metadata is the form of surveillance their agencies prioritized.</p>
  <h2>The Stanford MetaPhone study — what 5 days of metadata reveals</h2>
  <p>In 2014–2015, Stanford computer scientists Jonathan Mayer and Patrick Mutchler conducted a controlled study published in PNAS in 2016. They recruited volunteers who agreed to share their phone metadata — call records and contact information only, no content — for analysis.</p>
  <p>From an average of five days of metadata per participant, the researchers identified, with high confidence:
- Medical conditions (calls to specific medical specialists at characteristic intervals)
- Religious affiliation (call patterns to congregations and clergy)
- Sexual relationships (calls to crisis lines, intimate partners)
- Gun ownership (calls to firearm dealers and ranges)
- Marijuana use (calls to known dispensaries)</p>
  <p>Five days. Not a year. And the Mayer-Mutchler study was a research analysis, not an intelligence-grade analytic platform — modern systems are materially more sophisticated.</p>
  <h2>A year in the life of an ordinary Canadian</h2>
  <p>Consider any ordinary Canadian — not a target, not a suspect. From one year of the metadata Bill C-22 would require to be retained, a competent analyst could, with high reliability, derive:</p>
  <p>- **Place of work and commute pattern** — from the cell-tower trail. The morning trail also reveals daycare drop-off, gym attendance, coffee shops.
- **Religious practice** — call frequency to specific congregations, location patterns on Sundays / Fridays / Saturdays at known addresses.
- **Medical history** — call patterns to specialists. An oncologist appearing in the call log every 21 days reveals a treatment cycle without ever accessing a medical record.
- **Romantic life** — sustained call patterns and overnight cell-tower co-location with a specific other phone.
- **Political and union associations** — call patterns to riding offices, organizer lines, recurring location overlap with rally addresses.
- **Financial stress or change** — bank-call patterns, calls to creditor lines, location patterns at payday-loan storefronts.
- **Substance use** — calls to recovery sponsors or to known dispensaries.</p>
  <p>None of this requires reading a single text message. None of it requires intercepting a single call. The metadata, by itself, makes it knowable.</p>
  <p>This is not a claim about what police would necessarily do. It is a description of what becomes knowable about every Canadian once the retention is mandated.</p>
  <h2>What changes under Bill C-22</h2>
  <p>Today, in Canada, telecom and electronic-service providers retain metadata for variable, mostly-business-driven periods — billing-cycle records for a few months, location trails for a few weeks, IP-assignment logs for varying durations. There is no national mandate that providers retain a uniform year of this data on every customer.</p>
  <p>Under Bill C-22, every "core provider" would be required to retain transmission data, device identifiers, and location information for a defined period — up to one year — on every customer. Access by police would still require a production order under the "reasonable grounds to suspect" threshold (a lower bar than the warrant required for content). The Intelligence Commissioner would review ministerial orders under Part 2 (SAAIA) — but not the production-order access to retained metadata.</p>
  <p>The substantive change is the retention itself. Once a year of metadata exists on every Canadian, what becomes derivable about every Canadian changes — independent of how strictly access is gated.</p>
  <h2>Why the "metadata, not content" framing is doing rhetorical work</h2>
  <p>Michael Geist has been on record since the bill's first reading that the "content exclusion" framing — repeated in the Public Safety Minister's House remarks and in the federal backgrounder — is technically correct and rhetorically misleading.</p>
  <p>The Department of Justice's Charter statement on Bill C-22 is, as Geist has noted, silent on the metadata-retention question. The statement addresses the access-threshold change, the Part 2 (SAAIA) ministerial-order regime, and the bill's intersection with the Criminal Code. It does not address whether mandatory mass metadata retention on every Canadian, independent of any individual suspicion, would survive a Section 8 Charter challenge.</p>
  <p>The European Court of Justice, ruling on a nearly identical mandatory data-retention regime in 2014 (the Data Retention Directive), found the regime to be a "particularly serious interference" with fundamental rights — even with comparable access thresholds in place. That ruling is examined in detail in the Day 5 article in this series.</p>
  <h2>What the committee process could change</h2>
  <p>Bill C-22 is now at the Standing Committee on Public Safety and National Security. Amendments that committee MPs could realistically propose on the metadata-retention question include: a shorter mandatory retention period (90 or 180 days rather than 1 year), differentiated retention by data category (location-data retention shorter than connection-record retention), or a Privacy Commissioner audit role over how the retained metadata is stored.</p>
  <p>Under a Liberal majority government, none of those amendments will pass without Liberal-government support. Day 7 of this series catalogues the seven Liberal MPs on the committee whose votes will determine which amendments survive.</p>
  <hr />
  <p><small>
    Originally published by <a href="https://parliamentaudit.ca/news/bill-c-22-what-one-year-of-metadata-reveals">Parliament Audit</a>
    under the <a href="https://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND 4.0</a> license.
    <img src="https://parliamentaudit.ca/api/republish-beacon?slug=bill-c-22-what-one-year-of-metadata-reveals" alt="" width="1" height="1" />
  </small></p>
</article>

Consider any ordinary Canadian — not a target, not a suspect. From one year of the metadata Bill C-22 would require to be retained, a competent analyst could, with high reliability, derive:

None of this requires reading a single text message. None of it requires intercepting a single call. The metadata, by itself, makes it knowable.

This is not a claim about what police would necessarily do. It is a description of what becomes knowable about every Canadian once the retention is mandated.

Bill C-22 Doesn't Read Your Texts. It Doesn't Have To.

What the bill says metadata is

What the intelligence community has said about metadata

The Stanford MetaPhone study — what 5 days of metadata reveals

A year in the life of an ordinary Canadian

What changes under Bill C-22

Why the "metadata, not content" framing is doing rhetorical work

What the committee process could change

Sources & Official Documents

More reporting on this

Tell your MP what you think

Bill C-22 Doesn't Read Your Texts. It Doesn't Have To.

What the bill says metadata is

What the intelligence community has said about metadata

The Stanford MetaPhone study — what 5 days of metadata reveals

A year in the life of an ordinary Canadian

What changes under Bill C-22

Why the "metadata, not content" framing is doing rhetorical work

What the committee process could change

Sources & Official Documents

More reporting on this

Tell your MP what you think