Beklager, indholdet på denne side er ikke tilgængeligt på dit valgte sprog.

Din IP:Ukendt

·

Din Status: Ukendt

Spring til hovedindholdet


Privacy and encryption: Laws and regulations around the world

An overview of legal acts, bills, and initiatives that threaten encryption.

encryption backdoors phone police hacker

Encryption backdoors – what are they?

An encryption backdoor is a way to bypass authentication and access encrypted data in specific services. In other words, it is a weakness that the service provider intentionally creates to allow easy access to protected information.

Encryption backdoors are quite similar to vulnerabilities. Theoretically, they both provide an uncommon way to enter a system. However, the difference is that backdoors are there on purpose, whereas vulnerabilities are unintentional.

Why is encryption important?

Encryption is a method of securing information. Thanks to this tool, text becomes a cipher that can only be read with a special decryption key. Think of Morse code – without understanding the system, it’s just a set of random clicks and taps.

Encryption provides the highest quality of protection. Modern algorithms use 256-bit decryption keys. This means that they are virtually uncrackable — not even by supercomputers.

Protecting data this way has become instrumental in everyday digital communication. Apps and services handle a lot of sensitive user data like passwords, banking credentials, and private communications. These services widely use encryption to protect user data from falling into the wrong hands.

Why encryption backdoors are a threat

A number of democratic governments claim that encryption interferes with effective law enforcement. According to them, criminals use encryption to make digital evidence unreachable to authorities and protect themselves from criminal persecution. This is why governments suggest creating secure backdoors so authorities could bypass encryption when there’s a legal reason to do so.

Yes, the need for effective law enforcement is understandable. But there is no such thing as a secure backdoor. Encryption backdoors would force service providers to corrupt their encryption algorithms. They would also order the deliberate vulnerabilities for law enforcement to use.

Unfortunately, once a vulnerability is put in place, everyone can use it. That means cybercriminals too. They could use the backdoor to spy on unsuspecting targets and steal sensitive information. The practical effect of encryption backdoors would mean the end of unbreakable encryption.

vpn encypt tunnel scheme en

Laws and regulations on encryption around the world

Different countries have different laws, obviously. While some governments offer a pretty liberal attitude toward data encryption regulations, others remain high-handed. To better understand these contrasts, we’ve prepared for you an overview of encryption laws and regulations across the globe.

encryption backdoors world map

Laws on encryption in:

Choose a country to see detailed info

Laws on encryption backdoors in Australia

Key takeaways

  • The Assistance and Access Act endangers the security of everyone who uses online services. It also significantly weakens online privacy.

  • The Surveillance Legislation Amendment Bill may allow the Australian government to access users’ data without their consent.

The Assistance and Access Act

The law was adopted on December 9, 2018. It aimed to provide police with more freedom to investigate criminals who use encrypted communications software.

The Australian Computer Society, a trade association for IT professionals, laid out the drawbacks of the law: “It is likely not possible to build in functions to get around encryption without building in systemic weakness or vulnerability into a given product or service. The current approach of the legislation exposes internet and private telecommunications users – business and personal alike – to the potential for very real risks to their privacy and reliability of these services.”

The Surveillance Legislation Amendment (Identify and Disrupt) Bill

The Australian Senate passed the bill on August 25, 2021. The bill grants law enforcement agencies the power to disrupt data by modifying, copying, or deleting it. This would help in stopping serious offenses online.

Digital Rights Watch, an Australian charity organization that aims to educate and uphold the digital rights of Australian citizens, criticized the bill. They said: “The Australian government has new laws on the books to hack your computer, your online accounts, and just about any piece of technology and networks you come into contact with.” The bill provides new powers to law enforcement agencies: Data Disruption Warrants, Account Takeover Warrants, and Network Activity Warrants.

  • The Data Disruption Warrant enables agencies to “add, copy, delete or alter” data on devices.

  • The Account Takeover Warrant enables law enforcement agencies to take control of an account and even lock its holder out of it.

  • The Network Activity Warrants allow access to networks if there is suspicion of serious online offenses. Yet the term “serious” has a variety of definitions in the legislation.

Laws on encryption backdoors in Belgium

Key takeaways

  • The Organic Law on the Intelligence and Security Services allows authorities to block or record communications.

