Due to the growing collection of users’ personal data by companies, confirmed incidences of mass surveillance by government agencies, and increasing occurrence of large-scale data breaches, people today are rightly concerned about their privacy and the security of their data and the information and communications technologies they use on a daily basis. Faced with these multiplying cyberthreats and risks, ordinary users and citizens have come to rely on both law and technology for protection, particularly encryption as a technical remedy. The problem though is that the law and encryption offer protection in diverse ways. Moreover, people’s understanding of the relevant laws and how they actually safeguard privacy and information security is not sufficiently grounded in the legal and socio-technical contexts. Using New Zealand users, developers and regulators as subjects, this paper will discuss what their varying conceptions or notions of privacy and information security are in relation to encryption and compare these with the applicable laws. This paper will explain why the most pertinent laws are not the oft-cited privacy and data protection laws but are those that concern law enforcement and criminal procedure. This paper argues that the rights of the accused and other rules involving criminal investigations and proceedings are germane to the issue of privacy and security in a digital and connected society.