28 Nov 2025 | Digital rights, Europe and Central Asia, News, United Kingdom
Index on Censorship has today published a new report entitled Breaking encryption is legally and practically unworkable which sets out our position on why governments should not break end-to-end encryption (E2EE).
Major service providers such as WhatsApp – which alone services 42 million users in the UK – Telegram, and Signal, use E2EE, allowing their users to securely send private messages that only they can read. E2EE works by scrambling the contents of a message into unintelligible code using a pair of cryptographic keys. In systems protected by E2EE, only the sender and the recipient hold the keys needed to decrypt the message, meaning that no one else – not even the service provider itself – can access its contents.
E2EE is an essential factor in protecting individuals and businesses from hacking, identity and personal data theft, and fraud, and it is a critical tool used by individuals for whom their safety and security depend on their communications being private and secure. This includes journalists communicating with their sources, dissidents under authoritarian regimes, human rights defenders, and victims in victim support groups.
The report builds upon years of work by Index on Censorship, parliamentarians, and independent counsel at Matrix Chambers to clearly and unequivocally demonstrate that “Technology Notices” that can be issued by Ofcom under s. 121 of the Online Safety Act 2023 (the “OSA”) are fundamentally incompatible with international and domestic human rights laws: their effect would amount to ending access to end-to-end encrypted messaging in the United Kingdom, contravening Articles 8 and 10 of the European Court of Human Rights and breaching Ofcom’s obligations under the Human Rights Act 1998, fundamentally alter the face of digital communications in the United Kingdom, and leave the UK government vulnerable to a barrage of diplomatic and international legal disputes.
At Index on Censorship, we have published censored writers across the globe since 1972. Today, we’re using encrypted messaging apps to keep in touch with our network of correspondents around the world, from Iran, to Afghanistan, to Hong Kong.
We were vindicated in raising the alarm over the government’s ongoing crusade against encryption, its potential abuse under the IPA, and we have repeatedly called for Ofcom’s power to issue Technology Notices to be removed from the OSA given their legal and practical failings.
While the OSA’s aims are commendable, the road to mass censorship is paved with good intentions, and the Government still has the chance to avoid this legal headache and practical international embarrassment.
Read the report here or flip through it below.
21 Oct 2025 | News
Today marks the fifth Global Encryption Day.
Organised by the Global Encryption Coalition (GEC), a network of 466 civil society organisations, companies, and individual cybersecurity experts from 108 countries, Global Encryption Day aims to draw global attention to the risks of rushing through legislation to add technological “back doors” to encrypted messaging services like WhatsApp and Signal as well as cloud-based data services.
In democratic countries, the reasons for wanting to break encryption are well-intentioned – everyone wants to stop child sexual abuse and thwart terrorist attacks. Also, the security services are clearly interested in doing it. The problem is that there is no way to provide back-door access to encrypted data and communications without compromising the privacy and security of everyone who uses them.
Since it was established five years ago, the GEC has challenged legislative proposals for encryption in countries including Australia, Brazil, France, India, Sweden, Turkey, the UK, and the USA. In 2021, the Coalition successfully pressured the Belgian Government to scrap a proposed law to enable backdoor end-to-end encryption.
Index published a piece by the New European’s political editor James Ball recently on age verification. He wrote: “It is the case that since end-to-end encryption has become the default online, intelligence agencies are very keen to find ways to circumvent it – and to make the internet possible to monitor again.”
In the UK, the government is trying to break encryption. We wrote earlier this year about the government’s attempts to get access to Apple’s encrypted data. Our CEO Jemimah Steinfeld also wrote recently about threats to encryption in the Online Safety Act.
She wrote, “In a tolerant, pluralistic society, this may seem unthreatening, but not everyone lives in such a society. Journalists speak to sources via apps offering end-to-end encryption of messages. Activists connect with essential networks on them too. At Index we use them all the time.”
The Coalition is using a parrot (see above) as the emblem of Global Encryption Day. You may see posts on social media inviting users to “meet the parrot that knows too much. Curious, chatty, and ready to repeat everything it hears”.
Index believes encryption needs preserving. Help up support Global Encryption Day today.
15 Aug 2025 | Digital rights, Europe and Central Asia, News, United Kingdom
The Online Safety Act could have been worse. When it was still a bill, it included a provision around content deemed “legal but harmful”, which would have required platforms to remove content that, while not illegal, might be considered socially or emotionally damaging. We campaigned against it, arguing that what is legal offline must remain legal online. We were successful – “legal but harmful” did not make the final cut.
Still, many troubling clauses did make their way into the Act. And three weeks ago, when age verification rules came into force, people across the UK began to see the true scope of the OSA, a vast piece of legislation which already is curtailing our online rights.
Setting aside the question of how effective some of these measures are (how easy is it, really, to age-gate when kids can just use VPNs, as we saw a few weeks back?), many of our concerns focus on privacy.
Privacy is essential to freedom of expression. If people feel they are being monitored, they change how they speak and behave. Of course, there is a balance. We use Freedom of Information requests to hold power to account, so that matters of national importance aren’t hidden behind closed doors. But that doesn’t mean all speech should be open to scrutiny. People need private space, online as well as off. It’s a basic right, and for good reason.
We’ve landed in a strange place in 2025. Never before in human history have we had such powerful tools to access people’s inner lives. But just because we can doesn’t mean we should. The OSA empowers regulators and platforms to use those tools, mostly in the name of child safety (with national security also a stated goal, albeit one that seems secondary), and that’s not good.
