The War on End-to-End Encryption – What’s Next?

Ding Dong, the Witch Is Dead…ish
Recently, we received news that the European Parliament struck a serious blow against mandatory backdoors in end-to-end encryption, most notably exemplified by repeated “Chat Control” legislative proposals. CyAN has repeatedly argued against these, and against other similar backdoors [1] [2] [3].
I am fully aligned with CyAN’s board-sanctioned position on why end-to-end encryption and online privacy must be safeguarded, and recently had a conversation with ITSP magazine’s Marco Ciappelli on the topic. The inviolability and confidentiality of information – whether in transit or at rest – and the strongly related concept of allowing individuals to remain anonymous online if they so choose, are cornerstones of security and safety for both persons and organisations. They are also crucial parts of our ability to speak and act freely as citizens of liberal democratic societies.
Unfortunately, it should be noted that the idea of legally mandated technological sabotage of communications security mechanisms is far from dead. Rather, the recently passed amendment severely restricts when law enforcement can surveil communications, and inhibits such measures. Still, it does a great job reconciling the understanding of the need to protect vulnerable populations such as discriminated-against minorities and children online, with the vital concepts of security and privacy. Importantly, it avoids the trap of the false dichotomy, often pushed by pro-backdoor advocates, that “if you insist on privacy, you support child porn/drug trafficking/money laundering/terrorism”.
Companies Care About Privacy, Right?
It’s not just laws, though – Meta (Facebook) just announced that it would be dropping end-to-end encryption in Instagram instant messaging. Why is this? Interesting timing for such an announcement indeed. Obviously, Facebook has an interest in collecting data for its commercial use – something that has had awful results in the past, exemplified by Christopher Wylie’s book “Mindf*ck” about Cambridge Analytica’s abuse of such data in the run-up to Brexit. Meta has consistently displayed a cavalier attitude towards its impact on society, whether in its cavalier approach to fighting disinformation in Myanmar or its handling of accusations of how it treats data collected by users of its smart glasses. I don’t trust them.
Only Read This if You’re 18 or Over
Encryption backdoors aren’t the only threat. The past two years have seen a dramatic rise in moves to mandate age verification online, whether by companies (as in Discord’s catastrophic attempt to require age verification by Peter Thiel-backed provider Persona) or by governments – Australia being one of the first to require age verification to access social media and adult content online. France, the UK, the US, the European Union, and other states have either passed such laws or are in the process of doing so.
It’s the Conspiracy, Stupid
Stop here if you’re not comfortable going down a rabbit hole.
While I initially thought the rise of anti-privacy moves might be a coincidence, driven by a lot of well-meaning idiots, I no longer believe this. Many tech firms increasingly seem comfortable with killing off security and anonymity of their consumers at the same time as we’re being hit by a barrage of regulatory attempts to do the same. Again – this concerns both encryption backdoors and age verification requirements.
US Big Tech has often at best been cozy with the US Trump administration and several of the groups that underpin its “ideologies” – such as the Heritage Foundation. This think tank has frequently supported anti-democratic initiatives such as European fringe groups and right wing governments such as that of Hungary’s Viktor Orbán that are openly hostile to many of the liberal ideals espoused by the European Union and like-minded societies (and which, in the case of Orbán and Slovakia’s Robert Fico, supported Chat Control, quelle surprise). The foundation also actively argues for age verification online, understandable insofar as this has the potential to hurt marginalised groups such as trans people and minorities, whom Heritage Foundation-supported policies such as Project 2025 (pdf) seem committed to discriminating against. Remember – killing privacy and anonymity has real-world consequences for real people.
Many key figures in the tech oligarch-o-sphere, such as Marc Andreessen and Peter Thiel, major investors in many of the technologies that would benefit from mass surveillance and age verification (Palantir, Persona), have also voiced their opposition to liberal democratic ideas that run contrary to the weird, often inconsistent and incoherent pseudo-techno-libertarian-feudal “philosophies” they espouse.
