Compliance rules requiring encryption backdoors — not just for attachments, but for text; not just for communications apps, but also for mobile devices, cloud platforms, and SaaS apps — are being hotly debated in just about every corner of the planet.
Although much of the compliance community is focused on European Union debates right now, encryption companies are just as concerned with legislative efforts in Australia, which is seen as likely to be the first country fully embracing encryption backdoors. Canada, Japan, and various other countries are also considering such moves, along with some legislators in the United States.
But in Europe, the lack of agreement among EU member states, and between the EU and the UK, will likely mean that those countries create their own encryption backdoor rules, with no attempt to make them consistent, either in what they require or in the penalties for non-compliance.
“We are looking at a diverse panoply of [encryption] laws across countries, regions, and states,” said Brian Levine, an Ernst & Young (E&Y) managing director overseeing cybersecurity strategies. “This is a matter of balancing safety versus security, and remembering that they are not the same thing and there is value to both.”
A steamy mess
A more blunt assessment came from Audian Paxson, the principal technical strategist for Ironscales, an enterprise cloud email security company.
The encryption backdoor global compliance situation in 2025 will be “a big three-dimensional hot steamy mess, and it’s a joke. It’s also going to be, to a certain degree, futile,” Paxson said. “The feasibility for the countries in the EU to come together is unrealistic. And fragmented laws don’t have a lot of teeth.”
For enterprise CISOs, this issue will be tricky. These regulations will not apply directly to most enterprises, but they will have a potentially massive secondary effect, because they will apply directly to the vendors that enterprises contract with for everything from messaging apps to cloud environments, mobile devices, VPNs, SaaS platforms, and potentially even IoT and IIoT devices. Anything that can transmit data may be caught in the regulatory maze in at least some of these geographies.
CISOs need to protect all manner of sensitive and restricted data, especially in highly regulated verticals such as healthcare and finance, along with aerospace and other industries that hold government or military contracts requiring security clearances.
A vendor can only satisfy these backdoor rules if it retains some way to recover the plaintext of its customers' traffic, so in practice some of that vendor's employees or contractors will have privileged access to the unencrypted version of all transmissions, in order to hand files over to law enforcement on request.
The risk for CISOs is twofold: one of those vendor or law enforcement workers may be untrustworthy and steal or sell that data, or the vendor or law enforcement body may itself be breached, with the data getting into the open that way.
“It’s always hard to prevent the bad actions of a privileged insider,” Levine said.
CSAM argument is flawed
The key talking point of legislators arguing for encryption backdoors is that they will help combat crimes such as child pornography, now generally referred to as CSAM (child sexual abuse material).
Many in cryptography find that argument to be flawed. “Scanning files for CSAM and comparing those hashes to hashes of known CSAM is not an effective way to limit this form of illegal content because most CSAM is new content,” said Augustine Fou, an independent cybersecurity researcher who is about to offer his own enterprise B2B encryption app. “Child abusers want new CSAM content, not old ones, so comparing to known hashes does not reduce illegal activity.”
Paxson agreed, adding that the child pornographers will quickly move out of regulated environments, either to the dark web or various private encrypted channels. “All of the good guys will try to play by the rules, but the criminals they are targeting will simply move to their decentralized encryption,” Paxson said. “The criminals will react faster than everybody else. The attackers are smart enough to go to quantum level encryption.”
E&Y’s Levine, a former prosecutor with the US Justice Department, disagreed with both points. Levine argued that the entities that collect these hashes, primarily the FBI and the National Center for Missing and Exploited Children, are collecting new images and files constantly and adding them to their databases. “They have the known hash value of all of that child porn. These databases are being updated every day,” he said.
More critically, Levine said, the fact that these criminals will move off the public platforms to the dark web or their own private environments is precisely the goal. Although the criminals will continue to create and sell their files, they will be separated from their child victims and will therefore be unable to groom them into making such videos or photos. “That’s the point. These kids aren’t on the dark web” or in the private environments.
Georgianna Shea, the chief technologist at the Foundation for Defense of Democracies, which describes itself as a nonpartisan think tank focused on national security and foreign policy, said that the likely patchwork of new encryption backdoor rules will become almost unworkable for enterprise CISOs.
“I am not going to continually re-architect based on an infinite number of standards that crop up,” Shea said, adding that she expects CISOs to “start tagging data to remove European information.”
Her biggest concern is losing control of highly confidential data. “Someone has to look at that image. Who is looking at it? Who gets access to it? How does that impact your customers who have given that trust to you?” Shea said, asking what happens if the data does get into the wrong hands. “Did you just lose that customer if they end up suing you? Is China going to end up with your secret formula? What is at fault there? What are the access controls? The adversaries, the bad guys, they always find a way around it.”
Richard Blech, CEO of encryption company XSOC, said the encryption backdoor compliance efforts “are not feasible or practical at all. Once the door is open, the door is open to everybody. Australia is heavily pushing toward some kind of backdoor or at least the ability to eavesdrop. They may be the first to break through, long before anyone in the EU even gets close,” Blech said.
One approach for enterprise CISOs, Blech said, is to create their own secure communication channels with customers and business partners in affected geographies, for example by using an enterprise-grade VPN to tunnel into a secured area of the enterprise's on-prem environment. All communications could then, in theory, be protected.
That is, he added, “just as long as the VPN itself does not have a backdoor. There have been some discussions with AES having some vulnerabilities there.”
One major encrypted messaging app, Signal, has already described features meant to keep users connected if its service is blocked in a given country, which is the most likely way the pending encryption backdoor rules would affect a provider that refuses to comply. “Signal provides a built-in censorship circumvention feature and also includes support for a simple TLS proxy that can bypass these blocks in many circumstances and let people communicate privately,” said a Signal blog post.
Signal did not respond to a request from CSO for comment on the post.
Blech, after reading Signal’s blog post, said: “Yeah, they probably didn’t talk to their lawyers about that. But with the initiative taken, the legal aspects notwithstanding, it seems to be a workable approach.”