Signal, the encrypted messaging app used by over 100 million people worldwide, has issued one of its most direct public statements to date, calling the UK government's demand for device-level message scanning "dangerous" and warning that any such mechanism could be "repurposed for state censorship and surveillance." The statement comes as the Starmer administration escalates pressure on tech companies to implement child safety controls that critics say amount to a backdoor into end-to-end encrypted communications.
What the UK Is Demanding
The UK government's position has hardened considerably in recent months. Prime Minister Keir Starmer has given Apple and Google a three-month ultimatum to implement default child safety controls across their platforms, including the ability to detect and block nudity in images sent between users. The government has indicated this must cover all apps - including encrypted messengers - or legislation will follow.
The Online Safety Act, which passed in 2023, already gave Ofcom the power to require platforms to scan for child sexual abuse material (CSAM). The technical implementation of that scanning on end-to-end encrypted services is where the conflict with companies like Signal has always been sharpest. Signal's protocol, by design, means that only the sender and recipient can read the contents of a message. Any system that scans message content before it is encrypted - known as client-side scanning - necessarily reads the message outside of the encrypted envelope, breaking the mathematical guarantee that end-to-end encryption provides.
Signal's Response: The "Repurposing" Argument
Signal's statement did not simply reject the UK's demand as technically difficult. It went further, making a political argument: that once a scanning infrastructure is built and embedded in devices or messaging platforms, it does not stay targeted. Governments change. Laws change. The same system built to detect child abuse imagery can, Signal argued, be retargeted to detect political dissent, monitor journalists, or flag communications about sensitive topics - depending on who controls it and under what legal framework.
This "repurposing" argument has been made before by cryptographers and digital rights organizations, but hearing it from Signal - a company that operates in the UK and serves British users - gives it particular weight at this moment in the policy debate. Signal has previously threatened to exit markets, including Canada, where similar backdoor requirements were proposed.
Big Brother Watch, the UK civil liberties organization, joined Signal in opposing the measures, calling them a surveillance infrastructure dressed in child safety language. NymVPN also issued a public statement opposing the scanning requirements, noting that tools built for one purpose are routinely deployed for others once the technical capability exists.
The Pattern: UK Building Layer by Layer
The Signal dispute is not an isolated incident. It is the latest confrontation in a sustained UK government effort to bring encrypted communications under some form of state oversight. The National Crime Agency has previously labeled end-to-end encryption a child safety threat, framing it as a tool that protects abusers rather than a security technology that protects ordinary users. That framing has become the dominant government narrative.
At the same time, the UK has been building out adjacent infrastructure. A consultation on mandatory age verification for VPN users closed in May 2026, signaling government interest in requiring identity checks even for tools used to protect privacy. The House of Lords has approved provisions that would block VPN access to social media for under-16s. Starmer's ultimatum to Apple and Google extends that ambition to the operating system level - the deepest layer of the device stack.
Taken together, these measures suggest a coherent strategy rather than a series of disconnected proposals: require age verification at the network level (VPNs), at the platform level (social media), and now at the OS and application level (messaging apps). Each layer adds a component of the infrastructure that critics say amounts to a national surveillance and content-control system built incrementally under child safety justifications.
The Three-Month Window
Apple and Google have three months to respond to Starmer's ultimatum. Signal, as a third-party app rather than an OS provider, sits in a legally ambiguous position - it could be required to comply under the Online Safety Act's CSAM provisions, but compliance would require either breaking its encryption or implementing client-side scanning that Signal says is technically equivalent to breaking it.
The company has not announced an exit from the UK market. But its language in the current statement - describing the demanded mechanism as "dangerous" - leaves little room for technical compromise. If the UK government moves to legislation rather than voluntary compliance, Signal will face the same choice it considered in Canada and that it has made in other contexts: comply, redesign the product for the UK market only, or leave.
Signal's president Meredith Whittaker has been consistent on this point for years: the organization will not introduce backdoors or scanning capabilities under any framing, because doing so would destroy the trust that makes the product what it is. A Signal that scans messages before encrypting them is not, in any meaningful sense, Signal.
What Is at Stake Beyond the UK
Other governments are watching. The EU's Chat Control proposal - which would mandate client-side scanning across European messaging platforms - has been stalled for years partly because of resistance from member states and civil society. The UK's push to extract compliance from Apple, Google, and Signal could provide a working precedent that revives similar efforts in Brussels. Conversely, if Signal holds its position and the UK backs down or fails to legislate effectively, it would weaken the case for scanning mandates across other jurisdictions.
