Europol doesn't only want an encryption backdoor, but also your metadata

This year’s Europol report has now labelled end-to-end encryption and limited bulk metadata collection as major factors in enabling cybercrime. It joins the European Commission’s plans to mandate encryption backdoors for law enforcement officials.

Criminals are increasingly exploiting end-to-end encrypted apps to impede police investigations, according to Europol’s 2025 Internet Organized Crime Threat Assessment (IOCTA).

The report also warns that current metadata collection practices are too limited, further complicating the work of law enforcement. This is why Europol highlights the need to establish lawful access by design to encrypted communications, alongside EU standards for the targeted retention and access to metadata.

Europol’s recommendations echo the EU Commission’s plan for creating an encryption backdoor for law enforcement – something experts are said to be “deeply concerned” about.

As for metadata collection, Europol’s proposed changes directly conflict with the functionality of no-logs VPN providers. They want longer and consistent retention of metadata such as KYC data and IP logs across EU member states.

“When content is blocked by E2EE, metadata becomes essential for mapping networks and identifying suspects. However, the current legislative landscape lacks harmonized rules, and this results in fragmented national policies,” reads Europol’s IOCTA report.

Metadata refers to all pieces of information that aren’t the content. This includes IP addresses, location, phone numbers, who you have spoken with, and when, but also the size of your data packets, the patterns in which they move, timestamps, and so on.

Thanks also to AI-powered tools, metadata tracking is enabling law enforcement (or any other third party with the necessary skills) to get a pretty accurate picture of people’s online behaviors even without accessing the encrypted content.

Authorities know that, and that’s why they are pushing for new data retention obligations to be enforced. “Crucial metadata, such as subscriber information or IP logs, is often subject to short or inconsistent retention periods,” said the Europol assessment, advocating for clear standards “for the targeted retention and/or expedited access to essential metadata.”

Again, that’s something technologists have long warned against, and that could make the work of no-log VPN and other privacy software impossible.
