Encryption Under Attack: Protecting Privacy, Security, and Trust in the Digital Age

Strong encryption is a cornerstone of digital security—and it’s under attack by government policies worldwide. Weakening encryption immediately compromises citizens’ privacy, undermines marginalized communities’ ability to communicate safely, erodes cross-border trust, and increases compliance uncertainty for businesses. Led by ethical operators in the Internet infrastructure industry, the VPN Trust Initiative (VTI) promotes online safety and privacy by improving transparency, standards, and public understanding across the VPN industry—while protecting the rights of everyday Internet users.

Around the world, policymakers are advancing measures that would erode encryption in the name of safety. This commonly-argued justification is a false proposition: public safety depends on secure technology; there is no safety if the very tools that provide it are weakened. 

Goals such as national security, child safety, and law enforcement are important, of course, and VTI members fully support pursuing effective solutions to achieve them—but not at the cost of weakening everyone’s security, especially when the effectiveness of such measures is uncertain.

VTI urges policymakers to avoid measures that erode encryption and put user safety at risk—because this only empowers and emboldens those who seek to cause harm.

Why Encrypt at All?

Encryption is used to protect everything from personal privacy and human rights to the integrity of financial systems, government operations, critical infrastructure, and national security. Drawing the attention of policymakers and the wider public to the importance of encryption in modern society is crucial as pressure rises in various jurisdictions. Some current examples include:

  • The proposed EU Child Sexual Abuse Regulation (often referred to as “Chat Control”) would empower authorities to issue detection orders requiring indiscriminate scanning of private communications, including end‑to‑end encrypted services, while the EU’s ProtectEU Internal Security Strategy suggests lawful access by design to encrypted data.
  • In the UK, under powers in the Investigatory Powers Act 2016, the government issued an order in February 2025 that led Apple to withdraw its end‑to‑end encrypted iCloud backups (“Advanced Data Protection”) for UK users pending litigation. Policy debates continue alongside the Online Safety Act, whose controversial scanning provisions are not currently being enforced. 
  • Recurring legislative efforts in the US such as the EARN IT Act would create liability risks for providers without the capacity to scan for child sexual abuse material, indirectly pressuring services to weaken encryption or adopt invasive scanning. 

These proposals often assume that capabilities can be engineered to allow “targeted” access to encrypted data without degrading security or privacy for everyone.

In practice, this is simply not how it works. End‑to‑end encryption either preserves confidentiality against everyone during data transmission, or it does not. 

Whether framed as backdoors, key escrow, exceptional access, or client‑side scanning, these approaches introduce inherent vulnerabilities that can be discovered, coerced, or repurposed—by insiders, criminals, or hostile states. There is no way to create a selective weakness that only benevolent actors can exploit; it will inevitably be discovered and abused by those with malevolent intent.

Setting aside these systemic risks, determined offenders will most likely adapt to the new reality by shifting to alternative communication channels, such as bespoke encrypted apps and darknet forums. While ordinary users and businesses will be left with weaker security and greater exposure, serious criminals will move further out of reach—and will have a large pool of newly-compromised targets who no longer have robust encryption to protect them.

Backdoors are Dangerous on Today’s Internet

Cyberattacks are rising at an alarming pace—making a stronger case than ever for bolstering encryption, not weakening it. In 2024, cybercriminals exploited known software vulnerabilities in 26% of all attacks, an 8% increase from 2023 (source). The average cost of a data breach reached $4.4 million in 2025 (source).

An encryption security exception is a deliberate technical mechanism built into a system that allows someone other than the intended sender or recipient to access communications or traffic data. This can take many forms: an encryption backdoor, an extra “master key” held by a service provider or a government; modified encryption protocols that silently transmit a copy of decrypted data, or systems that store encryption keys for retrieval; client-side scanning, in which messages are inspected before they are encrypted and analysed remotely; and more. No matter the method or the justification behind it, the core security property that only the sender and receiver can access the content no longer holds in those cases, which means:

  • Mandated encryption security exceptions can be exploited by everyone. Once a vulnerability exists, it can be exploited by governments, hostile state actors, cybercriminals, insiders, or the company that built it. No technical means can restrict it to “good guys” only.
  • Weakening encryption breaks best-practice security. It goes directly against zero-knowledge architectures and data-minimisation principles, and contravenes the goals of cybersecurity laws and standards such as the EU Cyber Resilience Act, GDPR, and U.S. CISA 2024 guidance. 
  • Weakening encryption works against future-proofing efforts. The EU’s roadmap on post-quantum cryptography and its Quantum Europe Strategy foresee investment in stronger encryption technology that should build safety. We cannot have opposing initiatives, one leading one way and another in the opposite direction.