  • The Law on Electronic Communications could force service providers to decrypt any encryption they use.

The Organic Law on the Intelligence and Security Services

The law was passed in 1998. It allows intelligence and security authorities to intercept and record communications with prior authorization from an independent commission. Furthermore, if an electronic communications network is necessary for interception, the head of the intelligence or security authorities can send a request for technical assistance to a network operator or provider. Failure to comply with such a request is considered a criminal offense and is punishable by a fine of up to €20,000. You can read the full document here in French.

The Law on Electronic Communications

The law was passed in 2005. It allows the king to pass administrational and technical measures aimed at communications operators to identify end users and their location, listen to their communications, and record them. Under the royal Order of October 12, 2010, these measures include being able to transmit the content of a call when the operator has used encryption. To comply, operators and service providers need to be able to decrypt any encryption they use. The full document is available here in French.

The Code of Criminal Procedure

The code allows magistrates and other officials to order a special subject of a search warrant or services or applications that encrypt data to provide information on how to access encrypted content. You can access the full text of this code here in French.

Laws on encryption backdoors in Brazil

Key takeaways

  • Article 5 of the Constitution ensures the right of private communication. Suspending this right is only possible in the case of a criminal investigation.

  • The encryption debate in Brazil focuses on finding the balance between the needs of law enforcement and the promotion of secure encryption systems.

The Constitution of the Federative Republic of Brazil

The Constitution was passed in 1988 and is Brazil’s supreme law. Article 5 of the Constitution guarantees “secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of a criminal investigation or the fact-finding phase of a criminal prosecution.”

The General Data Protection Law

The law was passed in 2018. It’s a comprehensive data privacy law that aims to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

Lexology, a comprehensive source of international legal updates and analysis, writes: “However no explicit right to encryption exists in Brazil, although its constitution guarantees the secrecy of correspondence and telegraphic, data, and telephonic communications.”

The Carnegie Endowment for International Peace, a think tank, writes: “The encryption debate in Brazil focuses on balancing the needs of law enforcement and the promotion of secure encryption systems. One of the main issues is the use of end-to-end encryption by communications applications (apps). Some companies have adopted technological architecture that inhibits the government’s ability to obtain access to communications data that could be of use to officials investigating and prosecuting criminal activities.”

Laws on encryption backdoors in Canada

Key takeaways

  • The Canadian Charter of Rights and Freedoms limits law enforcement’s access to encrypted data.

  • The Criminal Code states no legal action could force someone to provide a backdoor to encrypted data. However, there are exceptions.

The Canadian Charter of Rights and Freedoms

The Charter was signed in 1982. It protects the right to “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication.” It also states that “everyone has the right to be secure against unreasonable search or seizure.”

The Criminal Code

The Criminal Code came into force in 1985. It states that no legal act can force operators to make the decryption of protected content easier. There are, however, special cases. The code enables assistance or production orders. They may be used against third parties to facilitate law enforcement’s attempts to access encrypted data.

The Digital Charter Implementation Act

It’s composed of three parts:

The Consumer Privacy Protection Act 2022 makes a distinction between de-identified and anonymized personal data, and situations where businesses don’t have to get explicit consent for the collection of personal data. It also protects the data of children.

The Personal Information and Data Protection Tribunal Act creates a legal basis for financial penalties for ignoring orders or not complying with the act.

The Artificial Intelligence and Data Act will require “high-impact” AI applications to follow as yet unwritten regulations to ensure risks of harm or bias are identified and mitigated.

Laws on encryption backdoors in China

Key takeaways

  • Laws in China impose a range of restrictions on the manufacturing, import, export, and use of encryption.

  • The commercial use of encryption technologies requires certification from the government.

The Cryptography Law of the People’s Republic of China

The law took effect in 2020. It recognizes three different types of cryptography: core, common, and commercial. Core and common cryptography are used to protect the state secrets of the Chinese government, while commercial cryptography is used to protect the information of citizens and businesses. More importantly, the new law also states that it welcomes foreign providers of cryptography services. But is that really the case?

While this might look like an appealing opportunity for encryption businesses, there are certain limits. According to the Chinese authorities, the commercial use of encryption cannot harm the state or public security. Furthermore, encryption technologies must be handed over to the government for certification.

