Category: Cyber Security | Published: 2026-06-09
Very few people disagree that children need better protection online. The question that is generating serious controversy in the UK is not whether online child safety matters, but what the government is prepared to do in its name, and what it might cost everyone else in the process.
A proposal announced by Prime Minister Keir Starmer at London Tech Week has opened up one of the most significant debates in technology policy for years. On one side are child protection organisations arguing that stronger action is long overdue. On the other are privacy and security experts warning that the approach could create surveillance infrastructure that undermines digital security for everyone.
What the Government Has Announced
Speaking at London Tech Week, Starmer said the UK would become the first country in the world to make it impossible for children to take, share, or view nude images. Technology companies including Apple and Google are being asked to activate existing safety features or develop new technical measures capable of detecting and blocking such content on devices used by children.
Adults would retain access to this kind of content after completing age verification checks. The government has given technology companies three months to propose workable solutions. If suitable approaches are not forthcoming, ministers have indicated they are prepared to act through legislation, financial penalties, and other enforcement mechanisms.
The Scale of the Online Child Safety Problem
The government's case for action is grounded in genuinely alarming figures. Home Office data cited alongside the announcement indicates that 91 per cent of online child sexual abuse reports recorded in 2024 contained self-generated content, meaning images or videos created by children themselves rather than produced by adults. That figure reflects a significant shift in the nature of the problem and helps explain why the government is focused specifically on device-level controls rather than platform-level moderation alone.
The Online Safety Act, which received Royal Assent in October 2023, has been working its way into force over a phased timetable. By March 2025, platforms were legally required to protect users from illegal harm. From July 2025, highly effective age assurance became mandatory for sites hosting pornographic or harmful content. From January 2026, cyberflashing and encouraging self-harm were designated as priority offences under the Act, triggering the strictest compliance duties. Ofcom is expected to publish guidance on what it terms accredited technologies for encrypted message scanning later in 2026.
The latest proposals from Starmer go further than anything currently required by the Online Safety Act, and they are generating the sharpest pushback yet.
The Technology at the Centre of the Debate
To understand why this is so contested, it helps to understand a technology called client-side scanning.
Most content moderation happens on servers. A platform checks uploaded content against a database of known illegal material after it has been shared. Client-side scanning is different: the scanning happens on the user's device, before content is sent anywhere. The device itself inspects what is being created or stored and takes action, such as blocking an image or sending an alert, before any sharing occurs.
Proponents argue this represents a privacy-preserving compromise. The content never has to leave the device for analysis, which sounds less invasive than server-side checking. The device handles the detection locally.
Critics argue the distinction does not hold up as well as it sounds. When a device scans your personal content on behalf of a third party and reports the results, the fundamental trust relationship between you and your device has changed, regardless of where the processing happens. The device is no longer purely working for you.
Why Signal Is Opposing the Plan
Signal, one of the most widely used encrypted messaging platforms in the world, responded to the proposals with an unusually direct public statement. The company did not dispute the goal of improving online child safety. Its objection was to the mechanism.
Signal's position is that forcing devices to scan content before it is viewed, shared, or stored creates a surveillance infrastructure that goes well beyond protecting children. In the company's words, the approach will not safeguard children but will endanger everyone.
The specific concern Signal raised is about scope creep. Once the technical capability to scan device content exists, and once governments and regulators have the legal power to require its use, the argument for limiting that capability to child protection material becomes harder to enforce over time. Signal noted that mass surveillance and censorship capabilities, however sincerely limited in their original scope, historically have not remained narrowly scoped.
This is not a theoretical concern. The technical infrastructure required to scan for one category of content is the same infrastructure that could, with legal direction, be used to scan for other categories.
The Apple Precedent
Signal's concerns echo what happened when Apple proposed its own system for detecting child sexual abuse material on devices in 2021. The proposal was technically different in its implementation but similar in principle: scanning would happen on the device before content was uploaded to iCloud.
Apple ultimately abandoned the project in 2023 following sustained criticism from privacy researchers, security experts, and civil liberties organisations. The core objection was identical to the one being raised now: even well-intentioned scanning infrastructure creates risks that extend far beyond its stated purpose, and once built, it cannot easily be unbuilt.
The Encryption Problem
Underneath all of this sits a fundamental technical tension. End-to-end encryption, which protects messages so that only the sender and recipient can read them, is one of the cornerstones of secure digital communication. Businesses use it. Journalists use it. Domestic abuse survivors use it. Security researchers use it.
The Online Safety Act grants Ofcom the power to require platforms to use accredited technology to scan messages for illegal content. The problem, which security experts have pointed out repeatedly, is that there is no way to scan encrypted messages without either using client-side scanning, which examines content before it is encrypted and therefore changes the security model, or inserting a backdoor, which breaks encryption entirely.
Both approaches fundamentally undermine what encryption is designed to do. A backdoor that only the government can use does not exist in practice. A vulnerability is a vulnerability, and the same weakness that a regulator could use to access content could in principle be exploited by malicious actors.
Who Supports the Plans
The organisations that work most closely with children who have been exploited or harmed online broadly support the government's direction. The NSPCC, the Internet Watch Foundation, Barnardo's, and the Children's Commissioner for England have all expressed public support for stronger intervention.
NSPCC chief executive Chris Sherwood described the announcement as a major step forward in the fight against online child abuse. These are not organisations with a casual interest in the subject. They deal with the real-world consequences of online child sexual abuse every day, and their support for more robust action carries significant weight.
The genuine tension in this debate is that both sides are arguing from a position of legitimate concern. Online child safety is a real problem with real victims. Privacy and encryption are real protections with real beneficiaries. Proposals that improve one at the cost of the other deserve serious scrutiny rather than dismissal.
What This Means for Businesses
For most businesses, the immediate practical impact of this debate is limited. However, the direction of travel matters. If the UK government introduces legislation requiring device-level scanning, or if Ofcom requires technology platforms to implement accredited scanning technologies under the Online Safety Act, those requirements will eventually affect the tools businesses use for communication, file storage, and collaboration.
End-to-end encrypted messaging platforms and cloud services that currently offer strong privacy guarantees may face legal pressure to modify their security architecture. Understanding how those changes might affect the tools your business relies on, and what alternatives exist, is a sensible part of technology planning.
More broadly, the debate highlights that online child safety and digital security are not separate concerns for businesses. The same encryption that protects personal privacy also protects business communications, client data, and sensitive files. Changes to how encryption is regulated affect everyone who relies on it.
Our Cyber Security page covers the protections we help businesses put in place, including how to evaluate the security of the tools and platforms you use as the regulatory landscape continues to evolve.
A Debate That Is Not Going Away
The three-month deadline the government has set means this debate will produce concrete outcomes relatively quickly. Either technology companies will propose solutions that satisfy ministers, or the government will move towards legislation.
What is unlikely to happen is a clean resolution that satisfies everyone. The tension between online child safety and digital privacy is not a misunderstanding that better technology can fully resolve. It reflects a genuine conflict between two important values, and the decisions made in the next few months will shape how that conflict is managed in the UK for years to come.