Surveillance around the world is increasing. Since the last decade, it has been growing in more and more countries. The noose is being tightened gradually, then all at once – if things continue at this pace, in a few years, it should already be beyond what most people consider bearable today.
No single actor is building “the surveillance stack.” There is no central planning office, no master document, no coordinated rollout. What there are, instead, is dozens of separate proposals, each justified on its own narrow terms, each pushed by different actors with different motivations. They look unrelated until you sketch them on the same page. Then the architecture becomes uncomfortably clear: the pieces being built independently fit together with the precision of a designed system, because the underlying problem each is “solving” is the same problem. Ordinary people have private spaces of action governments and corporations can’t easily monitor, and the people building the pieces don’t want that to remain true.
What follows is my attempt to organize the threats by source, distinguish what’s already deployed from what’s merely proposed, and resist the temptation to either catastrophize or dismiss. Each item is something operating today, currently in legislative motion, or seriously proposed as of mid-2026.
Governments — the identity layer
The identity layer establishes who you are at every level of the stack: which SIM card, which app store account, which OS, which developer published the apps you run. None of these alone is total surveillance. Together, they make every device an identifiable extension of a real human, available to be cross-referenced.
SIM card KYC is required in over 150 countries already. The United States is now considering an FCC proposal from April 2026 that would extend identity verification to phone number issuance — bringing the U.S. in line with most of the rest of the world rather than ahead of it. Final rule earliest 2027, with litigation likely.
App store age verification is rolling out across U.S. states with staggered deadlines. Texas SB2420 took effect January 2026 but is currently enjoined by a federal court on First Amendment grounds. Utah’s compliance deadline is May 2026 with enforcement starting December 2026. Louisiana follows in July 2026. California’s AB 1043 starts January 2027. The mechanism is uniform: upload a government ID to Apple or Google, possibly with a biometric selfie, before creating or modifying accounts.
OS-level age attestation is the next layer up. California AB 1043 requires operating systems themselves to verify and expose user ages to apps. The federal Parents Decide Act would mandate verified rather than self-attested age. Brazil has already passed similar legislation. The architecture shifts the trust anchor from “user chooses what to share” to “OS chooses for the user, and the manufacturer holds the keys.”
Developer KYC is the part that closes the F-Droid-style distribution loophole. Google Android requires developer identity verification starting September 2026 in Brazil, Indonesia, Singapore, and Thailand, going global through 2027. Apps from unverified developers cannot be installed on certified Android devices via normal channels. ADB sideloading and an “advanced flow” remain as escape hatches for technical users; the median user loses sideloading entirely.
Foreign service KYC completes the picture. The UK Online Safety Act requires age verification for adult sites; Reddit, X, Grindr, Tinder, and Discord all now require ID for UK users. The EU’s age verification “mini wallet” became feature-ready April 2026. Australia bans under-16s from Facebook, Instagram, TikTok, X, YouTube, Snapchat, Reddit, Threads, Twitch, and Kick as of December 2025.
Governments — the communications layer
This is the most-defended layer, and the one where resistance has the best track record. The proposals keep coming back; they keep being beaten back; they keep returning in slightly modified forms.
Mandatory client-side scanning of encrypted messages is the EU’s signature push. Chat Control 1.0 was rejected by the European Parliament by a single vote in March 2026. Chat Control 2.0 is in trilogue throughout 2026, and the framing has shifted from “mandatory scanning” to “risk mitigation measures” — which pressures platforms to scan voluntarily without explicit mandate. Same destination, softer mechanism.
CA mandates and TLS interception have been attempted multiple times. Kazakhstan tried in 2015, 2019, and 2020; each attempt was defeated by Mozilla and Google blocking the cert. The EU’s eIDAS Article 45 was partially defeated in 2024, with the legal text now explicitly preserving browser independence — but the implementing acts are still being negotiated at ETSI. Russia’s Trusted Root CA exists but is honored only by domestic browsers (Yandex, Atom).
Network-level filtering and deep packet inspection is the durable infrastructure that’s been built across most jurisdictions. Russia has TSPU boxes at every ISP. China’s Great Firewall actively attacks obfuscated protocols within minutes of new server activation. The UK has SNI-based blocks. France has lobbied against deployment of Encrypted Client Hello because it would break their court-ordered website blocks. Italy’s Piracy Shield blocks at the network level with no judicial review.
