Keir Starmer pays foreign chipmakers to surveil British children.
That was not how the announcements were framed at London Tech Week. The framing was sovereignty — £1.1 billion to “build globally competitive AI hardware companies in the UK” — and safety — criminal liabilities for Apple and Google if they fail to “detect and block nude images for children.” Two branding exercises, one structural outcome: public money flows to American chip companies, and those same companies are ordered to build scanning infrastructure into every device a British child touches.
The money first. Of the £1.1 billion committed, £400 million is a procurement opportunity for UK chip makers, though Mark Boost, who runs the UK cloud platform Civo, pointed out that much of it had already been announced in previous budgets. The genuinely new money came from elsewhere: AMD’s “up to £2 billion” for AI research partnerships with Cambridge and Imperial, and Nebius’s approximately £1.7 billion to build UK AI infrastructure — which the Guardian reported consists, in practice, of Nvidia chips. The government also announced a “strategic industry partnership” with Arm Holdings, the Cambridge chip designer that listed on Nasdaq in 2023, without specifying terms. This is the firm the business secretary told parliament last week the UK would have vetoed a foreign sale of — a claim that does rather more work as a press-release line than as a description of what actually happened, given that SoftBank bought Arm in 2016 with no objection, and SoftBank then moved to sell it to Nvidia in a deal that collapsed under regulatory scrutiny in 2022, with no British veto exercised in any instance.
Treating AI compute as national infrastructure is the right instinct. Boost called it “genuinely encouraging.” The trouble is that beneath the sovereignty language, the money flows to firms whose supply chains, shareholders, and strategic interests are not British. AMD is headquartered in Santa Clara. Nebius builds on Nvidia silicon — and Nvidia’s GPUs are, at this moment, the chokepoint through which all AI compute must pass, with export controls set in Washington, not Westminster. The TSMC fabs on which Nvidia’s supply chain depends answer to Taiwanese and American geopolitics, not Downing Street calendars. The sovereignty being purchased is the sovereignty to rent American hardware at American prices, subject to American export policy, with a British flag stickered on the rack.
Canada announced a comparable national AI strategy earlier this month, and the structural problem is the same. Governments spend public money to build “sovereign” AI capacity on silicon they do not design, fabricate, or control. Sovereignty, in both cases, describes an aspiration rather than a capability. What was announced in London is not a British semiconductor industry — the thing the £1.1 billion is supposed to buy — but a package of British-branded infrastructure on somebody else’s silicon, integrated by the established overseas vendors and rented from hyperscalers. Boost, the man in the room who actually provisions the infrastructure the government claims to be building, said the default flow of the money is to “the usual suspects” unless the contracts are structured deliberately. The contracts were not announced. The £1.7 billion from Nebius is Nvidia chips. The £2 billion from AMD is partnership money with the universities that, under the Bayh-Dole model the UK has been importing since the Lambert Review, will produce research that spinout companies will commercialize and then sell. Britain is doing what it has done for forty years of technology policy: funding the basic research, providing the prestige environment, and then watching the value walk out the door. This is the DARPA-to-commercial-extraction pipeline, and Britain’s version of it — the research-council grant to university lab to venture-funded startup to American-acquirer sequence — is now so institutionalized that it can be announced at London Tech Week as a victory for British AI.
Now the surveillance. The government said Apple and Google must deploy technical solutions to detect and block nude images for children, with criminal penalties for non-compliance. This goes further than the under-16 social media ban the government is pushing ahead with despite American objections — it requires pre-emptive scanning of content on platforms that are, or claim to be, end-to-end encrypted. Signal said the requirement would usher in a “dystopian combination of age verification and content scanning” that could lead to “mass censorship capabilities.” Mullvad, the Swedish VPN provider, made the same argument. The objection is not rhetorical. To detect an image on an encrypted platform, you must scan it before or after encryption — client-side scanning, meaning software running on the user’s device that inspects every image against a classifier and reports matches to a server. Apple proposed this for CSAM detection in 2021, then abandoned it after security researchers demonstrated the architecture could be repurposed for arbitrary content surveillance. You cannot build a scanner that detects only child sexual abuse material and reliably declines to detect political dissent. The mathematics of the thing does not permit it. You cannot build a door that only opens for the good guys. This is a cryptographic fact, not a policy preference, and it was settled long before this government took office.
The age verification requirement compounds the defect. To enforce an age threshold, companies must determine whether a user is a child. The methods available: government-issued ID, which many children do not have and which requires storing identity documents in ways that create exactly the data-security hazards the government claims to prevent; AI-powered facial age estimation, which children in Britain have reportedly defeated by painting on moustaches; or app-store-level verification, as Meta has proposed, which would hand Apple and Google — the two firms the government is threatening with criminal liability — control over the identity layer of the British internet. Each option either does not work, or works by centralising surveillance in the firms least accountable to British law. Meta’s suggestion is the platform incumbent’s standard move when regulation threatens to impose costs on platforms: shift the cost to the layer below you, then argue that the layer below you is better positioned to absorb it. The layer below Meta is Apple and Google. They will resist, and the implementation will stall, and the criminal-liability timeline will extend, and in the interim children will remain unprotected while the architecture for a general surveillance apparatus will have been debated into existence. The scanner does not know what statute it is enforcing. It knows what it was told to look for, and what it is told to look for is a policy decision that changes with the government.
