Why the tech industry needs to stand firm on preserving end-to-end encryption

Restricting end-to-end encryption on a single-country basis would not only be absurdly difficult to enforce, but it would also fail to deter criminal activity

The UK Government wants access, when requested, to the end-to-end encrypted messages and data for everyone in the UK. The reasons are to specifically tackle serious crimes, such as terrorism and child sex abuse. The UK Government is not alone in this, of course, as other countries are also grappling with how to address similar problems in their own jurisdictions.

To enforce such a requirement, however, tech companies would need to provide a backdoor – something that is either highly unlikely or never going to happen, at least according to the current stance of most tech companies. The alternative would be to have specific app developers comply with the requirement, but this would only work for local apps tied to a country’s app store location settings.

Demanding the impossible

Put simply, restricting end-to-end encryption on a single-country basis is inherently unenforceable. What happens when someone from another country visits a restricting country? Would they need to unencrypt, download a new app, delete the encrypted content, or use some other method to comply? The only method to enforce such a law would be at the border… can you imagine the lines at ‘device immigration’?

This issue was highlighted when Apple withdrew Advanced Data Protection (ADP) from the UK marketplace back in February. It transpired that the UK Government had issued a non-public notice to Apple under the Investigatory Powers Act, asking for access to such data, which would have required a backdoor to be built into Apple’s encryption service. Apple’s response was unequivocal, however: “We have never built a backdoor or master key to any of our products or services and we never will.” ADP uses end-to-end encryption, meaning only the account holder can decrypt files.

Recently, WhatsApp threw their support behind Apple in its fight. The issue of breaking encryption with a backdoor should not be shrouded in secrecy like the non-public notice issued to Apple, as this concerns a fundamental privacy and security issue. There are times for secrecy, and I am sure there will be specific cases when data is accessed using the legislation that could, depending on circumstances, be kept secret. Currently, the tech industry continues to stand by their principles of providing customers privacy and security products without backdoors, which, in my opinion, they should continue to do.

The UK government’s stance, though, is that all people, when physically in the UK and regardless of citizenship, should be answerable to a UK court. Apple’s removal of ADP for UK users does not fulfill the requirement. If you are a UK iPhone user, then ADP has been removed and is now greyed out and no longer available to you. The method used to determine if a user is in the UK seems not to be based on their location – it appears to rely on the ‘country and region’ you have set in your Apple account. Simply switching your country and region to somewhere other than the UK re-enables the option to turn on ADP.

There are some downsides to this, such as the App Store only offering apps from the selected country and region, so you may not be able to download all the apps you need. You can then enable ADP and then switch countries again and ADP remains active. But, if the UK courts and legal system should apply to all those in the UK, then it will need to include visitors and not be based on ‘country and region’. This is not so simple, however: once you enable encryption, to disable it you need to decrypt the data before switching off the encryption, otherwise the encrypted data remains encrypted and unreadable.

Border chaos

It’s not realistic to force everyone entering a country to provide access to their encrypted messages, especially when they’re carrying a device from a country and region where there is no legislation requiring government access to encrypted data. To enforce it at the border, each person entering the country would need to unencrypt end-to-end encrypted data and disable any apps or features that use end-to-end encryption where there is no backdoor. Every border agent will need to be a tech wizard, and if every visitor is carrying two or three devices, the agent will need to go through each device meticulously to ensure compliance. In other words, each border agent might be able to process one individual every few hours. Again, can you imagine the chaos and lines at border control?

And then there are people like me. I have two phones, both are on a UK carrier network, one has a country and region setting of the United States and the other to the United Kingdom. ADP is only available to activate on one of them. This means circumventing the current restriction is remarkably simple, and for those who wish to use ADP, whether for legitimate privacy concerns or for criminal activity, there really is no barrier – they just need to seek out this very simple solution.

I am assuming there will never be a requirement that forces all visitors to stop using end-to-end encryption services as they enter the country, especially as the services are legal in the countries they reside in. It’s just too complicated to enforce. And, because it’s far too easy to make yourself appear to be located somewhere other than the UK, then those with criminal intent who wish to use end-to-end encryption will continue to use services designed for use in other countries or will find alternatives that strengthen their security even further. This results in just the law-abiding residents of countries enforcing this type of legislation being subject to government and law enforcement access to their data if required.

The demonstrable ease of bypassing the requirement, coupled with the impossible logistical burden of its enforcement, makes that requirement, at least in my mind, fundamentally unfit for purpose.

ESET believes that strong encryption is essential for protecting personal privacy, securing sensitive data, and preventing cybercrime. When one government mandates weakened encryption, others may follow, including those with fewer safeguards for citizens.

We must strike the right balance: protecting privacy while ensuring law enforcement has the necessary legal tools to uphold public safety. Instead of backdoors that risk weakening security for everyone, we support a system where law enforcement can access data through court warrants, backed by robust oversight mechanisms in place to ensure both security and safeguards for users.

