Following the abhorrent terrorist attack in Manchester earlier this week that deliberately targeted children, the UK government is reportedly preparing new surveillance legislation.
The proposed measures would require internet companies to weaken encryption when served with a Technical Capability Notice (TCN), allowing messages to be intercepted by surveillance agencies.
Digital rights campaigners, including the Open Rights Group (ORG), have strongly criticised the approach. After a terror attack, governments often use heightened public fear to justify intrusive surveillance measures. The UK government has previously faced criticism for proposals to force companies to build permanent “backdoors” into their software for unrestricted access. Such backdoors carry significant risk: they leave systems vulnerable by design, since the deliberate weakness is one that other parties could discover and exploit.
Security agencies in the United States reportedly hoarded vulnerabilities for their own use rather than disclosing them to manufacturers. When those tools leaked, the consequences were severe: one leaked vulnerability was used in the WannaCry ransomware attack, which disrupted computers worldwide and took critical systems in the UK’s National Health Service offline.
Creating permanent backdoors is widely viewed as dangerous, and the UK government appears to be shifting toward a narrower model. The new legislation would require weakening encryption only when a TCN is issued, rather than mandating constant access. However, it remains unclear how such a mechanism would work in practice without introducing new security weaknesses.
One technical proposal involves using a secondary encryption key held by the software or hardware manufacturer that could override standard protections when legally required. That “master key” model poses its own dangers: if the key were leaked, stolen, or misused by an insider, a large number of users and systems could be compromised.
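To make the single-point-of-failure concern concrete, the following is an added illustration (not from the article or any named proposal) of a key-escrow design: each message gets a fresh key, wrapped once for the recipient and once under a manufacturer-held escrow key. The cipher is a toy HMAC-based stream construction chosen so the example runs with only the Python standard library; the user count, message count and key names are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Toy stream cipher built from HMAC-SHA256 in counter mode (illustration only,
# not a production cipher): keystream = HMAC(key, nonce || counter).
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_with_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR is its own inverse, so this both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(keystream(key, nonce, len(data)), data))

def encrypt_with_escrow(recipient_key: bytes, escrow_key: bytes, plaintext: bytes) -> dict:
    # Fresh per-message key, wrapped once for the recipient and once for the escrow holder.
    msg_key, nonce = os.urandom(32), os.urandom(16)
    return {
        "nonce": nonce,
        "ciphertext": xor_with_stream(msg_key, nonce, plaintext),
        "wrapped_for_recipient": xor_with_stream(recipient_key, nonce + b"recipient", msg_key),
        "wrapped_for_escrow": xor_with_stream(escrow_key, nonce + b"escrow", msg_key),
    }

def unwrap_and_decrypt(key: bytes, role: str, box: dict) -> bytes:
    # role is "recipient" or "escrow"; a wrong key yields garbage rather than an error.
    msg_key = xor_with_stream(key, box["nonce"] + role.encode(), box["wrapped_for_" + role])
    return xor_with_stream(msg_key, box["nonce"], box["ciphertext"])

def count_readable(key: bytes, role: str, boxes: list, plaintexts: list) -> int:
    # How many stored messages a single key opens, checked against the known plaintexts.
    return sum(unwrap_and_decrypt(key, role, b) == p for b, p in zip(boxes, plaintexts))

def simulate(users: int, messages_per_user: int) -> tuple:
    # Constructed scenario: one escrow key shared across every user's traffic.
    escrow_key = os.urandom(32)
    user_keys = [os.urandom(32) for _ in range(users)]
    boxes, plaintexts = [], []
    for u, ukey in enumerate(user_keys):
        for m in range(messages_per_user):
            pt = f"user{u} message{m}".encode()
            boxes.append(encrypt_with_escrow(ukey, escrow_key, pt))
            plaintexts.append(pt)
    # Returns (messages one user's key opens, messages the escrow key alone opens).
    return count_readable(user_keys[0], "recipient", boxes, plaintexts), \
        count_readable(escrow_key, "escrow", boxes, plaintexts)
```

A compromised user key exposes only that user's traffic, whereas a leaked escrow key opens every message from every user, which is the blast radius the "master key" criticism refers to.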
The Open Rights Group has published a detailed and critical response, arguing that governments should prioritise protecting digital security rather than creating powers that undermine it. The ORG notes that the WannaCry incident illustrates how tools intended for intelligence use can be repurposed by criminals with damaging effects.
While intelligence and law enforcement agencies argue that targeted access is necessary to prevent and investigate serious crimes, privacy advocates and many technologists warn that deliberately weakening encryption, whether permanently or temporarily, creates systemic risks. Any mechanism that allows access by authorities also expands the attack surface for malicious actors, increases the potential for abuse, and may erode public trust in digital services.
Policymakers face a difficult balancing act: they must protect public safety and enable lawful investigations while preserving the integrity and security of digital infrastructure. Clear legal safeguards, strict oversight, transparency around the use of access powers, and robust accountability mechanisms would be essential to mitigate risks. Equally important is ensuring that any technical approach reflects current cryptographic best practices and is designed to minimise exposure to misuse, theft, and error.
There are also practical questions about implementation. Introducing a process for legally compelled decryption raises issues about jurisdiction, cross-border data flows, and the responsibilities of multinational technology providers. How companies would comply without weakening security for users globally, and how courts and oversight bodies would review and approve requests, are unresolved matters.
Our deepest sympathies go out to the families and friends affected by the Manchester attack. We hope those responsible are brought to justice, and we also hope that responses to such tragedies balance security needs with strong protections for digital rights and safety.
What are your thoughts on these surveillance proposals? Let us know in the comments.