A striking warning has emerged from the government's own security watchdog: encrypted messaging apps like Signal and WhatsApp could technically be treated as "hostile activity" under the National Security Act 2023. This revelation, buried in Jonathan Hall KC's comprehensive review of the legislation, exposes a fundamental tension at the heart of modern digital policy.
The implication is profound yet subtle. While the government isn't actively targeting everyday encrypted communication, the legal framework now exists to potentially classify privacy tools as obstructive to national security. This represents a paradigm shift in how democratic societies balance individual privacy against collective security and the precedent could extend far beyond messaging apps.
🔐 Key Issues at Stake
- Legal Framework: National Security Act 2023 definitions could encompass encrypted communications
- Privacy Tools: Apps like Signal, WhatsApp, and potentially VPNs face scrutiny
- Surveillance Paradox: Weakening encryption may harm rather than help national security
- Future Implications: Precedent could reshape digital privacy landscape
- Democratic Balance: Tension between security imperatives and civil liberties
🔍 What the Watchdog Said
Jonathan Hall KC, the Independent Reviewer of Terrorism Legislation, delivered a sobering assessment in his review of the National Security Act 2023. His analysis reveals how broad statutory definitions could inadvertently or deliberately encompass technologies that millions use daily for legitimate privacy protection.
The core issue lies in the Act's definition of "hostile activity." As Hall KC notes, end to end encryption fundamentally obstructs surveillance capabilities, making it harder for intelligence agencies to monitor communications. Under a strict interpretation of the legislation, this obstruction could be construed as hostile to national security interests.
"The concern is not that the government is immediately targeting Signal users, but that the legal architecture now exists to reframe privacy tools as potential threats to national security," explains Hall KC's analysis.
The Legal Framework Problem
The National Security Act 2023 was designed to address genuine espionage and foreign interference. However, like many security laws, its language is deliberately broad to capture evolving threats. This breadth creates what legal experts call "function creep", the expansion of laws beyond their original intent.
Key concerns identified by Hall KC include:
- Definitional Ambiguity: "Hostile activity" lacks precise boundaries
- Technology Neutrality: Law doesn't distinguish between criminal and legitimate encryption use
- Enforcement Discretion: Broad powers could be selectively applied
- Chilling Effect: Uncertainty may deter legitimate privacy tool development
⚠️ Risks of Downgrading Encryption
The temptation to weaken encryption for surveillance purposes creates a false security dilemma. In reality, strong encryption protects everyone including the very institutions it might theoretically obstruct. Hall KC's review implicitly acknowledges this paradox by highlighting the unintended consequences of treating encryption as inherently suspicious.
Business Vulnerability
Trade secrets and financial data form the backbone of economic competitiveness. UK businesses rely on encryption to protect:
- Intellectual Property: Research, development, and innovation data
- Financial Communications: Banking, trading, and investment information
- Client Confidentiality: Legal, medical, and professional service communications
- Supply Chain Security: Logistics and operational coordination
Weakening encryption standards would expose this information to industrial espionage, potentially by the same hostile actors the National Security Act aims to counter.
Government Communications at Risk
Government itself depends heavily on encrypted communications. Official communications requiring protection include:
- Diplomatic Correspondence: Sensitive international negotiations
- Defence Planning: Military and security operational information
- Policy Development: Pre-announcement government deliberations
- Intelligence Sharing: Coordination between agencies and allied nations
Creating backdoors or weakening encryption standards would make these communications vulnerable to hostile interception, exactly what the National Security Act seeks to prevent.
Citizens' Digital Rights
For ordinary citizens, encryption provides essential everyday protections:
- Financial Security: Online banking and payment protection
- Personal Privacy: Family communications and personal data
- Professional Protection: Journalist sources and whistleblower communications
- Fraud Prevention: Protection against identity theft and financial crimes
News and Media Freedom
Investigative journalism relies on secure communications to protect sources and enable public interest reporting:
- Source Protection: Whistleblowers require anonymity guarantees
- Editorial Independence: Newsrooms need secure internal communications
- Leak Transmission: Secure channels for sensitive document sharing
- International Reporting: Protection for correspondents in hostile environments
As Hall KC's review implicitly acknowledges, treating these legitimate uses as potentially "hostile activity" would undermine press freedom and democratic accountability.
🔄 The Paradox of Surveillance
The central paradox exposed by Hall KC's analysis is that governments simultaneously need and fear encryption. This creates a policy contradiction that the National Security Act's broad definitions fail to resolve.
The Security Argument
Security agencies argue that ubiquitous encryption creates "dark spaces" where criminals and terrorists can operate undetected. From this perspective, encryption represents a challenge to lawful surveillance and criminal investigation. The National Security Act's broad definitions reflect this concern by potentially treating obstruction of surveillance as inherently problematic.
