The surveillance ratchet: what the UK and EU tell Australians about where our online laws are heading

Published Jun 14, 2026 by Xiph

To see where Australia’s internet is heading, don’t bother forecasting — look at Britain. In barely eighteen months the UK has switched on mandatory age checks, pushed age verification down to the phone itself, fought Apple over encryption, normalised facial recognition on the street, and — in June 2026 — given Apple and Google three months to build scanning into every device or face the law. The EU is working down the same list. These levers keep surfacing in the same order across like-minded democracies, and Australia is rarely far behind. On one of them, we got there first.

They behave like a ratchet — built to turn one way and lock, easy to introduce and almost impossible to wind back. Three levers, really: who you must prove you are before you go online, whether the state can read what you send, and whether your face can be tied to a permanent record. The UK and EU are pulling all three at once — the closest thing Australia has to a weather report.

Lever one: age verification

In July 2025 the UK’s Online Safety Act began requiring “highly effective” age checks on adult content — ID, a card or a facial scan, not a self-declared birthday. Ofcom opened dozens of investigations and issued fines; a repeal petition drew hundreds of thousands of signatures as VPN sign-ups spiked. Then, in late March 2026, the principle jumped from the website to the device: Apple’s iOS 26.4 update asked every UK iPhone and iPad user to prove they were over 18, or have content filters switched on automatically. UK law didn’t require this of operating systems; Apple did it pre-emptively.

Watch the move: once “prove your age to see this” is accepted for one kind of content, it’s available for every kind — and Australia is several steps in. The world-first ban on under-16s holding social accounts took effect on 10 December 2025; by mid-January eSafety reported some 4.7 million under-16 accounts removed. By late March it had teeth — investigations into five platforms over weak checks, fines reaching A$49.5 million, and codes pushing age-assurance into search, app stores and messaging. The porn-only rule and the kids-only rule were the thin end. The principle is the wedge.

Lever two: the war on encryption

Late in 2024 the UK Home Office secretly ordered Apple, under the Investigatory Powers Act (the “Snooper’s Charter”), to crack its strongest iCloud encryption. Apple refused, pulled Advanced Data Protection from UK users, and went to court — a fight still running in 2026. Signal and WhatsApp say they’d quit a market before weakening end-to-end encryption.

The EU has pushed the same lever differently. Its “Chat Control” plan would force messaging apps to scan your messages on the device, before encryption — client-side scanning, which experts agree breaks encryption whatever it’s called. In a knife-edge vote, the European Parliament chose in late March 2026 to let the “voluntary” scanning permission lapse, and the interim regime expired in early April. Germany had already refused on constitutional grounds, likening blanket scanning to opening everyone’s post just in case. A reprieve, but not a burial: the permanent regulation is still alive in negotiations, with a decisive round expected mid-2026. That is how a ratchet behaves.

Within weeks of that vote, the same capability resurfaced in Britain wearing a child-safety badge. At London Tech Week on 8 June 2026, Prime Minister Keir Starmer gave Apple, Google and the rest three months to build “device-level controls” that stop children taking, sharing or viewing nude images — and if they refuse, the government will legislate, with fines and even jail for executives. The problem: to catch one image you must inspect every image on every device — client-side scanning by another name, the very thing the EU had just declined to mandate. Apple and Google already ship versions of it. Ministers insist nothing leaves the device and that adults can opt out — but only by first proving to the state they’re adults. The opt-out from surveillance is more surveillance; a scanner trained on nudity today can be retrained on anything tomorrow.

On this lever Australia didn’t follow — we led. The Assistance and Access Act 2018 already lets agencies compel “designated communications providers” — telcos, device makers and app developers, onshore and off — to access encrypted data, penalties in the millions. Britain’s fight with Apple is the UK catching up to a power we legislated six years earlier — and the device-scanning push shows where that road leads.

Lever three: your face and your file

Facial recognition is the part of the ratchet you can actually see. London’s Met has run live facial recognition since 2020, scanning roughly a million faces in 2025 alone. Permanent cameras went up in Croydon in October 2025; a national rollout with 40 camera vans followed in January 2026; and by early 2026, 13 of the 43 English and Welsh forces were using it, with a national matching service due for testing this year. A pilot becomes a network becomes a fixture.

Australia hasn’t banned it — it’s routine in airports and venues. The OAIC found Bunnings and Kmart breached the Privacy Act by scanning every customer who walked in, since biometric data needs consent. But those rulings weren’t a ban, and retailers are now lobbying to loosen the rules.

Then the file that makes a face useful: digital ID. The UK’s “BritCard” was meant to be mandatory for the right to work until three million people signed against it; the EU’s Digital Identity Wallet must be offered by every member state by end-2026; and Australia’s Digital ID Act, in force since December 2024, opens myID — already 15 million users — to the private sector from 30 November 2026. Each is sold on convenience, which is how the ratchet is always marketed.

The pattern: scope always widens after launch

Every one launches narrow, aimed at someone almost nobody will defend — child abusers, terrorists, fraudsters, kids at risk. That framing gets it passed. But the infrastructure doesn’t vanish; it sits there, fixed and paid for, and the only question is what else to point it at.

  • Age checks arrive for pornography, then reach social media, search and app stores — and finally the device’s operating system — within months.

  • Facial recognition starts as a handful of trials and ends as a national network with its own fleet of vans.

  • “Voluntary” digital ID begins in government and is wired into banking, renting and age-gating.

  • Client-side scanning is rejected in one country and, weeks later, reintroduced next door under a friendlier name.

The categories expand. The cameras and databases never contract. That is the ratchet.

Why this matters in Australia

It’s comforting to file this under “overseas news.” Don’t. On encryption Australia was upstream; on age verification and digital ID we’re in step — and the London device-scanning fight is the one to watch, because we already have the machinery to compel it and the codes to host it.

The deeper risk isn’t any single measure — the harms these laws target are real, and reasonable people can debate any one on its merits. The risk is cumulative: once the rails are laid, expanding their use costs almost nothing — no new infrastructure, just a new line in a regulation. And for businesses, each system is a fresh attack surface: a store of customer faces or verified identities is a liability the moment it exists.

What you can do now

You can’t repeal the ratchet from your living room, but you can refuse to be an easy target.

For individuals:

  • Harden the device, not just the apps. A hardened handset such as a GrapheneOS phone strips out the tracking an ordinary phone leaks by default.

  • Use genuinely private communications. End-to-end encrypted messaging keeps your conversations yours, whichever way the debate lands.

  • Add hardware security keys. A physical key shuts down the phishing and account-takeover no policy will fix for you.

  • Leave a smaller shadow. Share less, favour privacy-preserving age checks where they exist, and add a private SIM or Faraday pouch if your threat model calls for it.

For businesses:

  • Collect less. You can’t be compelled to hand over — or breached out of — data you never held. Data minimisation is now a security control.

  • Encrypt by default and know your exposure. Work out whether you fall within reach of a “designated communications provider” notice, and what your vendors must do.

  • Get ahead of the obligations. The new age-assurance codes and any biometric deployment carry real Privacy Act duties; treat identity data as a liability, not an asset to hoard.

  • Bring in expertise early. A risk audit, system hardening and a virtual CISO cost far less before an incident than after one.

A final word

The surveillance ratchet only turns one way, which is why the time to harden is before the next click, not after it. The UK is showing us the next few notches — most recently scanning on every phone — and on more than one lever Australia is already there. At Xiph Cyber we’ve made this case, and supplied the tools, for years: hardened devices, encrypted communications, security keys, and the consulting to use them well. To get ahead of where these laws are heading, contact us at enquiries@xiphcyber.com.