The Data Security Law of the People’s Republic of China

This law was enacted in 2021. It governs the creation, use, storage, and exploitation of data within China. The law states that both domestic and foreign entities can collect data only locally if it involves a Chinese citizen. Foreign authorities also cannot request data about Chinese citizens without getting permission from the Chinese government.

The Cybersecurity Law of the People’s Republic of China

This law states that “Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.

Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China shall store it within mainland China. Where due to business requirements, it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment.”

Laws on encryption backdoors in Denmark

Key takeaways

  • Laws in Denmark allow the interception of private communications if there is a legal precedent. It remains unclear whether these legislations apply to encryption.

  • Due to strict interpretation of GDPR, private email communications must be encrypted.

The Act on Electronic Communications Networks and Services

It states that ISPs have to ensure that their equipment or systems are set up in such a way that the police are able to access information about telecommunications traffic and intervene in the “secrecy of communications.” This can be done in criminal cases. You can read the law in Danish here.

The Administration of Justice Act

It states that individuals other than suspects and accused ones (including private entities) may be required to hand over private data if it could help a criminal investigation. It is not clear whether this would include decryption keys. The law is available in Danish here.

Mandatory email encryption

Mandatory email encryption in Denmark came into force on January 1, 2019. Businesses in Denmark must protect sensitive personal data in emails with adequate encryption due to a strict interpretation of the General Data Protection Regulation (GDPR).

According to Tue Goldschmieding, a partner at the Danish law firm Gorrissen Federspiel, “Though the Danish Data Protection Agency does not explicitly require end-to-end encryption when sending emails containing special categories of data, the recommendation is very firm and should be interpreted as a de facto requirement.”

Laws on encryption backdoors in Egypt

Key takeaways

  • Telecom operators and ISPS can use data encryption only after receiving the government’s approval.

The Telecommunication Regulation Law

It prevents Telecom operators and service providers from using encryption equipment without specific clearance from the governmental agencies and requires them to provide all technical assistance. This includes software to enable governmental agencies to exercise their powers within the law. You can read the full text of this law here.

Laws on encryption backdoors in the European Union

Key takeaways

  • The European Union resolutions endorse strong encryption as a means to protect people’s fundamental rights.

  • The EU Commission’s ambition to increase the protection of children’s privacy could pose a risk to end-to-end encryption.

The Council Resolution on Encryption

The draft was introduced on November 24, 2020 and adopted on December 14, 2020. In this resolution, “the Council underlines its support for the development, implementation and use of strong encryption as a necessary means of protecting fundamental rights and the digital security of citizens, governments, industry and society.”

Ray Walsh, a digital privacy expert from ProPrivacy, wrote in response to the Draft Council Resolution: “Providing backdoors into people’s messages creates ongoing access for government agencies to everyone’s private messages, without reducing the ability for criminals to send encrypted messages via other covert means on the dark web.”

The EU Commission’s proposal

Governments across Europe are seeking to build a robust policy response to the scourge of child sexual abuse material (CSAM) online. And EU policymakers have honed in on the usual targets of such legislation: private messaging platforms like Signal, WhatsApp, Snapchat, and Facebook.

It will require messaging platforms to access private data and messages to detect instances of child sexual abuse. The theory is that we will continue to enjoy the privacy and security afforded by encryption while also preventing criminals and abusers from exploiting online platforms, thanks to technical shortcuts.

But this is wishful thinking. The only way for service providers to comply with the EU regulation would be to weaken end-to-end encryption for everyone. You can find the full proposal here.

Laws on encryption backdoors in France

Key takeaways

  • The Internal Security Code forces cryptology service providers to decrypt data if the French government demands that.

  • The Penal Code states that a refusal to decrypt required data may result in imprisonment or fines up €450,000.

The Law on Confidence in the Digital Economy

Before starting to supply cryptography services or export cryptography products and services, a person must inform the Prime Minister. Failure to do so can be punished by up to two years imprisonment and a fine of up to €30,000. The original text of this law is here.

The Internal Security Code

Under certain circumstances, the code obliges the provider's cryptology services to deliver to government agents the means of enabling the decryption of the data encrypted by their services within 72 hours or decrypt the data themselves. The full text is here.

The Penal Code

The code states that refusing to give the judicial authorities the “secret convention for deciphering a means of cryptology” likely to have been used to prepare, facilitate, or commit a crime or misdemeanor is punished by three years imprisonment and a €270,000 fine.

