Between authoritarian politics and corporate self-interest, basic freedoms should be protected
What is it with Ireland’s political class and the prospect of “updating” laws that touch on basic freedoms? The word seems to function less as a promise of common-sense modernisation than as a licence for blundering do-goodery that slides, all too easily, into authoritarian overreach.
Last year, the government’s plan to “update” hate speech laws resulted in a bill so sweeping it would have criminalised speech deemed subjectively offensive, even where the speaker had no intent to stir up hatred. Simply possessing material that might incite hatred could have triggered a two-year prison sentence. It was, as many noted, a 21st-century echo of the country’s old Committee on Evil Literature, which once banned the sale and distribution of “unwholesome literature”.
Now, in its latest effort to bring an ageing law up to date — this time the catchily titled Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 — the government is once again reaching far beyond what is necessary or proportionate, quietly preparing to grant itself unprecedented powers over private digital communications.
In a speech last week, Justice Minister Jim O’Callaghan announced plans to overhaul the law in this area, expanding its scope to cover encrypted messaging services like WhatsApp, Signal, and iMessage. The existing legislation, he argued, is “quaint”, ill-suited to the realities of digital communication, and inadequate for law enforcement in an age of terrorism, organised crime, and encrypted apps.
Under the proposed Communications (Interception and Lawful Access) Bill, the Gardaí, Defence Forces and police ombudsman will be empowered to intercept live conversations on encrypted messaging platforms — not just WhatsApp or iMessage, but also Instagram DMs, gaming consoles, satellite networks and even connected car systems. At present, Gardaí can’t obtain warrants to intercept messages sent via such technologies. The reforms, long lobbied for by senior figures within An Garda Síochána, aim to remedy what security officials regard as a dangerous shortfall: the 1993 legislation no longer reflects how people communicate.
O’Callaghan has promised that privacy will be respected. Yet his own framing casts doubt on whether this basic freedom can, or should, continue to take precedence when lives are at stake. “We need to recall that the countervailing balance to the individual right to privacy is frequently the collective right to security,” he said. He also spoke of “delivering technology solutions to enable encrypted data to be accessed in a lawful manner”, while working “in close partnership with communications service providers”.
The logic of his proposal leads inescapably to one conclusion: if the state can’t access encrypted messages in transit, it must do so before they are encrypted or after they are decrypted; that is, on the user’s own device. This is the core mechanism behind client-side scanning (CSS), a controversial technique that remains the only technically plausible way to access encrypted communications without breaking encryption itself.
Proponents describe CSS as a compromise: a way to retain end-to-end encryption while still giving law enforcement access to dangerous material. In reality, CSS is bulk interception in all but name: automated, distributed, and silent. Rather than simply reading messages in transit, it opens up the entire contents of a personal device to remote inspection. And because it operates via software, its scope can be expanded at any time. In theory, a single update could quietly shift the target from illegal content per se to lawful political dissent of whatever kind the government of the day deems “problematic”.
That’s a worrying possibility, not least because freedom of expression and privacy are mutually reinforcing rights. No one can speak freely if they fear their thoughts and associations may be scanned, flagged, or misinterpreted by opaque systems beyond their control.
It’s true the proposals include safeguards. The minister has promised judicial authorisation and insists interception powers will be narrowly applied. But such checks are only as strong as the architecture they govern. Once CSS software is installed, the risk is that it becomes exploitable by others. Rare is the bad actor who goes cap in hand to a judge, pleading for a warrant.
Back in 2021, Apple abandoned attempts to introduce its own CSS software after fourteen top computer scientists found its plans were unworkable, open to abuse, and threatened internet security. Their paper, Bugs in our pockets: the risks of client-side scanning, identified 15 ways that states, malicious actors, and even targeted child abusers, could exploit the technology to cause harm. Even the UK’s own Information Commissioner’s Office has said that encrypting communications actually strengthens online safety for children by reducing their exposure to threats such as blackmail.
Perhaps most troubling is that, far from being an isolated national reform, Ireland’s proposals are aligned with a broader European trend. In his speech, O’Callaghan expressly endorsed the European Commission’s 2025 Roadmap for Lawful Access to Data, which calls for “technology solutions” to access encrypted data — including tools for digital forensics, remote data collection, and decryption — all while apparently safeguarding “cybersecurity and fundamental rights”.
Although the Roadmap avoids directly naming CSS, it calls for targeted lawful access “by design”, including the development of a technology roadmap and support for tools that can retrieve and analyse encrypted data. It also commits the Commission to considering whether new legislation is needed to ensure all communication providers operating in the EU comply with lawful interception obligations.
O’Callaghan’s approach positions Ireland as an early adopter of this new surveillance regime, and a proving ground for the Commission’s vision of “lawful and effective access” — a phrase which, in this context, recalls George Orwell’s reminder in Politics and the English Language that the defence of the indefensible is rarely attempted without recourse to cloudy euphemism.
Will Big Tech play ball? Don’t count on it. During the passage of the UK’s Online Safety Act through Parliament in 2023, Signal and WhatsApp publicly threatened to leave the UK if they were forced to weaken encryption or build government backdoors into their messaging services. In 2024, Apple warned Parliament that the UK government should not decide “for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption”. Yet soon after, under the sweeping surveillance powers of the Investigatory Powers Act 2016, authorities issued a legally binding demand requiring Apple to implement code allowing law enforcement access to encrypted iCloud backups. Apple’s response? It pulled its Advanced Data Protection feature from the UK market, and is now mounting a legal challenge.
We’re now living through a shift in which the rights of the individual survive, if at all, as a by-product of corporate self-interest
But before we get too excited, let’s be honest about what this resistance represents. The defence of privacy is no longer being led by citizens as principled guardians of one of the basic liberties underpinning free expression. It’s now being propped up by global tech giants, desperate to protect their brand and business model. “Tech bros of the world, unite! You have nothing to lose but your market capitalisation!” So while their resistance is welcome, our effective dependency on them is also, in some ways, the inevitable denouement of a capitalist system that has enclosed, and in enclosing, commodified, spaces in which online autonomy and anonymity once flourished.
The result of this privatisation of privacy is that we’re now living through a shift in which the rights of the individual survive, if at all, as a by-product of corporate self-interest. It’s time we stood up for freedom for its own sake.
