Lord Hanson of Flint stood before the House of Lords in 2024 and said: 'We have set a date of April 2026, and we expect to act extremely speedily once we have had the report back.' That date is this month. The UK government is not vague about what comes next. The Ofcom assessment of how to compel encrypted messaging platforms to implement client-side scanning — scanning messages on users' own devices before they are encrypted — is not a consultation. It is the mechanism that triggers enforcement.
The landscape here is unusually clear. Three encrypted messaging platforms dominate UK user adoption: Signal (approximately 85 million global users, unknown UK-specific base but substantial), WhatsApp (encrypted by default for 2 billion users globally), and iMessage (encrypted for Apple users). Telegram, which does not use end-to-end encryption by default, sits outside the conflict. The legal framework is Section 121 of the Online Safety Act 2023, which grants Ofcom authority to require any online service 'facilitating communication' to install what the regulator calls 'accredited technology' to detect terrorism content or child sexual abuse material. In the UK's regulatory structure, Ofcom answers to the Home Office. The Home Office has already signalled its intention to act rapidly once the Ofcom report arrives. There is no ambiguity in the sequence or the intent.
Ofcom's formal deadline is April 2026 — this month. The agency has already previewed its thinking: it is considering what it calls 'hash matching,' a euphemism for client-side scanning using perceptual hashing to detect illegal content before encryption. Ofcom's public framing claims this would not require services to 'break end-to-end encryption.' This is technically dishonest. As Robin Wilton, Senior Director for Internet Trust at the Internet Society, explained to researchers: 'That would mean the service would have to have a client-side component to do that scanning.' A client-side component that scans messages before they are encrypted is, by definition, the installation of surveillance infrastructure on users' devices. Alec Muffett, a security engineer who spent years at Facebook building encryption systems, told Computer Weekly that Ofcom's proposals display 'a horrifying lack of safety by design,' and that the framing of hash matching as a technical solution obscures the real mechanism: 'Perceptual hashing is just a fancy name for what we used to call fuzzy matching with digital fingerprints, and even if we ignore the problem of false positives, we are left with the risk of creating an enormous cloud surveillance engine.' What Ofcom is proposing is not a technical problem waiting for a clever solution. It is a choice to build surveillance into the infrastructure.
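What "hash matching" with perceptual hashing involves, shown as an added example that is not from the article, Ofcom, or any vendor. The article names no algorithm, so this assumes a simple average hash over constructed 8x8 grayscale grids; the blocklist label and thresholds are hypothetical.

```python
import hashlib

def ahash(pixels):
    """Average hash: one bit per pixel, set when the pixel is brighter than the mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | int(p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

def exact_digest(pixels):
    """Cryptographic hash of the raw pixels, for comparison with the fuzzy one."""
    return hashlib.sha256(bytes(p for row in pixels for p in row)).hexdigest()

def scan(pixels, blocklist, threshold):
    """Client-side check on plaintext content, run before any encryption step.
    Returns the nearest blocklist label within `threshold` bits, else None."""
    h = ahash(pixels)
    label = min(blocklist, key=lambda k: hamming(h, blocklist[k]))
    return label if hamming(h, blocklist[label]) <= threshold else None

# Constructed sample data: 8x8 grayscale grids (values 0..255), not real images.
LISTED = [[c * 32 for c in range(8)] for _ in range(8)]           # horizontal gradient
ALTERED = [[min(255, p + 10) for p in row] for row in LISTED]     # brightened copy
ALTERED[0][0] = 200                                               # one pixel edited
UNRELATED = [[(r + c) * 16 for c in range(8)] for r in range(8)]  # diagonal gradient

BLOCKLIST = {"listed-sample": ahash(LISTED)}  # hypothetical fingerprint list

if __name__ == "__main__":
    print("exact digests equal:", exact_digest(LISTED) == exact_digest(ALTERED))
    for name, img in (("altered", ALTERED), ("unrelated", UNRELATED)):
        d = hamming(ahash(img), BLOCKLIST["listed-sample"])
        print(f"{name}: distance={d} strict(4)={scan(img, BLOCKLIST, 4)} "
              f"loose(16)={scan(img, BLOCKLIST, 16)}")
```

With a 4-bit threshold only the altered copy is flagged; widening it to 16 bits also flags the unrelated grid, which is the false-positive trade-off built into any fuzzy match.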
The "why now" is calendar-driven and procedural, but the underlying pressure is global. The UK government has been pushing encryption restrictions since the Investigatory Powers Act of 2016. What changed is that the Online Safety Act created a new legal mechanism — Section 121 — that applies not just to the telecom infrastructure but to software platforms themselves. Apple already folded under this pressure in February 2025, disabling end-to-end encryption for iCloud users in the UK. Two encrypted file-sharing services, Krakenfiles and Nippydrive, have already left the UK market entirely — a signal that even smaller providers see the enforcement vector as real. The Ofcom report was scheduled for April 2026 specifically to allow time for Home Office policy work; the government made clear it would not wait for broad industry consensus. Meanwhile, the UK's National Security Technology Centre released guidance in January 2026 suggesting that creating tools like Signal or WhatsApp could constitute 'hostile activity' — reframing encryption itself as a security threat rather than a privacy tool. The framing shift is complete. Now comes enforcement.
Who wins and who loses is binary. Signal loses UK market access if it follows through on Meredith Whittaker's public commitment to exit rather than comply. The UK loses a platform used by journalists, activists, and ordinary people who depend on strong encryption for communication security. Apple loses competitive advantage (it has already been neutered in the UK). WhatsApp, owned by Meta, faces a choice between compliance and exit — Meta has not made Signal's commitment public, which suggests it may negotiate a compromise that maintains access while installing scanning infrastructure. The Home Office wins the ability to claim that encrypted messaging is now subject to surveillance. The UK government wins the ability to monitor communication patterns at scale. And ordinary UK residents get the surveillance apparatus built into their devices whether they consent or understand it, because app store enforcement is the likely mechanism — Google and Apple remove non-compliant apps from their UK stores, and compliance becomes mandatory for any app that wants market access.
Our read: This is not a close call. Ofcom will issue a report that recommends client-side scanning under Section 121. The Home Office will move rapidly on enforcement. Signal will exit the UK market as stated. WhatsApp and iMessage will negotiate some form of compliance that preserves access while installing surveillance infrastructure. The architecture of encrypted communication in the UK will shift from user-controlled to infrastructure-controlled, and the precedent will be used by other jurisdictions — Sweden's parliament is already considering identical legislation, and the EU's Chat Control proposal sits in the background as a parallel track. Two things would change this assessment: if Signal stays and negotiates a technical compromise that does not install client-side scanning (unlikely — the security model does not allow it), or if the Ofcom report recommends against enforcement under Section 121 (possible if the Home Office faces unexpected civil-society or industry pressure, but not probable given the government's clear public timeline and the precedent already set by Apple's capitulation). The third signal to watch is whether Proton, which has not yet been required to implement scanning in the UK, receives a notice in the coming months — that would indicate scope expansion is already underway.
Watch for these four indicators in the coming weeks and months: First, the Ofcom report release, expected this month — whether it formally recommends Section 121 enforcement and whether it uses soft language ('hash matching') or hard language ('client-side scanning'). Second, Signal's response — whether Meredith Whittaker follows through on the exit threat or negotiates a compromise. Third, the Home Office's public comment on enforcement timeline once the report is received; Lord Hanson said 'extremely speedily,' which in UK government terms likely means within 6–12 months. Fourth, App Store enforcement mechanics — watch for any indication that Ofcom or the Home Office is negotiating with Apple and Google to force removal of non-compliant apps from UK app stores, which would be the enforcement mechanism that requires no new legislation.
