
Rights, Risks and the Future of Encryption – Global Encryption Day 2025

On 16 October 2025, SFLC.in hosted a panel discussion on “Rights, Risks and the Future of Encryption”. The aim of the session was to discuss why breaking E2EE should not be viewed as a net good, especially when legal mandates to protect children from sexual abuse material or to combat terrorism present breaking E2EE or client-side scanning as a solution to such problems. The discussion focused on how such legislative mandates fail to consider their technological and rights-based implications.

 

The session was moderated by Ms. Mishi Choudhary, Founder of SFLC.in and Senior Vice President and General Counsel at Virtru. The panel was composed of a distinguished set of international experts –

 

  • Udbhav Tiwari, VP, Strategy and Global Affairs at Signal
  • Hera Hussain, Founder and CEO of CHAYN
  • Tom Bowman, Policy Counsel at the Center for Democracy and Technology
  • Ellie McDonald, Policy and Advocacy Lead at Global Partners Digital

 

Introduction

 

The session began with Mishi emphasizing that encryption is not merely a technical tool but rather a civilizational bulwark – a threshold through which privacy, free speech and democratic spaces either survive or erode. It is a rights-enabler, not a luxury. Strong encryption is one of the few reliable tools left that can restrict state or corporate power. Once the integrity of an encrypted channel is conceded, the boundaries between lawful access and pervasive surveillance become dangerously porous. The strength of encryption directly impacts the security and well-being of the marginalized, the dissenting and the vulnerable. Today, it doesn’t seem like there is any jurisdiction where we can arguably say that rights are not at risk.

 

Opening Statements

 

Hera Hussain – Having founded CHAYN in 2013, Hera has been at the forefront of advocating for encryption as a feminist issue. Especially in the context of online gender based violence (“OGBV”) across the world, it is evident that there is a cultural disconnect. Organisations working on OGBV have a lot of concerns around encryption, in terms of child protection, catching criminal gangs and trafficking. Further, she stated that there are nuances to this issue that digital rights organisations are privy to, but that are not flowing into the OGBV space. As Mishi had mentioned earlier, Hera affirmed that privacy is increasingly under attack across the globe. In her experience, a few misconceptions exist. Firstly, that encryption was invented by tech companies in Silicon Valley to make money. According to her, the reality is a lot more complex and nuanced, and encryption has its own long history. Secondly, that if a person has nothing to hide then they have nothing to worry about, a point the conversation often steers to, particularly in relation to mandates that undermine encryption. Finally, that there is no other way in which criminal activity can be identified and restricted, given the huge scale of technology or artificial intelligence generated gender based violence.

 

Tom Bowman – Tom began his opening statement emphasising that encryption is the foundational block of trust, safety and security for everyone online. It helps in ensuring privacy and security of various aspects of a person’s life such as their bank accounts, medical records and personal communications. Essentially, it is the underpinning of democracy and the essential armor of the digital 21st century. His hope for the audience is that they are able to take away three key points from this session –

 

  • First, people in power have wrongly framed encryption as a choice between security and privacy. This is a false choice; the real one is between a secure digital world and an insecure digital world. Measures that work against encryption are not a scalpel, but a sledgehammer.
  • Secondly, one cannot build a secure backdoor for only the “good guys”. It is a universal key, a vulnerability that will eventually fall into wrong hands.
  • Thirdly, when democratic states frame policies against encryption, they set a very dangerous precedent that paves the way for autocrats. He highlighted that it is necessary to address criminality, but the way forward should not entail undermining encryption. In his opinion, a better solution to this could be resourcing traditional investigative methods. EncroChat, Sky ECC, etc. have been used by law enforcement in the past to crack down on criminal activity, without threatening encryption.

 

Ellie McDonald: Ellie began her opening statement by underscoring that encryption is a critical enabler of human rights and a cornerstone of digital security. Further, Ellie highlighted that there are both blunt and subtle threats to encryption. She characterised the latter as ‘subtle’ because of their sophisticated nature: they use terms and phrasings that avoid public scrutiny, and often lack democratic accountability. While some of them are well-intended, Ellie emphasised that they pose a systemic threat to everyone’s security and entrench harm. She further added that safety is often used as a justification for these measures; however, such framing leaves out the shield and protection that encryption provides to the marginalized. Responses to such issues often follow from a flawed assessment of the problems that are at stake.

 

Udbhav Tiwari: In his opening statement, Udbhav focused on what Signal is observing around encryption. He stated that things are going great for Signal, and that more people are coming to realise the consequences of privacy and the protection of privacy. He has also observed the return of worrying, old legislation that was discussed and dismissed earlier in the ‘90s. He noted that client-side scanning (screening of content before it is encrypted) and general deployment of agentic systems are the two more real risks and threats. These remain entirely outside of Signal’s control, as they will be deployed on the operating systems on which the Signal Messenger is run.

 

How are WhatsApp and Signal different?

 

Udbhav Tiwari stated that Signal is special because it does not collect a lot of the information that other applications do. Many messengers deploy end-to-end encryption (“E2EE”) on many platforms, but the metadata (the fact that a message was sent, what time it was sent, the profiles, profile pictures, associations of the profiles etc.) is not E2EE. Signal has designed its entire system in a way that makes not only the content of a message but also the metadata invisible to the service. Signal can only see whether a phone number has a Signal account, when it was created, and when it was last online. This is the only information that Signal has access to and can provide to governments as well. Signal enjoys its reputation in the technical community because it has had to innovate in some interesting yet technical ways to perform the underlying functionality of a messaging service without being able to view the metadata.

