Its far worse than the Patriot Act.

Its legislation that attempts to weaken and break encryption so that law enforcement and others can access encrypted communications. It also seeks to require mandatory suspicionless metadata for all online services.

The legislation was explicitly written to target both telecom companies and every online service.

Citizen Lab has a good writeup on the legislation here: https://citizenlab.ca/research/analysis-of-proposed-surveill...

Basically the same idiocy that the British gov't has also tried to enact around making actually encrypted communication impossible, and giving them the rights to access metadata on the public's communications without warrant, etc.

https://www.parl.ca/DocumentViewer/en/45-1/bill/C-22/first-r...

It's online and easy to read, and is a modernizing of laws around online systems. It is a deeply imperfect bill -- personally I think it is basically DOA and will not receive assent -- but a lot of the reaction to it are classic partisan hysterics (you can already see a bunch of those people throughout this discussion).

https://www.parl.ca/DocumentViewer/en/45-1/bill/C-22/first-r...

The parts that are garnering a lot of negative feedback is

1) requiring core providers (a list as yet undefined), and any others if specifically directed to, to maintain a rolling year of metadata that the government can request on a targeted individual with a warrant. This is obviously at odds with "no log" VPNs in particular. And let's be real: 99% of the industry already logs everything.

2) "the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;"

The #2 could potentially imply secondary decryption keys and the like, though the bill explicitly says the requirement cannot impose a systematic vulnerability, and the government has pointed to that and said they want no such thing.

So VPN providers are saying "we don't want to log", and encryption providers are saying "be much clearer in what you mean by systematic vulnerability. Define this explicitly".