The VTI’s position and recommendations are as follows:

  1. Reject any legislative or regulatory measures that mandate encryption backdoors, weaken encryption standards, or impose insecure technical requirements.
  2. Preserve strong encryption standards without exceptions for companies dealing with users’ data.
  3. Strengthen targeted and proportionate investigative capabilities that do not require weakening encryption, such as lawful decryption capabilities (e.g. court-authorized access to data that is already stored in decrypted form, or where the key is voluntarily provided, without introducing new vulnerabilities into encrypted systems), metadata analysis, and improved cross-border cooperation.

Privacy—and Therefore Encryption—is a Right in Any Free Society

Encryption is a non-negotiable safeguard for the rights to privacy and freedom of expression. Weakening it exposes all users’ personal data to interception, surveillance, and misuse, eroding trust and undermining democratic freedoms. It is essential for guaranteeing personal data protection rights under frameworks such as the GDPR, CCPA, and other privacy laws. The European Court of Human Rights has affirmed that encryption is fundamental to protecting private communications (source), a view echoed by authorities worldwide. Volunteer experts in encryption and online child safety have published research showing that encryption helps keep children safe online (source). 

Encryption protects everyone’s private life, not just those with “something to hide”. If encryption is weakened, a hack can expose everyone’s messages, photos, IDs, and other sensitive data in plain form. Extra access points create extra copies and central troves that are easier to steal or misuse.

Personal data is at risk of breach and theft. There is also a chilling effect on speech and press: weak encryption enables broad monitoring, driving self-censorship and suppressing democratic participation. Encrypted communication channels are also lifelines for minorities, activists, and journalists—particularly in repressive environments, where they provide safe and secure access to information and private dialogue. Weakened encryption therefore compromises journalist–source confidentiality and exposes whistleblowers and human-rights defenders to retaliation—with disproportionate impacts on marginalized groups.

VTI advocates for the preservation of privacy by design and default, including strong encryption and strict data minimisation, so that sensitive information is never collected or retained unnecessarily.

Reality Check: Weakening Encryption Won’t Do What You Think It Will

Weakening encryption would harm users’ security but would not solve the problem of online harms or criminality. Bad actors can and will shift to other channels, build their own tools, or move to spaces that are far harder to monitor, such as the darknet. Here is why:

  • Encryption is not the root cause of online crime. Blaming encryption only distracts from addressing the true actionable concerns, from inadequate enforcement capacity to gaps in international cooperation. Breaking encryption only exposes the vast majority of law-abiding users while leaving a tiny number of determined offenders largely unaffected—and empowered to carry out attacks with less resistance.
  • There’s no way back. Once encryption is weakened, the change is effectively permanent. Technical flaws cannot simply be fixed, and legal powers for exceptional access rarely shrink. Narrow exceptions tend to expand until safeguards disappear. A narrowly defined “exception” today becomes a broader mandate tomorrow, opening the door little by little until the original safeguards are eroded.
  • Global domino effect. Anti-privacy legislation sets a dangerous global precedent. Any regime can cite it to justify intrusive surveillance, eroding privacy, chilling free expression, and fragmenting the Internet worldwide.

VTI proposes providing adequate and realistic resources to law enforcement so they can build more advanced forensic technologies and improved reporting channels. International or regional funding and cooperation should be incentives. 

We also work to foster public–private collaboration for online safety that does not compromise security—and we encourage others to join us in working with international stakeholders worldwide to avoid fragmentation. 

Let’s Solve the Right Problems—Without Creating New Ones

All VTI members are unequivocally opposed to online criminal activity, and support efforts to reduce online harms. That having been said, privacy, security, and trust are as important to the proper functioning of the Internet as the infrastructure on which it is built.

This is why the balance between crime‑fighting and user safety and privacy requires care. Weakening encryption harms the very security it seeks to protect. Most users online are not criminals, and weakening encryption will unintentionally expose everyone, jeopardising not only citizens’ security but also national security and digital trust.

There is little evidence that such measures would meaningfully curb harmful activity when determined adversaries can migrate to other tools. 

Governments must lead from an informed position in defending strong encryption as a cornerstone of digital rights, economic resilience, and democratic values. 

About i2Coalition’s VPN Trust Initiative

i2Coalition’s VPN Trust Initiative (VTI) is an industry-led consortium that promotes consumer safety and privacy online by increasing understanding of VPNs and strengthening business practices in an industry that already protects millions of Internet users. The VTI leverages first-hand knowledge to advocate, create, vet, and validate guidelines that strengthen trust and transparency and mitigate risk for users. VTI members stand ready to work with policymakers worldwide to achieve safety without sacrificing the security and privacy of billions of Internet users.
