Encryption: What moved and what stalled in 2025??

Encryption is far from a new topic in Brazil. For years, it has been shaped by disputes between public security and digital security. But what, in fact, really moved forward in this debate in 2025?

Encryption returned to the policy agenda in 2025, but far less centrally than the digital landscape actually demands. Caught between old disputes and new omissions, the issue reappeared more at the margins than at the core of public policy. What does this reveal about Brazil’s political agenda?

An old yet timely reminder: what encryption is and why it matters

Encryption is an essential tool for protecting the confidentiality, integrity, and authenticity of data in an increasingly digital world. In simple terms, it transforms readable information into code that can only be accessed by those who hold the decryption key. Once encrypted, data become unreadable to anyone without the decryption key, including service providers themselves. This means that information is protected not only against external interception, but also against unauthorized internal access, ensuring that communications are neither altered nor improperly accessed.

End-to-end encryption is one of the most consequential applications of this technology, as it ensures that only senders and recipients have access to the content. It is especially important in contexts of political persecution, gender-based violence, attacks against journalists, or state repression, as it provides a safe space for reporting abuses, social organizing, and resisting intimidation. By protecting information against interception, encryption enables secure communication, preserves privacy, and supports the exercise of fundamental rights, especially in hostile or high-risk environments..

However, in regulatory and policy debates, encryption is often mistakenly framed as an obstacle to criminal investigations and public security. This perspective ignores the fact that, in practice, encryption strengthens the structural security of systems, protects critical infrastructure, prevents large-scale leaks of sensitive data, and preserves the integrity of communications among citizens, companies, and the State itself.

Within this debate, which agendas have incorporated discussions on encryption, and how has it been taken up?

What were the main encryption-related issues on Brazil’s political agenda in 2025?

In 2025, encryption appeared in Brazil’s public debate in a fragmented and secondary manner, often treated as a technical detail rather than as rights-enabling infrastructure.. This becomes clearer when we look at the three main topics discussed throughout the year: (i) the reorganization of the federal cybersecurity policy, (ii) the progress of legislative initiatives on digital security, and (iii) legislative responses to increasing online risks faced by children and adolescents. Take a look:

•  E-Ciber: Launched in August 2025, E-Ciber updates the federal strategy around four pillars: protection of society (with a focus on vulnerable groups), security of essential services and critical infrastructure, cross-sector cooperation, and technological sovereignty. It defines around 40 strategic actions, detailed in the National Cybersecurity Plan, but does not explicitly mention encryption as a minimum protection standard. This omission is not merely rhetorical. In 2025, the National Cybersecurity Committee (CNCiber) formally established a working group to draft and debate a National Cybersecurity Plan, confirming that the agenda was still under construction and in dispute.
• Post-quantum encryption and ABIN: A second key development in 2025 was the return of post-quantum encryption as an object of strategic concern for the State. In early December, the Brazilian Intelligence Agency (ABIN) included the transition to post-quantum encryption among its priority technological challenges for 2026, acknowledging that technological evolution will put pressure on current security standards. Thus, while the State recognizes strong encryption as a strategic necessity, everyday legislative discourse often continues to treat encryption as synonymous with suspicion. This contradiction helps explain why, in 2025, the public debate largely “stalled.” Encryption is mobilized to protect sovereignty and the State, but relativized when it protects people.
• Cybersecurity Legal Framework and National Cybersecurity Plan: The draft bill and the proposed Legal Framework seek to structure digital security policy by creating national programs and supervisory authorities. Although these initiatives refer to confidentiality, integrity, and authenticity, they do not include encryption as a mandatory principle or guideline, leaving gaps regarding effective protection, due process, and limits on surveillance. In the Legislature, 2025 was also the year in which Bill No. 4,752/2025 advanced in the Senate. The bill establishes the Cybersecurity Legal Framework and creates a national program focused on digital security and resilience. It was approved by the Constitution and Justice Committee (CCJ) on December 10, 2025, with emphasis on coordination and the institutional design of a national authority in this field.
• Artificial Intelligence: The cybersecurity debate linked to the AI bill in 2025 does not explicitly defend encryption, failing to establish minimum protections for data and communications. At the same time, the bill does not prohibit the use of invasive surveillance mechanisms – such as facial recognition or monitoring tools – in criminal investigations, leaving privacy risks and threats to the protection of vulnerable groups unaddressed. 
• Protection of children and adolescents: In 2025, debates on protecting children and adolescents online intensified, with bills and public hearings emphasizing punitive responses and platform obligations. Age verification requirements may come to demand the use of encryption as a security tool for communicating age-related signals. A particularly emblematic negative example is Bill No. 4,323/2025, introduced on August 29, 2025, which proposes criminalizing “real-time cyber grooming” and increasing penalties when the offender uses “anonymization tools, encryption, false identities, or any form of digital concealment.” This represents a dangerous shift. Instead of precisely targeting harmful conduct, the bill communicates that the use of encryption itself may be a sign of guilt – as if the security standard adopted by millions of people were an exceptional tactic reserved for criminals.
• MJSP Ordinance No. 961 and the use of technologies in public security: In late June, the Ministry of Justice and Public Security (MJSP) issued an ordinance establishing guidelines for the use of information technology solutions in criminal investigations and public security intelligence activities. The aim is to standardize procedures and impose minimum controls within security forces linked to the MJSP, as well as initiatives financed by the National Public Security Fund and the National Penitentiary Fund, both managed by the Ministry. Although the ordinance does not mention encryption, it reinforces judicial oversight over access to confidential data through such technologies, restricting their use to criminal investigations. While unprecedented, it is essential to ensure the effective implementation of these measures and, consequently, that intrusive tools are used only when their legality, necessity, and purpose are clearly demonstrated. To some extent, the initiative responds to reported abuses of illegal surveillance under the Bolsonaro administration, which are the subject of ADPF 1143 before Brazil’s Supreme Federal Court. Although important, the ordinance has limited scope and institutional stability, and may be overridden by federal legislation or reversed by a future administration.

