How have major messaging platforms (WhatsApp, Signal, Apple) publicly responded to potential Ofcom technical notices under the Online Safety Act?
Executive summary
Major encrypted messaging providers — WhatsApp, Signal — and device platform owner Apple have publicly opposed provisions in the UK’s Online Safety Act that could let regulator Ofcom compel “accredited” client-side scanning or other measures to inspect end‑to‑end encrypted messages, with firms warning they would refuse to weaken encryption or even withdraw services from the UK rather than comply [1] [2] [3], while Apple framed the proposals as a “serious threat” to encryption and joined other vendors in a public letter urging lawmakers to change the law [4] [5].
1. WhatsApp: categorical refusal and market-exit threat
WhatsApp’s public posture has been to refuse to lower its encryption standards if ordered to do so and to signal willingness to block service in the UK rather than implement technical measures that would undermine end‑to‑end encryption, a stance reported repeatedly by the BBC and consolidated in industry briefings that say WhatsApp joined others in opposing Ofcom’s powers [2] [1] [6].
2. Signal: “walk” from the UK if encryption is compromised
Signal’s leadership has been explicit: they told the BBC they would “walk” from the UK if the Online Safety Bill forced them to weaken user security, framing the potential Ofcom notices as a direct threat to the app’s raison d’être as a secure messenger [2]. That threat persists in later summaries of industry reaction noting Signal among the firms that would withdraw rather than implement client‑side scanning [3] [7].
3. Apple: public alarm, open letter, and warnings about shutting services
Apple moved from private concern to public opposition, co‑signing an open letter with other secure‑messaging vendors arguing the law could empower Ofcom to force proactive scanning of private messages and “nullify” end‑to‑end encryption, and Apple warned the proposals pose a “serious threat” to iMessage and FaceTime privacy [4] [5]. Reporting also captured industry commentary that Apple had suggested it might block or shut services in the UK rather than comply — a scenario widely circulated in technology press coverage [8].
4. Collective industry messaging: joint letters and unified framing
WhatsApp, Signal and Apple have not acted in isolation: they joined broader coalitions of vendors, experts and NGOs raising alarm that the bill lacks explicit protections for encryption and could empower Ofcom to insist on scanning private communications through “accredited technologies,” a phrase that industry interprets as client‑side scanning or backdoors [1] [9] [4].
5. Ofcom’s authority, the absence of accredited tech, and timelines
Despite the outcry, the Online Safety Act retained provisions that allow Ofcom to issue notices requiring measures that could weaken encryption; commentators note there are currently no “accredited technologies” defined and Ofcom’s final guidance was slated for publication in spring 2026, leaving the precise mechanics and legal triggers unclear [3] [9] [7].
6. Government response and the safety argument
UK ministers and the technology secretary defended the law as necessary to protect children and public safety, explicitly contesting the industry framing and arguing that regulator powers are a proportionate route to prevent child sexual abuse material and other harms [10]. This creates a clear public-policy clash: government claims of child‑safety necessity versus industry warnings of systemic privacy and security risks [10] [11].
7. Secrecy, legal constraints, and watchdog alarms
Civil society groups such as Privacy International have amplified a related concern: secret notices could be served anywhere in the world and bind companies to secrecy, preventing public scrutiny even when notices require undermining security — a scenario made salient by leaked reporting and NGO analysis alleging at least one such notice to Apple [12]. That critique feeds the industry narrative that compliance could not be meaningfully debated or disclosed.
8. What's left unsettled: enforcement, tradeoffs and punishment
Finally, while tech companies emphasize technical impossibility and user‑safety tradeoffs, the law includes heavy sanctions for non‑compliance and tools to restrict services — penalties that raise the stakes in public statements and sharpen rhetorical postures on both sides [7] [3]. Reporting to date documents the firms’ public refusals and warnings but leaves open how Ofcom would deploy any notice, what “accredited” scanning would look like in practice, and whether legal or political accommodations will change the standoff [9] [7].