VPN and circumvention restrictions are the natural extension. The UK House of Lords accepted an amendment to extend age verification to VPNs. Russia blocks most foreign VPN services. Pakistan, India, and Iran restrict VPN usage. The pattern is consistent: as content blocks expand, circumvention tools come under pressure next.
Governments — the device layer
This is where the real frontier is. The communications layer can be defended cryptographically. The device layer cannot, because the device sits inside the cryptographic boundary by definition.
OS-level content scanning mandates are the explicit version. The UK Home Office’s December 2025 proposal demands that Apple and Google add nudity detection to iOS and Android, with content blocked by default unless users prove adulthood via biometrics or ID. Officials have indicated this could become mandatory for any device sold in the UK. The architectural significance is that scanning happens at a layer beneath apps, which means encrypted messengers and custom WebViews offer no protection — the scan happens after rendering, before any encryption applies.
Mandatory preinstalled software is the Russian model, in production since 2022. All devices sold in Russia must ship with Yandex Browser and Kaspersky Internet Security. The infrastructure required for any country to mandate domestic browsers and CAs preinstalled exists; what’s missing is political will, which can change quickly.
Locked bootloader mandates haven’t been legislated anywhere yet, but the technical capacity exists in every device shipped in the last five years. A future mandate would close the custom-ROM escape hatch — GrapheneOS, LineageOS, /e/OS — that currently lets technical users opt out entirely.
Governments — the reporting and accountability layer
This layer is the most nascent. Most of the technical infrastructure exists; what’s missing is the legal hooks that turn it from corporate convenience to government surveillance pipeline.
“Trusted flagger” infrastructure is being built into the EU’s Digital Services Act framework. It empowers designated organizations with privileged platform access. Currently for content takedowns. The scope can expand.
Lawful intercept and assistance laws already exist in most Western democracies. The UK Investigatory Powers Act, Australia’s Assistance and Access Act, and U.S. national security letters can compel manufacturers to add capabilities to existing products for specific surveillance targets. Currently used narrowly. The legal authority for broader use exists and has been tested in court.
Compelled data exfiltration is the bluntest form. The UK demanded Apple break iCloud encryption in October 2025, with the order limited to UK users. Apple has threatened to withdraw encrypted services rather than comply. The standoff is ongoing.
Corporations — the default surveillance layer
Where governments need legislation, corporations need only feature releases. Most of the surveillance infrastructure currently in homes was installed voluntarily, often as a convenience feature.
On-device AI surveillance is the new frontier. Microsoft Recall takes screenshots of your screen every few seconds, runs OCR and image classification on them, and stores the results in a local encrypted database. Apple Intelligence and Visual Intelligence run on-device classification of photos and screen content. Google does the equivalent across Photos, Lens, and various assistant successors. The architectural pattern is the same: classification runs locally, results stay on device — for now. The reporting hooks aren’t built into these features today. They’re one regulation away.
Always-on listening devices are now standard hardware in homes, cars, and most TVs. Amazon Alexa, Google Assistant, Apple Siri, Samsung TVs, Tesla and Mercedes voice systems. Apple, Amazon, and Google were all caught in 2019 with contractors listening to recordings, including, by their own admission, sex, drug deals, and confidential business. The technical capacity for ambient surveillance of homes is already deployed. The constraint is policy, and policy is changeable.
Cloud sync defaults quietly moved most consumer data to corporate servers over the last decade. iCloud Photos, Google Photos, OneDrive, Dropbox all default to uploading content where it’s scannable, subpoenable, and subject to terms-of-service-based access. The “off by default” stance has eroded across all major platforms.
Telemetry is universal at this point. Windows, macOS, iOS, and Android all phone home extensively by default. Crash reports, usage analytics, performance data. Most can be disabled but require expertise. Some enterprise versions cannot disable it.
Corporations — the platform control layer
Surveillance is one threat. Distribution gatekeeping is another. Both reduce the space of practical alternatives, and they reinforce each other.
App store gatekeeping is the original platform control mechanism. Apple controls iOS distribution. Google controls Android distribution for certified devices. Both have removed apps under government pressure in China and Russia, including encrypted messengers and VPNs. Android’s new developer verification extends this control to sideloaded apps as well.
Browser engine restrictions are how Apple maintains its iOS chokepoint. The EU Digital Markets Act explicitly forbade banning third-party browser engines. As of mid-2026, fifteen months after the law took effect, no major browser has shipped a non-WebKit engine on iOS. Apple’s compliance architecture requires browser vendors to build a separate EU-only app, abandon their existing users, and wait for a content filtering API that won’t ship until March 2026. The EU fined Apple €500 million in April 2025 for non-compliance. Apple is appealing.
