The UK Wants Your Encrypted Messages — And It’s Winning

The year is 2026, and the British government wants to read your messages. Not metaphorically. Not in some dystopian hypothetical. Right now, through multiple overlapping legal instruments, the UK is conducting the most aggressive assault on end-to-end encryption of any Western democracy. And it’s working.

Phil Zimmermann was investigated as an arms dealer in the 1990s for releasing PGP — software that let ordinary people encrypt their emails. The US government classified strong encryption as a munition. They lost that fight. Thirty years later, a different government is trying the same thing with different tools. And this time, they’re not bothering with the pretence of public debate.

The Secret Order Apple Can’t Talk About

In January 2025, the UK Home Office issued a Technical Capability Notice (TCN) under the Investigatory Powers Act — the law everyone calls the Snooper’s Charter, because that’s what it is. The TCN demanded that Apple build a backdoor into iCloud’s Advanced Data Protection, the feature that end-to-end encrypts your backups.

Here’s the part that should make your blood run cold: the order originally applied to all Apple users globally. Not just Brits. Americans. Europeans. Everyone. A British Home Secretary, operating in secret, tried to compromise the security of billions of people worldwide.

Apple, to their credit, refused to build the backdoor. Instead, they withdrew Advanced Data Protection from UK users entirely. If you’re in Britain and you want Apple’s strongest encryption on your iCloud data, you simply can’t have it. The UK government didn’t technically break encryption — it just made Apple remove it from the menu.

The legal battle is ongoing. Apple appealed to the Investigatory Powers Tribunal, which at least had the decency to reject the Home Office’s demand for the entire case to be heard in secret. A seven-day public hearing was scheduled for early 2026, structured around “assumed facts” — a legal contortion necessary because the government maintains the right to neither confirm nor deny the TCN even exists.

Meanwhile, reports from the EFF suggest the government quietly rewrote the order in late 2025 to target only British users — a tactical retreat, not a surrender. US lawmakers, including House Judiciary Chair Jim Jordan, demanded a briefing by March 2026 on what the UK was doing with American citizens’ data. The diplomatic pressure helped narrow the scope. It didn’t kill the demand.

Advanced Data Protection remains unavailable in the UK. That’s not a temporary situation. That’s the new normal.

Signal’s Line in the Sand

Signal’s president, Meredith Whittaker, has been unambiguous: Signal will leave the UK before it compromises its encryption. This isn’t corporate posturing. Signal is a non-profit whose entire reason for existing is genuine end-to-end encryption. Asking Signal to weaken its protocol is like asking a hospital to make patients sicker.

The threat comes from the Online Safety Act’s Section 122, which gives Ofcom the power to compel platforms to scan private messages — including encrypted ones. The technical reality is simple: you cannot scan content that is truly end-to-end encrypted. To comply, Signal would need to implement client-side scanning — examining messages on your device before encryption. Security researchers universally regard this as a backdoor by another name. UCL researchers have called it the equivalent of a “mandatory wiretap.”

As of May 2026, Ofcom hasn’t pulled the trigger. The regulator publicly claims its measures “do not recommend that providers break end-to-end encryption.” But the legal power exists, and Ofcom is expanding CSAM monitoring duties to more platforms throughout 2026. The gun is loaded. It’s pointed at encrypted messaging. They just haven’t squeezed the trigger yet.

WhatsApp has made similar threats. Remember that WhatsApp uses the Signal Protocol — the same cryptographic foundation. Compromising it doesn’t just affect one app. It undermines the security architecture that protects billions of conversations daily.

The Online Safety Act: Surveillance as Child Protection

Every government that wants to break encryption uses the same justification: protecting children. It’s the argument that no politician can publicly oppose, which is precisely why it’s so dangerous. The Online Safety Act weaponises child safety to create a legal framework for mass surveillance of private communications.

Section 122 makes no exception for encrypted communications. The government has said it won’t invoke these powers until “appropriate technology” exists — a meaningless deferral, since client-side scanning technology already exists. Apple built and then abandoned its own CSAM scanning system in 2021, not because it didn’t work, but because they recognised the privacy implications were unacceptable.

Some services have already left. Smaller encrypted cloud providers like Krakenfiles have exited the UK market rather than face compliance demands they can’t meet without gutting their security. They won’t be the last.

