Policy & Law

Britain's Online Safety Act and the Fight Over Client-Side Scanning

July 4, 2026 | Haven Team

The UK's Online Safety Act gives Ofcom the power to order a messaging platform to scan messages for illegal content using "accredited technology," even when the platform is end-to-end encrypted. Apple's response, when this power was first floated in draft form, was to say it would rather pull iMessage and FaceTime from the UK entirely than build the scanning capability. The standoff hasn't resolved. It's a live case study in what happens when a law and a cryptographic guarantee cannot both be true at once.


The Online Safety Act became law in the UK in October 2023, and Ofcom has spent the years since building out the codes of practice that give it teeth. Section 121 of the Act is the one that matters for encrypted messaging: it lets Ofcom issue a notice compelling a provider to use "accredited technology" to identify child sexual abuse material or terrorism content on its platform, whether or not the platform encrypts messages end to end.

The Act does not technically say "break encryption." That's a deliberate drafting choice, and it's also the entire controversy. The law is written to be technology-neutral, which sounds reasonable until you ask what technology could satisfy it on a platform that, by design, cannot read message contents.

Why "just scan for CSAM" doesn't work on an encrypted platform

There are two ways to scan a message for illegal content. Server-side scanning happens after the message reaches the provider's infrastructure, which requires the provider to be able to read it, meaning it isn't end-to-end encrypted in any meaningful sense. Client-side scanning happens on the sender's or recipient's device, before encryption or after decryption, comparing the content against a database of known illegal material (usually via a hash-matching system similar to Apple's abandoned 2021 CSAM detection proposal) and reporting matches to the provider or a third party.

Client-side scanning is the version privacy engineers object to hardest, and for a specific technical reason: it requires software running on your device, under someone else's control, inspecting your content before you've had a chance to decide whether you trust the recipient with it. We've written in detail about how client-side scanning actually works and why the "it only flags known bad content" framing understates what the infrastructure enables once it exists.

The scanner has to trust something

Every client-side scanning proposal needs a database of what counts as illegal content, updated by someone. Whoever controls that database controls what the scanner flags. A system built to catch CSAM hash matches is architecturally identical to a system that could be repurposed to catch a leaked document, a protest flyer, or a political meme; the only difference is who is allowed to update the list.

Apple's threat, and why it was credible

When the Investigatory Powers Act amendments and the Online Safety Act's technical notice powers were both moving through Parliament, Apple submitted formal evidence stating it would remove iMessage and FaceTime from the UK market rather than degrade their encryption globally to satisfy a UK-only requirement. This wasn't posturing for effect. Apple had already pulled Advanced Data Protection, its end-to-end encrypted iCloud backup option, from new UK accounts in early 2025 after receiving a technical capability notice under the Investigatory Powers Act demanding backdoor access.

That's the pattern worth tracking: rather than build a backdoor for one jurisdiction and ship it everywhere (which is technically what most of these architectures require, since maintaining two encryption standards for one product is its own security liability), major providers have so far chosen to withdraw features from the UK market instead. It's a real cost to UK users, and it's also the strongest evidence available that "compliant but still encrypted" isn't actually on the table for these providers.

How this compares to the EU's chat control proposal

The UK's approach and the EU's long-running chat control regulation are aimed at similar goals through different legal mechanisms. The EU proposal, in its various drafts, has more explicitly named client-side scanning ("upload moderation") as the compliance mechanism, which made it an easier target for direct opposition from Signal and others who said plainly they'd leave the EU market rather than implement it. The UK's Online Safety Act is technology-neutral by design, which makes it harder to challenge on the same grounds, since Ofcom can argue it isn't mandating any specific technique, only an outcome.

Mechanism named in the text
  UK Online Safety Act: Technology-neutral "accredited technology" requirement
  EU Chat Control Proposal: Explicit upload/detection order mechanism in most drafts

Regulator
  UK Online Safety Act: Ofcom
  EU Chat Control Proposal: Varies by draft; EU-level coordinating body proposed

Provider response so far
  UK Online Safety Act: Feature withdrawal (Apple ADP), litigation, ongoing enforcement delay
  EU Chat Control Proposal: Public threats to exit the market (Signal, others)

Status as of this writing
  UK Online Safety Act: Enforceable codes in effect for parts of the Act; encryption-specific notices contested
  EU Chat Control Proposal: Repeatedly stalled in Council negotiations, not adopted

What this means if you're choosing a messaging app

Legal jurisdiction is now a real part of a messaging app's threat model, not an abstract compliance detail. A provider that operates primarily in a jurisdiction pushing hard for scanning mandates faces different pressure than one incorporated elsewhere, and a provider's public response to a technical capability notice (comply quietly, comply loudly, or withdraw the feature) tells you more about its actual priorities than its marketing copy does.

It's also worth separating two different questions that get collapsed together in most coverage: whether a law can compel a specific company to weaken a specific product, and whether the underlying cryptography of a protocol like the Signal Protocol or MLS can be broken by legislation at all. It generally can't, mathematically. What a law like this can do is compel the company that controls the client software to add a scanning step before encryption happens, which is a different attack on the same guarantee: not breaking the lock, but installing a camera pointed at it before it closes.
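To make the "camera before the lock closes" point and the earlier hash-list point concrete, here is an added example (not from the article, and not any provider's code): a toy model in which the sender's client scans plaintext before a stand-in cipher runs, and the provider sees only ciphertext plus the scanner's report. The cipher, session key, hash list and messages are all constructed assumptions; a real deployment would use a perceptual hash and a real protocol.

```python
import hashlib
from typing import Optional, Tuple

def toy_e2ee(key: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher (XOR with a SHA-256 keystream). Symmetric,
    so the same call decrypts. A stand-in only, not a real protocol."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def content_hash(data: bytes) -> str:
    """Stand-in for a perceptual hash; exact SHA-256 is enough for the model."""
    return hashlib.sha256(data).hexdigest()

def client_send(key: bytes, message: bytes, blocklist: set) -> Tuple[bytes, Optional[str]]:
    """Sender's client: scan the plaintext first, then encrypt. The scanner
    never touches the cipher; it simply runs before encryption happens."""
    digest = content_hash(message)
    report = digest if digest in blocklist else None
    return toy_e2ee(key, message), report

def provider_receives(ciphertext: bytes, report: Optional[str]) -> dict:
    """What the provider sees: no key, so only the report channel is legible.
    The encryption is intact; the report is what leaks."""
    return {"ciphertext": ciphertext, "flagged": report is not None, "match": report}

# Constructed sample data (assumptions): a placeholder for known illegal
# material, and a benign message that a list update could later target.
SESSION_KEY = b"device-to-device key the provider never holds"
ILLEGAL_PLACEHOLDER = b"<stand-in for known illegal image bytes>"
FLYER = b"Protest at Parliament Square, Saturday 2pm"

def scenario(list_contents) -> dict:
    """Run the identical client code against a given list; only the list varies."""
    blocklist = {content_hash(item) for item in list_contents}
    ct, rep = client_send(SESSION_KEY, FLYER, blocklist)
    seen = provider_receives(ct, rep)
    # Without the session key the provider cannot recover the flyer itself.
    seen["decryptable_by_provider"] = toy_e2ee(b"guess", ct) == FLYER
    return seen

if __name__ == "__main__":
    print(scenario([ILLEGAL_PLACEHOLDER]))          # not flagged
    print(scenario([ILLEGAL_PLACEHOLDER, FLYER]))   # flagged after a list update
```

The second run changes nothing in the client or the cipher; extending the list is the whole difference, which is the architectural point the article makes.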

Legislating "accredited technology" instead of naming client-side scanning directly doesn't change what the only available technology actually is.

This is a live fight, not a settled one, and the outcome will shape what messaging looks like for a market of roughly 68 million people, with knock-on effects for how providers architect products meant to work globally. Worth watching, and worth factoring into any decision about which encrypted service you trust with real conversations.

The precedent question nobody's answered yet

Regulators in other jurisdictions are watching this dispute closely for a reason that has nothing to do with child safety specifically: whichever way it resolves becomes a template. If Ofcom successfully compels a scanning mechanism without technically naming client-side scanning in the statute, other governments drafting their own online safety legislation get a working example of language that survives legal challenge while achieving the same practical outcome. If Apple's withdrawal strategy holds and providers keep choosing market exit over compliance, that becomes the counter-template: proof that a determined provider can make a technology-neutral mandate practically unenforceable by simply refusing to ship the feature it implicitly requires.

Neither outcome is guaranteed, and the current state is closer to a standoff than a resolution. Ofcom has enforcement powers it hasn't yet used against a major encrypted messaging provider specifically over this issue, and providers have made public threats they haven't yet had to fully carry out. The gap between threatened response and actual enforcement action is where this sits right now, and it's worth checking back on periodically rather than assuming either side's stated position is the final word.
