UK Online Safety Bill Encryption: Law Threatens End-to-End Encrypted Messaging

The UK Online Safety Act included provisions that could require messaging platforms to scan encrypted messages for illegal content, effectively creating a backdoor in end-to-end encryption. Signal and WhatsApp threatened to withdraw from the UK rather than compromise encryption. The Act grants Ofcom the power to issue technology notices requiring platforms to use "accredited technology" to scan content, even in encrypted communications. Cryptographers and security experts warned that any system capable of scanning encrypted content fundamentally breaks the security guarantee of end-to-end encryption, creating vulnerabilities exploitable by hackers and hostile governments. The government argued the provisions were needed to combat child exploitation, but technical experts stated it was impossible to build a system that scans for illegal content without undermining encryption for all users. After intense pushback, the government acknowledged the technology to safely scan encrypted messages does not yet exist, but the powers remain in the Act, creating an ongoing threat to encrypted communications in the UK.

The ramifications of this incident extend beyond the immediate data exposure. Privacy regulators in multiple jurisdictions have opened investigations, and affected individuals are organizing collective action to demand accountability and meaningful remediation. The case highlights systemic weaknesses in how organizations handle personal data and the gap between corporate privacy promises and operational reality.

For impacted individuals, immediate action is critical. Filing a data subject access request forces the company to disclose exactly what data they hold about you, providing the foundation for deletion requests, regulatory complaints, and potential legal action. Below, we outline the specific data types at risk and the concrete steps you can take to protect yourself.