The Reality of Backdoors
However, cybersecurity experts consistently demonstrate that backdoors and encryption weakening create vulnerabilities that malicious actors inevitably exploit:
- Technical Reality: There's no such thing as a "good guys only" backdoor
- Attack Surface: Each weakness multiplies potential entry points
- State Actor Threats: Hostile nations can exploit the same vulnerabilities
- Criminal Exploitation: Organized crime benefits from weakened security standards
The Australian Example
Australia's Telecommunications and Other Legislation Amendment Act 2018 provides a real world example of these tensions. The law requires technology companies to provide access to encrypted communications when presented with warrants. However, implementation has proven complex, with ongoing debates about:
- Technical Feasibility: Whether "selective access" is technically possible
- International Impact: How local laws affect global security standards
- Business Confidence: Tech industry concerns about operating in hostile regulatory environments
- Security Outcomes: Whether the law actually enhances or undermines security
Hall KC's review suggests the UK may face similar contradictions as the National Security Act's implications become clearer.
🌐 Looking Ahead: VPNs and Secure Tunnels
Although Hall KC's official report focuses on encrypted messaging, the logical extension of his analysis encompasses all privacy preserving technologies. Virtual Private Networks (VPNs) represent the next frontier in this evolving policy landscape.
The VPN Vulnerability
VPNs protect browsing activity and identities by routing traffic through encrypted tunnels, making them functionally similar to encrypted messaging apps in terms of their obstruction of surveillance:
- Traffic Encryption: Browsing activity hidden from ISPs and governments
- IP Address Masking: User locations and identities obscured
- Geo-location Bypass: Circumvention of regional content restrictions
- Corporate Security: Remote workers and businesses rely on VPN protection
Regulatory Pressure Points
UK online safety proposals could create indirect pressure on VPN providers through several mechanisms:
- Age Verification: Requirements that VPNs identify users to verify ages
- Content Liability: Holding VPN providers responsible for content accessed through their services
- Compliance Monitoring: Mandating logs and user identification capabilities
- Financial Restrictions: Payment processor or advertising limitations for non-compliant services
These measures wouldn't necessarily ban VPNs outright, but could make anonymous, privacy preserving VPN use effectively impossible for UK residents.
The Framing Problem
Just as Hall KC warns that encrypted apps could be reframed as "hostile activity," VPNs could be cast as obstructive tools if they bypass surveillance or regulation. The precedent is already emerging:
- China: VPNs heavily restricted and monitored
- Russia: Only government approved VPNs permitted
- India: VPN providers required to store user data and government
- UAE: Unauthorized VPN use criminalized in certain contexts
While the UK is unlikely to adopt such extreme measures, Hall KC's analysis suggests that subtler forms of pressure could achieve similar outcomes through legal framing and compliance demands.
Combined Effect: Surveillance Friendly Internet
The convergence of encrypted messaging concerns and VPN regulation could create a surveillance-friendly internet environment where:
- Privacy Tools Stigmatized: Use of encryption and VPNs associated with suspicious activity
- Compliance Pressure: Service providers required to facilitate government access
- Technical Standards Weakened: Security protocols modified to enable surveillance
- International Fragmentation: Different privacy standards create global inconsistencies
This would represent a fundamental shift from the internet's original decentralized, privacy by default architecture toward a more controlled and monitored environment.
Conclusion: The Quiet Erosion of Privacy
Jonathan Hall KC's review of the National Security Act 2023 has illuminated a crucial blind spot in contemporary security policy: the tendency to treat privacy tools as inherently suspicious rather than essential democratic infrastructure. His warning about encrypted apps being classified as "hostile activity" is not alarmist rhetoric but a sober legal analysis of existing statutory language.
The implications extend far beyond messaging apps. As this analysis suggests, VPNs and other privacy tools face similar pressure through what might be called the "hostile activity" paradigm, a subtle reframing that treats obstruction of surveillance as inherently problematic rather than a legitimate democratic right.
The danger is not dramatic crackdowns or authoritarian overreach, but quiet erosion through legal framing and compliance demands. This represents a more insidious threat to digital rights because it maintains the appearance of democratic governance while fundamentally altering the balance between state power and individual privacy.
Hall KC's review serves as both warning and opportunity. By highlighting these tensions now, while democratic institutions remain strong, there's still time to address the encryption paradox through thoughtful policy reform rather than technological fait accompli.
The question is not whether we can have both security and privacy cryptography proves we can. The question is whether democratic societies will choose to preserve both or allow the gradual erosion of privacy in the name of security. Hall KC's analysis suggests that choice is being made right now, often without adequate public awareness or democratic debate.
The stakes could not be higher. As authoritarian regimes worldwide demonstrate the power of surveillance technologies to suppress dissent and control populations, preserving privacy tools becomes not just a matter of individual rights but democratic survival. Hall KC's warning about the National Security Act deserves urgent attention before the "hostile activity" paradigm becomes the new normal.