If the refusal to cooperate happens at the time when this information would have made it possible to prevent the commission of a crime or misdemeanor or to limit its effects, the penalty is increased to five years imprisonment and a fine of up to €450,000.

Laws on encryption backdoors in Germany

Key takeaways

  • The government’s idea to implement encryption backdoors faced a huge backlash in 2019.

  • Germany continues fostering strong encryption but enables its intelligence and law enforcement agencies to conduct government hacking, at least on the national level.

Discussions about encryption

In 2019, the German government started exploring the idea of enforcing encryption backdoors in communication platforms. In response, numerous tech companies, organizations, and academics signed an open letter, which criticized these plans, arguing that: “We believe that the proposed reform would abruptly lower the security level of millions of German Internet users, create new entry points for foreign intelligence services and cybercriminals, and massively damage Germany’s international reputation as a leading location for a secure and privacy-driven digital economy.”

In 2020, a regional court in Cologne ordered Tutanota, an end-to-end encrypted email provider, to monitor an account belonging to a user. According to Tutanota, it plans to appeal the ruling, but must abide by the court’s decision, meaning it must develop the monitoring functionality.

Matthias Pfau, the co-founder of Tutanota, said: “This decision shows again why end-to-end encryption is so important. According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox. Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”

Sven Herpig and Julia Schuetze, cybersecurity experts, have summarized the public discourse and policy regarding encryption backdoors: “Public debates in the aftermath of violent events about extending the powers of law enforcement and intelligence agencies in cyberspace are limited to government hacking, not backdoors. From operational, institutional, policy, and legal views, Germany continues to adhere to the encryption policy it adopted in 1999: fostering strong encryption but enabling its intelligence and law enforcement agencies to conduct government hacking, at least on the national level.”

Laws on encryption backdoors in Hong Kong

Key takeaways

  • The National Security Law allows authorities to access people’s personal data. This legislation is a clear threat to encryption.

  • The Personal Data Ordinance aims to protect private data. Yet there have been many exemptions.

The National Security Law

This National Security Law was passed on June 30, 2020 by the Standing Committee of the National People’s Congress. The law aims to resolve the anti-extradition bill protests of 2019. The legislation, among others, established the crimes of secession, subversion, terrorism, and collusion with foreign organizations.

The National Security Law allows authorities to surveil, detain, and search people who are suspected of a crime. It also lets law enforcement require content publishers, hosting services, and ISPs to block, remove, and restrict content that’s deemed in violation of the crimes.

The law gives a straight backdoor to what people do and say online. Many pro-democracy news media portals have been closed since 2020, and many people were arrested.

It is the first and longest-used personal data privacy legislation in Asia. Enacted in 1996, with the purpose “to protect the privacy of individuals in relation to personal data, and to provide for matters incidental thereto or connected therewith.” However, it has a long list of exemptions when authorities can access and share personal data.

Laws on encryption backdoors in Ireland

Key takeaways

  • Officers with a search warrant can require the disclosure of electronic communications. This includes decrypting data that could help a criminal investigation.

  • Garda, the national police in Ireland, wants new laws which would demand the owners of encrypted devices to hand over their passwords or encryption keys.

The Electronic Commerce Act

The legislation came into force in 2000. The act states that law enforcement can require disclosure of private electronic communications in case of a criminal investigation. However, this doesn’t include codes, passwords, algorithms, and private cryptographic keys. You can find the full text of this document here.

The Criminal Justice (Offences Relating to Information Systems) Act

The legislation came into effect in 2017. You can read it here. The act states that a person who possesses data that could help a criminal investigation may be required to provide access to their computer. Failure to comply with such a requirement is a criminal offense, punishable with a class A fine or imprisonment for a term not exceeding 12 months, or both.

Discussions about encryption

In February 2020, Garda Commissioner Drew Harris mentioned a new law that the national police want: “A new law to allow ‘backdoor’ access to personal devices. iPhones, Whatsapp, and online storage should have a ‘back door key’ to allow police to fight serious crime.”

Laws on encryption backdoors in Italy

Key takeaways

  • The Criminal Procedure Code allows law enforcement to demand data decryption if it could help a criminal investigation.