Attestation primitives are deployed across browsers and operating systems. Chrome’s Private Access Tokens, Apple App Attest, Android’s Play Integrity API. Currently used for fraud prevention. The Web Environment Integrity proposal in 2023 was the first attempt to expose these to all websites as a generic capability; it was defeated by developer backlash. The underlying primitives remain deployed and waiting for a regulatory hook.
CDN and DNS chokepoints concentrate the web’s traffic in a small number of corporations. Cloudflare, Fastly, Amazon, and Google route most consumer web traffic. Voluntary takedowns under government pressure are increasingly common. Cloudflare has refused to block content multiple times and has done so at least twice — Daily Stormer and Kiwi Farms — both under intense pressure.
Browser vendor concentration is the load-bearing structural issue. Mozilla’s funding is approximately 85% from a Google search deal. The pending Google antitrust ruling could end this deal and eliminate Firefox as a viable independent browser. Without Firefox, only Chromium (Google) and WebKit (Apple) remain as engines, both controlled by companies with significant regulatory exposure. Browser diversity is the structural protection that defeated Kazakhstan and watered down eIDAS. It exists because Firefox exists.
Corporations — the indirect pressure layer
This is the slow-boil version. No single mandate, no single feature release, but a steady accumulation of friction against unsurveilled use.
Insurance and employer requirements increasingly tie economic outcomes to monitored devices. Insurance discounts for telematics-equipped cars and health trackers. Employer monitoring software for remote work. These create economic pressure to accept surveillance even where it’s technically optional.
Banking and payment exclusion is among the most powerful chokepoints because payment infrastructure is functionally unavoidable. Some banks now refuse customers who use Tor, certain VPNs, or hardened browsers. Stripe, PayPal, and others routinely deplatform legal-but-disfavored businesses, often with no recourse.
Captcha and “are you human” walls make the web nominally open but functionally closed for users outside the attested mainstream. Cloudflare Turnstile, hCaptcha, and reCAPTCHA increasingly classify privacy-respecting browsers as suspicious. Hardened Firefox, LibreWolf, and Tor users get challenged repeatedly or blocked outright. No law requires this; it’s emerging from risk-scoring vendors selling fraud-prevention products to platforms.
How the pieces interlock
Each threat above is justified on its own terms, by its own actors, with its own narrow rationale. Read together, they describe a coherent system.
The identity layer creates the prerequisite for the others. Once identity is established at the SIM, account, and device levels, the carve-outs that make surveillance politically viable become possible — powerful users get exemptions, ordinary users get watched. The two-tier structure is what allows surveillance regimes to pass legislatures, because the legislators voting on them aren’t subject to them.
The device layer creates the surveillance endpoint. Once content is scanned on the device before encryption, the cryptographic protections at the communications layer become irrelevant. The encryption is mathematically intact; the endpoint is no longer fully controlled by the user.
The communications layer is the most-defended. Mass scanning has been beaten back repeatedly through organized resistance. This is the layer where the privacy community’s track record is genuinely strong, and where continued vigilance is most clearly load-bearing.
The reporting layer is nascent. Direct OS-to-government reporting hooks haven’t been built at scale yet. The UK’s December 2025 proposal is the leading edge — the first explicit attempt to mandate that the device itself snitch on its owner.
The platform control layer determines whether alternatives can exist at all. Browser diversity, app distribution diversity, and engine diversity are the structural protections. All three are narrowing, and the loss of any one of them substantially constrains the alternatives available to everyone.
A society with all five layers complete has the technical infrastructure for total surveillance with elite carve-outs. We are perhaps 40% of the way there. Whether that infrastructure becomes a dystopia depends on political choices, not technical ones.
What’s been defeated
The trajectory is alarming. The track record is genuinely good.
Kazakhstan’s CA mandate was attempted three times — 2015, 2019, 2020 — and defeated each time when Mozilla and Google added the cert to a blocklist. The Kazakh government eventually gave up.
Apple’s NeuralHash CSAM scanning was withdrawn in 2022 after a year of public backlash from cryptographers, security researchers, and privacy advocates. The infrastructure was built; Apple chose not to ship it.
The EU’s eIDAS Article 45, in its original form, would have forbidden browsers from independently distrusting government-mandated CAs. After two years of campaigning by Mozilla, Cloudflare, the Linux Foundation, EFF, and roughly 400 cybersecurity experts, the legal text now explicitly preserves browser independence.
