What is an encryption backdoor and why is it dangerous?
Encryption keeps your data private, but backdoors weaken that protection. Whether through investigations or legal mandates, governments push for encryption backdoors to break into private communications. Unfortunately, there is no such thing as a backdoor that only lets the good guys in.

What are encryption backdoors?
An encryption backdoor is a deliberately built-in way to bypass encryption. It describes a system that provides special access to encrypted data for approved parties. Essentially, it gives law enforcement a master key to encrypted messages. Governments often frame this as "lawful access" because it's designed to let authorities decrypt data when needed.
Typically, online data is encrypted using TLS, which handles encryption of data in transit. Once the data arrives at the service provider — like Google, Dropbox, or Facebook — it is decrypted and then re-encrypted on the provider's servers using encryption keys the provider controls. This means the provider can access your data, so an encryption backdoor isn't necessary, as governments can compel the provider to hand it over.
In end-to-end encryption, data is encrypted on the sender's device and isn't decrypted until it reaches the recipient's device. The service provider — like Proton or Signal — never has access to the encryption keys, so it can't decrypt anything, even under legal order. That's where law enforcement and policymakers push for encryption backdoors.
Encryption backdoors vs. backdoor attacks
It’s important to distinguish encryption backdoors from backdoor attacks. An encryption backdoor is a feature intentionally built into a system for access under certain conditions — when required by law enforcement, for example — and that applies to all users. A backdoor attack, on the other hand, like the one orchestrated by Salt Typhoon, is a hidden vulnerability introduced by hackers that they use to gain access without detection.
If attackers discover an encryption backdoor, they can exploit it in the same way they’d use a planted backdoor. The difference is that the encryption backdoor was already there by design.
How does an encryption backdoor work?
Encryption works like a lock on your hotel room: In standard encryption like TLS, you hold the key — but the hotel manager (the service provider) keeps a spare and can open the door if the police ask.
With end-to-end encryption, on the other hand, only you have the key, so no one else can enter. An encryption backdoor is when a legal entity (like law enforcement) asks the manager to create a master key that opens every door. Once such a key exists, everyone, including foreign governments and hackers, could try to steal it.
Types of encryption backdoors
Depending on the design, an encryption backdoor can take different forms.
In a key escrow system, the encryption keys are stored by a third party, like a government. If law enforcement gets a warrant, they can retrieve the key.
In client-side scanning, your own device searches your files and messages before they’re encrypted and reports flagged content. It’s like the hotel manager inspecting everything you bring into your room and taking notes, even if the door stays locked.
An encryption backdoor example
In the 1990s, the US government introduced the Clipper Chip, a chipset to secure landline communications. Each chipset came with its own cryptographic key, but a copy of that key was placed in a government database using key escrow. The idea was that if a government agency obtained the legal authority to intercept certain communications from a device with a Clipper Chip installed, it could request the key and use it to decrypt the conversation.
Security experts warned that storing keys in escrow created a single central point of failure, and privacy advocates objected to the idea of universal government access to private conversations. In response, developers released strong public encryption tools like PGP, PGPfone, and Nautilus. Within just three years, the Clipper Chip was abandoned.
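The single point of failure described above, as an added sketch (not code from the original page, and not how the Clipper Chip was implemented): each device gets its own key and an escrow database keeps a copy, modelled with a toy SHA-256 cipher built only for this illustration. All function names and device ids are hypothetical.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream: a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt and authenticate under one device's unit key (toy scheme)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def provision(device_ids, escrow_db):
    """Give every device its own unit key and file a copy in the escrow database."""
    keys = {d: os.urandom(32) for d in device_ids}
    escrow_db.update(keys)  # the escrowed copies, all in one place
    return keys

def readable_with(known_keys, traffic):
    """Device ids whose stored ciphertext opens under any of the given keys."""
    return sorted(d for d, blob in traffic.items()
                  if any(open_(k, blob) is not None for k in known_keys))

def blast_radius(n_devices=5):
    ids = [f"device-{i}" for i in range(n_devices)]  # constructed sample ids
    escrow_db = {}
    keys = provision(ids, escrow_db)
    traffic = {d: seal(keys[d], f"call from {d}".encode()) for d in ids}
    one_device = readable_with([keys[ids[0]]], traffic)          # one unit key exposed
    whole_db = readable_with(list(escrow_db.values()), traffic)  # escrow copy exposed
    return one_device, whole_db

if __name__ == "__main__":
    print(blast_radius())
```

Exposure of one unit key affects that device only, while exposure of the escrow database affects every device provisioned through it.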
Who wants encryption backdoors and why?
Governments, law enforcement, and intelligence agencies are the strongest advocates for encryption backdoors as a way to expand access to digital communications. Agencies argue that they face a “going dark” problem — even with a court order or warrant, strong encryption can block access to critical evidence they can use to gather intelligence and investigate crimes.
This pressure often translates into legislation — such as the UK’s Investigatory Powers Act and Australia’s Assistance and Access Act, which give authorities powers to demand that companies create new ways to break end-to-end encryption and provide “lawful access” to private data.
Why encryption backdoors are risky for everyone
A master key is a hacker's dream
If there’s one master key that unlocks millions of accounts, attackers will hunt it down.
A compromised encryption backdoor could give bad actors access to your bank account, personal messages, and other sensitive information.
History shows even intelligence agencies can’t keep their master keys safe — for example, the CIA and NSA had hacking tools stolen in 2017.
Weaker security for critical systems
Encryption protects privacy in everyday life — from bank accounts to hospital systems.
Weakening that protection with backdoors endangers businesses and critical infrastructure.
For instance, in 2017, hackers weaponized an NSA exploit to launch a ransomware attack that infected over 300,000 computers in 150 countries.
The UK’s National Health Service (NHS) was crippled, delaying hospital care and risking lives. The exploit existed only because the NSA kept the vulnerability secret rather than disclosing it to be patched.
Backdoors allow mass surveillance
Governments may also misuse encryption backdoors. For example, in 2015, Juniper Networks discovered two backdoors in its ScreenOS firewall, widely used to protect corporate and government systems. One backdoor allowed hidden administrative access, while the other enabled attackers to decrypt virtual private network (VPN) traffic. At least one of these vulnerabilities seemed sophisticated enough to be planted by a nation-state actor.
If democratic governments like the US are willing to spy on citizens without a warrant, authoritarian states like China, Russia, or Saudi Arabia are even more likely to use backdoors to persecute journalists, dissidents, minorities, or anyone the regime targets.
Proton will never break end-to-end encryption
Proton will never weaken encryption with backdoors. We’ve proven this in practice — resisting government pressure in countries like Russia, China, and India. In 2021, we successfully challenged attempts to weaken email privacy in Switzerland.
We built Proton to give people control of their data in a world where governments and corporations keep trying to erode it. And because political landscapes can change anywhere, Proton integrates protection into the technology itself:
End-to-end, zero-access encryption means we can’t read your data, and we can’t hand over to governments or law enforcement what we don’t have.
Our apps are open source and regularly audited, so anyone can check that we’re doing what we promise. We're certified under ISO 27001 and attested under SOC 2 Type II.



