According to TechRadar, a new independent report from Jonathan Hall KC, the UK’s Independent Reviewer of State Threats Legislation, warns that developers of apps using end-to-end encryption, like Signal and WhatsApp, could technically be considered hostile actors. The report, reviewing the Counter-Terrorism and Border Security Act and the new National Security Act, highlights the incredibly broad powers granted to authorities. It states that simply making it harder for UK intelligence to monitor communications could fall under the legal definition of “hostile activity,” even without foreign state direction. This comes as Parliament recently debated the Online Safety Act, with MPs pushing for stricter enforcement and a review of encrypted tools like VPNs, while largely ignoring expert warnings about the security risks.
The stark new reality
Here’s the thing: this isn’t just theoretical legal musing. It’s a direct shot across the bow of any company or developer building truly private communication tools. The logic presented is breathtakingly circular. By designing a system that successfully protects user privacy from everyone, including governments, you are automatically assumed to be acting in the interest of a foreign state. It doesn’t matter if that state had no idea you existed. The act of creating strong privacy is, in itself, now potentially suspect. That’s a fundamental shift. It reframes a core digital right—private conversation—as a de facto threat to national security. And once that framing is accepted in law, the path to dismantling that right gets a lot smoother.
A perfect storm of bad laws
But this report doesn’t exist in a vacuum. It’s the ideological fuel for laws that are already on the books. We’ve already seen the Investigatory Powers Act (IPA) used to try and force Apple to weaken iCloud encryption. Now, the National Security Act provides even broader, vaguer powers. And looming over it all is the Online Safety Act, with its yet-to-be-switched-on provisions that experts fear mandate client-side scanning—a system that fundamentally breaks end-to-end encryption. The MPs in this week’s debate seemed frustrated by encryption, viewing it as an annoying obstacle rather than a foundational security feature. They talked about “easy technological fixes.” But as the Internet Society’s rep pointed out, any such backdoor is a gift to hackers. It seems there’s a massive disconnect between the political desire for visibility and the technical reality of security.
Why this is a disaster in waiting
Look, I get the law enforcement argument. Truly, I do. But this approach is so short-sighted it’s painful. Breaking encryption for the “good guys” breaks it for everyone. Jemimah Steinfeld from Index on Censorship nailed it: weakening encryption is itself a national security threat. We’re not just talking about protecting shady characters. We’re talking about journalists, dissidents, whistleblowers, domestic abuse victims, businesses securing their data—basically, anyone who needs a private conversation. In a world of rampant cyberattacks and state-sponsored hacking, why would you deliberately weaken your own population’s digital defenses? It’s like mandating that every front door can be opened with a master key, and then being shocked when burglars get a copy.
The inevitable showdown
So what happens next? We’re headed for a clash. Signal and WhatsApp have already said they’ll pull out of the UK rather than break their encryption. Can you imagine the economic and social chaos if those apps suddenly vanished? And it’s not just chat apps. This logic could extend to any service that prioritizes user privacy. The UK is essentially testing how far it can push before the entire digital ecosystem pushes back. The year ahead is going to be a brutal legal and technical battleground. The question isn’t really *if* there will be a crisis, but when. And how much damage will be done to privacy and security before cooler heads prevail.
