Encryption is one of the most effective ways to keep data private, secure, and accessible only to those who are meant to see it. However, policymakers are advancing measures that would significantly weaken, or even eliminate, the very protections encryption provides. As debates unfold, the impact reaches far beyond technical discussions — touching on the privacy of individuals, the safety of vulnerable communities, and the trust needed for communication.
Surfshark, alongside fellow VPN Trust Initiative (VTI) members, stands firm in support of strong encryption. We urge policymakers to protect this vital safeguard of privacy.
Surfshark’s CEO, Vytautas Kaziukonis, emphasizes:
“Having end-to-end encryption for communication and other digital services is just essential hygiene. Without it, all other efforts by apps to protect user privacy and security become largely meaningless. Proposals to introduce message scanning would inevitably create vulnerabilities that malicious actors could exploit. There is no such thing as partial encryption: either it is intact, or it is broken. Therefore, weakening encryption risks undermining trust in Europe’s digital infrastructure and setting a dangerous global precedent.”
Why is encryption important?
Encryption is the process of converting information into a coded form. And it’s far more than a technical safeguard — it is a cornerstone of online security, human rights, and trust in the digital age. It plays a significant role in protecting our privacy in the following ways:
- Shield for fundamental rights: encryption directly supports the rights to privacy and freedom of expression, recognized under European human rights frameworks, and is essential to safeguarding democratic governance in the digital era. It is especially vital for journalists, lawyers, doctors, and vulnerable communities whose safety relies on secure, surveillance-free communication.
- Core of digital security: encryption underpins the protection of phones, laptops, messaging apps, banking software, and other critical digital infrastructure. It protects against cyberattacks like ransomware and phishing, ensures stolen devices don’t expose private information, and keeps sensitive data such as payments or health records secure and compliant with regulations. By safeguarding confidentiality and preventing tampering, encryption builds trust, protects privacy, and adds a vital layer of defense for both individuals and organizations.
- Integration in legal frameworks: European policymakers have firmly embedded encryption into legal frameworks, recognizing its central role in protecting information security. Under the General Data Protection Regulation (GDPR), encryption of personal data is explicitly required as a key security measure. EU institutions and governments have also publicly supported encryption in the past.
Why is encryption at risk?
Encryption is facing mounting pressure from legislative and regulatory proposals across multiple jurisdictions. At the same time, regulatory momentum in both the US and the EU is shifting, with institutions on both sides of the Atlantic once again advancing proposals to restrict encryption.
In the EU, measures such as the Child Sexual Abuse Regulation — referred to as Chat Control — seek to mandate scanning of private communications or lawful access to encrypted services. Doing so would undermine one of the most effective safeguards for confidentiality online. Such measures effectively turn secure messaging services into surveillance tools, exposing personal conversations to risks of misuse, false positives, and expanded monitoring beyond the regulation’s original intent.
Rather than targeting suspects, Chat Control weakens the security of everyone’s digital communications — leaving ordinary users, vulnerable communities, and businesses more exposed to malicious actors while determined offenders simply migrate to other platforms. Here’s an excerpt from our conversation with Ryan Polk, Director of Internet Policy at the Internet Society, which highlights this issue:
“Bad government policies and legislation continue to be the largest global threat to encryption. Some governments want to gain access to end-to-end encrypted communications, often for law enforcement purposes. Unfortunately, there is no way to provide law enforcement with a way to access end-to-end encrypted communications without creating a vulnerability that weakens the security and privacy of everyone who uses that service. Any vulnerability created to facilitate law enforcement access would also create a vulnerability that criminals or adversaries could exploit. Yet, despite the dangers that breaking end-to-end encryption would create, some governments are still pursuing this goal.”
Another notable example has been efforts by various institutions to push for a backdoor in the 5G standard. Similarly, during a 2022 Europol meeting, it was suggested that encryption could be bypassed through authorities’ deliberate retention and exploitation of software or hardware vulnerabilities.
The bottom line is this: any attempt to create a backdoor is a direct contradiction of how encryption functions. A backdoor is, by definition, a security vulnerability that compromises the entire system, and even if intended only for lawful access, it will inevitably be discovered and exploited by malicious actors.
What is the best way for everyone to stay protected?
The way forward is to strengthen encryption, not weaken it. Backdoors or client-side scanning create security weaknesses anyone can exploit — not just the “good” actors they’re meant for. Such measures undermine best-practice security principles, conflict with existing laws like GDPR and the EU Cyber Resilience Act, and repeat the mistakes of past lawful-access systems that became liabilities.
At the same time, governments are investing in post-quantum encryption and stronger protections, which contradicts the previously mentioned efforts to weaken encryption. These efforts must align around future-proof security, not contradictory initiatives that weaken it.
To ensure better security and privacy for everyone, the VPN Trust Initiative recommends the following actions:
- Reject any legislative or regulatory measures that mandate encryption backdoors, weaken encryption standards, or impose insecure technical requirements.
- Preserve strong encryption standards without exceptions for companies dealing with users’ data.
- Strengthen targeted and proportionate investigative capabilities that do not require weakening encryption, such as lawful decryption capabilities (e.g., court-authorized).
- Preserve privacy by design and default, including strong encryption and strict data minimization, so sensitive information is never unnecessarily collected or retained.
- Provide resources to law enforcement so they can build more advanced forensic technologies and improved reporting channels. International or regional funding and cooperation should be incentives.
- Foster public–private collaboration for online safety that does not compromise security. Work with international stakeholders worldwide to avoid fragmentation.
A more detailed explanation of these recommendations can be found in the VTI position paper on encryption.
Strong encryption is essential
Surfshark, together with the VPN Trust Initiative, firmly believes that undermining encryption is not an effective way to reduce online harm. There is no way to weaken it for certain aims while keeping it strong for others. If encryption is compromised, it is ordinary citizens who are left more vulnerable — not the bad actors who might simply shift to other methods.
The path forward must focus on strengthening encryption. Robust encryption is essential to protecting human rights, sustaining economic resilience, and preserving trust in digital systems. Governments and policymakers should lead with clarity and commitment, defending strong encryption as a cornerstone of both security and democracy. Anything less risks trading away the safety of the many for an illusion of control over the few.