An overview of legal acts, bills, and initiatives that threaten encryption.
An encryption backdoor is a way to bypass authentication and access encrypted data in specific services. In other words, it is a weakness that the service provider intentionally creates to allow easy access to protected information.
Encryption backdoors are quite similar to vulnerabilities. Theoretically, they both provide an uncommon way to enter a system. However, the difference is that backdoors are there on purpose, whereas vulnerabilities are unintentional.
Encryption is a method of securing information. It turns readable text into ciphertext that can only be read again with the matching decryption key. Think of Morse code – without understanding the system, it’s just a set of random clicks and taps.
Encryption provides the highest quality of protection. Modern algorithms use 256-bit keys, which leaves far too many possible keys to try them all, so they are virtually uncrackable, even by supercomputers.
Protecting data this way has become instrumental in everyday digital communication. Apps and services handle a lot of sensitive user data like passwords, banking credentials, and private communications. These services widely use encryption to protect user data from falling into the wrong hands.
A number of democratic governments claim that encryption interferes with effective law enforcement. According to them, criminals use encryption to make digital evidence unreachable to authorities and protect themselves from criminal persecution. This is why governments suggest creating secure backdoors so authorities could bypass encryption when there’s a legal reason to do so.
Yes, the need for effective law enforcement is understandable. But there is no such thing as a secure backdoor. Encryption backdoor mandates would force service providers to weaken their own encryption algorithms and to build deliberate vulnerabilities for law enforcement to use.
Unfortunately, once a vulnerability is put in place, everyone can use it. That means cybercriminals too. They could use the backdoor to spy on unsuspecting targets and steal sensitive information. The practical effect of encryption backdoors would mean the end of unbreakable encryption.
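The two points above (encryption with a 256-bit key, and a backdoor that anyone holding it can use) can be shown concretely. The following Go program is an added example, not code from the original article: it encrypts each message with AES-256-GCM under a per-message key, wraps that key for the recipient, and optionally also wraps it under a single provider-held "escrow" key, which is the simplest form of lawful-access backdoor. The types and functions (`Message`, `Send`, `Read`, `ReadViaEscrow`) and the sample message are constructed for this illustration. A wrong key fails authentication, but whoever holds the one escrow key reads every escrowed message, exactly as whoever steals or leaks it would.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM instance; a 32-byte key selects AES-256.
// Key sizes are fixed by NewKey, so a failure here is a programming error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// NewKey returns a fresh random 256-bit key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // only if the OS entropy source is unavailable
	}
	return k
}

// seal encrypts and authenticates plaintext under key; the random nonce is prepended.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal. A wrong key fails authentication rather than yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Message is what a service would store for one encrypted message (constructed type).
type Message struct {
	Content     []byte // plaintext sealed under a per-message key
	WrappedKey  []byte // the per-message key sealed under the recipient's key
	EscrowedKey []byte // the backdoor: same key sealed under an escrow key; nil if none
}

// Send encrypts plaintext for the holder of recipientKey. With a nil
// escrowKey there is no backdoor and only the recipient can ever read it.
func Send(recipientKey, escrowKey, plaintext []byte) Message {
	msgKey := NewKey()
	m := Message{Content: seal(msgKey, plaintext), WrappedKey: seal(recipientKey, msgKey)}
	if escrowKey != nil {
		m.EscrowedKey = seal(escrowKey, msgKey)
	}
	return m
}

// readWith unwraps the per-message key from one sealed copy, then decrypts.
func readWith(key, wrappedKey []byte, m Message) ([]byte, error) {
	msgKey, err := open(key, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(msgKey, m.Content)
}

// Read is the intended path: the recipient decrypts with their own key.
func Read(recipientKey []byte, m Message) ([]byte, error) {
	return readWith(recipientKey, m.WrappedKey, m)
}

// ReadViaEscrow needs only the escrow key: the lawful-access path, and equally
// the path for anyone who obtains that one key, for every message ever escrowed.
func ReadViaEscrow(escrowKey []byte, m Message) ([]byte, error) {
	return readWith(escrowKey, m.EscrowedKey, m)
}

func main() {
	alice, escrow, thief := NewKey(), NewKey(), NewKey()
	m := Send(alice, escrow, []byte("constructed sample message"))
	pt, _ := Read(alice, m)
	fmt.Printf("recipient reads:     %q\n", pt)
	pt, _ = ReadViaEscrow(escrow, m)
	fmt.Printf("escrow holder reads: %q\n", pt)
	_, err := ReadViaEscrow(thief, m)
	fmt.Println("wrong escrow key:   ", err)
}
```

The design choice to note is that the message content is never weakened: AES-256-GCM stays intact, and the backdoor is purely the extra wrapped copy of the key. That is why a backdoor cannot be "secure": its safety rests entirely on one long-lived secret that must be shared with every party entitled to use it and that unlocks every message at once, whereas dropping the `EscrowedKey` field restores a system in which only the recipient can ever decrypt.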
Different countries have different laws, obviously. While some governments take a fairly liberal attitude toward data encryption regulations, others remain high-handed. To better understand these contrasts, we’ve prepared an overview of encryption laws and regulations across the globe.
Laws on encryption in:
The law was adopted on December 9, 2018. It aimed to provide police with more freedom to investigate criminals who use encrypted communications software.
The Australian Senate passed the bill on August 25, 2021. The bill grants law enforcement agencies the power to disrupt data by modifying, copying, or deleting it. This would help in stopping serious offenses online.
The law was passed in 1998. It allows intelligence and security authorities to intercept and record communications with prior authorization from an independent commission. Furthermore, if an electronic communications network is necessary for interception, the head of the intelligence or security authorities can send a request for technical assistance to a network operator or provider. Failure to comply with such a request is considered a criminal offense and is punishable by a fine of up to €20,000. You can read the full document here in French.
The law was passed in 2005. It allows the king to adopt administrative and technical measures requiring communications operators to identify end users and their location, listen to their communications, and record them. Under the royal Order of October 12, 2010, these measures include being able to transmit the content of a call when the operator has used encryption. To comply, operators and service providers need to be able to decrypt any encryption they use. The full document is available here in French.
The Constitution was passed in 1988 and is Brazil’s supreme law. Article 5 of the Constitution guarantees that “secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of a criminal investigation or the fact-finding phase of a criminal prosecution.”
The law was passed in 2018. It’s a comprehensive data privacy law that aims to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”
Lexology, a comprehensive source of international legal updates and analysis, writes: “However no explicit right to encryption exists in Brazil, although its constitution guarantees the secrecy of correspondence and telegraphic, data, and telephonic communications.”
The Carnegie Endowment for International Peace, a think tank, writes: “The encryption debate in Brazil focuses on balancing the needs of law enforcement and the promotion of secure encryption systems. One of the main issues is the use of end-to-end encryption by communications applications (apps). Some companies have adopted technological architecture that inhibits the government’s ability to obtain access to communications data that could be of use to officials investigating and prosecuting criminal activities.”
The Charter was signed in 1982. It protects the right to “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication.” It also states that “everyone has the right to be secure against unreasonable search or seizure.”
The law took effect in 2020. It recognizes three different types of cryptography: core, common, and commercial. Core and common cryptography are used to protect the state secrets of the Chinese government, while commercial cryptography is used to protect the information of citizens and businesses. More importantly, the new law also states that it welcomes foreign providers of cryptography services. But is that really the case?
While this might look like an appealing opportunity for encryption businesses, there are certain limits. According to the Chinese authorities, the commercial use of encryption cannot harm the state or public security. Furthermore, encryption technologies must be handed over to the government for certification.
It states that ISPs have to ensure that their equipment or systems are set up in such a way that the police are able to access information about telecommunications traffic and intervene in the “secrecy of communications.” This can be done in criminal cases. You can read the law in Danish here.
It prevents telecom operators and service providers from using encryption equipment without specific clearance from governmental agencies and requires them to provide all technical assistance. This includes software that enables governmental agencies to exercise their powers within the law. You can read the full text of this law here.
The draft was introduced on November 24, 2020 and adopted on December 14, 2020. In this resolution, “the Council underlines its support for the development, implementation and use of strong encryption as a necessary means of protecting fundamental rights and the digital security of citizens, governments, industry and society.”
Governments across Europe are seeking to build a robust policy response to the scourge of child sexual abuse material (CSAM) online. And EU policymakers have homed in on the usual targets of such legislation: private messaging platforms like Signal, WhatsApp, Snapchat, and Facebook.
Before starting to supply cryptography services or export cryptography products and services, a person must inform the Prime Minister. Failure to do so can be punished by up to two years imprisonment and a fine of up to €30,000. The original text of this law is here.
Under certain circumstances, the code obliges providers of cryptology services either to hand over to government agents, within 72 hours, the means of decrypting data encrypted by their services, or to decrypt the data themselves. The full text is here.
The code states that refusing to give the judicial authorities the “secret convention for deciphering a means of cryptology” likely to have been used to prepare, facilitate, or commit a crime or misdemeanor is punished by three years imprisonment and a €270,000 fine.
If the refusal to cooperate happens at the time when this information would have made it possible to prevent the commission of a crime or misdemeanor or to limit its effects, the penalty is increased to five years imprisonment and a fine of up to €450,000.
In 2019, the German government started exploring the idea of enforcing encryption backdoors in communication platforms. In response, numerous tech companies, organizations, and academics signed an open letter, which criticized these plans, arguing that: “We believe that the proposed reform would abruptly lower the security level of millions of German Internet users, create new entry points for foreign intelligence services and cybercriminals, and massively damage Germany’s international reputation as a leading location for a secure and privacy-driven digital economy.”
In 2020, a regional court in Cologne ordered Tutanota, an end-to-end encrypted email provider, to monitor an account belonging to a user. According to Tutanota, it plans to appeal the ruling, but must abide by the court’s decision, meaning it must develop the monitoring functionality.
Matthias Pfau, the co-founder of Tutanota, said: “This decision shows again why end-to-end encryption is so important. According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox. Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”
Sven Herpig and Julia Schuetze, cybersecurity experts, have summarized the public discourse and policy regarding encryption backdoors: “Public debates in the aftermath of violent events about extending the powers of law enforcement and intelligence agencies in cyberspace are limited to government hacking, not backdoors. From operational, institutional, policy, and legal views, Germany continues to adhere to the encryption policy it adopted in 1999: fostering strong encryption but enabling its intelligence and law enforcement agencies to conduct government hacking, at least on the national level.”
This National Security Law was passed on June 30, 2020 by the Standing Committee of the National People’s Congress. The law aims to resolve the anti-extradition bill protests of 2019. The legislation, among others, established the crimes of secession, subversion, terrorism, and collusion with foreign organizations.
The National Security Law allows authorities to surveil, detain, and search people who are suspected of a crime. It also lets law enforcement require content publishers, hosting services, and ISPs to block, remove, and restrict content that’s deemed in violation of the crimes.
The law effectively gives the authorities a backdoor into what people do and say online. Many pro-democracy news media portals have been closed since 2020, and many people have been arrested.
It is the first and longest-standing personal data privacy legislation in Asia. It was enacted in 1996 with the purpose “to protect the privacy of individuals in relation to personal data, and to provide for matters incidental thereto or connected therewith.” However, it has a long list of exemptions under which authorities can access and share personal data.
The legislation came into force in 2000. The act states that law enforcement can require disclosure of private electronic communications in case of a criminal investigation. However, this doesn’t include codes, passwords, algorithms, and private cryptographic keys. You can find the full text of this document here.
The legislation came into effect in 2017. You can read it here. The act states that a person who possesses data that could help a criminal investigation may be required to provide access to their computer. Failure to comply with such a requirement is a criminal offense, punishable with a class A fine or imprisonment for a term not exceeding 12 months, or both.
In February 2020, Garda Commissioner Drew Harris mentioned a new law that the national police want: “A new law to allow ‘backdoor’ access to personal devices. iPhones, Whatsapp, and online storage should have a ‘back door key’ to allow police to fight serious crime.”
According to the relevant provisions of the Italian Criminal Procedure Code and Legislative Decree No. 271 of 1989, cloud service providers (CSPs) and agencies for services and payment (ASPs) can be required to provide the metadata relating to customers’ communications within a criminal investigation as follows:
The code states that service providers must comply with law enforcement requests for users’ activity records, known as metadata, under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorist organizations.”
Despite civil society protests, there was virtually no public or parliamentary debate on the measure, which had been added to unrelated legislation following a European Council directive before passage. The DPA expressed its objection to the bill, citing its incompatibility with EU law and case law.
It allows authorities to intercept private communications when such action could help a criminal investigation. Moreover, the law allows authorities to require ISPs to grant access to private communications in a timely manner. The law is available here in Spanish.
It enables the Federal Police to request surveillance of private communications when investigating a crime. You can read the law here in Spanish.
When there’s a threat to national security, this law gives the authorities permission to intercept private communications. The law is available here in Spanish.
It obliges telecommunication service providers to maintain a registry and control of communications made through any line, and under any method. In other words, it enables the authorities to collect user data 24/7. The law is available here in Spanish.
The Constitution states that everyone shall have the right to respect for their privacy. The privacy of correspondence shall not be violated except in cases established in law.
The act (accessible here in Dutch) was passed in 2017. It allows the authorities to intercept, receive, record, and listen in on any form of communications or data transmission, including decrypting the intercepted data. The authorities may use this power with the prior permission of a relevant minister.
The General Intelligence and Security Service (AIVD) is a government agency dealing with domestic non-military threats to Dutch national security. One of the AIVD’s powers is research assignment-oriented interceptions (OOG). This means that the agency can intercept certain communications from the airwaves and on Internet cables for further investigation.
The procedure concerns the data of many people, so strict conditions apply before the agency can use OOG interception. It can only be a tool for investigating threats to national security. The government determines which investigations the AIVD conducts.
Several sources state that all encrypted communication is prohibited in Oman. Individuals can only rely on encrypted communications with explicit permission from governmental institutions.
This notice, issued by the Pakistan Telecommunications Authority (PTA), states that license and access providers shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner that the installed monitoring system cannot decipher. It requires internet service providers to report customers using “all such mechanisms including EVPNs (encrypted virtual private networks) that conceal communication to the extent that prohibits monitoring.” According to the notice, anyone using this technology needs to apply for special permission.
It came into force on February 19, 2007. The law sets out the legal framework for the Portuguese Information Security System (Sistema de Informações/SIS) and for the Portuguese Services for Strategic Defence (SIED). It does not grant powers of interception, encryption or decryption, direct access to communications, or the possibility of requesting that such access be granted by electronic communications service providers.
Released on August 29, 2008, the law establishes the legal provisions applicable to homeland security in Portugal. This law states that access and control of communications may only be carried out following judicial authorization and performed solely by the police.
The act came into force on April 1, 2020. It allows authorities to install spyware on the devices of suspects of a crime. CPO Magazine, a website that covers data privacy and cybersecurity issues, commented: “The new expanded powers have attracted the attention of privacy advocates and human rights activists. They are concerned that Swedish law enforcement agencies will overstep their boundaries and eventually usher in a modern surveillance state in which anyone – even someone not suspected of a crime – might be the subject of digital surveillance.”
The Digital Freedom and Rights Association, an organization that promotes human rights online, was critical of this law: “If someone finds a new vulnerability, this person has a choice. … This gives the police the possibility to buy unknown vulnerabilities to hack into computers and smartphones. It is actually more profitable not to report them and sell them instead.” In case you would like to read the full text, the law is available here in Swedish.
It does not specifically address government access to encrypted communications. The legal obligations of telecommunications companies in assisting government surveillance may include enabling the decryption of encrypted communications.
Under Taiwanese law, an interception warrant generally needs to be sought by a prosecutor upon request by the judicial police authorities and issued by a court before interception can commence. The intelligence agency, however, does not appear to need a warrant from the court when intercepting the communications of foreign governments or cross-border terrorist organizations for national security purposes.
Moreover, telecommunications operators are required by the Surveillance Act to assist law enforcement agencies in setting up and maintaining systems used for surveillance purposes. A failure to fulfill the obligations of assisting surveillance is punishable by a fine of 500,000–2,500,000 TWD (about $15,500–$77,000), an additional accumulating daily fine, and revocation of licenses. The full text of the Surveillance Act is available here.
Also known as the Snooper’s Charter, the act came into force in 2016. It laid out and expanded the electronic surveillance powers of the UK government.
Alec Muffett, a technical advisor and board member for the Open Rights Group, said that the government “will lose the battle because they will never force the global open-source community to comply. <...> It would be an ugly battle, and (win or lose) it would be self-defeating. People would flee a less secure, less competitive Facebook and move to other platforms – ones with less cordial government relationships, or with no corporate presence at all.”
The draft of the Online Safety Bill became available on May 12, 2021. The bill aims to make the UK the safest place in the world to be online while also defending free expression.
Internet Society, a nonprofit organization, says: “Encryption technology keeps you safe: it secures your transactions, preserves your confidentiality, and in a world of connected objects, it protects your physical safety. Weakening, bypassing, or removing encryption puts everyone, including children, at greater risk: it exposes their communications to third parties, and it deprives children of secure lifelines to help and advise.”
However, Michelle Donelan, Secretary of State for Digital, Culture, Media and Sport, when commenting on the bill in October 2022, said: “We want it in law as soon as possible to protect children when they’re accessing content online.”
The bill was introduced on March 5, 2020. It seeks to set best practices to detect and report child sexual exploitation materials. Although the act has good intentions, it has received a lot of criticism.
The ACLU’s senior legislative counsel Kate Ruane said: “The EARN IT Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day. Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor.”
Matthew Green, a cryptographer and professor at Johns Hopkins University, called the bill a direct attack on end-to-end encryption. He wrote: “This bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.”
The act was introduced on June 23, 2020. It aims to provide police and security agencies with the ability to quickly access information on a suspect’s encrypted device.
Richie Koch from ProtonMail said: “LAED targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to. <...> This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement.”
President Biden signed an Executive Order to implement Privacy Shield 2.0. The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens.