Ireland Wants Police Access to ALL Encrypted Messages
Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.
The Irish government just announced plans to give police unprecedented surveillance powers. Under the proposed Communications (Interception and Lawful Access) Bill, law enforcement will be able to use spyware to access your devices, deploy IMSI catchers to track your phone, and intercept all forms of communication - "encrypted or not."
This isn't just an Irish issue. Ireland is the European headquarters for Apple, Google, Meta, Microsoft, and dozens of other tech giants. What happens in Ireland doesn't stay in Ireland - it sets precedents for the entire EU and potentially influences how these companies handle privacy globally.
In this article, we'll break down exactly what Ireland is proposing, explain the surveillance technologies involved, and discuss what this means for your privacy - even if you don't live in Ireland.
What Ireland is Proposing
On January 20, 2026, Irish Minister for Justice Jim O'Callaghan announced government approval for new surveillance legislation. The Communications (Interception and Lawful Access) Bill will replace the outdated 1993 Act, which was written before the internet, smartphones, and encrypted messaging existed.
Here's what the new law would allow:
1. Police Spyware
The bill provides a legal basis for covert surveillance software - commonly called spyware. This software can:
- Gain access to some or all data on your device
- Covertly record communications made using a device
- Disrupt the functioning of IT networks "used for unlawful purposes"
In plain terms: Irish police could install software on your phone or computer that reads your messages, accesses your files, and monitors your activity - all without you knowing.
2. IMSI Catchers (Stingrays)
The legislation explicitly authorizes electronic scanning equipment that can locate and record identifier data from mobile devices. These are commonly called IMSI catchers or Stingrays.
We'll explain exactly how these work in a moment, but the key point is: these devices can identify every phone in a specific area, allowing police to track who was at a particular location at a particular time.
3. All Communications, Encrypted or Not
Perhaps the most concerning provision is this statement from the government announcement:
From the official press release:
"The legislation will provide for a clear statement of general principle that lawful interception powers apply to all forms of communications, whether encrypted or not, and can be used to obtain either content data (the substance of a communication) or related metadata."
This means WhatsApp, Signal, iMessage, Telegram - if you use it to communicate, Ireland wants the legal authority to intercept it.
4. Metadata Collection
Beyond message content, the law explicitly covers metadata: phone call times, email timestamps, sender/receiver information, device geolocation, and IP addresses. Metadata often reveals more about your life than message content itself.
What is an IMSI Catcher?
An IMSI catcher (International Mobile Subscriber Identity catcher), also known as a Stingray, cell-site simulator, or fake base station, is one of the most powerful surveillance tools available to law enforcement.
How IMSI Catchers Work
Your mobile phone is constantly searching for cell towers to connect to. It automatically connects to the tower with the strongest signal. An IMSI catcher exploits this behavior:
- Mimics a cell tower: The device broadcasts a signal that looks like a legitimate cell tower
- Forces connection: It broadcasts a stronger signal than real towers, forcing nearby phones to connect
- Captures identifiers: When your phone connects, it transmits its IMSI (subscriber identity on SIM) and IMEI (device hardware identity)
- Forwards traffic: The device then passes your connection to a real tower, so you don't notice anything unusual
| Data Captured | What It Reveals |
|---|---|
| IMSI | Your SIM card identity - links to your phone number and account |
| IMEI | Your device's unique hardware ID - identifies your specific phone |
| Location | Your precise position when connected |
| Call metadata | Who you called, when, and for how long |
| SMS content | Text messages (if not using encrypted apps) |
The Dragnet Problem
Here's the privacy concern: IMSI catchers don't just target one person. They capture data from every phone in range. If police deploy one outside a protest, political meeting, or journalist's office, they collect identifiers from everyone present - not just their target.
The Irish bill mentions using these devices "in specific defined locations (e.g., outside a single property)" - but the technology doesn't discriminate. Every phone in that area gets swept up.
Privacy Risk: IMSI catchers can also force your phone to downgrade from 4G/5G to 2G, where encryption is weaker or nonexistent. This makes it easier to intercept actual call content, not just metadata.
Can They Really Break Encryption?
The bill's claim to access "all forms of communications, whether encrypted or not" sounds alarming. But it's important to understand what this actually means technically.
What They Can Do
End-to-end encryption (like Signal, WhatsApp, or iMessage) is mathematically secure. Police can't break the encryption itself. However, they have several ways around it:
- Spyware: Install software on the device that reads messages before they're encrypted or after they're decrypted
- Compel providers: Force service providers to assist with interception (though providers like Signal can't comply even if ordered to)
- Exploit vulnerabilities: Use security flaws in devices or apps to gain access
- Metadata: Even if they can't read your messages, they can see who you're talking to, when, and how often
What They Can't Do
If you use a properly implemented end-to-end encrypted service, and your device isn't compromised by spyware, authorities cannot read your message content in transit. The math is sound.
The danger is at the endpoints - your device and the recipient's device. That's why spyware provisions are so concerning. Why break encryption when you can just read the screen?
Why Ireland Matters Globally
You might be thinking: "I don't live in Ireland, why should I care?" Here's why this matters to everyone:
Ireland is Europe's Tech Hub
Due to favorable tax laws and EU membership, Ireland hosts the European (and often global) headquarters of:
- Apple - European HQ in Cork
- Google - European HQ in Dublin
- Meta (Facebook, Instagram, WhatsApp) - European HQ in Dublin
- Microsoft - European HQ in Dublin
- Amazon - Major operations in Dublin
- X (Twitter) - European HQ in Dublin
- TikTok - European data operations in Dublin
When Ireland passes laws affecting these companies, it influences how they operate across Europe - and often globally.
