Policy debates around content scanning and government access to encrypted data are often framed as straightforward solutions to complex online harms. The premise is simple: modest technical adjustments can meaningfully reduce serious risks. But access mandates weaken cybersecurity, and our new research shows that – when survey respondents are presented with the realistic tradeoffs – public support for these policy mandates declines. Support seems to rest on unrealistic assumptions about scanning’s effectiveness and overlooks how people actually prioritize privacy, security, and safety.

Our whitepaper analyzes survey data from four Nordic countries. When asked to weigh privacy, security, and safety, a majority of respondents prioritize protecting their data and securing their devices over detecting or preventing the spread of harmful content. Because backdoor access and content scanning require weakening encryption, support for these measures declined when those tradeoffs were made explicit. Additionally, respondents had no consensus on which institutions they would trust to oversee systems with backdoor access to digital content. This fragmentation matters: any system with such expansive access would require credible, durable governance in order to be seen as legitimate.

These findings point to a disconnect between policymakers and the public. Respondents define safety as protection from adversarial harms – hacking, fraud, and unauthorized access – while policymakers often focus on preventing the spread of harmful content. Policies that degrade baseline security in the name of safety risk undermining the very outcome they seek to achieve. Addressing harmful content is important, but solutions should not come at the expense of privacy and security.

Addressing serious online harms is necessary. But framing the issue as a tradeoff between privacy and safety obscures an important reality: for most users, security is safety. Policies that weaken encryption or introduce systemic access mechanisms are unlikely to deliver their intended benefits and are likely to erode public trust.

A More Grounded Approach

Given this uncertain effectiveness and fragmented trust, our whitepaper presents the following recommendations based on our survey results to policymakers to adopt a more grounded approach to harmful online content regulation. Rather than broad mandates, they should:

• Start with a presumption of strong security. Encryption and device security should be treated as baseline protections. Proposals that alter these systems must meet a high bar: clear necessity, narrow scope, and demonstrated proportionality, supported by rigorous cybersecurity and privacy impact assessments that account for system-wide risks.
• Prioritize targeted, case-specific tools. System-wide mandates are technically blunt and politically fragile. More effective approaches focus on specific actors and investigations—such as lawful endpoint access, improved investigative coordination, and disruption of criminal networks—without introducing persistent vulnerabilities.
• Require evidence before imposing mandates. Many proposals rely on optimistic assumptions about performance. Policymaking should instead be grounded in empirical validation, with transparency around error rates and ongoing evaluation. Where evidence is limited or speculative, systemic mandates should not proceed.

‍