  • The Privacy Code states that internet service providers must comply with law enforcement requests to access the metadata that relates to a person who could be involved in criminal activity.

The Criminal Procedure Code

According to the relevant provisions of the Italian Criminal Procedure Code and Legislative Decree No. 271 of 1989, cloud service providers (CSPs) and agencies for services and payment (ASPs) can be required to provide the metadata relating to customers’ communications within a criminal investigation as follows:

  • Seizure of data in possession of CSPs or ASPs within criminal proceedings. The judicial authority has the power to order the seizure of any information that CSPs possess.

  • Access to customers’ data by LEAs. For the purpose of preventing crimes by criminal associations and international terrorist organizations or crimes committed for terrorism purposes through electronic devices, CSPs or ASPs could be ordered to trace telephony and data communications and to authorize access to data relating to such communications.

The Privacy Code

The code states that service providers must comply with law enforcement requests for users’ activity records, known as metadata, under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorist organizations.”

Despite civil society protests, there was virtually no public or parliamentary debate on the measure, which had been added to unrelated legislation following a European Council directive before passage. The DPA expressed its objection to the bill, citing its incompatibility with EU law and case law.

Laws on encryption backdoors in Mexico

Key takeaways

  • None of the Mexican legal acts require implementation of backdoors to encrypted content. This is indicative of the situation not being too severe in this regard.

  • Mexico has various laws on interception of communications. This is a pretty common practice across the globe.

The National Code for Criminal Procedure

It allows authorities to intercept private communications when such action could help a criminal investigation. Moreover, the law could demand ISPs to grant access to private communications in a timely manner. The law is available here in Spanish.

The Federal Police Law

It enables the Federal Police to request surveillance of private communications when investigating a crime. You can read the law here in Spanish.

The National Security Law

When there’s a threat to national security, this law gives the authorities permission to intercept private communications. The law is available here in Spanish.

The Federal Telecommunications and Broadcasting Law

It obliges telecommunication service providers to maintain a registry and control of communications made through any line, and under any method. In other words, it enables the authorities to collect user data 24/7. The law is available here in Spanish.

Laws on encryption backdoors in the Netherlands

Key takeaways

  • The Constitution protects everyone’s right to privacy of correspondence. Exceptions are possible in criminal cases only.

  • Research assignment-oriented interception (OOG) allows the government to intercept private communication if it poses a threat to national security.

The Constitution of the Kingdom of the Netherlands

The Constitution states that everyone shall have the right to respect for their privacy. The privacy of correspondence shall not be violated except in cases established in law.

The Intelligence and Security Services Act

The act (accessible here in Dutch) was passed in 2017. It allows the authorities to intercept, receive, record, and listen in on any form of communications or data transmission, including decrypting the intercepted data. The authorities may use this power with the prior permission of a relevant minister.

Research assignment-oriented interceptions (OOG)

The General Intelligence and Security Service (AIVD) is a government agency dealing with domestic non-military threats to Dutch national security. One of the AIVD’s powers is research assignment-oriented interceptions (OOG). This means that the agency can intercept certain communications from the airwaves and on Internet cables for further investigation.

The procedure concerns the data of many people, so strict conditions apply before the agency can use OOG interception. It can only be a tool for investigating threats to national security. The government determines which investigations the AIVD conducts.

Laws on encryption backdoors in Oman

Key takeaways

  • Data encryption is restricted in Oman.

Several sources state that all encrypted communication is prohibited in Oman. Individuals can only rely on encrypted communications with explicit permission from governmental institutions.

Laws on encryption backdoors in Pakistan

Key takeaways

  • After the legal notice by the Pakistan Telecommunications Authority came into force, it banned encryption software in the country.

Several sources state that all encrypted communication is prohibited in Oman. Individuals can only rely on encrypted communications with explicit permission from governmental institutions.

The legal notice by the Pakistan Telecommunications Authority

This notice, issued by the Pakistan Telecommunications Authority (PTA), states that the license and access providers shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner that the installed monitoring system is unable to decipher it. It requires internet service providers to report customers using “all such mechanisms including EVPNs (encrypted virtual private networks) that conceal communication to the extent that prohibits monitoring.” According to the notice, anyone using this technology needs to apply for special permission.

Laws on encryption backdoors in Poland

Key takeaways

  • The Surveillance Act could put people’s privacy at risk.

