For the first time, a top EU advisory group has listed virtual private networks (VPNs) among the major challenges faced by law enforcement when investigating criminal activity. The expert panel also named encrypted apps, devices, and new digital communication platforms as part of this growing list of obstacles.
The group, known as the High-Level Group (HLG), was formed by the European Council in June 2023. Its job was to create a long-term strategy to help law enforcement access data more effectively while navigating modern digital tools and protections.
Encryption Still Seen as the Biggest Hurdle
In the group’s final report, released on March 13, 2025, end-to-end encryption was identified as “the biggest technical challenge.” This type of encryption scrambles messages so only the sender and recipient can read them, making it difficult—if not impossible—for authorities to access the content.
The HLG first made headlines in 2023 when a leaked draft revealed the group’s goal: make digital devices like smartphones, smart homes, cars, and even IoT gadgets legally and technically accessible to law enforcement at all times. Privacy advocates quickly criticized this, saying it would amount to government surveillance in people’s pockets.
Mullvad VPN CEO Jan Jonsson voiced strong opposition, telling TechRadar, “It would mean total surveillance and that Europe’s inhabitants carry state spyware in their pockets.”
VPNs Added to the List of Concerns
The final version of the report refines the original ideas but holds onto the core message. For the first time, VPNs are now clearly listed as a problem for law enforcement, not just encrypted apps or email services.
Experts say this shift is connected to the need for metadata—information that doesn’t show message content but includes details like who sent a message, who received it, the time, and the location. VPNs hide users’ IP addresses, making it hard for investigators to track these details.
The report argues that EU lawmakers must find legal ways to ensure some of this metadata is stored by service providers for a set amount of time. The idea is to make it easier to identify suspects without always needing to access encrypted content.
Privacy Services Could Be at Risk
However, this would clash with the design of many privacy-first services. For example, no-log VPNs are built specifically to avoid collecting user data. Requiring them to log and store metadata would go against their core promise to users.
Still, the HLG report calls for a “harmonised and consistent” legal system across the EU for data retention. It says this is needed to help law enforcement work more efficiently, especially across borders.
Protecting Security and Rights
The report also acknowledges the difficult balance lawmakers must strike. While access to data can help with investigations, it should not come at the cost of fundamental rights or the cybersecurity of devices and systems.
Encryption, the report says, is also crucial for protecting users against hackers, espionage, and unauthorized access. This highlights the ongoing debate over whether it’s possible to create “backdoors” into encrypted systems that only governments can use.
Experts like Proton CEO Andy Yen disagree. He stated, “Encryption is math – it either adds up or it doesn’t. You’re not able to create a backdoor that will preserve encryption. It is simply not possible.”
