Tug of War for Privacy: AI-enabled Surveillance Versus End-to-End Encryption (E2EE)
Justin Park
Introduction
Following the September 11 attacks of 2001, the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act was signed into law within weeks, carrying a name that told a political narrative before a word of it was read. The Act dramatically expanded the federal government's authority to intercept communications and share intelligence across agencies with limited democratic oversight. The acronym implied that to be a patriot was to support this, and to resist it was to side with the enemies. It framed the sacrifice of privacy as a civic duty. Two decades later, billions of people send private messages every day through platforms protected by end-to-end encryption (E2EE), a technology that ensures no actors outside of the sender and recipient can intercept the message's content. WhatsApp alone serves over two billion users worldwide (Statista, 2024), and for the first time in history, truly private communication has become an accessible commodity for ordinary people, not a luxury reserved for dissidents and security professionals. E2EE messengers created a privacy that the surveillance architecture established by the PATRIOT Act could not overcome. E2EE, when properly implemented, is effectively unbreakable. For a period following its mass adoption with WhatsApp and its successors, the relationship between state surveillance power and individual privacy maintained a tug of war (Kaye, 2017). The government demanded backdoors in the name of national security while libertarians and technologists fought back, and the math gave the advocates of privacy enough leverage to resist. That equilibrium is now collapsing because of artificial intelligence; mass surveillance is now possible without looking at the content of the message. 
This paper argues that AI is reshaping the balance between privacy and security, and between E2EE and intelligence gathering, on two fronts: as a surveillance tool capable of extracting meaningful intelligence from fully encrypted communications without the need for decryption, and as a driver of comprehensively defensive privacy tools. Existing governance frameworks are inadequate to either development. Without proactive policy, AI breaks the equilibrium, granting an unprecedented concentration of surveillance power to a small number of state and corporate actors and stripping individual users of their leverage for privacy.
The Development of End-to-End Encryption
Cryptography has always been an instrument of power. Wartime codes and intelligence communications have historically been controlled by states precisely because the ability to communicate secretly conferred strategic advantage. With the development of public-key cryptography in the 1970s, the public gained access to algorithms that allowed two parties to establish secure and private connections. States lost their monopoly on strong encryption. E2EE works by giving the sender and the receiver each their own private key, so that the message stays encrypted at every stage of communication. Even the service provider cannot access the content of the message (Signal Foundation, 2016). What made the technology even more revolutionary was how efficient it was. Decrypting the messages without the key essentially requires near-infinite compute, while encrypting is a simple mathematical procedure. The algorithm gave a structural advantage to the communicators over interceptors. Before Edward Snowden exposed the extent to which the U.S. government invaded Americans' privacy, E2EE existed primarily at the margins of consumer technology. It was technically demanding to deploy and computationally expensive given the era's computing limits. It was largely irrelevant to a general public that had no particular reason to believe their communications were being surveilled. Governments tolerated its existence. Snowden changed that. His 2013 disclosure of the NSA's PRISM program revealed the reality of mass surveillance of civilian communications (Greenwald and MacAskill, 2013), triggering a genuine societal reckoning with the tradeoffs citizens had implicitly accepted in the name of national security (Kaye, 2017). WhatsApp's adoption of the Signal Protocol in 2016 brought E2EE to over a billion users, transforming encryption from a niche security feature into an expected daily commodity (Signal Foundation, 2016).
The Snowden effect created the demand that technology companies were ready to supply. The proliferation of private communications strained the existing surveillance architecture.
Deployment of E2EE and Backlashes
Subsequently, E2EE posed immense threats to law enforcement and intelligence agencies. James Comey, a former director of the FBI, delivered a speech in 2014 at the Brookings Institution, introducing the phrase "going dark" to describe the existential crisis in investigative capability posed by the proliferation of E2EE (Comey, 2014). Even when lawfully authorized to retrieve messages, investigators could find only unintelligible texts. The political response was aggressive, and manipulative in some cases. The United Kingdom launched the "No Place to Hide" campaign, supported by the Home Office, deliberately associating E2EE with child predators across public advertising spaces (Pfefferkorn, 2022). The UK government found it easier to convince the public that E2EE is a criminal's tool than to find a way to decrypt E2EE. Stanford Law scholars characterized it as a voyeuristic and cynically designed propaganda effort that deliberately misrepresented the underlying technology and the population it actually served (Pfefferkorn, 2022). The campaign sought to discourage the public from using E2EE themselves and to reduce the political cost of attacking E2EE service providers. Australia went directly after the service providers, passing the Assistance and Access Act in 2018 (Hardy, 2022). The Act required service providers to provide backdoor access to law enforcement, breaching the full privacy of E2EE. The EU's attempted Chat Control regulation sought to mandate scanning of private messages for child sexual abuse material (CSAM), a requirement structurally incompatible with true E2EE (Electronic Frontier Foundation, 2026). The CSAM and terrorism arguments were not entirely false, though they were exaggerated and propagated for political purposes. At the end of the day, it was an attempt to shift the political cost of defending encryption onto libertarians and service providers. 
The struggle culminated in 2016, when the FBI sought a court order compelling Apple to develop software that could bypass the encryption of the San Bernardino attackers (EPIC, n.d.). The confrontation crystallized the stakes: full encryption cannot coexist with comprehensive intelligence. For a period, the equilibrium held. AI has since shifted it.
Development of AI as a Surveillance Tool
E2EE grants its users insurmountable structural leverage. It is computationally less demanding to send and receive fully encrypted messages than to attempt decryption. This shifts the cost to law enforcement. The critical moment of change arrived when it was found that encryption need not be broken to be undermined. Contemporary AI surveillance operates primarily on the informational layer above the content of the texts, called metadata (Schneier, 2015). Even if the encrypted message is inaccessible, the conditions of its transmission (when, where, how often, and so on) are not. Following this realization, surveillance implementation occurred quite quickly: the infrastructure to use AI for surveillance was already there. The vector embedding techniques (such as word2vec) that support modern large language models were already being used in surveillance applications well before the first release of an LLM. Intelligence actors widely used sentiment analysis and keyword expansion, drawing on the same mathematical foundations that later produced what we now call AI. LLMs made the job infinitely easier. Former NSA General Counsel Stewart Baker articulated the surveillance logic of metadata, stating that metadata absolutely tells you everything about somebody's life (Schneier, 2015). AI-powered algorithms can extrapolate social relationships and behavioral patterns from who communicates with whom, when, for how long, and with what frequency. Early surveillance systems relied on keyword searches and rule-based filters derived from the contents of the message. Now, AI enables surveillance and predictions without reference to message content (Feldstein, 2019).
AI as Cryptographic Defense
All that being said, AI is not a unidirectional threat to encryption. AI also has a more substantive role to play in defending privacy. Federated learning can enable AI models to be trained and used across distributed datasets without centralizing the underlying data. Differential privacy techniques allow statistical analysis of populations without exposing individuals. These are AI-adjacent privacy technologies in a meaningful sense. Their maturation could restructure the terms of the surveillance debate entirely, satisfying child protection and security objectives without requiring the backdoor access that cryptographers consistently identify as structurally untenable. Nevertheless, there is a stark asymmetry in who gets to use the underlying technologies. The asymmetry is simply that ordinary citizens cannot surveil governments or major technology platforms. The government and technology platforms have the technical capacity to use AI algorithms to surveil, while citizens do not. The asymmetry is intensified when one considers the cost of running an AI model. Operating an architecture that is entirely secure and private is incredibly inconvenient and costly. Governments and the largest technology corporations, in contrast, possess resources that no individual user or even civil organization can match. In any contest, the prevailing side will be the one that can sustain the most extended computation, structurally predetermining the winner as the government. E2EE before AI-enabled surveillance yielded structural advantages to users, disproportionately shifting the cost of decryption to the surveillance organizations. This dynamic is reversed as AI-enabled surveillance resets the structure in favor of organizations with more resources, further centralizing surveillance powers.
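The differential privacy technique mentioned above, applied to the kind of message metadata discussed in the previous section, as an added example that is not part of the original paper: a messages-per-hour histogram is released with Laplace noise after each user's contribution is capped, so the aggregate stays useful while no single user's presence can be confidently inferred from it. The sample records, the function names, and the epsilon and max_per_user parameters are assumptions made for illustration.

```python
import random
from collections import Counter, defaultdict

# Constructed sample (assumption): one (user_id, hour_of_day) pair per message
# sent. This is metadata only; no message content is involved.
SAMPLE_RECORDS = (
    [("alice", 9)] * 3 + [("bob", 9)] * 2 + [("carol", 22)] * 40 + [("dave", 13)]
)


def laplace_noise(scale, rng=random):
    """Draw from Laplace(0, scale) as the difference of two exponentials."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def clip_contributions(records, max_per_user):
    """Keep at most max_per_user records per user, in input order.

    Without this cap a heavy user (carol above) could shift a bin by an
    unbounded amount, and no finite noise scale would hide her presence.
    """
    kept, seen = [], defaultdict(int)
    for user, hour in records:
        if seen[user] < max_per_user:
            seen[user] += 1
            kept.append((user, hour))
    return kept


def dp_hourly_histogram(records, epsilon, max_per_user, noise=laplace_noise):
    """Return 24 noisy messages-per-hour counts with user-level epsilon-DP."""
    if epsilon <= 0 or max_per_user < 1:
        raise ValueError("epsilon must be > 0 and max_per_user >= 1")
    clipped = clip_contributions(records, max_per_user)
    counts = Counter(hour for _, hour in clipped)
    # Adding or removing one user changes the histogram by at most
    # max_per_user in L1 norm, so that is the sensitivity.
    scale = max_per_user / epsilon
    # Every one of the 24 fixed bins gets noise, including empty ones:
    # publishing only non-empty bins would itself reveal who was active.
    return [counts[h] + noise(scale) for h in range(24)]


if __name__ == "__main__":
    random.seed(7)  # fixed seed only so the demo output is repeatable
    noisy = dp_hourly_histogram(SAMPLE_RECORDS, epsilon=1.0, max_per_user=5)
    for hour in (9, 13, 22):
        print(f"hour {hour:02d}: noisy count {noisy[hour]:.1f}")
```

A smaller epsilon gives a larger noise scale and therefore stronger privacy at the cost of accuracy; the cap on per-user contributions is what makes that scale finite.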
Sociopolitical Impacts
Following the asymmetry of resources, democratic governments can implement a surveillance environment over dissidents, journalists, and minority communities with limited accountability (Feldstein, 2019). Democratic accountability requires that power be visible and contestable. Surveillance that is technically invisible and legally opaque will further erode the checks and balances that democratic governance depends on. The other lens is more insidious in that it is voluntary. The CEO of Proton, an E2EE provider, Andy Yen, contended that the biggest threat posed by AI to their services is caused by users giving up agency. As users invite AI agents to act on their behalf, they are voluntarily surrendering the informational privacy that E2EE was designed to protect (Yen, 2024). Apple Intelligence, Google Gemini integrated into Gmail, and Microsoft Copilot all process, to varying degrees, the content that encryption locks away from third parties. The encryption remains technically intact; the user simply consents to having the content processed by a platform AI before or after the encrypted transmission occurs. Privacy becomes harder to defend not through legal compulsion but through the accumulated transactions of billions of users choosing convenience over agency and privacy. The result is the same concentration of data and inference power achieved through consent rather than coercion.
Ethical Impact
A democratic governance of the interaction of these technologies should consider its effect on equity as well. AI surveillance does not fall equally across populations, nor can it be fought back equally. Research consistently documents the disproportionate policing of Black and Muslim communities under existing surveillance programs in the United States, and the use of predictive policing tools that concentrate enforcement in already over-policed neighborhoods (ACLU, 2016). The cost of using E2EE services is a significant factor as well. As AI-enabled attacks on privacy rise, E2EE providers will struggle with two factors that will raise their operating costs: they will need to ensure that their services leak no data or metadata, and they will need to do so while complying with law enforcement. Rising costs for E2EE providers will render their services less accessible to populations who cannot afford them. Lower-income households will face asymmetric exposure to surveillance. A governance framework that treats privacy as a universal but undifferentiated interest obscures the extent to which surveillance's costs are distributed unequally along existing lines of vulnerability.
Policy Response
One may wonder if privacy and security are truly mutually exclusive. Why can the service providers not create a backdoor that only law enforcement can use? Udbhav Tiwari, Vice President at Signal, refuted this commonly sought-after solution. The mathematics of encryption do not distinguish between legitimate and illegitimate access. Mandating backdoors makes every user less secure, including against the criminal actors whose activities governments invoke to justify the mandate. "Vulnerability in one is vulnerability in all," he said (Tiwari, 2024). His position is consistent with the long-standing consensus among cryptographers that exceptional access mandates introduce systemic vulnerabilities. Rather, there are a few things policymakers can do. Legal frameworks should extend meaningful protection to metadata, not just content. The third-party doctrine in U.S. constitutional law (under which information shared with third parties carries no Fourth Amendment protection) is poorly suited to an environment where metadata is as informationally useful and invasive as the content it accompanies. Furthermore, lawmakers should prohibit the purchase of commercially collected data as a surveillance workaround. The legal restrictions on direct government surveillance are largely ineffective when the same data is purchasable through data brokers at no legal threshold at all (NPR, 2026).
Conclusion: Struggle for a Solution to a "Problem"
But there is an elephant in the room that none of these proposals confronts directly: is any of this even democratic? The framing that runs through most policy discussions of E2EE (including, candidly, much of this paper to this point) assumes that the proper task is to identify the correct balance between security and privacy and then implement it through regulation. This framing implies condescension, that the policymakers are the ones who ought to make a decision over how much of citizens' privacy must be sacrificed. The government's role in a democratic society is not to determine, on behalf of citizens, how much liberty they should be willing to trade for safety. It is to execute the choices that citizens, through democratic processes, actually make. If a population, with full information about the tradeoffs, decides that it would rather accept a higher risk of terrorist attack than build a permanent infrastructure of mass surveillance, that is a legitimate democratic choice. If it decides the opposite, that too is legitimate. What is not legitimate is the position that the experts are entitled to set the balance themselves because the public cannot be trusted to weigh these questions correctly. The implication is uncomfortable for technocratic policy proposals, including the ones offered above. Prohibiting government data purchases and extending metadata protections are defensible policies, but their legitimacy depends not on their technical merits but on whether they reflect what the governed have actually consented to. The deeper governance failure is not that the privacy-security balance is wrong. It is that the balance has been set by a small number of state and corporate actors operating largely outside democratic deliberation. The first task of policymakers is therefore not to fix the balance, but to simply ask their constituents: do you want this? 
Works Cited
ACLU (2016) Statement of concern about predictive policing by ACLU and 16 civil rights, privacy, racial justice, and technology organizations. Available at: https://www.aclu.org/documents/statement-concern-about-predictive-policing-aclu-and-16-civil-rights-privacy-racial-justice (Accessed: 4 May 2026).
Comey, J.B. (2014) Going dark: are technology, privacy, and public safety on a collision course? Speech at the Brookings Institution, 16 October. Available at: https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course (Accessed: 4 May 2026).
Electronic Frontier Foundation (2026) EU Parliament blocks mass scanning of our chats: what's next? Available at: https://www.eff.org/deeplinks/2026/04/eu-parliament-blocks-mass-scanning-our-chats-whats-next (Accessed: 4 May 2026).
EPIC (n.d.) Apple v. FBI. Electronic Privacy Information Center. Available at: https://epic.org/documents/apple-v-fbi-2/ (Accessed: 4 May 2026).
Feldstein, S. (2019) The global expansion of AI surveillance. Carnegie Endowment for International Peace. Available at: https://carnegieendowment.org/research/2019/09/the-global-expansion-of-ai-surveillance (Accessed: 4 May 2026).
Greenwald, G. and MacAskill, E. (2013) 'NSA Prism program taps in to user data of Apple, Google and others', The Guardian, 7 June. Available at: https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data (Accessed: 4 May 2026).
Hardy, K. (2022) 'Assistance and Access: an Australian template for global encryption policy?', Computer Law & Security Review, 45. Available at: https://www.sciencedirect.com/science/article/pii/S0267364922000073 (Accessed: 4 May 2026).
Kaye, D. (2017) Snowden effect: can we undo the damage to American power? Center for Strategic and International Studies. Available at: https://www.csis.org/analysis/snowden-effect-can-we-undo-damage-american-power (Accessed: 4 May 2026).
NPR (2026) ICE surveillance, data brokers, and Congress, 25 March. Available at: https://www.npr.org/2026/03/25/nx-s1-5752369/ice-surveillance-data-brokers-congress-anthropic (Accessed: 4 May 2026).
Pfefferkorn, R. (2022) The UK has a voyeuristic new propaganda campaign against encryption. Stanford Law School. Available at: https://law.stanford.edu/press/the-uk-has-a-voyeuristic-new-propaganda-campaign-against-encryption/ (Accessed: 4 May 2026).
Schneier, B. (2015) Data and Goliath: the hidden battles to collect your data and control your world. New York: W.W. Norton. Cited in Wired. Available at: https://www.wired.com/2015/03/data-and-goliath-nsa-metadata-spying-your-secrets/ (Accessed: 4 May 2026).
Signal Foundation (2016) WhatsApp's Signal Protocol integration is now complete. Available at: https://signal.org/blog/whatsapp-complete/ (Accessed: 4 May 2026).
Statista (2024) Number of monthly active WhatsApp users worldwide. Available at: https://www.statista.com/statistics/260819/number-of-monthly-active-whatsapp-users/ (Accessed: 4 May 2026).
Tiwari, U. (2024) Digital governance and democratic renewal [Public event]. Columbia University, New York. Available at: https://visit.columbia.edu/events/digital-governance-democratic-renewal-udbhav-tiwari-signal (Accessed: 4 May 2026).
Yen, A. (2024) Proton CEO Andy Yen interview: AI, privacy, and security. Interview by Semafor, published in ZDNet. Available at: https://www.zdnet.com/article/proton-ceo-andy-yen-interview-ai-privacy-security-semafor/ (Accessed: 4 May 2026).