Weirdly, Andreessen seems to be an opponent of the UK’s Online Safety Act, at the same time as calling online safety teams “the enemy” (partial paywall). If nothing else, this is an example of how tech billionaires’ attitudes towards rights and safety are often neither coherent nor consistent. In Thiel’s case, there’s a significant amount of incredibly weird religious extremism and obsession with eschatology thrown into the mix.
A growing number of accusations maintain that the rise of anti-privacy, anti-security laws and corporate policies is actually part of a coordinated global lobbying strategy. The TBOTE Project has a good overview on both their website and on GitHub, specifically about Meta’s investments in such lobbying.
This thus presents us with a terrifying prospect. There is a genuine trend of anti-privacy, anti-security legislation and corporate moves to undermine the safety that these capabilities engender. Worse, it’s the result of a perfect storm of multiple interest groups working towards the same end – the aforementioned useful idiots, if-you’ve-done-nothing-wrong-you-have-nothing-to-hide types, extremist religious zealots crusading against what they see as “immorality” online (porn? LGBTQ+? Women? Ew!), autocrats and authoritarianism fanboys, TechBros wanting all the data, you name it. Even though many of these don’t immediately seem like natural allies, politics and shared goals make strange bedfellows.
So…What Can We Do? Quite a Bit.
First, write your politicians. In the case of Chat Control, sites like Fight Chat Control make it very easy to identify your elected representatives, and to draft factual, polite, concise emails to them that you can edit to your liking. You won’t always get a response – in fact of the over 60 MEPs I wrote to asking them to oppose Chat Control in 2015, I received a response from…one. Nonetheless, volume matters – one person asking a politician to vote a certain way means nothing. A million of us is another issue entirely.
You can donate to, and share information about, others who are active in this fight. Organisations like the Electronic Frontier Foundation, EPIC, and Encryption Europe all take highly principled stands in favour of your rights, and are active in lobbying for constructive, reasonable rules and standards.
Most importantly, vote with your wallets. Whenever possible, use and support communications tools that take an uncompromising stance on security and privacy – and avoid those who don’t. For me, this means using software like Signal instead of WhatsApp. The Signal Foundation has consistently supported users’ digital rights, going so far as to threaten to leave Sweden if legally pushed to implement backdoors by that country’s government.
Signal got an unjustified bad rap due to the current US Secretary of Defense Pete Hegseth’s laughable OPSEC failure in 2025. He not only violated official communications retention rules and circumvented military restrictions on use of unsanctioned tools, but also failed to realise that he had included a journalist in the “private” chat group in which military operations were being openly discussed. Ironically, this is a point in favour of Signal!
Signal is an outstanding tool, with a look & feel very similar to WhatsApp. It is free of the baggage of corporate control by a US tech giant – with serious accusations regarding lack of WhatsApp privacy being raised in a recent lawsuit against Meta, WhatsApp’s owner. Signal also does not include the annoying and privacy-questionable “AI assistant”. Interestingly, WhatsApp is banned by many entities with strong communications security needs, not least of which the US House of Representatives on its devices.
Don’t just use it yourself – talk to your friends, neighbours, and colleagues about why privacy and security matter. Use simple concepts, not ideological generalisations. Explain why scammers can target them, and why companies collecting data results in more spam. With people who have lived under authoritarian governments like many of our older neighbours in Catalonia, you can even appeal to their memories of state surveillance and oppression. These are much easier in a panopticon. Crucially, if you stop using a commercial tool, whether it is for-pay or “free” (hint: you’re paying with your data), try and let their public relations people know why you’re abandoning it. Consumer pressure does matter – companies are not immoral, they are amoral, and care about money. If something they do is costing them money, they’re more likely to stop doing it.
Sadly, while US residents may not realise it due to the near omnipresence of iOS devices and iMessage, daily life in much of the world still requires WhatsApp. I could not function in Spain without it. Still, if you use Signal whenever possible, and convert only a few users to Signal every year, it’s a very good start. WhatsApp has had several significant outages in the past; each of these is a good opportunity to pick off a few more users. If I can get my 85-year-old father on Signal, you can too.