EU Chat Control 1.0 was rejected by the European Parliament in March 2026 by a single vote. The voluntary scanning derogation expired in April 2026. The mandatory mass-scanning of encrypted messages — the version that would have ended end-to-end encryption in Europe — is, for the moment, dead.
Web Environment Integrity, Google’s 2023 proposal to let websites verify the browser was unmodified before serving content, was withdrawn after developer outcry. The underlying primitives remain deployed; the regulatory hook to use them generically does not exist.
The pattern is consistent. Resistance works when it’s organized and visible. The defeats stick when they’re loud enough that lawmakers can’t pretend not to notice. The privacy community has won more of these fights than it has lost over the last decade, despite the surveillance trajectory continuing in the background.
What’s rising
The fight isn’t over. The threats currently in motion include:
The UK’s December 2025 OS-level scanning proposal is the most explicit recent attempt to build the device-layer surveillance hook. If it succeeds, it becomes a template other Western jurisdictions will adopt within three to five years.
Chat Control 2.0, via the “risk mitigation” framing, aims for the same outcome as Chat Control 1.0 through softer mechanism — pressure on platforms to scan voluntarily, with the threat of regulatory consequences if they don’t.
The Android developer verification rollout is on schedule for global deployment through 2027. Each milestone closes a loophole that previously existed for pseudonymous and small-scale developers.
Apple’s continued non-compliance with the EU DMA on browser engines is the test of whether DMA enforcement actually produces alternative engines on iOS, or whether compliance theater wins. The outcome over the next 18 months determines whether iOS becomes meaningfully open or remains the closed default.
Mozilla’s funding precarity post-Google-antitrust is the load-bearing question for browser diversity. If Mozilla can’t survive the loss of the Google search deal, the open-browser ecosystem becomes meaningfully more fragile.
AI-enabled mass processing is the technical change that genuinely shifts the balance. Twenty years ago, mass surveillance was constrained by the impossibility of listening to everything. Today, AI can transcribe everything, classify everything, flag everything. The bottleneck that protected mass surveillance from being feasible has been removed.
What you can actually do
The temptation, looking at a list like this, is fatalism. The temptation is wrong. Every defeat above happened because someone fought. Every fight that’s currently winnable is winnable because the people working on it haven’t given up.
Practical things, ordered roughly by leverage:
Run Linux for high-stakes work. It’s the only consumer operating system without vendor surveillance hooks, and the political and economic pressure that keeps it open is durable — the entire enterprise software industry depends on it. Custom-ROM Android (GrapheneOS, /e/OS, LineageOS) is the mobile equivalent for users who care.
Use Firefox, LibreWolf, Mullvad Browser, or Tor Browser. Browser diversity is what defeated Kazakhstan and watered down eIDAS. Keeping non-Chromium browsers economically viable is the single most important consumer behavior for protecting the open web.
Self-host services where you can. The legal and political case for “users running their own software on their own hardware” is much stronger than the case for hosted services. The more your stack supports self-hosting as a first-class deployment mode, the further you stay from platform-level chokepoints.
Support the organizations doing the political fight. Electronic Frontier Foundation, European Digital Rights, Open Rights Group, Mozilla Foundation, Tor Project. These are the actors who win these fights, and they win them with funding and public pressure.
Don’t accept the “game over” framing. Pessimism is a tool of the surveillance state, because hopelessness is what they need to win. The infrastructure is being built; the political constraints on its use are being fought; both are true. The dystopia is the trajectory if no one fights, and people are fighting.
Build software that demonstrates alternatives are possible. Every working privacy-preserving stack that exists is an argument against the inevitability framing the surveillance trajectory relies on. The point is not that everyone will use these alternatives — most won’t. The point is that the alternatives exist as a constituency, that they remain technically viable, and that their existence keeps the political fight alive because there are still people demanding the law preserve their options.
The infrastructure for total surveillance exists, distributed across many actors, each individually constrained but cumulatively comprehensive. Whether that infrastructure becomes a dystopia depends on political choices we’re making right now. We are not in the dystopia. We are in the moment when the dystopia is still optional.
That moment is worth fighting for, and the fight is winnable. It has been won repeatedly, by people whose work made the difference. It can keep being won. The question is whether enough of us notice in time.
This is why we started the Qbix Platform so many years ago, as an open source, federated ecosystem. It enables sensible solutions that can actually balance safety with privacy. Here is an example: