In Defense of Encryption
Sally Wentworth: CEO of the Internet Society and the Internet Society Foundation.
Encryption, or the simple process of scrambling and obfuscating data so that it becomes unreadable by third parties, keeps us, our loved ones, and our communities safe by protecting everything from private messages to online banking details and medical records. It is the bedrock of trust in our digital society, and it is critical to ensuring personal security as much as it is a fundamental necessity for national security.
Despite all this, encryption faces unprecedented threats from established democracies, which inadvertently pave the way for despots around the world to follow. Specifically, in these countries, policymakers often present strong encryption as being at odds with effective law enforcement. But this is a misguided choice. The reality is that we need legislation that protects people online while also maintaining the security infrastructure that safeguards our data. Neither of these objectives is incompatible with the other.
Policymakers continue to claim that creating “backdoors” for law enforcement—allowing governments exceptional access to encrypted communications—is necessary to help catch criminals. However, cybersecurity research has consistently demonstrated the impossibility of creating a backdoor that only “good guys” can use. A backdoor is just a backdoor.
The Salt Typhoon case, where a state-sponsored hacking group from China gained access to U.S. communication systems by exploiting backdoors originally created for U.S. law enforcement and intelligence agencies, should have been enough to prove that there is no way to control who exploits embedded system vulnerabilities. No matter how noble the intent, such tools will inevitably become weapons that can be misused by criminals, hostile state actors, and malicious hackers.
Consider here the proposed EU regulation on child sexual abuse, more commonly referred to as “chat monitoring,” which obliges service providers to scan private communications for materials related to child sexual abuse. While the goal of protecting children from sexual exploitation is urgent and critical, this proposal would undermine the confidentiality provided by end-to-end encryption.
Under this regulation, service providers would be required to implement client-side scanning—technology that examines messages on users’ devices before they are encrypted and sent. If breaking encryption is like opening an envelope while a message is passing through the postal service, client-side scanning is akin to someone reading over your shoulder as you write the message. The result is the same: a loss of privacy and confidentiality. Furthermore, client-side scanning would not halt child sexual abuse materials as perpetrators can evade detection by compressing images or copying and pasting them into another file format.
Once such systems are in place, they create new vulnerabilities that have implications for freedom of expression. There is no guarantee, for example, that they won’t be used to scan for other types of content—such as political dissent, union organizing, or information that recalcitrant power players want to suppress.
Others also face disproportionate harm due to weakened encryption. When communications are compromised, journalists lose the ability to protect their sources, thwarting efforts to expose corruption. Medical professionals need encryption to maintain patient confidentiality. Lawyers require encryption to preserve attorney-client privilege. Businesses need encryption to protect trade secrets. Governments rely on it to maintain national security. For individuals fleeing domestic violence or living in societies where their identity exposes them to danger, encrypted messaging can be a matter of life or death.
Yes, children also need encryption. Research conducted by the UK Information Commissioner’s Office found that encryption enhances children’s safety online by preventing sexual predators from obtaining sensitive information that could be used for grooming. Ironically, breaking end-to-end encryption under the guise of “protecting children” would expose them to greater harm.
Here, public pressure can make a difference. The Australian government has not yet compelled tech companies to change their services under the controversial 2018 encryption legislation that grants it power to issue “technical capability notices,” likely because authorities are aware of the political risks associated with wielding such powers. In the UK, after civil society rallied against the Online Safety Bill, major companies promised they would prefer to withdraw their services rather than comply with orders that undermine encryption.
As the proposed chat control moves through the EU legislative process, member countries are battling over encryption. Poland, the Czech Republic, the Netherlands, and Finland have opposed this legislation in the European Council on the grounds that it threatens privacy, raises national security concerns, and is primed for abuse. However, Denmark, France, Hungary, and other countries support it, believing these risks are acceptable trade-offs to safeguard children.
The outcomes of these political disputes will be felt beyond Europe. End-to-end encrypted messaging services are used globally, and pressure from a major market like the EU could force companies to compromise the security and privacy of their products, putting users at risk worldwide.
As the world celebrates Global Encryption Day this year, we must recognize that this discussion is not about abstract technical specifications; it is about ensuring the Internet is safe, secure, and deserving of everyone’s trust. When it comes to protecting children, this means regulatory controls that genuinely safeguard their wellbeing, not providing false comfort while creating systemic vulnerabilities; law enforcement directed by evidence, not mass surveillance; cross-border cooperation to ensure the rapid removal of known child sexual abuse materials; and robust support for victims and prevention campaigns.
In other areas as well, we need solutions to address online harms without undermining privacy, confidentiality, and freedom of expression. The digital future worthy of our highest aspirations depends on encryption. If we want an Internet that benefits everyone—where people everywhere can connect, communicate, and create safely—we must not allow this foundation to erode.
