The right to use strong encryption technology—like the encryption that secures your iPhone or protects your WhatsApp messages—isn’t only under political attack in the U.S. Governments in the U.K., Germany, France, and other European countries have recently taken steps toward undermining encryption. Although these local debates have engaged a wide range of policymakers, privacy advocates, and internet companies, they’ve been taking place largely in isolation from one another, with limited sharing of information, arguments, and advocacy tactics between those countries’ policy communities. That’s why OTI has begun a series of papers that will fill in some of those gaps by recounting the legal landscape and most recent political rhetoric around encryption in various European capitals. Today we are releasing the first paper in our series, on the crypto debate in the United Kingdom, with additional papers on France and Germany to be published in coming weeks.

The U.K. is in many ways the frontline of the “crypto war” in Europe. Both David Cameron and Theresa May have called loudly for a means to access any and all encrypted communications, calls that have been intensifying over time as a continuing series of terror attacks has rocked the nation. At the end of 2016, the U.K. enacted a complete overhaul and expansion of its surveillance laws, called the Investigatory Powers Act (IPA), but the law raises more questions than it answers about how far the government can go in demanding that private tech companies assist with its surveillance.

In light of government leaders’ public demands for broad access to encrypted data, demands that have been widely read as a call for providers to insert surveillance backdoors into their products or to stop offering unbreakable encryption in their products, the key question becomes:

Can the U.K. government use the IPA—will it use the IPA—to require companies that currently offer unbreakable encryption to undermine that encryption?

The frightening answer is: we don’t know. And we may not have any way of finding out.

The IPA certainly contains new provisions authorizing the government to compel private companies to create and maintain the ability to ensure government access to communications that are carried over their services, via so-called “technical capability notices.” How these provisions might apply to encryption is unclear, however. The law applies broadly to any online service that enables people to communicate, and includes the power to demand the “removal of electronic protections.” That description would seem to indicate that end-to-end encryption is one viable target of this power.

The situation gets more complicated from there. To accompany the law, the government will release a set of Codes of Practice, and in the draft code around technical assistance, the government’s power to compel the removal of electronic protections is limited to cases where those protections were applied by the provider itself or on its behalf. Yet this language is unclear: arguably, the user applies the encryption to his or her encrypted WhatsApp messages because that encryption happens on the user’s phone; the same argument could apply to the encrypted data on an iPhone. Yet one could also argue that because that encryption technology is offered and enabled by Facebook and Apple, respectively, then it was “applied” by them. Meanwhile, the government has done little to offer any clarity on this score. Although it has repeatedly disclaimed any intent to “require backdoors” or “ban encryption,” it also has carefully avoided clearly answering how exactly a company such as Facebook would have to respond to a technical capability notice demanding access to end-to-end encrypted WhatsApp messages, or Apple to a demand for access to encrypted iPhone data. Nor are we likely to find out, if and when such notices are served, since they are issued under a cloak of secrecy, and the recipients are gagged from discussing the notice or how they responded to it.

The IPA also codifies an extremely broad and vague new authority to hack into devices for both law enforcement investigations and foreign intelligence gathering, including explicit authorization for the hacking of devices in bulk, authority that will similarly operate under a strict layer of secrecy. In the U.S. debate, many have discussed targeted hacking of suspects’ devices as a less privacy-invasive alternative to demanding backdoors into every encrypted service and device. Yet it seems like the U.K. wants to have its cake and eat it too, by authorizing broad technical mandates as well as allowing untargeted mass hacking—making the U.K. the most hostile anti-encryption government in Western Europe, at least for the moment.

After analyzing the fight over the IPA’s passage and its meaning, and the history and politics around the encryption fight in the U.K., OTI came away with six key lessons for pro-encryption advocates both inside and outside the U.K.: