Encrypted Messaging and the Online Safety Act
How the Online Safety Act grappled with end-to-end encrypted messaging — the tension between child safety and privacy, and where the debate now stands.
End-to-end encryption (E2EE) protects the privacy of billions of people who use messaging apps, but it also means that platforms like WhatsApp, iMessage, and Signal cannot see — and therefore cannot proactively scan — the content of messages for child sexual abuse material. The Online Safety Act generated significant controversy over whether it would require platforms to break encryption. This guide explains where things stand after the Act passed and Ofcom issued its first guidance.
What end-to-end encryption means
End-to-end encryption means that a message is encrypted on the sender's device and can only be decrypted by the recipient's device. The platform transmitting the message — WhatsApp, Signal, iMessage, and others — cannot read the content, even if ordered to. This protects users from surveillance, corporate data mining, and government access. It also means that platforms offering E2EE messaging cannot, using current mainstream technology, scan message content for CSAM without either breaking the encryption or accessing content on the device before it is encrypted.
Key takeaway: End-to-end encryption is a genuine privacy protection — the platform cannot read messages, and that protects all users including children.
The Online Safety Act and the 'spy clause' controversy
During the Online Safety Act's passage through Parliament, a provision — sometimes called the 'spy clause' — would have required platforms to use 'accredited technology' to detect CSAM even in encrypted messages. WhatsApp, Signal, and other platforms threatened to withdraw UK services rather than break encryption. The government ultimately accepted that the provision should only be invoked when technically feasible. As of 2025-26, Ofcom has acknowledged that no such technology currently exists at scale that can scan E2EE content without breaking encryption.
Key takeaway: The 'accredited technology' power exists in the Act but is not being used — no currently available technology can scan E2EE without breaking it.
Current platform positions
WhatsApp and Signal have stated they will not implement client-side scanning (scanning content on the device before it is encrypted) and will not weaken their encryption. Apple reversed a planned client-side scanning feature (CSAM Detection) following security and privacy concerns before the Act became law. iMessage uses E2EE by default for Apple-to-Apple messages. The practical position is that E2EE messaging platforms are in compliance with the Act as it is currently being enforced, because the accredited technology provision is dormant.
Key takeaway: WhatsApp, Signal, and iMessage are not currently required to scan encrypted messages — the dormant provision applies only when feasible technology exists.
What platforms can and do detect
While E2EE protects message content in transit, platforms can still act on other signals. WhatsApp uses metadata analysis (who is messaging whom, at what frequency) and user reports to identify suspicious patterns and accounts. When a user reports a message, that message is decrypted on the reporting user's device and shared with the platform's Trust and Safety team. Platforms can also detect and hash CSAM in non-E2EE elements of their service — such as public posts, profile images, and unencrypted media.
Key takeaway: Platforms can detect CSAM in non-encrypted spaces and via user reports — they are not entirely blind, even with E2EE.
Implications for child safety
The tension between encryption and child safety is real and unresolved. CSAM is shared via encrypted messaging, and platforms cannot currently detect it without user reports or non-E2EE elements. For parents, this means that private messaging apps represent the highest-risk environment because neither the platform nor you can monitor content. Open family conversations about what to do if someone sends uncomfortable messages, encouraging children to use the in-app report feature, and maintaining trust-based relationships remain the most practical safeguards.
Key takeaway: Encrypted messaging is the hardest environment to monitor — trust-based conversation with your child is the most effective safeguard.
What the Act does
Includes a power to require platforms to use accredited technology to detect CSAM in encrypted messaging, if and when technically feasible.
Requires platforms to act on user reports of CSAM regardless of whether E2EE is used.
Obliges messaging platforms to have accessible reporting tools for harmful content.
What the Act does not do
Understanding the limits of the Act helps you set realistic expectations when using complaint and reporting processes.
Currently require E2EE messaging platforms to scan message content — the accredited technology provision is not being invoked.
Require platforms to break or weaken end-to-end encryption.
Resolve the underlying tension between strong encryption and proactive content detection.
Practical steps
Talk to your child about what to do if anyone sends them an uncomfortable or inappropriate message — they should screenshot and tell a trusted adult.
Enable content reporting within messaging apps — on WhatsApp, you can report a chat, which shares the last five messages with WhatsApp's Trust and Safety team.
Be aware that group chats — even on E2EE platforms — can expose children to strangers if they are added by peers.
For younger children, consider whether E2EE messaging apps are appropriate — supervised use of messaging is reasonable for primary-school-age children.
Frequently asked questions
Is WhatsApp safe for children to use?
WhatsApp requires users to be 16 to sign up (in the UK, under GDPR age of consent for data processing). Children under this age should not have a WhatsApp account under the platform's own terms. For teenagers of appropriate age, WhatsApp's encryption provides genuine privacy protection, but parents should discuss what to do if strangers attempt contact or inappropriate content is received.
Can the government read my encrypted messages?
Not currently. The Online Safety Act's accredited technology provision has not been invoked and is subject to a 'technical feasibility' condition. Under current technology, E2EE messages cannot be read by the platform or government without breaking the encryption or scanning on the device. Ofcom has acknowledged this position.
Sources and further reading
Related guides
Last reviewed: 19 April 2026
This is practical educational content to support families. For case-specific concerns about a child's safety, contact the NSPCC helpline on 0808 800 5000 or your local safeguarding team.
Was this page helpful?