Signal threatens to leave France if encryption backdoor required
Thursday 20 March 2025, 21:17, by ComputerWorld
Signal is standing its ground to protect its app’s security, threatening on Wednesday to leave France if encryption backdoor requirements are enacted, just as it said it would do in Sweden.
“Those hyping this bad law have rushed to assure French politicians that the proposal isn’t breaking encryption. Their arguments are as tedious as they are stale, as they are laughable. For those catching up, let’s review the basics: end to end encryption must only have two ends—sender and recipients. Otherwise, it is backdoored,” wrote Signal CEO Meredith Whittaker in a post on X. “Whatever method is devised to add a third end—from a perverted PRNG in a cryptographic protocol, to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats—it rips a hole in the hull of private communications and is a backdoor.”

The Signal CEO added: “This is why, as always, Signal would exit the French market before it would comply with this law as written. At this moment especially, there is simply too much riding on Signal, on our being able to forge a future in which private communication persists, to allow such pernicious undermining.”

Whittaker shared similar thoughts when government officials in Sweden last month attempted a similar end run around encryption.

Like all legislative bodies, the French legislators are debating various approaches to encryption and it’s not yet clear whether they will end up demanding an encryption backdoor. But even setting aside the French authorities’ ultimate decision, Whittaker’s argument about the cybersecurity disaster that will result from undermining encryption is valid.

“Communications don’t stay within jurisdictional boundaries, which means a hole created in France becomes a vector for anyone wanting to undermine Signal’s robust privacy guarantees anywhere,” Whittaker wrote. “Instead of contending with unbreakable math, they only have to compromise a French government employee, or the vendor-provided software used to sideload government operatives into your private chats.”

This encryption backdoor argument is also hitting many other governments globally. Apple, for example, is currently appealing an encryption backdoor demand from the UK, and the United States is chiding those same UK officials for even trying to demand an encryption backdoor.

The underlying issue here is not limited to government encryption backdoors. If either side of an encrypted conversation is intercepted, the same problem occurs. The Ukrainian military, for example, is now fighting an aggressive phishing campaign that plants malware, oftentimes a keylogger, that bypasses the encryption even more effectively than would a backdoor.

Endpoint interception has also turned around and bitten the cyber crooks themselves. Europol officials in December stumbled on a cyberthief that cleverly used an app that made messages disappear a few minutes after being read. But, given that experienced thieves know enough to not trust other thieves, one of the recipients screen-captured a discussion about money-sharing with his colleagues. That act made all of his encrypted messages readable for law enforcement.

Many issues with backdoors, say analysts

Analysts are concerned about the growing demands for backdoors. Aisling Dawson, digital security industry analyst at ABI Research, saw Whittaker’s post and said that many government encryption proposals “fail to display an understanding of the technical implications of such a backdoor” and that these governments “face the prospect of increasing numbers of organizations exiting their marketspace, triggering economic losses and reducing the number of security vendors within the ecosystem, or creating the potential for legal and judicial challenges to proposed regulatory action.”

Dawson also saw the encryption backdoor attempts as dangerous. “The use of terms like ‘side-client scanning’ within these proposals are complicating and perhaps deliberately obfuscating governments’ intentions with regard to these new proposals which is, at its core, a desire for more backdoors into vendors’ secure communications,” Dawson said. “Piercing through vendors’ cryptographic wall to create a governmental backdoor creates a hole, and it seems fantastical to believe cybercriminals and malicious attackers won’t also attempt to exploit that hole.”

Dawson also argued that there are legal issues raised by backdoors, above and beyond cybersecurity and privacy concerns. “France’s proposal raises challenges when it comes to prospective defendants challenging any evidence obtained via surveillance through an encryption backdoor, given that the bill inhibits disclosure of any surveillance operations to defendants,” Dawson said. “This fundamentally runs against defendants’ right to hear and challenge evidence placed against them per their ECHR [European Convention on Human Rights] Article 6 fair trial rights.”

Other analysts shared similar concerns. Fred Chagnon, principal research director at Info-Tech Research Group, said the encryption backdoor approach being debated by the legislators in France is somewhat different than what some other governments are considering. “France wants to take a different approach with a ‘ghost participant,’ which would allow government entities to silently join encrypted conversations, basically creating a backdoor in real time,” Chagnon said. “Governments need to engage with these [encryption] providers to find a solution that doesn’t fundamentally weaken security instead of pushing for regulations that force companies to break their own encryption.”

And Anshel Sag, a principal analyst with Moor Insights & Strategy, has more general concerns about the government activities throughout Europe around encryption. “I think this is an unsettling trend we’re starting to see from European governments, the UK’s request of Apple being a similar issue. Backdoors are inherently problematic because they simply give bad actors opportunities to take advantage of those backdoors as well,” Sag said. “Additionally, they create a false sense of security and safety that is no longer there because of the backdoor. Backdoors are simply antithetical to the security and safety that so many of these companies have built their reputations on.”
https://www.computerworld.com/article/3850597/signal-threatens-to-leave-france-if-encryption-backdoo...