Then the defence dimension. Sir Richard Knighton, the chief of defence staff, announced the Rapid AI Delivery Taskforce — RAID — to develop AI models for the military, while affirming that “humans, not machines, are accountable for decisions.” This is the correct policy, and it was the most honest thing said onstage all week, delivered in the language of a military officer who knows that stating the policy is not the same as implementing it. A taskforce named “Rapid AI Delivery” has, in its name, the tensions that will govern its work: rapid versus tested, delivery versus deliberation, AI versus the humans who are supposed to remain accountable. The gap between the commitment and the mechanism is the space in which every defence AI project since Project Maven has lived: the human is accountable in the announcement; the machine makes the decision at operational speed; the human ratifies it after the fact because there is no time to do otherwise. The defence establishment is the one part of the British state that has demonstrated it can absorb technology without losing the chain of command, and even it is warning that the chain of command is the thing that needs protecting.
There is a final pair of details that reveal the shape of the transaction. Bouke Klein Teeselink of King’s College London said many people are not using AI tools to their full potential and that the private sector would likely embrace AI more efficiently than any government-backed programme. He is probably right about the first claim. He is almost certainly wrong about the second, for reasons that are instructive. The private sector’s “efficiency” at adopting AI is not a property of the private sector as such — it is a property of the specific firms that can afford the compute, the talent, and the integration costs, which are the same hyperscalers and large consultancies that will capture the government’s £400 million procurement commitment. What Klein Teeselink is describing as efficiency is the existing distribution of AI capability — a distribution in which a small number of firms own the infrastructure, rent access to it, and then sell consulting services to the firms that cannot afford to build their own. The government’s “bridge AI” scheme, which gives British companies funds to buy UK-developed AI products, is a demand-side subsidy to that exact arrangement. Most UK-developed AI products run on cloud infrastructure owned by the same firms receiving the government’s procurement commitments. The subsidy flows through British companies to the hyperscalers underneath.
And the £20 million commitment to map how AI is changing entry-level work is useful in the narrow sense and entirely inadequate in the structural sense. Mapping how AI is changing entry-level work does not prevent AI from changing entry-level work in ways that concentrate the gains and distribute the losses. The Doctorow formulation applies directly. As Cory Doctorow has put it, an AI cannot do your job, but an AI salesman can convince your boss to fire you and replace you with an AI that cannot do your job. The mapping exercise will document the displacement. It will not arrest it.
These announcements are not separate policies. They are three faces of the same transaction: the government pays foreign chipmakers to build infrastructure; it orders the platforms to deploy scanning on that infrastructure; it funds military applications that ride the same hardware stack. And all of it is branded sovereignty, safety, and accountability — three words that, in this instance, mean public money to foreign firms, surveillance on children’s devices, and humans responsible for decisions machines have already made.
The British state has now spent several years oscillating between two postures on AI — the boosterish “global AI superpower” frame and the regulatory “safety-first” frame — without ever acknowledging that the two frames are in direct tension. You cannot simultaneously be the jurisdiction that builds the most powerful AI systems and the jurisdiction that imposes the strictest safety constraints on them, because the firms building the systems will choose the jurisdiction with the weakest constraints and the strongest subsidies. The sovereignty language is a rhetorical bridge between the two postures, and it is doing the work of a rhetorical bridge: it looks solid from a distance, and it collapses when you try to drive a lorry across it. The work is to decide which of the two postures is the actual policy and fund it accordingly. The government did not decide. It announced a partnership with Arm, a procurement commitment that was largely pre-announced, and a child-safety mandate that Signal has already said it will not comply with.
Genuine sovereignty would mean domestic fabrication capacity, which £400 million in procurement does not buy when the silicon is American. Genuine child safety would mean device-level parental controls that give families tools without requiring universal scanning — a distinction the government has not bothered to make. Genuine accountability for military AI would mean a technical specification defining the human decision point, not a statement of principle. The government announced money, mandates, and a taskforce. It announced the architecture and called it policy.
Signal and Mullvad are right that scanning mandates are censorship mandates. The consultation on the Online Safety Act’s implementation remains open. The government has already announced the criminal penalties, which tells you what the consultation is worth. But submissions are the only part of the regulatory record that subsequent governments have to read, and the architecture that detects an image to protect a child is the same architecture that detects an image to suppress a citizen. The software does not know the difference, and the government that mandated it has not asked. No scanning architecture whose classifier can be repurposed for content surveillance will meet a child-safety mandate, and no mandate that compels universal scanning is compatible with encryption. The submission should say so.