To be clear: I empathise with concerns around child safety. We all want an internet that is safer for children. But from every conversation I’ve had, and every piece of research I’ve seen, it won’t make much of a difference to the online experience of our children. There are too many loopholes and the only way to close them all is to further encroach on the privacy of us all. Even then there will still be get-arounds.
What does a less private internet look like? Just consider a few ways we use it: we send sensitive data, like bank details, ID documents and health records, to name just three. That data needs to be private. We talk online about our personal lives. In a tolerant, pluralistic society, this may seem unthreatening, but not everyone lives in such a society. Journalists speak to sources via apps offering end-to-end encryption of messages. Activists connect with essential networks on them too. At Index we use them all the time.
The OSA is already eroding privacy. Privacy is being compromised by the OSA’s age-gating requirement under Section 81, which mandates that regulated providers use age-verification measures to ensure children – defined as those under 18 – don’t encounter pornographic content.
This means major platforms like TikTok, X, Reddit, YouTube and others must comply. Several sites already have profiles of us, based on information we’re had to upload to register, and the tracking of our online habits and patterns. Now our profiles will grow bigger still, and with details like our passports and driving licences. Although the OSA says age verification information should not be stored we already know that tech is not infallible and this additional data could be extremely powerful in the wrong hands. We’ve seen enough major data breaches to know this isn’t a worse-case abstraction.
But it could get worse. Section 121 of the OSA gives Ofcom the power to require tech companies to use “accredited technology” to scan for child abuse or terrorism-related content, even in private messages. Under the OSA, technology is considered “accredited” if it has been approved by Ofcom, or a person designated by Ofcom, as meeting minimum standards of accuracy for detecting content related to terrorism or child abuse. These minimum standards are set by the Secretary of State. By allowing the government to mandate or endorse scanning technology – even for these serious crimes – the OSA risks creating a framework for routine, state-sanctioned surveillance, with the potential for misuse. Indeed, while the government made assurances that this wouldn’t undermine end-to-end encryption, the law itself includes no such protection. Instead, complying with these notices could require platforms to break encryption, either through backdoors or invasive client-side scanning. Ofcom has even flagged encryption itself as a risk factor. The message to tech companies is clear: break encryption to show you’re doing everything possible. If a company doesn’t, and harmful content still slips through, they could be fined up to 10% of their annual global revenue. They’re damned if they do and damned if they don’t.
Yes we want a safer internet for our children. I wish there were a magic bullet to eliminate harm online. This isn’t it. Instead, clauses within the OSA risk making everyone less safe online.
Sometimes we feel like a broken record here. But what choice do we have, when the attacks keep coming? And it’s not just the OSA. The Investigatory Powers Act, formerly dubbed the “Snooper’s Charter”, has also been used to demand backdoors into devices, as we saw with Apple earlier this year.
So, we’re grateful that WhatsApp recently renewed a grant to support our work defending encryption and our privacy rights. As always, our funders have no influence on our policy positions and we will continue to hold Meta (WhatsApp’s parent company) to account just as we do any other entity. What we share is a core belief: privacy is a right and should be protected. And at Index we work on a core principle: human rights are hard won and easily lost. Now is not the time to give up on them – it’s the time to double-down.
7 Apr 2025 | News, Statements, United States
The court responsible for hearing Apple’s challenge against the UK Government demanding that it breaks encryption has rejected the Home Office’s bid to have the case heard in secret.
Earlier this year, the UK Government ordered Apple to grant it access to encrypted data stored by Apple users worldwide in its cloud service. The order, known as a Technical Capability Notice, was made under the Investigatory Powers Act 2016. In response, Apple pulled its Advanced Data Protection service from the UK, stating it would never build a “back door” into its security measures.
Apple is challenging the Technical Capability Notice in the Investigatory Powers Tribunal, with the Home Office seeking to have the proceedings held entirely in secret.
Big Brother Watch, Open Rights Group and Index on Censorship made a submission to the court, arguing against proceedings taking in place in secret and in favour of open justice. Today, the Tribunal has rejected the Home Office’s application, stating it did not accept “that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security”.
Rebecca Vincent, Interim Director of Big Brother Watch:
“This judgment is a very welcome step in the right direction, effectively chipping away at the pervasive climate of secrecy surrounding the Investigatory Powers Tribunal’s consideration of the Apple case. The Home Office’s order to break encryption represents a massive attack on the privacy rights of millions of British Apple users, which is a matter of significant public interest and must not be considered behind closed doors. We are heartened that the Tribunal responded to the important legal arguments we made on the basis of open justice and that our submission calling for proceedings to be opened to the public has made a difference. We will keep campaigning to protect privacy rights in the face of these and other threats to encryption — as once it is broken for anyone, it is broken for everyone.”
Jim Killock, Executive Director of Open Rights Group:
“This is bigger than the UK and Apple. The Court’s judgment will have implications for the privacy and security of millions of people around the world. Such an important decision cannot be made behind closed doors and we welcome the IPT’s decision to bring the hearing into the open so that there can be public scrutiny of the UK government’s decisions to attack technologies that keep us safe online.”
Jemimah Steinfeld, CEO of Index on Censorship:
“This is a victory for those of us who campaign for privacy rights. It was incredibly sobering that a case about our privacy was being conducted both in private and in secret. So we’re pleased to see a course change here. That said, the battle is not yet won. The arguments to break encryption do not just relate to this specific case and we are having to constantly make the case for why encryption is vital in our democracy; nor does this judgment stipulate that the case will be held fully in the open moving forward – as it should be – only that we can know the “bare details”. We welcome this news but we continue to fight for full transparency here.”
NOTES
- The full judgment can be found on the Investigatory Powers Tribunal here
- Spokespeople are available for interview – please [email protected]
