Published Jul 06, 2026 by Xiph
For more than a decade, police and intelligence agencies have told the same story: encryption is switching the lights off. Criminals are “going dark,” vanishing behind apps no warrant can open, and unless something changes, investigators will be left blind. It is a serious claim made by serious people, and it deserves testing against the evidence. Because the evidence tells a very different story: that we are living through the most information-rich era of surveillance in human history. One recent event — a Chinese intelligence operation that spent years inside the very wiretap systems built for law enforcement — settles it more decisively than a decade of white papers ever could.
The case for “going dark,” taken seriously
The phrase came out of the FBI, in congressional testimony as early as 2010. Director James Comey made it famous in October 2014, days after Apple and Google switched on device encryption by default: agencies, he argued, hold the legal authority to intercept communications but increasingly lack the technical ability to act on it. Eighteen months later came the FBI’s court fight with Apple over a dead terrorist’s iPhone, and the debate went global.
Australia didn’t follow that debate — we ran ahead of it. In 2017, Prime Minister Malcolm Turnbull announced laws to compel access to encrypted messages — “the laws of mathematics are very commendable,” he allowed, but the only law that applied here was the law of Australia. The Assistance and Access Act followed in 2018, the first law of its kind in the democratic world, compelling “designated communications providers” to help access encrypted data. In April 2024, ASIO Director-General Mike Burgess used a National Press Club address to ask big tech for “accountable encryption” — lawful, targeted access under warrant. Unaccountable encryption, he argued, hands terrorists and spies a safe room — though he insisted he wanted no “back doors or systemic weaknesses that break the internet.”
Be fair: the argument is not invented. End-to-end encryption genuinely closed a window that used to be open: a warrant served on a telco in 2005 produced the content of calls and texts; served on Signal or WhatsApp today, it produces very little. The cases agencies cite — terrorism, child exploitation, espionage — are real, and specific investigations really do get harder. But the question was never whether encryption ever frustrates an investigation — it is whether “dark” describes the world investigators actually work in.
The counter-case: the brightest era in surveillance history
It does not — and the strongest rebuttal came not from activists but from scholars and intelligence insiders. As early as 2011, privacy scholar Peter Swire argued this era was better described as a “golden age of surveillance” than as law enforcement going dark. In 2016, Harvard’s Don’t Panic report — signed by cryptographers, academics and serving members of the US intelligence community — agreed: encryption dims some channels, but the trend is towards vastly more data about everyone, not less.
Metadata — who contacted whom, when, from where — cannot go dark, because networks need it to function. Most cloud backups are not end-to-end encrypted, so messages protected in transit sit readable on a server. Every new device is a new witness: cars log journeys, watches log heartbeats, doorbells log faces. And a data-broker industry sells location trails scraped from apps to anyone with a credit card.
Now the Australian ledger. Since 2015, our metadata retention scheme has required every carrier to keep two years of records — who you called and messaged, when, for how long, and which cell tower you were near — available to around 20 enforcement agencies without a warrant, and self-authorised roughly 300,000 times in a single reported year, drug cases dominating the tally and terrorism a small fraction. A detective in 1996 could tap a phone line. A detective in 2026 can reconstruct almost every hour of a suspect’s month from data that already exists. Whatever this is, it is not darkness.
Salt Typhoon: the punchline
If the two stories needed a tiebreaker, Beijing supplied it. From as far back as 2019, a group linked to China’s Ministry of State Security — now known as Salt Typhoon — burrowed into major telecom providers, at least nine US carriers among them. They took call metadata on more than a million people and reached the communications of America’s most senior politicians, Donald Trump and JD Vance included. And — the detail that should end the encryption debate — they got inside the “lawful intercept” systems: the wiretap infrastructure carriers must build precisely so that agencies never go dark. For years, a foreign intelligence service could potentially see who was under surveillance and what investigators were collecting.
Read that again. When Chinese hackers are sitting inside the wiretap system, the problem is plainly not too much encryption. It is that a door built into everyone’s communications is a door, no matter whose name is on the key.