 

Encryption as a feminist issue and how the vulnerable members of society make use of encryption

 

In her response, Hera began by acknowledging that child protection and online violence against gender minorities are important issues that should be tackled, however, she emphasized that privacy is intrinsic to doing any work with survivors of gender based violence (“GBV”). On the flip side, there is a lot of GBV that is propagated through private channels or software like Telegram. It is critical to ensure that safety is extended to everyone. Secondly, there are criminals that thrive on encrypted platforms. While there are predators that thrive on private networks, the idea is that vulnerability also comes from real marginalized members of society (like sharing information about abortion in a country where abortions are illegal). Then, on the issue of catching predators, she cited a recent case of Pelicot in France, the website Coco.fr, which was up and running for around 14 years, before it was taken down in France. Many predatory networks predate digital technology and can be countered with stronger investigations. Often predatory participants market themselves on open networks before going to encrypted networks, so that is a point where law enforcement can focus. While some criminals may not be caught if they use encrypted technology, everyone else needs it to ensure that their communications remain private and secure.

 

Udbhav added that the example about abortion care is poignant, as related instances have happened multiple times in the past year in the US alone, where Facebook has turned over to law enforcement information about people seeking abortion care. The examples of what happens if you are not encrypted and do something the state deems ‘against the state’ are unfortunately increasing.

 

On trends, legislative changes or demands in relation to encryption

 

Ellie stated that such developments are being tracked in multilateral and internationally affecting legislation, like EU Chat Control or the UN Cybercrime Convention. What is concerning is the more nebulous and difficult-to-dissect nature of many of these new laws. These subtly erode digital rights, and may be picked up in other states. (From the session chat: “tellingly, government and military accounts are exempt from the current EU Chat Control proposal”)

 

On the need for high cybersecurity thresholds for the citizens and the government

 

Tom began his response by highlighting that top White House officials use Signal, because they know that encryption for communication is the most secure form of communication. According to him, this is the main reason why the debate is really about ‘security vs insecurity’ and not ‘security vs privacy’. Referring to Ellie’s response to the previous question, he has found that such subtly-worded legislation is the most concerning, like TAKE IT DOWN or the Stop CSAM Act. He has seen, especially in recent years, that these acts inspire copycat acts, like the UK Investigatory Powers Act 2016, which had provisions (the power to issue technical assistance notices that could undermine service providers’ ability to provide secure services) lifted and placed into Australia’s federal Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which is now being considered by Canada for their new legislation. The UK’s 2016 Act can also be applied extra-territorially. He further added that such legislative instances should not set an example for the rest of the world, because they are slowly, subtly but significantly undermining encryption.

 

On alternative data access strategies that law enforcement can utilize that allows encryption to exist with their goals

 

Udbhav stated that there is ample evidence that law enforcement has far more data than they know what to do with, and encryption doesn’t create any meaningful barriers to investigation. Further, traditional investigation methods are also there, and can be used in parallel with existing legal powers.

 

Tom, agreeing with Udbhav’s point, commented that there is enough data already, and scanning the entire internet is not going to help. Another option is increasing reporting mechanisms, which are not prevented by encryption at all. Individuals can still report people to law enforcement.

 

Hera stated that traditional methods of investigation and forensic techniques can be effective in dealing with issues like GBV or CSAM. Additionally, she recommended that increasing awareness of the reporting mechanisms available to the general public would also be quite helpful. Instead of increasing reliance on access powers, resourcing traditional investigation methods could be more effective.

 

What are two simple things that everyone should pay attention to when it comes to encryption?

 

 

Ellie suggested paying attention to the work of the Global Encryption Coalition (“GEC”) and its individual members. The GEC has been collecting knowledge about threats, and has raised awareness and carried out advocacy. She highlighted that leveraging the support of governments, which are not monolithic, as well as gathering external support has been helpful in the cases of EU Chat Control and the UN Cybercrime Convention.

 

Tom stressed observing the measures introduced by governments instead of focusing on what they say. He also urged people to beware of service providers that claim to offer encryption but are slowly implementing AI-assisted chat features. It would be helpful for people to know about GEC’s advocacy on the same.

 

Hera emphasized thinking about the foundations and principles behind encryption. For people who are not aware of it at all, one can increase awareness by introducing them to safer and more secure alternatives and helping them take small steps – “ladders”. According to her, it is important to adopt a more welcoming approach to small changes.

 

Udbhav urged that more people should use encrypted platforms, so that encryption becomes harder to restrict. It wouldn’t have been possible to implement E2EE if they had asked for permission before developing it. He also stressed understanding the purpose of encryption, i.e., to maintain privacy. Any solutions or discourse that go against this core purpose negate encryption as a whole.

 

On privacy as an ecosystem issue and how to tackle it on a multi-stakeholder level

 

Tom stated that it is important to have face-to-face conversations that demystify encryption. It is not about keeping secrets but rather about securing your rights. To the extent possible, he emphasised, it is important to have direct conversations on why encryption matters and then bring those conversations to legislators and other influential stakeholders. Unfortunately, there is not a lot of education and awareness about how encryption works and what it entails. Finally, he underscored the importance of building awareness amongst the general public as well, who could then bring this issue to the attention of their representatives.

 

Ellie suggested that it is important to highlight the positive stories on how encryption protects people, how it helps enable actualisation for queer youth, how it helps victims of GBV, etc. It is a net good.

 

According to Udbhav, there isn’t enough of a realisation of just how widely used encryption is, with around 70% of pages that are loaded now being encrypted (up from 14% around 7-10 years ago). The only way to go back on encryption is if people actively try to step in its way. Encryption is now a necessary and active part of everyone’s life, and it will always exist. If it is banned, the good people cannot access its benefits, but the bad actors will continue to communicate with whoever they want to.