EU Precedent Setting
The Irish bill references the EU Commission's June 2025 "Roadmap for lawful and effective access to data for law enforcement." This is part of a broader EU push to address encrypted communications. What Ireland does will likely influence similar legislation across the bloc.
The bill also mentions compliance with the Council of Europe's Budapest Convention on Cybercrime, which has 68 member countries. Ireland is positioning this legislation as meeting international obligations, making it a template for others.
The "Going Dark" Narrative
Law enforcement worldwide uses the "going dark" argument: criminals are using encryption, and police are losing visibility. The EU Commission's roadmap states that "around 85% of criminal investigations now rely on electronic evidence."
This creates pressure across all democratic countries to expand surveillance powers. Ireland isn't alone - the UK's Online Safety Act, Australia's encryption laws, and similar proposals in other countries follow the same pattern.
The Safeguards (And Their Limits)
To be fair, the Irish proposal does include oversight mechanisms:
- Judicial authorization: For the first time, judges (not just ministers) will authorize interception requests
- Serious crime threshold: Powers are limited to "serious crime and threats to national security"
- Independent oversight: The Independent Examiner for Security Legislation will monitor the law's use
- Complaints process: A referee process for citizens who believe they were improperly surveilled
- Privileged material: Special considerations for legally privileged communications
Why Safeguards Often Fail
History shows that surveillance powers tend to expand over time, and safeguards erode:
- Mission creep: Powers granted for terrorism get used for minor crimes
- Rubber-stamp courts: Specialized surveillance courts rarely deny requests (the US FISA court approved 99.97% of requests in 2020)
- Secret interpretation: How the law is actually applied is often classified
- Bulk collection: IMSI catchers inherently collect data on everyone, not just targets
Historical Context: The bill replaces Ireland's 1993 interception law. In 33 years, we've gone from landline wiretaps to device-level spyware. What will "reasonable" surveillance look like in 2059?
How Can You Protect Your Privacy?
No security measure is 100% effective against state-level surveillance with legal authority and spyware capabilities. However, these steps significantly increase your privacy:
1. Use End-to-End Encrypted Messaging
Signal remains the gold standard. Unlike WhatsApp (owned by Meta), Signal is open-source, non-profit, and designed from the ground up for privacy. Even if authorities compel Signal to hand over data, there's nothing to hand over - they don't have your messages or metadata.
2. Use a VPN
A VPN encrypts your internet traffic and hides your IP address from websites and your ISP. While it won't stop spyware on your device, it:
- Prevents your ISP from logging which websites you visit
- Hides your real IP address from websites
- Encrypts traffic on untrusted networks
- Makes mass surveillance more difficult
We recommend NordVPN for its strong no-logs policy, fast speeds, and consistent security audits.
Check Your VPN: After connecting to your VPN, visit myip.foo to verify your IP address is hidden. Use our DNS leak test and WebRTC leak test to ensure complete protection.
3. Keep Devices Updated
Spyware often exploits known vulnerabilities. Software updates patch these holes. Enable automatic updates on all devices and install them promptly.
4. Use Strong Authentication
- Strong, unique passwords for every account (use a password manager)
- Two-factor authentication (2FA) - preferably hardware keys or authenticator apps, not SMS
- Biometrics with caution - in some jurisdictions, police can compel fingerprint/face unlock but not passwords
5. Be Aware of Your Threat Model
Most people aren't targets of state surveillance. But if you're a journalist, activist, lawyer, or work with sensitive information, take extra precautions:
- Use separate devices for sensitive work
- Consider GrapheneOS or other security-focused mobile operating systems
- Assume your phone's location is always tracked
- Meet sensitive contacts in person when possible
Common Questions
Is Ireland banning encryption?
No. The bill doesn't ban encryption or require backdoors. Instead, it gives authorities legal powers to access communications through other means: spyware, compelling service providers, and intercepting at endpoints. Encryption itself remains legal.
When will this law take effect?
The government has approved developing the legislation, but the actual bill hasn't been drafted yet. Minister O'Callaghan stated he intends to publish the General Scheme during 2026 and will "consult widely with stakeholders." It could be 2027 or later before it becomes law.
Does this affect tourists and visitors?
If you're in Ireland, you're subject to Irish law. Your communications while in the country could potentially be intercepted under these powers. However, the stated purpose is serious crime and national security, not tourists checking email.
What about business communications?
The bill mentions that authorities will "work with the technology sector in Ireland which is a key stakeholder." For businesses, this raises questions about confidentiality, trade secrets, and legal privilege. The bill does mention "explicit statutory obligation to outline any issues that may arise with regard to privileged material."
Can I detect if spyware is on my device?
Sophisticated state-level spyware like Pegasus is extremely difficult to detect. Signs might include unusual battery drain, data usage, or device behavior. Tools like Amnesty International's Mobile Verification Toolkit can help, but there's no guaranteed detection method.
Conclusion
Ireland's proposed surveillance law represents a significant expansion of police powers into the digital age. The combination of spyware, IMSI catchers, and explicit authority over encrypted communications creates a comprehensive surveillance toolkit.
While the bill includes judicial oversight and limitations to serious crime, history teaches us that surveillance powers tend to expand, and the technology involved - especially IMSI catchers - is inherently indiscriminate.
For individuals, the message is clear: don't rely on the law to protect your privacy. Use encryption, verify your VPN isn't leaking, keep devices updated, and be conscious of your digital footprint.
For the tech industry and civil society, Ireland's legislation deserves close scrutiny during the drafting process. The decisions made in Dublin will echo across Europe and potentially worldwide.
Protect Your Privacy Today
Start by checking if your current setup is secure. Visit myip.foo to see what information websites can see about you. Test for DNS leaks and WebRTC leaks to ensure your VPN is working properly.