17.5 Encryption under pressure
Why this fight matters
Encryption is not a niche concern for the technically minded; it is the foundation that keeps ordinary digital life safe. The same mathematics that protects a criminal's messages also protects your banking, your medical records, your work email, your family photographs, and the messages of journalists, lawyers, doctors, and abuse survivors. There is no version of encryption that is strong against criminals but weak against the state, because the maths does not know who is asking. This is the single most important fact in the entire debate, and most of the disagreement comes from people wishing it were not true.
The UK government, like several others, has long been uncomfortable with strong end-to-end encryption, where only the sender and recipient can read a message and the service provider itself cannot. Law enforcement and security agencies argue, with genuine cases behind them, that it lets serious criminals and abusers operate beyond reach. Technologists, security experts, and civil-liberties groups respond that any mechanism to break or bypass encryption for some inevitably weakens it for all. This page sets out where that conflict now stands in UK law and practice, and what it means for you.
The Investigatory Powers Act and technical notices
The legal centre of gravity is the Investigatory Powers Act 2016, sometimes called the "Snoopers' Charter", which gives the state broad surveillance powers and was strengthened by amending legislation in 2024. Among its tools is the Technical Capability Notice: a secret order that can require a technology company to maintain the ability to provide access to communications — in effect, to ensure it can hand over data when compelled. Such notices are confidential by law. A company that receives one is generally prohibited from disclosing its existence, which means these demands are made and contested almost entirely out of public view.
This secrecy is itself part of the problem. A power exercised in private, that companies may not even acknowledge, cannot be scrutinised by the public, the press, or, in any ordinary way, the courts. We learn of these notices mainly through leaks, through the actions companies take in response, or through litigation that occasionally pierces the secrecy. The 2024 amendments extended and reinforced these powers, including provisions touching on companies' ability to roll out new security features. The cumulative effect is a legal framework in which the government can press companies to preserve access to encrypted data, quietly and without public debate about specific demands.
The Apple encrypted-backup case
The clearest public illustration came in early 2025. It was reported that the UK had served a secret order requiring Apple to provide access to data protected by its Advanced Data Protection feature — an option that applies end-to-end encryption to iCloud backups, so that not even Apple can read them. Rather than build the demanded access, which would have meant weakening the protection for users everywhere, Apple withdrew Advanced Data Protection for new users in the UK and disabled it for existing UK users. The reported demand had sought access to encrypted data globally, not merely for UK users, which raised the prospect of one country's secret order degrading security worldwide.
This episode matters for several reasons. It showed the powers being used against a major company over a real, deployed encryption feature, not as a hypothetical. It showed a company choosing to remove a security feature from an entire country rather than compromise it — leaving UK users with weaker protection than people elsewhere. And it showed how the secrecy works in practice: the demand was not publicly confirmed in the ordinary way, and what is known emerged through reporting and subsequent legal proceedings. The practical upshot for UK users was concrete and adverse: a privacy feature available to people in other countries was taken away from them, as a direct result of government pressure.
Client-side scanning and the messaging power
A second front concerns the Online Safety Act. The Act contains a power that could, in principle, require a messaging service to use "accredited technology" to identify illegal material — most relevantly, child sexual abuse content — including on services that are end-to-end encrypted. The only known way to do this on an encrypted service is so-called client-side scanning: software on your own device that inspects your messages or images before they are encrypted and sent. To its critics, this is a surveillance system installed on every phone, and it breaks the core promise of end-to-end encryption that no one but the participants can see the content.
During the passage of the Act, major encrypted-messaging providers including Signal and WhatsApp stated publicly that they would rather withdraw their services from the UK than build such scanning into them. In response, the government indicated that the power would not be used until scanning could be done in a way that was technically feasible without compromising security — a standard that experts widely regard as not currently achievable. The power nonetheless remains on the statute book, unused but available, a capability that could be activated if the political and technical calculus changes. Its continued existence shapes the behaviour of providers and the expectations of users even while dormant.
Why a backdoor cannot be "for the good guys only"
The recurring official hope is for "exceptional access": a way for authorised authorities, under proper legal process, to read encrypted content, while everyone else remains locked out. The near-unanimous view of the cryptography and security community is that this is not achievable. Any deliberate access mechanism — a key held in escrow, a scanning system, a built-in bypass — is a vulnerability. It can be discovered, stolen, misused, or compelled by another government, including ones with no regard for human rights. A door built for one party is a door, and doors can be opened by whoever finds the key. The history of security is a history of mechanisms intended for narrow use being found and abused more broadly.
This is not technologists being unhelpful or ideological. It is a statement about what is and is not possible. You can have communications that are secure against everyone, or communications that are accessible to some and therefore weaker against all; you cannot have both. Weakening encryption to catch the worst actors also exposes the law-abiding majority — including the very institutions, from banks to hospitals to government itself, that depend on strong encryption to function. The choice is genuinely binary, and pretending otherwise does not make a safe backdoor exist.
What this means for you
The practical situation today is reassuring in one respect and concerning in another. Reassuring, because strong end-to-end encryption remains lawful and widely available in the UK: Signal, WhatsApp, and similar services continue to operate, and using them is entirely legal. Concerning, because the legal pressure is real and ongoing, one major privacy feature has already been withdrawn from UK users, and dormant powers exist that could compel more. The trajectory is towards more pressure, not less.
The sensible response is to use strong encryption now, while you can, and to make it your default rather than something reserved for sensitive moments — guidance set out in 7.1 on messaging and Chapter 3 on encrypting data at rest. Prefer services that are end-to-end encrypted by default and that have shown they will resist compromising their security. Keep your own backups encrypted under keys you control rather than relying solely on a provider's cloud, especially given that one cloud encryption feature has already been pulled in the UK. And, as with digital identity, recognise that this is partly a civic matter: the strength of encryption you will be able to rely on in five years depends in part on whether people understand and defend it now. The consolidated steps are in 17.7.