No statutory protection or transparency mechanism for end-to-end encryption
OSA s.121 lets Ofcom mandate 'accredited technology' to scan private messaging; Ofcom finalised its Technology Notices guidance in May 2026, and enforcement is deferred only by a ministerial 'technical feasibility' assurance with no legal force. Separately, IPA technical capability notices are secret: Apple withdrew Advanced Data Protection from UK users (Feb 2025), the IPT dismissed Apple's appeal after the Home Office narrowed its order to UK users only, and Privacy International's secrecy challenge was heard in 2026. There is no statutory transparency reporting (even aggregate counts) for TCNs, and no dedicated litigation/defence fund; ORG, PI and Big Brother Watch cover encryption from general budgets.
Every layer of the stack rests on lawful, durable E2EE. The current regime is an uncertainty tax: providers withdraw features (ADP), builders cannot promise UK users lasting security, and secrecy prevents Parliament or the market from weighing the trade-offs.
A statutory amendment protecting E2EE from scanning mandates; annual aggregate transparency reporting on IPA notices; and a philanthropic UK Encryption Defence Fund financing interventions and representation for small providers facing notices.
// Build now: First artefact: philanthropic UK Encryption Defence Fund; the statutory E2EE amendment remains the state-led end-state.
Encryption underpins the whole stack, scanning-mandate and secret-notice regimes are being finalised and litigated this year, but durable protection needs statute and only general-budget campaigners push back.