Against backdoors in end-to-end encrypted communications

Apr 17, 2025 5 min read
PDF

Sweden recently proposed a new national regulation to fight crime. A major shortcoming of the proposal is the introduction of backdoors in end-to-end encrypted messaging apps, which caused an uproar especially when Signal’s CEO, Meredith Whittaker, voiced that the app would simply pull back from the country if they were forced to weaken their system.

With Simone Fischer-Hübner (Professor in Cybersecurity at Karlstad University) and Elena Pagnin (Assistant Professor in Cryptography at Chalmers University of Technology), we initiated an open letter signed by 87 researchers at the time of writing (PDF enclosed) arguing why it’s a terrible idea. The letter caught a bit of attention, and eventually led to a popular article in SVD, a major Swedish outlet.

You can find the English version that served as a basis for the Swedish translation of the article below.

Three reason why the Governments’ plan to introduce Backdoors in Secure Messaging Apps is a bad idea

The Swedish government is revising its law on data storage and access to electronic information, which now also proposes the requirement for large scale secure messaging apps providers, such as WhatsApp or Signal, to implant backdoors in their systems. The government hopes that such backdoors could be a valuable means for Swedish law enforcement to fight organised crime. It would allow them to decrypt and hence read conversations between criminals, who currently can “protect” and hide the content of their communication by the secure messaging encryption system.

However, in a joint statement and open letter to the government, signed by 85 Cybersecurity researchers at 15 Swedish universities and research organisations, we express our doubts and concerns regarding this proposal. It only creates an illusion of security: Including backdoors in end-to-end encryption systems will be an ineffective and inappropriate means for fighting crime, because criminals can easily find other means for communicating privately. On the other hand, security risks for industry, society, and individuals’ fundamental rights for privacy will significantly increase.

Implanting a backdoor would weaken the security and privacy of every user: both criminals and civilians alike will be affected.

To clarify the impact: the backdoor affects anybody who is using the app from anywhere in the world if they are chatting with a Swedish phone number. Moreover, once the backdoor exists, anyone could find it and exploit it, including hacker groups. Currently, the Swedish Defence uses the Signal app for secure communication with mobile phones, due to its high security standard. Introducing a backdoor would defeat such security standard, and would compromise secure communication. The Swedish Defence has already raised this concern and warned that this approach will backfire. Recent history shows that introducing backdoors into computer systems enables the exploit of these vulnerabilities by malicious actors as well. For instance, see the 2024 Salt Typhoon hack in the USA. A hacker group, believed to be operated by China’s Ministry of State Security, benefited from a wiretap system installed in major US telecom companies to penetrate the networks of these providers.

The backdoor allows the Swedish Police (or whoever finds the backdoor) to read all communication seamlessly.

This makes it hard, if not impossible, to guarantee transparency and accountability by keeping track of and controlling which conversation are monitored and which are not, and does not follow the current regulation proposed by the new law.

Signal, one of the targeted messaging apps, is an open source project, this means that anyone with enough basic knowledge of computers can download, modify, and run the Signal software.

This could result in people (potentially criminals) creating their own secure, backdoor-free, version of the messaging app, and therefore bypass any government monitor, rendering moot the goal of the proposal. Moreover, criminals can easily use other known tools beyond encryption to achieve “private” communication in a public space. For instance, steganography tools allow hiding a secret message inside a regular file, like an image or audio file, that serves as a cover message, so that no one notices the hidden secret message if the cover message is communicated.

Therefore, consequences of introducing backdoors can be severe, putting security of organisations and privacy of individuals at risk, while potential benefits may be uncertain and questionable. We therefore suggest abandoning this proposal, and to find instead more appropriate means to fight organised crime. Within a reasonable legal framework (as suggested in the regulation proposal), an “on-device access” approach could be a more appropriate way forward that does not require including backdoors that affect the security of every app user. It would therefore not impact any individuals other than the targeted criminals and their direct contacts. However, for significantly reducing the risk of mass surveillance and possible misuses by malevolent actors, this must be a targeted measure strictly following legal procedures and should under no circumstance require or promote (but it should rather disallow) a broad implementation of “on-device access by design".

Asst. Prof. Elena Pagnin – Chalmers University of Technology

Prof. Simone Fischer-Hübner – Karlstad University

Dr. Victor Morel – Chalmers University of Technology

References: