UK’s Online Safety Act Turns Devices Into Spies: How Surveillance Masquerades as Protection

Signal's new paper contends the UK's Online Safety Act enables mass surveillance via client-side scanning, undermining end-to-end encryption under the guise of child protection. Technical realities, global precedents, and expert warnings suggest the measures create more vulnerabilities than they solve. The debate tests whether governments can pursue safety without sacrificing core digital security.
Written by Maya Perez

London lawmakers insist their sweeping rules will shield children from harm online. Yet a pointed new analysis from Signal argues the opposite. The measures don’t deliver safety. They install the architecture for routine government access to private conversations.

The document, released today by the encrypted messaging service, lays out in stark terms why client-side scanning and related mandates erode the very foundations that keep users secure. Short version: once you scan before encryption, privacy evaporates. So does trust in the entire system.

But first, the context. The UK’s Online Safety Act, passed in 2023 and now advancing through phased enforcement, tasks regulator Ofcom with forcing platforms to prevent illegal content. That includes child sexual abuse material and terrorism promotion. Sounds straightforward. The catch lies in encrypted services. To inspect content that only the sender and recipient can read, companies face an ugly binary. Break end-to-end encryption across their global user base. Or deploy on-device scanning that examines messages, photos, and files before they ever leave the phone.

Signal’s critique lands at a moment when enforcement ramps up. Ofcom has issued warnings and begun fining adult sites over age verification failures. Recent coverage from Computer Weekly notes persistent concerns that the Act could still compel scanning of encrypted messages despite earlier government retreats on the most aggressive language. Commentators detect little immediate appetite for full client-side scanning mandates given the backlash, yet the legal powers sit there, dormant but available.

And the technical reality hasn’t changed. Scanning on the client device creates new attack surfaces. Adversaries could exploit the scanner itself. False positives would flag innocent family photos or political discussion. Once the capability exists on billions of devices worldwide, authoritarian regimes won’t hesitate to repurpose it. The UK sets a precedent others will copy.

Exactly what critics warned.

Signal isn’t alone. The Electronic Frontier Foundation has repeatedly called the legislation incompatible with end-to-end encryption. In detailed examinations, EFF writers describe how the law could mandate general monitoring of user content and undermine private conversation technologies. Their 2023 update following passage of the bill remains relevant: backdoors in encryption don’t protect children. They expose everyone.

What’s striking about the Signal paper is its focus on the false dichotomy presented by officials. Safety versus privacy is a manufactured choice, the authors contend. Strong encryption already protects children and adults alike from hackers, identity thieves, and oppressive governments. Introducing scanning weakens that shield without guaranteeing results against determined offenders who simply move to other tools.

Consider the mechanics. End-to-end encryption ensures that messages are scrambled on the sender’s device and only decrypted on the recipient’s. No intermediary, not even the service provider, holds the keys. Client-side scanning demands that a detection algorithm run locally first. The algorithm must be updated regularly. It requires access to raw user data. And any hash database of prohibited content becomes a target for reverse engineering. Researchers have demonstrated repeatedly how such systems can be fooled or abused.
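
The placement of the scanner relative to encryption, as an added sketch that is not code from Signal, the paper, or any real messenger: the `Client` class, the exact-match SHA-256 blocklist and the toy cipher are assumptions made for illustration (real proposals involve perceptual hashes, and real messengers use an authenticated cipher). It shows that the relay only ever carries ciphertext, while a blocklist update alone changes what the device reports.

```python
import hashlib
import os

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 in counter mode), standing in for a real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Client:
    """Hypothetical messenger client with a scan hook in front of encryption."""
    def __init__(self, key: bytes, blocklist: set):
        self.key = key
        self.blocklist = blocklist  # opaque digests supplied from outside the device
        self.reports = []           # data leaving the device outside the E2EE channel

    def send(self, plaintext: bytes):
        # The scanner needs the raw content, so it must run before encryption.
        digest = hashlib.sha256(plaintext).hexdigest()
        if digest in self.blocklist:
            self.reports.append(digest)
        nonce = os.urandom(12)
        return nonce, toy_cipher(self.key, nonce, plaintext)

    def receive(self, nonce: bytes, ciphertext: bytes) -> bytes:
        return toy_cipher(self.key, nonce, ciphertext)

def demo() -> dict:
    key = os.urandom(32)  # assume the two clients already share a session key
    leaflet = b"constructed sample: text of a protest leaflet"
    listed = hashlib.sha256(b"constructed sample: listed item").hexdigest()
    alice, bob = Client(key, {listed}), Client(key, set())

    nonce, wire = alice.send(leaflet)  # 'wire' is all the relay ever sees
    before = len(alice.reports)

    # A list update retargets the scanner; no messenger code changes.
    alice.blocklist = {listed, hashlib.sha256(leaflet).hexdigest()}
    alice.send(leaflet)
    return {
        "relay_sees_plaintext": leaflet in wire,
        "delivered_intact": bob.receive(nonce, wire) == leaflet,
        "reports_before_update": before,
        "reports_after_update": len(alice.reports),
    }

if __name__ == "__main__":
    print(demo())
```

Because the list holds only digests, the device owner cannot tell from the list itself what content it targets.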

The paper draws on years of expert consensus. Computer security professionals from Cambridge, Stanford, and elsewhere have testified that no safe version of mass client-side scanning exists. Ross Anderson, the late security engineering professor, once dismissed the notion of surveillance that respects privacy as magical thinking. His view echoes through the current debate.

Yet British officials press ahead. They point to horrific cases of online grooming and exploitation. No one disputes the horror. The disagreement centers on method. Does the response justify placing scanning software on every smartphone and laptop in the country? On every app that wants to operate legally in the UK?

Global consequences follow. Services like Signal, WhatsApp, and iMessage serve hundreds of millions outside Britain. If they alter their core encryption model to satisfy UK regulators, those changes ripple everywhere. A British teenager’s safety measure becomes a vulnerability for dissidents in Beijing or Moscow. That’s not theory. It’s the logical outcome of uniform technical standards under legal coercion.

Companies have said as much.

Signal’s leadership previously stated they would exit the UK market rather than compromise their protocol. Similar warnings came from Meta on behalf of WhatsApp. The threat isn’t idle. Smaller services would fold or comply, concentrating users on fewer platforms that might eventually bend. The result? Less competition, more centralized control, and ironically, easier surveillance for those who master the remaining systems.

Recent developments show the tension hasn’t eased. In early 2026 coverage, analysts highlighted how the Act’s age verification requirements already pressure platforms toward greater data collection. Facial scans, ID uploads, credit card checks. Each adds databases of personal information that hackers love to target. Ofcom’s own past data breach offers a cautionary tale. Now layer on potential message scanning. The attack surface balloons.

Proponents counter that scanning can be narrowly targeted. Only certain keywords or image hashes. Only with judicial oversight. Only for the worst offenses. History suggests such limits erode. Once the infrastructure exists, scope expands. Terrorism definitions broaden. Political speech gets swept in. Content that offends shifting cultural norms triggers blocks. The EU’s parallel struggles with its own chat control proposals, recently stalled in parliament according to EFF reporting from April, illustrate the same pattern. Voluntary scanning measures met resistance. Mandatory versions keep resurfacing.

Beyond the technology sit deeper questions of governance. Who writes the list of prohibited content? How often does it update? What recourse exists for misflagged users? In an era of rapid political change, today’s child protection tool becomes tomorrow’s instrument for monitoring protest organizers or journalists’ sources. Britain’s own history with surveillance, from GCHQ’s role in global signals intelligence to debates over the Investigatory Powers Act, shows how quickly capabilities grow.

Signal’s analysis doesn’t stop at criticism. It offers alternatives. Better funding for law enforcement to pursue real offenders through targeted warrants. Education campaigns that teach families about online risks. Investment in mental health and community support that address root causes of exploitation. These steps avoid the technological arms race that pits governments against the security community.

But such approaches lack the political theater of announcing bold new powers. They require patience and coordination across agencies. Scanning promises quick, visible action, even if the actual reduction in harm proves marginal. Offenders adapt. New encrypted channels appear on the dark web or in foreign jurisdictions. The compliant majority loses privacy for limited gain.

Industry insiders tracking this space note the quiet evolution. Ofcom’s roadmap, updated in late 2024 and referenced in government explainers, pushes child safety duties toward full effect. Categorization of services brings additional transparency rules for larger platforms. Yet the encryption question lingers unresolved in public statements. A UK government explainer emphasizes duties to reduce illegal activity without detailing scanning mechanics.

That’s the rub. Vague language lets regulators interpret powers broadly when political pressure mounts. A high-profile case involving encrypted apps could trigger demands for immediate compliance. Tech firms then face fines up to 10 percent of global revenue or outright service blocks. The calculus favors caution over principle for many executives.

Signal, built on a nonprofit model focused solely on private communication, holds a different position. It can afford to draw a hard line. The organization has open-sourced its protocol and invited scrutiny. Its stance carries weight precisely because it doesn’t sell user data or run advertising. When Signal says the proposal breaks its product, observers listen.

The paper’s release on June 8, 2026, coincides with heightened scrutiny of digital regulation across Europe. Fresh debates in Brussels and national capitals revisit similar terrain. Each jurisdiction claims exceptional circumstances. Each insists its version includes safeguards. Collectively they normalize the idea that private messaging must yield to state inspection.

Users notice. Privacy-conscious individuals already migrate toward tools that promise resistance. Yet mass adoption remains limited. Most people prioritize convenience until a personal breach drives them elsewhere. By then the mandated infrastructure may be locked in.

What comes next matters. If Ofcom chooses restraint, the UK avoids immediate fracture. Encrypted services continue operating. Law enforcement pursues other avenues. But the underlying legal framework stays intact, ready for activation. Future ministers, facing public outrage after an incident, may demand action. The surveillance apparatus waits, pre-installed on devices across the land.

Signal’s document serves as both warning and reminder. Safety cannot rest on the systematic weakening of protections that defend against far broader threats. Criminals exploit weakness. Authoritarians expand it. Everyday citizens lose the ability to speak, organize, or seek help without fear of monitoring.

The choice isn’t between safety and privacy. It’s between genuine security practices that scale globally and short-term political gestures that create permanent vulnerabilities. Britain, long a leader in technology and human rights, now tests which path it will take. The rest of the world watches closely. The outcome will shape digital life for decades.

Whether policymakers heed the technical community’s near-unanimous caution remains uncertain. What is clear is what is at stake. Compromised encryption doesn’t isolate harm to one nation or one category of content. It diminishes security for all who rely on digital tools to navigate modern existence. And that group grows larger every day.
