Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Mandatory Encryption Backdoors Would Be Ineffective: Study

The introduction of legislation that requires vendors to place backdoors in encryption products would be futile due to the global nature of the encryption marketplace, a new study shows.

The introduction of legislation that requires vendors to place backdoors in encryption products would be futile due to the global nature of the encryption marketplace, a new study shows.

In 1999, researchers conducted a global study of more than 800 hardware and software encryption products from 35 countries outside the United States to demonstrate that encryption export controls did not have the desired effect.

Now, with governments demanding backdoors in encryption products to allow them to solve crimes and fight terrorism, cryptography expert Bruce Schneier and researchers Kathleen Seidel and Saranya Vijayakumar replicated the study to determine if such policy would be as efficient as authorities believe it to be.

The researchers identified 865 hardware and software encryption products from 55 different countries, including 546 from outside the United States. Of the non-US products, 47 are for encrypting files, 68 for email, 104 for messages, 35 for voice, and 61 for private networking.

While big players like the US, Germany, the UK, Canada and France account for two-thirds of the total number, small countries like Algeria, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, Saint Kitts and Nevis, Thailand, and Tanzania all have at least one product.

Of the total number of non-US products, 44 percent are available for free and 34 percent are open source.

The study found that while both domestic and foreign encryption products use strong algorithms, including proprietary ones, some solutions have been described as “jurisdictionally agile,” meaning their source code and services are stored in multiple jurisdictions and the organizations behind them can easily move to countries with more favorable legislation.

The study concluded that the international nature of the encryption marketplace would make mandatory backdoors ineffective.

“Yes, it will catch criminals who are too stupid to realize that their security products have been backdoored or too lazy to switch to an alternative, but those criminals are likely to make all sorts of other mistakes in their security and be catchable anyway,” researchers said. “The smart criminals that any mandatory backdoors are supposed to catch—terrorists, organized crime, and so on—will easily be able to evade those backdoors. Even if a criminal has to use, for example, a US encryption product for communicating with the world at large, it is easy for him to also use a non-US non-backdoored encryption product for communicating with his compatriots.”

The authors of the study have pointed out that they likely haven’t catalogued every encryption product that is available to the public. The list of products will be expanded as the research continues.

While authorities in countries like the United States and the United Kingdom believe encryption backdoors would be beneficial for law enforcement investigations and national security, experts have argued that a backdoor that can be used by governments can also be exploited by criminals and terrorists. The Dutch and French governments agree with experts and have voiced their opposition to encryption backdoors.

In January, UK Home Secretary Theresa May told a joint committee tasked with analyzing the Draft Investigatory Powers Bill that the government doesn’t want backdoors in encryption, but it does want companies to provide authorities unencrypted data when presented with a warrant. These contradictory statements are in line with the conclusions reached by the Parliament’s Intelligence and Security Committee earlier this week, which said the bill is “inconsistent.”

A report published on Thursday by the joint committee also rejected the idea of encryption backdoors.

Related: Charting a Middle Path on the Encryption Debate

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

CommandK announced that it has raised $3 million in a seed funding round for a solution designed to help organizations secure sensitive data.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...