Encryption backdoors: Is digital privacy taking a step backwards?

To understand why encryption backdoors are a privacy risk, you should be familiar with what encryption is. Encryption is a method for protecting digital information by scrambling or ciphering it so it can’t be accessed, changed, or compromised. Encrypted information can only be read by an authorized party who has a decryption key. Most modern algorithms use 256-bit-length keys, making encrypted data virtually uncrackable for cybercriminals. Communication service providers use this method to secure their user’s private data, such as login and banking credentials and digital communications.

A backdoor is a method for bypassing the required authorization and accessing secured data. An encryption backdoor uses an entry point into the encryption mechanism, or a weakness, put in place on purpose by the service provider to allow access to the information that would otherwise be protected from all entities. But this raises a question — why weaken a security mechanism in the first place?

Governments and lawmakers base their proposals for encryption backdoors on the argument that criminals use encrypted communication services, like email and messaging platforms, for unlawful activities. Creating a backdoor would enable the monitoring of communications and, possibly, the detection and prevention of criminal wrongdoing.

However, this is a one-legged argument because if lawmakers can use a backdoor, it means that cybercriminals can use it too. No one can guarantee that hackers will never get their hands on these encryption weaknesses. Backdoors would compromise the main goal of encrypted services — their security, let alone breach the privacy of their users. But let’s look at a real-life example to get a clearer picture.

The recent developments on the EU’s legal front reflect the tendency for lawmakers to push for unrestricted access to encrypted digital communications. In July 2021, the European Parliament passed a regulation, Chat Control 1.0, that allows digital companies to detect and report child sexual abuse on their platforms without fear of violating Europe’s privacy laws. In other words, this bill allows communication services to scan their users’ private communications for explicit material with the aim of curbing child abuse.

In May 2022, the European Commission presented a proposal, known as Chat Control 2.0, that takes Chat Control 1.0 even further. This regulation would make it mandatory for communication service providers to search their users’ private chats, messages, and emails, including encrypted ones, for suspicious content. In essence, this means mandatory mass surveillance using fully automated real-time surveillance technology (artificial intelligence). Suspicious messages flagged by AI would be reported to law enforcement and investigated. The bill was stalled due to fears that it undermines EU’s privacy laws and possibly opens the door for companies to monitor other private communications.

But what would it mean to you, as a user of communication services? Chat Control 2.0 would mandate companies to comb through your private encrypted communications in search of triggers, such as phrases, images, and videos associated with child abuse. Imagine your spouse sending you photos of your child. You look at the photos and text back something perfectly innocent, unaware that AI has just flagged your conversation as suspicious and transferred the images of your child to a special database.

Privacy supporters oppose this large-scale monitoring of communications, including end-to-end encrypted content, saying it’s a breach of privacy. Let’s take the example of Chat Control 2.0:

• Mass monitoring can only be carried out by means of automated technologies, namely AI. Without sufficient context and explicit calibration, AI produces a staggering number of false positives. Photos and videos of children and teenagers, falsely flagged as possible targets of child abuse, will end up in databases where they don’t belong. Innocent people, including minors, might wrongly fall under suspicion because of a phrase or image out of context that triggers the control system.
• The overwhelming majority of people who use email and messaging services aren’t criminals, but their communications will still be scanned for triggers.
• Flagged content will have to be reviewed and investigated by law enforcement officers. A huge number of personal photos, videos, and messages, including those shared among minors, will be reviewed and analyzed by multiple people.

Any type of abuse of children is a serious crime that requires clear, efficient, and concerted action to fight it, concentrating on the root causes and social policies. Scanning millions of messages, most of which have nothing to do with the problem, seems ineffective and raises privacy concerns. Even if the scanning were consensual, the implementation has flaws and is unlikely to produce the desired result of fighting child abuse, namely because:

• Criminal investigators would be flooded with thousands, if not millions, of automated reports, most of which would be criminally irrelevant.
• Criminals who generate abusive content don’t usually share it via commercial email, messenger, or chat services. They typically distribute the content through self-run secret forums and other services that do not fall under the scope of the proposed regulation. Abusers also find ways to bypass control systems by using code words and phrases that do not trigger control systems.
• Scanning private messages and chats does not contain the spread of abusive content. For example, Facebook has been using automated tools to scan Messenger chats for malware links and child abuse images for years, but the number of automated reports has not dropped.
• Chat Control 2.0 does not provide a framework for implementing the monitoring, storage, and reporting of harmful content, leaving it up to companies. This means the content we are trying to stop from being distributed will be widely seen and shared by companies, law enforcement officers, and possibly other stakeholders without specific guidelines on how it should be done.

In 1948, the United Nations declared privacy a human right in its Universal Declaration of Human Rights, Article 12. Most people who use encryption services are law-abiding citizens who have a right to privacy and security as well as the use of the relevant tools. Backdoors violate these rights. If you provide a backdoor to encrypted communication once, pretty soon, no encryption service will be truly private.

Without end-to-end encryption, independent journalists, whistleblowers, and dissidents would not be able to communicate online without facing the risk of arrest. Lots of NGOs working in repressive countries also rely on encrypted communication. Human rights activists, doctors, and lawyers would not be able to confidentially communicate with their clients online or protect them without encrypted services.

The words “privacy” and “anonymity” are often used interchangeably even though they mean different things. This is confusing, especially when discussing encryption services.

Anonymity implies hiding your identity. In the digital world, this could mean creating a fake profile and spreading information without disclosing your true identity. Anonymity plays a major role in whistleblowing movements and the fight for human rights and freedom of speech under restrictive regimes, but it can also become a threat in the hands of criminals. However, it is practically impossible to achieve full anonymity online.

Privacy, on the other hand, is never about hiding something — it’s about what you’re willing to share. It means keeping certain information, like personal chats, images, and videos, to yourself and having control over who can access it. Encryption services provide the privacy that we all need in our digital lives. At NordVPN, we advocate for online privacy and keeping in line with the law.

At NordVPN, we support the right of every internet user to have a private and secure digital life.

NordVPN offers an encrypted VPN service that adds to your online privacy and security. It encrypts all of your online traffic by means of sophisticated algorithms and hides your virtual location by routing your traffic through remote servers, allowing you to browse with increased safety and privacy.