  • The law does not challenge encryption in itself, but gives overly broad powers for the authorities to implement surveillance techniques.

The Surveillance Act

It came into effect on February 7, 2016. The law applies mostly to domestic service providers. However, due to the lack of clarity of the provisions, it is still unclear whether foreign service providers will be caught as well. Main highlights of the act are:

  • The “uniformed” enforcement authorities (e.g. Polish Police, Intelligence Agency, tax intelligence services) will now have increased rights of access to digital data.

  • New rules for handling data containing or likely to contain client-attorney privileged content – investigators will now be able to access all data before the court approves the use of such data in the investigation. This change will make the control exercised by the court an illusion.

  • The issue of encryption is not addressed, so Polish law still allows encryption.

The new surveillance law in Poland will put the right to privacy at risk and with it, other human rights, the realization of which depends on the right to privacy. Unlawful surveillance undermines the right to freedom of expression, potentially leading to self-censorship and limiting the right to seek and impart information of all kinds, regardless of frontiers. The vast scope of data may be “covertly” accessed by the Polish authorities. This new law considerably impairs an individual’s ability to protect their private or confidential information, including legally privileged secrets and intellectual property. You can read the act here.

Laws on encryption backdoors in Portugal

Key takeaways

  • To perform communication interceptions in Portugal, authorization from a judge is always required.

  • Only the police could be authorized to carry such interceptions.

Law No. 9

It came to force on February 19, 2007. The law sets out the legal framework for the Portuguese Information Security System (Sistema de Informações/SIS) and for the Portuguese Services for Strategic Defence (SIED). It does not grant powers of interception, encryption or decryption, direct access to communications, or the possibility of requesting such access being granted by electronic communications service providers.

Law No. 53

Released on August 29, 2008, the law establishes the legal provisions applicable to homeland security in Portugal. This law states that access and control of communications may only be carried out following judicial authorization and performed solely by the police.

Laws on encryption backdoors in Singapore

Key takeaways

  • The Criminal Procedure Code gives law enforcement the right to access encrypted information.

  • This code serves as a tool in solving criminal offense cases.

The Criminal Procedure Code

It allows the Public Prosecutor to authorize a police officer or another authorized person to exercise certain powers to access decryption information. These are:

  • To access any information, code, or technology that has the capability of retransforming or unscrambling encrypted data into a readable and comprehensible format or text for the purposes of investigating the arrestable offense.

  • To require any person whom they reasonably suspect of using a computer in connection with an arrestable offense or of having used it in this way.

  • To require any person whom they reasonably suspect to be in possession of any decryption information to grant them access to such decryption information.

Failure to do so is a criminal offense punishable by up to three years imprisonment and/or a fine of up to 10,000 SGD. You can find a copy of the full code here.

Laws on encryption backdoors in Spain

Key takeaways

  • Spanish authorities can request the decryption of data in specific cases and during criminal court proceedings.

The Spanish Constitution

The Spanish Constitution of 1978 states that the secrecy of communications is guaranteed, including postal, telegraphic, and telephone communications, and they can only be infringed upon by judicial resolution. Spain has no legal acts or policies that pursue encryption backdoors.

The Criminal Procedure Law

The Criminal Procedure Law states that the providers of telecommunications services must provide the judge and other relevant authorities with the necessary assistance to facilitate compliance with the telecommunications intervention orders. That means that the authorities can request the decryption of data in particular cases and during criminal court proceedings when the judge has found substantial proof to enforce this duty. The law is available here in Spanish.

Laws on encryption backdoors in Sweden

Key takeaways

  • Swedish law does not require companies to decrypt communications.

  • Any searches or seizures require a prior proportionality test, which weighs the reasons for the measure against the right to privacy.

The Secret Data Reading Act

The act came into force on April 1, 2020. It allows authorities to install spyware on the devices of suspects of a crime. CPO Magazine, a website that covers data privacy and cybersecurity issues, commented: “The new expanded powers have attracted the attention of privacy advocates and human rights activists. They are concerned that Swedish law enforcement agencies will overstep their boundaries and eventually usher in a modern surveillance state in which anyone – even someone not suspected of a crime – might be the subject of digital surveillance.”