The UK government’s position is logically incoherent. They claim to support strong encryption while simultaneously creating legal instruments that make strong encryption illegal in practice. It’s the regulatory equivalent of saying “we support free speech, but everything you say will be monitored.”

The European Front: Chat Control and ProtectEU

The UK isn’t alone. The EU has been pushing its own version of this fight through the Child Sexual Abuse Regulation — universally known as “Chat Control.” The proposal would have mandated client-side scanning of encrypted messages across the bloc.

Five hundred and two cryptography and IT security scientists signed an open letter calling client-side scanning “technically unfeasible” and warning it would create vulnerabilities exploitable by criminals and hostile states. The European Parliament pushed back hard. Germany’s Federal Constitutional Court ruled that mass surveillance of encrypted communications likely fails constitutional standards. The mandatory scanning requirement was blocked.

But the EU didn’t give up. It rebranded. In April 2025, the European Commission launched ProtectEU, a new “internal security strategy” built around the law enforcement concept of “Going Dark” — the idea that encryption is making criminals invisible. The strategy calls for a Technology Roadmap on encryption access by Q2 2026, with a target of deploying decryption capabilities to Europol by 2030.

The High-Level Group behind ProtectEU has coined the phrase “lawful access by design” — requiring all internet service providers to build their systems so that encrypted data can be accessed on demand. If that sounds like “backdoors by design,” that’s because it is. They just workshopped the branding.

The European Court of Human Rights has previously ruled that mandating encryption backdoors violates the European Convention on Human Rights. Whether that precedent holds against the sustained political pressure of ProtectEU remains to be seen.

Why This Matters Beyond Privacy

The standard response from surveillance advocates is: “If you’ve got nothing to hide, you’ve got nothing to fear.” This argument is intellectually bankrupt and historically illiterate.

Encryption isn’t a luxury. It’s critical infrastructure. It protects banking transactions, medical records, legal privilege, whistleblower communications, journalistic sources, and every business that handles sensitive data. When you break encryption for governments, you break it for everyone — including the criminals and hostile state actors the government claims to be protecting you from.

The UK government’s own National Cyber Security Centre has acknowledged this. GCHQ knows that backdoors are security vulnerabilities. They pursue this agenda anyway, because the institutional incentive to access communications outweighs the institutional incentive to protect them.

Consider the precedent. If the UK can compel Apple to build a backdoor, China can too. Russia can too. Every authoritarian regime on earth is watching this case. The UK isn’t just undermining its own citizens’ security — it’s writing the playbook for every government that wants to surveil its population.

Hal Finney understood this in the 1990s when he became the first person to receive a Bitcoin transaction from Satoshi Nakamoto. Erik Voorhees understood it when he built ShapeShift. Phil Zimmermann understood it when he released PGP and faced a federal investigation for his trouble. The cypherpunks saw this coming decades ago. Encryption is a human right because privacy is a human right. You don’t get to have one without the other.

What Happens Next

The Apple tribunal case will be the most significant legal test of government encryption powers in a generation. If the IPT upholds the TCN regime, the UK will have established that the government can secretly compel any technology company to compromise its encryption — with criminal penalties for even revealing that the order exists. Every encrypted service operating in the UK will face the same choice Apple faced: comply, remove your security features, or leave.

Ofcom will continue expanding its enforcement of the Online Safety Act throughout 2026. At some point, the regulator will have to address the elephant in the room: you cannot enforce content scanning obligations on encrypted platforms without breaking encryption. The deferrals and careful language will eventually run out.

The EU’s ProtectEU roadmap will produce its encryption technology assessment by mid-2026. Whatever it recommends will set the trajectory for European encryption policy for the next decade.

And ordinary people will continue using WhatsApp and iMessage without knowing that their governments are systematically dismantling the security those services provide.

The UK government isn’t just winning this fight. It’s winning it quietly, through secret orders and obscure tribunals and carefully worded legislation. That’s the most dangerous part. By the time most people realise what’s happened, the infrastructure of surveillance will already be built.

Phil Zimmermann called PGP “Pretty Good Privacy.” In 2026 Britain, even pretty good privacy is too much for the government to tolerate.
