UK Wants to Scan Every Message on Your Phone Before You Send It — Security article on gikiewicz.com

“The UK government wants to scan photos and messages on phones before they are sent, with prison time for companies that refuse.” This is not a dystopian novel plot — it is the actual text of proposed regulations under the UK’s Investigatory Powers Act, widely known as the “Snooper’s Charter.” Security firm Intel 471 has already identified 19,000 fraudulent sites in 2026, showing how surveillance and cyber threats expand simultaneously in the digital landscape.

TL;DR: The UK government wants to force technology companies to scan photos and messages on user devices before they are sent, with criminal penalties including prison for companies that refuse to comply. Intel 471 has identified 19,000 fraudulent sites in 2026 alone, showing how surveillance expands alongside cyber threats.

What Is the UK Government Proposing for Phone Message Scanning?

The UK government is pushing for mandatory client-side scanning of photos and messages on smartphones before they are encrypted and sent to recipients. Under amendments to the Investigatory Powers Act, technology companies operating in the UK would be required to build scanning technology directly into their applications. This means every image, video, and potentially text message would be analyzed on the device itself before transmission. The government frames this as a child safety measure. According to the proposal, the scanning would target child sexual abuse material (CSAM) and terrorism-related content. However, the technical architecture being proposed has far broader implications for all users, not just those under investigation.

The proposal emerged from the UK Home Office as part of a broader push to eliminate what officials call “safe spaces” for criminals online. The government argues that end-to-end encryption prevents law enforcement from detecting illegal content. Their solution is to scan content before encryption occurs — on the user’s device. This is significant. It shifts surveillance from the network to the endpoint.

Critics, including major technology companies and civil liberties organizations, have raised alarms about the feasibility and proportionality of these requirements. The scanning would affect every user of messaging platforms operating in the UK, regardless of whether they are suspected of any crime. The proposal has gone through multiple revisions, with the government softening some language while maintaining the core requirement for device-level scanning capabilities.

How Would Client-Side Scanning Work on Your Device?

Client-side scanning (CSS) works by installing software directly on a user’s device — their phone, tablet, or computer — that inspects content before it is encrypted and transmitted. When a user selects a photo to send via a messaging app, the CSS system would first compute a hash of that image and compare it against a database of known hashes, typically derived from child sexual abuse material catalogued by organizations like the National Center for Missing and Exploited Children. If a match is found, the message could be flagged, blocked, or reported to authorities automatically, without the user’s knowledge or consent.

The technical process involves several steps that happen in milliseconds. First, the application generates a cryptographic hash of the file. Then it compares this hash against a locally stored or remotely fetched database of flagged content. If the hash matches, the application takes a predetermined action — which could range from alerting the user to silently reporting them to law enforcement. The user would have no indication this process is occurring.

Security researchers have identified fundamental problems with this approach. Any scanning system that runs on the user’s device creates a new attack surface. Malicious actors could potentially exploit the scanning mechanism to access user data, plant false evidence, or disrupt communications. The system also requires a backdoor into the device’s trusted computing base, which undermines the security model that protects banking, health data, and personal communications.

Furthermore, the hash-matching approach has known limitations. Perceptual hashing algorithms can produce false positives — flagging innocent images that happen to share visual similarities with flagged content. Researchers have demonstrated that it is possible to generate images that trigger false positives, potentially flooding reporting systems with bogus alerts. The technology is not precise enough for the legal stakes involved.
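To make the three steps described above concrete (hash the file, compare it against a list, act on a match) and to show why the hash-matching caveats matter, here is an added, self-contained Python illustration written for this article. It is not code from the UK proposal, from any vendor, or from any deployed scanner. The images are constructed noise, the hash list and the 10-bit distance threshold are assumptions, and the “difference hash” is a textbook perceptual hash standing in for the proprietary algorithms real deployments use. Running it side by side with SHA-256 shows why an exact cryptographic digest is useless for this task (one changed pixel alters the whole digest) and why the tolerance a perceptual hash needs is the same property that turns false positives into a question of where the threshold is set.

```python
"""Toy walk-through of the hash-and-compare step a client-side scanner performs.
Added illustration for this article; the images, threshold and hash list are constructed."""
import hashlib

W, H = 36, 32        # constructed image size (36 wide so every dHash block is exactly 4x4)
HASH_SIZE = 8        # dHash grid: 8 rows x 9 columns of block means -> 64 comparison bits


def make_image(seed):
    """Constructed grayscale 'photo': deterministic noise from a small LCG, values 0..120."""
    state = seed
    img = []
    for _ in range(H):
        row = []
        for _ in range(W):
            state = (1103515245 * state + 12345) % 2**31
            row.append((state >> 16) % 121)   # headroom left for the contrast change below
        img.append(row)
    return img


def sha256_hex(img):
    """Cryptographic hash of the raw pixel bytes: any change alters the whole digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def dhash(img):
    """Perceptual 'difference hash': shrink the image to 8x9 block means, then emit one
    bit per horizontal neighbour pair (1 if the left block is brighter than the right)."""
    rows, cols = HASH_SIZE, HASH_SIZE + 1
    bh, bw = H // rows, W // cols
    means = [[sum(img[y][x] for y in range(r * bh, (r + 1) * bh)
                            for x in range(c * bw, (c + 1) * bw)) / (bh * bw)
              for c in range(cols)] for r in range(rows)]
    bits = 0
    for r in range(rows):
        for c in range(cols - 1):
            bits = (bits << 1) | int(means[r][c] > means[r][c + 1])
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def scanner_decision(candidate_hash, blocklist, threshold=10):
    """The 'act' step: flag when any listed hash is within the (assumed) threshold.
    Returns the smallest distance seen and whether it crossed the threshold."""
    best = min(hamming(candidate_hash, h) for h in blocklist)
    return best, best <= threshold


def edit_one_pixel(img):
    """Minimal edit: add 1 to a single pixel in the middle of the image."""
    out = [row[:] for row in img]
    out[H // 2][W // 2] += 1
    return out


def adjust_contrast(img, gain=2, bias=10):
    """Brighten and double the contrast: p -> gain*p + bias (max 250, still a byte)."""
    return [[gain * p + bias for p in row] for row in img]


def invert(img):
    """Photographic negative: every brightness gradient flips direction."""
    return [[255 - p for p in row] for row in img]


def demo():
    """Compare four candidates against a one-entry hash list built from the original.
    Returns {case: (hamming distance, flagged?, sha256 identical to original?)}."""
    original = make_image(seed=2024)
    blocklist = [dhash(original)]          # constructed: pretend this image is on the list
    cases = {
        "identical": original,
        "one pixel +1": edit_one_pixel(original),
        "contrast/brightness": adjust_contrast(original),
        "negative": invert(original),
    }
    results = {}
    for name, img in cases.items():
        dist, flagged = scanner_decision(dhash(img), blocklist)
        results[name] = (dist, flagged, sha256_hex(img) == sha256_hex(original))
    return results


if __name__ == "__main__":
    for name, (dist, flagged, same_sha) in demo().items():
        print(f"{name:20s} dHash distance={dist:2d} flagged={flagged!s:5s} sha256 identical={same_sha}")
```

Two properties are provable from the construction and are what the example is meant to teach: a one-pixel edit moves at most one block mean, so at most two of the 64 bits change while SHA-256 changes completely; and an affine brightness/contrast change leaves every block comparison intact, so a file with entirely different bytes produces an identical perceptual hash. The negative image, whose gradients all point the other way, lands far from the list and serves as the true-negative reference. Whether a given edit counts as “the same image” is therefore decided by the threshold, not by the hash, and raising it to catch more edited copies raises the chance of flagging unrelated pictures.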

What Are the Criminal Penalties for Companies That Refuse to Comply?

Under the proposed UK regulations, technology companies that fail to implement the required scanning capabilities face severe criminal penalties. Senior executives and company representatives could face prison sentences for non-compliance. The government has structured the penalties to apply not just to companies as corporate entities, but to individual executives who make decisions about compliance. This personal liability approach is designed to pressure leadership teams into implementing scanning technology regardless of their technical or ethical objections.

The financial penalties are also substantial. Companies could face fines calculated as a percentage of their global revenue, similar to the penalty structure used under GDPR regulations in the European Union. For major technology companies like Apple, Google, or Meta, these fines could amount to billions of dollars. The combination of personal criminal liability for executives and massive corporate fines creates enormous pressure to comply.

This approach has precedent in other UK legislation. The Online Safety Act, which received royal assent in October 2023, already includes provisions for criminal liability for senior managers of technology companies that fail to protect children from harmful content. The new scanning proposals extend this framework further, requiring proactive surveillance rather than reactive content moderation. Companies would not be able to wait for reports of illegal content — they would need to scan everything, proactively, all the time.

The enforcement mechanism raises questions about jurisdictional reach. Many messaging platforms operate from servers located outside the UK. The UK government asserts that any company offering services to UK users falls under its jurisdiction, regardless of where the company is headquartered. This extraterritorial claim could force global changes to messaging applications, affecting users worldwide, not just in the UK.

Why Do Privacy Advocates Consider This a Threat to Encryption?

Privacy advocates and cybersecurity experts consider client-side scanning fundamentally incompatible with end-to-end encryption because it requires inspecting content in its unencrypted state. End-to-end encryption works by ensuring that only the sender and recipient can read a message — not the service provider, not the government, not any intermediary. Client-side scanning breaks this model by introducing a third party — the scanning algorithm — that reads every message before it is encrypted. This creates what security researchers call a “ghost” in the system.

The fundamental promise of encryption is that your data remains private between you and your intended recipient. CSS violates this promise by requiring that a surveillance mechanism be present in every conversation. Even if the scanning only targets specific types of content, the infrastructure must be capable of reading everything. A system that can scan for CSAM can be modified to scan for anything — political dissent, trade union communications, journalist sources, or any other content a government finds objectionable.

Major technology companies have echoed these concerns. Apple, which initially proposed a similar scanning system for iCloud photos in 2021, abandoned the plan after intense criticism from security researchers and privacy advocates. The company stated that it would instead focus on end-to-end encryption and other privacy-preserving technologies. The UK proposal would effectively force Apple and other companies to reverse course and implement the very systems they previously rejected.

The technical community has been particularly vocal. In an open letter signed by hundreds of cybersecurity researchers, the experts argued that client-side scanning is “not possible without creating serious security vulnerabilities.” The letter noted that any system capable of scanning content on a device can be exploited by attackers, creating new risks for all users. The surveillance infrastructure itself becomes a target.

How Does This Compare to Surveillance Laws in Other Countries?

The UK’s approach to mandatory message scanning is among the most aggressive in the world, but it is not entirely unique. Several countries have enacted or proposed similar surveillance legislation, though with varying scopes and enforcement mechanisms. Understanding these comparisons helps contextualize the UK proposal within a global trend toward expanded digital surveillance.

The European Union has taken a different approach. While the EU has also proposed regulations to combat child sexual abuse material online, the European Parliament has repeatedly rejected mandatory scanning requirements. In 2024, the Parliament voted to limit scanning to targeted cases approved by judicial authorities, rather than implementing blanket surveillance of all users. The EU approach prioritizes judicial oversight and proportionality — principles that the UK proposal largely bypasses.

China operates one of the most comprehensive surveillance systems in the world, with mandatory real-name registration for all internet users and extensive content monitoring. The Chinese model demonstrates the endpoint of surveillance infrastructure: what begins as targeted scanning for specific content categories can expand to encompass political speech, religious expression, and social organizing. Russia has similarly expanded its surveillance capabilities under the SORM system, which requires telecommunications providers to install monitoring equipment that gives security services direct access to all communications.

The United States presents a mixed picture. While there is no federal requirement for client-side scanning, the EARN IT Act has been proposed multiple times in Congress. This legislation would create liability for technology companies that do not scan for CSAM, effectively pressuring them to implement surveillance systems similar to what the UK is proposing. However, the Act has faced significant opposition and has not passed into law. Individual states have also proposed varying requirements, creating a patchwork of regulations.

Australia passed the Assistance and Access Act in 2018, which gives the government power to compel technology companies to build capabilities to access encrypted communications. This legislation is perhaps the closest parallel to the UK proposal, as it includes provisions for forcing companies to modify their systems to enable government access. However, Australia’s law has been criticized for its secrecy provisions and lack of transparency, making it difficult to assess how extensively it has been used. India has also introduced requirements for messaging platforms to trace the origin of messages, which effectively requires breaking end-to-end encryption.

Country | Legislation | Scanning Requirement | Encryption Impact | Penalties
--- | --- | --- | --- | ---
UK | Investigatory Powers Act amendments | Mandatory client-side scanning | Breaks E2E encryption model | Prison for executives, revenue-based fines
EU | CSA Regulation (proposed) | Limited, court-approved scanning | Preserves E2E encryption | Administrative fines
USA | EARN IT Act (proposed, not passed) | Liability-based pressure | Indirect pressure on E2E | Civil liability
Australia | Assistance and Access Act 2018 | Compelled access capabilities | Forces system modifications | Contempt charges, fines
China | Cybersecurity Law 2017 | Comprehensive monitoring | No E2E encryption protection | Criminal prosecution
India | IT Rules 2021 | Message traceability | Weakens E2E encryption | Blocking orders, fines
Russia | SORM system | Full communications access | No E2E encryption protection | License revocation

What Do Cybersecurity Experts Say About the Technical Feasibility?

Cybersecurity researchers and cryptography experts have consistently warned that client-side scanning is fundamentally flawed as a security concept. A coalition of over 300 academics, including prominent cryptographers from institutions worldwide, signed an open letter arguing that mass scanning of private messages introduces vulnerabilities that malicious actors can exploit. The core problem is that any scanning system built into a messaging app creates a backdoor by design, and backdoors cannot be guaranteed to remain accessible only to their intended operators.

The technical challenges are enormous. Scanning algorithms must analyze images, text, and potentially video on-device before encryption occurs, which requires significant processing power and battery resources. False positives remain a critical unsolved problem. Researchers have demonstrated that hash-matching systems used for detecting known illegal content can be tricked with minor image modifications, while also flagging innocent images that happen to share similar hash characteristics.

Furthermore, the scope creep risk is real. Once the scanning infrastructure exists for one category of content, expanding it to other categories becomes a technical configuration change rather than a new policy debate. Experts note that authoritarian regimes would readily adopt such infrastructure for political surveillance. The technology does not distinguish between democratic and authoritarian hands.

Could This Set a Global Precedent for Mass Surveillance?

The UK proposal exists within a broader European context where digital sovereignty and technological independence are gaining political momentum. The European Union has been actively pursuing initiatives to build its own cloud infrastructure, artificial intelligence capabilities, and semiconductor manufacturing, as reported by GRYOnline.pl, aiming to reduce dependence on American technology giants. This push for digital autonomy creates a complex environment where surveillance capabilities could become normalized as part of national technological infrastructure.

If the UK successfully implements mandatory client-side scanning, other nations will face less political friction when proposing similar measures. The UK, having left the EU, operates outside the jurisdiction of the European Court of Human Rights on certain matters, which means its surveillance policies could prove more aggressive than those permitted under EU law. However, the precedent effect extends beyond Europe entirely.

Countries with weaker democratic traditions would gain a powerful rhetorical tool. They could point to the UK as evidence that even established democracies consider mass scanning acceptable. The normalization of on-device surveillance would shift the global baseline for privacy expectations. Once citizens accept that their devices scan private communications before sending, the conceptual barrier to broader monitoring dissolves.

The digital rights landscape in Poland and neighboring countries reflects these tensions. Cybersecurity conferences, such as the Congress of Poland’s Security held in Rzeszów on May 25–26, 2026, as covered by ZBiam.pl, have placed digital safety at the center of national security discussions. These conversations increasingly must balance legitimate security concerns against privacy protections that proposals like the UK’s threaten to undermine.

What Happens to End-to-End Encrypted Messaging Apps?

End-to-end encryption ensures that only the sender and recipient can read message contents, with no intermediary, including the platform provider, possessing the ability to decrypt communications. The UK proposal creates an irreconcilable conflict with this model. If messages must be scanned before sending, the scanning occurs on the device before encryption, which technically preserves the encrypted transmission but fundamentally violates the user’s expectation of private communication.

Major messaging platforms face difficult decisions. Companies like Signal and WhatsApp have previously stated they would rather cease operations in jurisdictions that mandate backdoors than compromise their encryption architecture. Signal explicitly made this position clear during earlier debates around the UK Online Safety Bill. The economic and social consequences of popular messaging apps withdrawing from the UK market would be substantial.

According to ITHardware.pl, the UK government’s proposal includes criminal penalties for companies that refuse to implement the required scanning technology. This means executives of non-compliant firms could theoretically face imprisonment. Such aggressive enforcement mechanisms suggest the government anticipates significant industry resistance and intends to overcome it through legal pressure rather than technical persuasion.

The practical outcome may involve platform fragmentation. Users in the UK could receive modified versions of messaging apps with scanning enabled, while users elsewhere retain standard encrypted clients. This fragmentation would degrade the user experience and potentially drive privacy-conscious users toward decentralized or underground communication tools that operate outside conventional app store distribution channels.

How Does This Relate to the Broader UK Digital Rights Landscape?

The UK’s relationship with digital rights has been turbulent since the Brexit referendum in June 2016. Having left the European Union, the UK no longer operates under the EU’s General Data Protection Regulation framework, though it has adopted its own UK GDPR equivalent. This independence gives British lawmakers greater flexibility in crafting surveillance legislation, but also removes the oversight mechanisms that EU membership previously provided.

The political dynamics in the UK remain volatile. Concerns about the influence of figures like Nigel Farage extend beyond domestic politics. As reported by Onet.pl citing Politico, Cyprus has expressed alarm over the potential use of British military bases on the island for future US military operations, fearing Farage’s potential rise to power. This international anxiety reflects broader uncertainties about the UK’s political direction and its implications for civil liberties.

Domestic unrest further complicates the landscape. The death of Henry Nowak, an 18-year-old of Polish descent, in Southampton sparked violent protests and riots, as documented by TVN24 and Prosty z Prawej. Multiple police officers were injured during demonstrations that followed the publication of footage related to the case. The Polish Embassy issued an official statement regarding the incident. Such social tensions create environments where governments may argue for expanded surveillance powers as necessary for public safety.

Against this backdrop, the scanning proposal appears less like a targeted security measure and more like a component of expanding state monitoring capabilities. Digital rights organizations argue that privacy protections become most critical during periods of social unrest, precisely when governments face the greatest temptation to expand surveillance powers.

What Can Users Do to Protect Their Communications?

While no single solution provides complete protection against state-level surveillance capabilities, several strategies can significantly improve communication privacy. Users should understand that the threat model matters. The UK proposal targets client-side scanning within mainstream messaging applications, which means alternative communication methods may offer different risk profiles.

The following measures can help users maintain greater control over their private communications:

  • Use messaging apps with strong encryption commitments: Signal remains the gold standard for encrypted messaging, with a stated willingness to exit markets rather than compromise security
  • Consider decentralized communication platforms: Tools like Matrix and its Element client provide encrypted messaging without relying on a single corporate entity that governments can pressure
  • Enable disappearing messages: Setting messages to auto-delete reduces the window during which scanned or intercepted content remains accessible
  • Use VPN services: While VPNs do not prevent client-side scanning, they protect network-level metadata from observation
  • Keep software updated: Security patches address vulnerabilities that could be exploited to bypass or augment scanning mechanisms
  • Separate sensitive communications: Using different platforms for different types of conversation limits exposure if any single platform is compromised
  • Support organizations fighting for digital rights: Groups like the Electronic Frontier Foundation and Privacy International advocate against surveillance overreach
  • Understand your threat model: Different users face different risks, and security measures should be proportional to actual threats

Protection Method | Effective Against | Limitations
--- | --- | ---
End-to-end encryption | Network interception, provider access | Does not prevent client-side scanning
Disappearing messages | After-the-fact access | Scanning occurs before deletion
Decentralized platforms | Single-point government pressure | Requires technical knowledge
VPN services | Network metadata collection | Cannot prevent on-device scanning
Alternative platforms | Jurisdiction-specific mandates | Smaller user base, adoption barriers

Users should remain informed about legislative developments. The cybersecurity landscape evolves rapidly, and measures that provide protection today may become insufficient as new surveillance technologies and legal frameworks emerge.

Frequently Asked Questions

Would the UK scanning law affect messaging apps used outside the UK?

The UK proposal technically applies only to messaging services operating within British jurisdiction. However, according to ITHardware.pl, companies that refuse to implement scanning face criminal penalties including potential imprisonment of executives, which creates a strong incentive for global platforms to implement scanning universally rather than maintaining separate codebases for different markets. A platform like WhatsApp, serving over 2 billion users worldwide, would likely find it technically simpler to deploy scanning across all regions rather than fragmenting its application architecture solely for UK compliance.

Has any country successfully implemented client-side scanning before?

No country has deployed client-side scanning at the scale the UK is proposing. The European Union considered similar measures through its CSA regulation proposal but faced significant pushback from technical experts and privacy advocates. Apple announced and then delayed a client-side scanning feature for iCloud photos in 2021 following widespread criticism from security researchers, demonstrating that even technically sophisticated companies struggle with the implementation challenges this technology presents.

What is the timeline for the UK message scanning proposal to become law?

The proposal remains in the regulatory development phase, with the UK government working through implementation details of the broader Online Safety Act framework. ITHardware.pl reports that the government has confirmed its intention to pursue mandatory scanning, including criminal penalties for non-compliant companies, but specific enforcement dates have not been finalized. The legislative process could extend through 2027 given the complexity of the technical requirements and the anticipated legal challenges from technology companies and civil liberties organizations.

Do cybersecurity experts support client-side scanning as an effective tool?

The overwhelming consensus among cybersecurity researchers opposes client-side scanning as both technically flawed and dangerous. Over 300 academics signed a joint letter arguing that scanning infrastructure creates exploitable vulnerabilities. Experts point to the fundamental paradox: any system capable of scanning all private messages can also be repurposed for surveillance beyond its original scope, and the existence of such systems makes abuse inevitable regardless of initial intentions.

Summary

The UK’s proposal to scan every message before it leaves your phone represents one of the most aggressive surveillance initiatives proposed by a democratic government. Here are the key takeaways:

  1. The proposal mandates client-side scanning of photos and messages on mobile devices before encryption, with criminal penalties including imprisonment for non-compliant companies, as reported by ITHardware.pl
  2. Technical experts overwhelmingly oppose the approach, citing fundamental security flaws, false positive risks, and the creation of infrastructure vulnerable to exploitation and scope creep
  3. The precedent extends far beyond the UK, potentially normalizing mass surveillance in democracies and providing authoritarian regimes with rhetorical cover for their own monitoring programs
  4. End-to-end encrypted messaging apps face existential pressure, with platforms like Signal previously stating they would exit markets rather than compromise their encryption architecture
  5. Users have limited but meaningful options, including adopting privacy-focused messaging tools, supporting digital rights organizations, and maintaining awareness of evolving surveillance legislation

The fight over message scanning is ultimately about whether private digital communication remains possible. Stay informed, choose your tools carefully, and support organizations defending digital privacy.

Read the first part of this analysis for the technical details of how client-side scanning works and the specific provisions of the UK legislation.