The real problem with encryption backdoors

Ben Wolford

Share this page

For decades, law enforcement agencies have lobbied to force technology companies to weaken their own security protocols by adding an encryption backdoor. The FBI has even recently come up with a catchy brand for its anti-encryption campaign: “Going Dark.” Testifying before US Congress last year, FBI Director Christopher Wray called encryption “corrosive”(new window) and a challenge to “public safety and the rule of law.” A bill has also been introduced in Australian Parliament that would compel tech companies to give police access to encrypted data(new window).

Far from disrupting criminals, these proposals endanger anyone who depends on encryption to stay safe online—that is, everyone. On the other hand, there is very little evidence(new window) (if any) that mass surveillance stops terrorism(new window). In fact, those who perpetrated the most recent attacks in Paris and Belgium were already known to intelligence agencies. An encryption backdoor would not have stopped them, and it would not stop future attacks. However, an encryption backdoor would put millions of innocent people at risk of cyber attack.

What is an encryption backdoor?

An encryption backdoor is a deliberate weakness in encryption intended to let governments have easy access to encrypted data. There are a few kinds of encryption backdoors, but one simple method is called “key escrow.” Under a key escrow system, the government creates and distributes encryption keys to tech companies while retaining the decryption keys in escrow. This is why “key escrow” is also sometimes known as “key surrender,” because you are surrendering the privacy of your data.

This is essentially how any encryption backdoor would work: The government retains some form of master key that would allow it to unlock anyone’s personal data.

What kind of encryption are we talking about?

There are many forms of encryption available today. Most encryption is performed on servers around the world, and data encrypted in this way is designed to be easily decrypted. This also makes it much less secure. A stronger form of encryption is end-to-end encryption(new window), which encrypts data even before it is sent to a server. The result of this is that only the sender and the intended recipient are able to decrypt the data. This is the form of encryption that secure communication systems like Proton Mail(new window) or Signal(new window) employ, and this is great for protecting your privacy and keeping your data secure.

When you use end-to-end encrypted services, only you and the other “end” of your conversation have the ability to read your messages. Neither the service provider nor the government nor anyone else can access your data, which is why some government agencies are keen to have backdoor access to end-to-end encrypted services.

Why encryption backdoors are dangerous and don’t work

Unfortunately, there is no such thing as a backdoor that only lets the good guys in. If there’s a “master key” that unlocks millions of accounts, every hacker on the planet will be after it. A compromised encryption backdoor could give cyber criminals access to your bank account, your personal messages and other sensitive information. Don’t think hackers can steal the master key? Think again. Both the CIA and the NSA were breached in 2017 by mysterious organizations(new window) that stole and published the spy agencies’ hacking tools. The same year, cyber criminals stole an NSA exploit and used it in a massive, worldwide ransomware attack(new window). The fact is, if the government or anyone else controls a master key, eventually it will get out.

Hackers aren’t the only threat: Governments may also use encryption backdoors for harm. The US government has already revealed its willingness to spy on citizens without a warrant(new window). If liberal democracies cannot be trusted, what about China, Russia, Saudi Arabia, or countless other authoritarian states? Encryption backdoors could be used by repressive regimes to help them persecute journalists, dissidents, religious minorities, the LGBT community, and anyone else they please.

Moreover, encryption backdoors do not prevent criminals from using encryption some other way. The software to use end-to-end encryption is already out there, and criminals will always have access to strong cryptography. Weakening encrypted services will only put ordinary citizens at risk while doing remarkably little to stop tech-savvy criminals.

It’s time to put the encryption backdoor debate to rest. Any system with a backdoor is fundamentally insecure. If everyday applications and hardware were forced to implement an encryption backdoor, it would jeopardize the basic security of millions of people. Backdoor advocates surely have good intentions—we all want to stop terrorists—but their approach is misguided and dangerous.

We must defend the universal right to security and privacy online(new window). Security starts with education, and that’s why it is important for policymakers to have a basic understanding of encryption so that their decisions can be based on facts, not fear.

Why does privacy matter? Watch the TED Talk (new window)by Proton Mail Founder and CEO Andy Yen to learn more about this issue.

You can get a free secure email account from Proton Mail here.

Protect your privacy with Proton
Get a free account

Share this page

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.

Related articles

The first month of 2023 has brought brutal layoffs from Big Tech, a potential ban of TikTok in the US, and another Twitter breach. But the biggest development of this new year has to be the ascent of ChatGPT.  The chatbot can produce remarkably huma
Hackers were able to steal account details from over 200 million Twitter users and posted the database on a hacking forum in early January 2023. These details include users’ email addresses and Twitter handles, allowing people to potentially identify
From your online shopping receipts to financial statements, your emails contain a great deal of sensitive information about your life, interests, and daily schedule. If you’re concerned about your online privacy, it’s therefore vital to keep your inb
At Proton, we’re committed to building privacy-focused products that are convenient to use and improve your productivity. Last year, we released the new mobile apps for Proton Calendar and Proton Drive, letting you manage your schedule and upload imp
Most email services aren’t secure and limit attachment file sizes, but there are ways to send large files securely. If you’ve ever tried attaching multiple images or video files to an email, you’ll know that it doesn’t always work. We explain ways t
Email wasn’t initially designed to be secure. From spam and phishing attempts to malware, unethical marketers and cybercriminals try to undermine the security and privacy of your inbox every day. Since your inbox stores plenty of sensitive informatio