Encryption Backdoors: The Security Practitioners' View

Thursday, June 19, 2025
After decades of failed attempts to access encrypted communications, governments are shifting from persuasion to coercion—security experts say the risks are too high.
Ilia Kolochenko, CEO and founder at ImmuniWeb, floats just such an idea – difficult, but technically feasible. It is grounded in his research and thesis for his PhD in Computer Science at Capitol Technology University, Framework Proposal to Regulate Lawful Hacking by Police Within Criminal Investigations, and expanded on in conversation with SecurityWeek. The basic idea is that rather than reduce security for everyone, guilty and innocent alike, it would be more efficient to block access to E2EE for all convicted criminals.
Kolochenko wrote, “The encryption criminalization approach addresses the bad-faith use of encryption to further a criminal conduct or to deliberately hinder investigations by law enforcement agencies.” The UK’s alleged use of the IPA against Apple is an example of such a criminalization process, but it cannot be used for government access to E2EE.
Here, Kolochenko floats the possibility of blocking criminal access to E2EE services rather than breaking E2EE security for everyone. He believes it is possible and scalable, and he offers gun licensing as an analogy. “Guns are legal in most countries. But access to gun purchase or ownership is restricted by licensing. Untrusted persons cannot get a license to own a gun,” he explains.
Variations on this process exist in most countries – indeed, the details vary almost state-by-state in the US alone. But the principle is clear: the provider of E2EE services should verify the customer is not excluded (by criminal record or judicial warrant) from accessing E2EE services.
There’s the first problem: vendors will protest, insisting that it would adversely affect their business. So, it would need to be enforced by national legislation, even though it’s not altogether clear that this would damage business. Legal action against Apple and Apple’s subsequent removal of ADP from the UK is unlikely to damage iPhone sales in the UK (although that remains to be seen). However, refusal to sell iPhones to individuals included on the exclusion list would inevitably reduce sales fractionally.
But it would protect the privacy of the vast majority of ‘innocent’ users by eliminating law enforcement’s argument for demanding an encryption backdoor: if there are no criminals using E2EE, there is no need for a backdoor to access non-existent criminal communications. The same principle would apply to all providers of E2EE services, such as Telegram and Signal.
Further problems remain, including scalability and the cost of that scalability. Technology can solve the scalability issue – fundamentally it just requires a very secure database of excluded persons. This can come from existing criminal records databases and be supplemented with names where law enforcement can persuade an independent judicial office that this person, who has no criminal record, is nevertheless a terrorist.
The cost of maintaining this list of exclusions, suggests Kolochenko, could be met by a very tiny tax on the vendors. “The precedent already exists. Both the tobacco and oil companies already pay a tax to remediate the harm they do to society,” he says.
The final problem, and it’s hard to see any immediate solution for this, is that an E2EE exclusion list would be as controversial and widely challenged as the existing No Fly List. But controversial and challenged as it is, the No Fly List still exists and is in use.
The basis of Kolochenko’s idea is certainly valid. It would be easier, more secure, and fundamentally fairer to exclude criminals from E2EE, than to effectively criminalize all users without due process using a backdoor into the system. It certainly deserves exploration.
Ultimately, it is hard to find a single security practitioner who would support government demands for an E2EE backdoor. We cannot say that none exist, but we can say we couldn’t find any. “For practitioners,” says Paxson, “this isn’t just a philosophical debate, it’s stuff that reshapes their priorities.”