Encryption: deliberate erasure or a ‘natural’ forgetting?

Despite the discussions presented, encryption remained in the background of political and legislative debates in 2025. This may indicate several points or hypotheses:

• The persistence of a political and institutional culture that sees encryption more as an investigative problem than as protective infrastructure. In this framing, the topic reappears primarily when associated with “concealment,” which shifts the debate away from what should be central: reducing systemic risks, protecting victims, and securing essential services.
• Beyond institutional culture, another factor helps explain this erasure as the prevalence of a reactive, short-term policy approach with strong populist and punitive appeal. This logic favors immediate-impact responses that promise more surveillance, punishment, and control rather than sustained investment in structural security policies grounded in strong encryption. Within this framework, it is politically easier to advance measures that expand monitoring powers than to defend encryption as a baseline infrastructure that reduces systemic risks, protects victims, and prevents large-scale harm.
• Encryption has also remained diffuse because the Brazilian debate continues to be compartmentalized. It appears in public security, cybersecurity, data protection, child protection, and AI, but is almost never treated as infrastructure common to all these agendas. Each sector discusses the topic using its own terms and priorities, and, in the end, the country does not consolidate a minimally consistent public orientation regarding where encryption should be standard and which exceptions would be acceptable.
• Keeping encryption in a gray zone can be politically convenient. Explicitly defending strong encryption requires facing difficult disputes over surveillance, state limits, and platform responsibilities, and rejecting easy solutions based on broad access to data and communications. In moments of high legislative pressure, it is simpler to avoid these conflicts than to bear their costs and consequences – consequences that include encryption being weakened by dominant populist approaches in Congress, which view surveillance and punishment as the solution to any digital or public security problem.

Putting encryption at the center of the game: building Brazil’s 2026 policy agenda

If 2025 made it clear that encryption is still treated as a peripheral issue, 2026 needs to be the year it returns to the center of public decision-making. Protecting communications, sensitive data, and critical infrastructure is not just a technical choice – it is a political decision about the kind of digital and democratic environment Brazil wants to build.

By recognizing strong encryption as a pillar of digital security, the country strengthens rights, reduces systemic risks, and avoids reactive responses based on improvised surveillance. To deepen this agenda and broaden informed public debate, it is also worth consulting the article published on Jota about where encryption fits into the legislative discussion on the Cybersecurity Legal Framework.