What followed was a quiet reversal of a decade of rhetoric. In December 2024, the FBI and CISA advised the public to use end-to-end encrypted apps — “encryption is your friend,” as one senior official put it. The hunting guidance that followed in August 2025 was co-signed by 13 countries, Australia’s ASD among them, covering more than 80 nations. And in November 2025, Mike Burgess confirmed Chinese state-linked groups, Salt Typhoon included, had probed Australian critical infrastructure — telecommunications networks among the targets. As we argued in SS7 and fake towers, the honest advice now is to assume the carrier layer is compromised, and encrypt so it doesn’t matter.
What better-targeted policing actually looks like
None of this means agencies should shrug while criminals hide behind encryption. It means the remedy is targeting, not weakening — and Australia has already produced the world’s best example. In Operation Ironside, the AFP and FBI didn’t break anyone’s encryption — they built AN0M, their own “secure” app, and let criminal networks distribute it for them. Three years of court-authorised collection later, police had made hundreds of arrests here and more than 800 worldwide, and seized drugs by the tonne. No law-abiding Australian’s messaging was weakened in the process.
Even the case that launched the war on encryption ended the same way. The FBI never needed Apple to build a backdoor into the San Bernardino iPhone; a small Australian security firm, Azimuth, found a targeted way into that one device. Expensive, warranted, specific — that is what lawful access looks like when it doesn’t put every other phone on earth at risk. Device-level capability plainly exists, as the NSO Group litigation laid out in uncomfortable detail; the policy question is only whether access is engineered into everything, or earned against something.
The dragnet alternative fails on its own terms. Every mandated access mechanism is a Salt Typhoon target. Every hoarded database is an Optus or Medibank waiting to happen. Hold “accountable encryption” to Burgess’s own standard: he says he wants no systemic weakness — and Salt Typhoon has just demonstrated that a lawful-access mechanism is a systemic weakness, whoever it was built for.
What you can do now
The policy fight will grind on — the surveillance ratchet maps where it’s heading. In the meantime, take the agencies’ own post-Salt-Typhoon advice.
For individuals:
-
Move anything sensitive to end-to-end encryption. If your calls and messages are encrypted before they touch the network, its owner — carrier, hacker or government — captures nothing useful.
-
Harden the device itself. Encryption protects the pipe, not a compromised handset. A GrapheneOS hardened phone strips out the tracking and attack surface an ordinary phone leaves exposed.
-
Shrink your metadata trail. Your carrier is legally required to hold two years of it. A private SIM breaks the link between your number, your name and your movements.
-
Retire SMS for anything that matters. Texts and SMS two-factor codes travel through the very networks Salt Typhoon lived in. Use encrypted messaging and hardware security keys instead.
For businesses:
-
Treat encrypted communications as infrastructure, not obstruction. Issue proper encrypted comms to executives, legal, finance and anyone handling sensitive IP — the people foreign intelligence services actually target.
-
Collect less, keep less. You cannot be compelled to hand over, or breached out of, data you never held. Post-Optus, data minimisation is a security control, not a compliance nicety.
-
Assume the carrier layer is hostile. Design your communications so the confidentiality lives in your hands, not your telco’s.
-
Get expert eyes on your exposure. A risk audit or a virtual CISO will find the gaps before someone else does.
A final word
The “going dark” story asks Australians to accept weaker security for everyone in exchange for easier access for a few — and Salt Typhoon showed exactly what that trade buys: a foreign power reading the watchers’ own mail. Meanwhile, agencies were never blind: they have metadata by the hundreds of thousands of requests, devices that never stop talking, and operations like AN0M that put real criminals in court without touching anyone else’s privacy. The honest response to real crime was never weaker encryption for all of us. It is better-targeted policing — and stronger encryption for everyone, because the same encryption that frustrates one investigator defeats the spy sitting inside the phone network.
At Xiph Cyber, we’ve been making that case — and supplying the tools — for years: encrypted communications, hardened handsets, private SIMs and the consulting to deploy them properly. To work out where you or your business are exposed, talk to our team about cyber security consulting, or get in touch at enquiries@xiphcyber.com.
Posted in: Security