The Digital Freedom and Rights Association, an organization that promotes human rights online, was critical of this law: “If someone finds a new vulnerability, this person has a choice. ... This gives the police the possibility to buy unknown vulnerabilities to hack into computers and smartphones. It is actually more profitable not to report them and sell them instead.” In case you would like to read the full text, the law is available here in Swedish.

Laws on encryption backdoors in Taiwan

Key takeaways

  • The Surveillance Act obliges telecommunication companies to assist the government when it needs to decrypt specific information.

  • Telecommunications operators also have to assist law enforcement agencies in setting up and maintaining systems used for surveillance purposes.

The Communications Security and Surveillance Act

It does not specifically address government access to encrypted communications. The legal obligations of telecommunications companies in assisting government surveillance may include enabling the decryption of encrypted communications.

Under Taiwanese law, an interception warrant generally needs to be sought by a prosecutor upon request by the judicial police authorities and issued by a court before interception can commence. The intelligence agency, however, does not appear to need a warrant from the court when intercepting the communications of foreign governments or cross-border terrorist organizations for national security purposes.

Moreover, telecommunications operators are required by the Surveillance Act to assist law enforcement agencies in setting up and maintaining systems used for surveillance purposes. A failure to fulfill the obligations of assisting surveillance is punishable by a fine of 500,000– 2,500,000 TWD (about $15,500–$77,000), an additional accumulative daily fine, and revocation of licenses. The full text of the Surveillance act is available here.

Laws on encryption backdoors in the United Kingdom

Key takeaways

  • The Investigatory Powers Bill allows the government to order a company to tamper with the security features in their products. The authorities can also prohibit the company from telling the public about the tampering.

  • The Online Safety Bill could pave the way for banning end-to-end encryption.

The Investigatory Powers Bill (IPB)

Also known as the Snooper’s Charter, the act came into force in 2016. It laid out and expanded the electronic surveillance powers of the UK government.

Alec Muffett, a technical advisor and board member for the Open Rights Group, said that the government “will lose the battle because they will never force the global open-source community to comply. <...> It would be an ugly battle, and (win or lose) it would be self-defeating. People would flee a less secure, less competitive Facebook and move to other platforms – ones with less cordial government relationships, or with no corporate presence at all.”

The Online Safety Bill

The draft of the Online Safety Bill became available on May 12, 2021. The bill aims to make the UK the safest place in the world to be online while also defending free expression.

Internet Society, a nonprofit organization, says: “Encryption technology keeps you safe: it secures your transactions, preserves your confidentiality, and in a world of connected objects, it protects your physical safety. Weakening, bypassing, or removing encryption puts everyone, including children, at greater risk: it exposes their communications to third parties, and it deprives children of secure lifelines to help and advise.”

However, Michelle Donelan, Secretary of State for Digital, Culture, Media and Sport, when commenting on the bill in October, 2022, said: “We want it in law as soon as possible to protect children when they’re accessing content online.”

Laws on encryption backdoors in the United States of America

Key takeaways

  • The EARN IT act aims to fight the spread of child sexual abuse material online. Yet it threatens the safety of millions who rely on strong encryption every day.

  • The LAED act is an explicit attack on encryption. It could weaken the lawful use of encryption in communication services.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT)

The bill was introduced on March 5, 2020. It seeks to set best practices to detect and report child sexual exploitation materials. Although the act has good intentions, it has received a lot of criticism.

The ACLU's senior legislative counsel Kate Ruane said: “The EARN IT Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day. Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor.”

Matthew Green, a cryptographer and professor at Johns Hopkins University, called the bill a direct attack on end-to-end encryption. He wrote: “This bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations.”

The Lawful Access to Encrypted Data (LAED) Act

The act was introduced on June 23, 2020. It aims to provide police and security agencies with the ability to quickly access information on a suspect’s encrypted device.

Richie Koch from ProtonMail said: “LAED targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to. <...> This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement.”

Privacy Shield 2.0

President Biden signed an Executive Order to implement Privacy Shield 2.0. The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens.

Similar reports

Cyber Risk Index

To determine which factor put internet users at a greater cyber risk on a country level, we collected and analyzed data from 50 countries.

National Privacy Test

Thousands of internet users tested their cybersecurity-savvy. Find country rankings by score and average scores in different demographics and categories.

Device sharing and privacy

We analyzed how people share their personal devices and what measures they take to protect themselves and their family online.