Signal's statement argues that once a scanner sits on the device with privileged access to plaintext before encryption, the entire threat model of E2EE collapses and the endpoint itself becomes the wiretap. Whittaker frames it as a binary with no middle ground: 'You cannot have a backdoor that only the good guys can walk through.' This restates three years of consistent cryptographic consensus that no version of client-side scanning preserves the security properties Signal exists to provide.
Signal explicitly commits to withdrawing service from the United Kingdom rather than complying with any Section 121 notice mandating scanning. The statement points to Signal's track record — it exited Brazil over similar demands and was prepared to leave the UK in 2023 — establishing that this is operational policy, not rhetoric. The position is that preserving the integrity of the protocol globally outweighs serving any single national market.
The editorial argues the apparent 2023 detente — when the government conceded scanning powers would not be used until 'technically feasible' — was a political deferral that satisfied nobody on the technical side. With Ofcom now drafting the actual Section 121 notices, the deferral has run out of runway and the conflict the Bill always implied is arriving on schedule. The UK is the first G7 country to actually move from statute to operational mandate.
The statement's title — 'Surveillance Is Not Safety' — directly contests the government's framing that scanning private messages protects children or counters terrorism. Signal's position is that building mass-surveillance infrastructure into every device cannot be reconciled with 'safety' in any coherent sense, because the same capability is available to any adversary who compromises the scanner. Branding the mandate as safety legislation obscures that it is a surveillance architecture.
On June 8, Signal published a statement, signed by president Meredith Whittaker, restating its position on the UK's Online Safety Act: if the government uses its powers under the Act to compel client-side scanning, Signal will withdraw its service from the United Kingdom rather than comply. The PDF is short, blunt, and titled — without hedging — *Surveillance Is Not Safety*.
The trigger isn't new legislation. The Online Safety Act passed in 2023. What changed in the last year is that Ofcom, the UK regulator handed enforcement, has moved from consultation to codes of practice and is now drafting the technical notices that operationalize Section 121 — the clause that lets the regulator require providers to use "accredited technology" to identify CSAM and terrorism content in private messages. The Act gave Ofcom the legal hook to require scanning of private communications; the notices are that hook being baited.
Signal's statement reiterates the technical argument the cryptography community has made for three years running: there is no version of client-side scanning that preserves the security properties of end-to-end encryption. Once a scanner sits on the device with privileged access to plaintext before it's encrypted, the threat model collapses. The endpoint becomes the wiretap. Whittaker frames this in the statement as a binary: "You cannot have a backdoor that only the good guys can walk through."
This isn't a stunt. Signal pulled out of Brazil for less. It has already prepared to exit the UK once before — in 2023 during the Bill's final reading — and only stayed because the government quietly conceded the scanning powers would not be "used" until "technically feasible," a face-saving deferral that satisfied nobody on the technical side. The truce was a fiction the moment Ofcom started drafting notices.
The deeper issue is that the UK is the first G7 country to actually hand a regulator the unilateral authority to mandate client-side scanning on private messengers. The EU's Chat Control proposal has been stalled for two years over the same objections. Apple shipped, then withdrew, its NeuralHash CSAM-detection scheme in 2022 after researchers (Mayer, Abelson, Anderson, Rivest, Schneier, Diffie — the cryptography Hall of Fame, basically) published *Bugs in our Pockets*, the canonical paper showing why on-device scanning at scale is unsafe regardless of intent. The empirical track record is unambiguous: every deployed perceptual-hash scanner has been broken, gamed, or repurposed within months of going live.
The community reaction on HN (625 points in under a day, top-of-front-page) is unusually unified for a privacy story. Normally these threads split into the predictable "think of the children" vs "think of the dissidents" trench warfare. This one didn't. The top-voted comments are dominated by engineers walking through, in detail, why Section 121's "accredited technology" language is a euphemism that hands a private vendor (almost certainly a Thorn-adjacent outfit) statutory power to define the scanning algorithm itself. The thing being accredited is a black-box classifier with adversarial robustness measured in days, not years.
What makes Signal's position credible — where Meta's or Apple's wouldn't be — is the org structure. Signal is a US nonprofit funded by a foundation. It has no UK ad revenue to defend, no UK App Store relationship to negotiate. Whittaker can credibly threaten to leave the UK because Signal has no balance sheet exposed to UK enforcement. WhatsApp, Apple Messages, and iMessage all have the same cryptographic position, but their parent companies have material UK businesses and will, when push comes to shove, comply or build a UK-specific build. Signal won't, and that asymmetry is the point of the statement.
If you're shipping anything with E2EE — a messenger, a notes app, a backup product, a healthcare app, a fintech with encrypted document exchange — and you have UK users, you are now inside the blast radius. Section 121 doesn't just target Signal-the-messenger. The Act's definition of "user-to-user service" is broad enough to capture any product where two users exchange encrypted content through your infrastructure. Read the codes of practice now, not when you get a notice.
The practical questions to answer this quarter: Where does your plaintext exist, and for how long? If a UK Ofcom notice landed on your desk tomorrow demanding "accredited" scanning, what would you actually have to build? For most teams the honest answer is "a pre-encryption hook in the client SDK," and that is exactly the architecture every cryptographer in the field has flagged as catastrophic. The second question — and this is where most teams haven't thought it through — is what your UK presence actually consists of. A Companies House registration? A single AWS eu-west-2 region? A contractor in Manchester? Each of those is a different exposure profile.
For open-source maintainers of E2EE libraries (Matrix/Element, MLS implementations, age, Magic Wormhole, etc.) the implication is different but real: your library's UK availability could become a question if downstream products get compelled. Element has already publicly stated it will resist similar mandates. Expect the GitHub release-blocking-by-jurisdiction discussion that happened around US export control in the 90s to come back, but for UK scanning compliance instead.
The interesting question over the next 12 months isn't whether Signal will follow through — they will — but whether any major platform other than Signal will. If Apple or Meta builds a UK-specific scanning build to preserve market access, the Online Safety Act becomes the template every other government copies; if they pull a Signal and refuse, it becomes the template no government dares enforce. The cryptography is settled. The economics and the politics aren't. Watch Apple's next iOS release notes for any UK-specific behavior in Messages — that's where this gets decided, regardless of what any regulator publishes.
From https://www.gov.uk/government/news/new-plans-to-stop-childre...:

> Despite [iphone age verification] children can still take, view, share and save nude images. The government therefore wants Apple and Google to block nudity across the whole device by default, so they
So, in this order:

1. You need a camera on your computer to allow a third party to verify your age before viewing adult content
2. It applies to social media too
3. It applies to your operating system too
4. Unless you age verify, the law demands your computer must be powerful enough to run an AI, or be
Signal should come out swinging. Here's a pitch.

The Government is going to put a snitch on every phone, tape every bedroom, and listen in every evening on every home. Every doctor's visit. Every therapy session. Every pub. Every street. Every store.

When the snitches phone home, what you ty
Surveillance replaces ostensible individual fringe threats with a clear, dangerous, pervasive and (for practical purposes) irreversible threat that monotonically aggregates increasing centralized leverage over every aspect of our lives, direct and indirect.

Knowledge is power. Forced revelation of our inn
I sometimes wonder whether the people in the tech industry who worked on things like secure boot, attestation, and DRM saw this as the inevitability open source advocates always saw it as.

Did they think, as they worked to transfer final say from users to corporations, by technical means, that politi