You’ve likely never seen an “encryption backdoor” advertised on any eSignature provider’s website. However, just because they’re not referred to as such does not mean they don’t exist.
An encryption backdoor gives your eSigning provider the keys to decrypt your documents, meaning they have the power to access all your data. And as long as there is access, it can be abused and poses a threat to your privacy – no matter what additional “security measures” are implemented.
An encryption backdoor can come in many shapes and sizes and can harm your privacy on more than one level. In order to protect your sensitive information, make sure you understand the implications of access to your data, no matter how well it’s disguised, or sold as “required” for the system to work.
What Is an Encryption Backdoor and Why Do Other eSigning Providers Use It
An encryption backdoor is essentially a way to circumvent any encryption in place. This means that, while for the average user or casual viewer your documents appear fully encrypted, someone with the right knowledge or access level can still see your unencrypted documents at any stage.
Encryption backdoors work in different ways. The most obvious one is simply programmed into the encryption used: If your eSigning provider developed the encryption for your documents, they can also develop a way to circumvent it. Another common access method is simply using the decryption key, which some providers ask users to send along with their encrypted documents. Last but not least, weak encryption can be hacked – which is not technically a backdoor, but still leads to the same result.
It’s rarely advertised as a backdoor, but eSigning providers often legitimize their access with concerns over security or offering AI-driven tools to improve your workflow. The former usually comes in the form of the ominous “rule of least privilege,” which is supposed to put your mind at ease but essentially states that someone at the provider has access to your data. The latter is sold in marketing terms such as “life-cycle management and analytics,” which – no matter how useful – require unencrypted access to your data to do what they promise.
Here’s Why an Encryption Backdoor Harms the Privacy of All Your eSignatures
What would your provider want with your data, you may ask? The answer may be simple: Nothing. But it’s important to understand that, as long as there is access, you’re exposed to a number of threats. And, statistically speaking, one of them will affect you at some stage.
| Issue with an encryption backdoor | How that affects your privacy |
| --- | --- |
| It gives your provider the key to your locked door | Anyone holding the key except you and the recipient poses an unnecessary risk |
| A security breach could happen anytime | Your data could end up for sale – or used to blackmail you |
| Governments may ask for your information | They may actually be able to read it |
| Your government could intercept your data | All your information would be exposed |
| Any employee could gain access | Malice or incompetence – the risks of employees having access are serious |
| Anyone could be listening in on your digital traffic | Your unencrypted documents could end up anywhere |
| Industrial espionage is easier than ever in the digital age | All your trade secrets could end up in your competitors’ hands |
The digital landscape can be tricky to navigate, and if there’s a backdoor to access your data, a small stumbling block quickly turns into a digital land mine. Let’s take a closer look at these issues and why they can be detrimental to your privacy.
Your provider holds the key to your sensitive information
The best encryption in the world is useless if the decryption key is stored in plain sight. And even if it’s not in plain sight, the fact that both the encrypted documents and the means to fully decrypt them are stored on the same infrastructure presents a serious threat to your privacy. If your eSignature provider requires you to store the key with them as part of the “encryption,” that’s a big red flag right there.
You would never lock your front door and leave the key on the doorstep. Locking the door means “no access,” and the key should be stored separately, hidden out of sight. The same goes for your documents. Because no matter how much you trust your eSignature provider, if the key is in plain sight, the risk of a breach is real.
A security breach is a question of “when,” not “if”
Statistically speaking, your eSignature provider will get hacked eventually. And if you think you’re safer with bigger names, think again: The bigger the target, the more lucrative a successful hack is for the attackers. No matter the level of security your eSignature provider has in place, the risk of a breach and subsequent loss of sensitive information is very real.
If there’s a way to decrypt your documents, a hacker will find it. If someone has gone through the effort of breaking into a secure system in the first place, it stands to reason that they’d be able to find the backdoor into your documents as well. From there, it’s likely only a matter of time until you’re either seeing your most sensitive data publicly available on the net or, just as bad, becoming the victim of a targeted blackmailing effort.
Your information is now within reach of any government
International treaties based on the likes of the CLOUD Act in the United States allow more and more government agencies to request access to your data. And while it’s fair to say that those rules are in place to allow enforcement agencies to combat digital crime and terrorism, it’s also a fact that you as the user have absolutely no say in the matter – regardless of your innocence or the nature of the documents you’re storing.
If your encryption can be circumvented, a legal request for data could affect your privacy at any time. The irony of this situation is that you ultimately want an eSignature provider that complies with the law, for your own safety. However, if all it takes is a formal request from any number of entitled agencies to read each and every one of your private documents, that’s simply not a position you want to be in.
Your own government might be listening
Internet privacy might be lacking in your country of residence. Lists like the Internet Privacy Index offer insight into the levels of privacy individual countries offer – and you might be surprised about the position your country is in. But even this list proves faulty, or at least quickly outdated: The country with the second-highest rating, Australia, just passed a law that enables government agencies to surveil your data at will.
You might never know when your government legally intercepts all your data. If and when this happens, any backdoor to access your encrypted documents will be swiftly exposed and made use of. And while you likely have nothing of specific interest to your government – do you really want them to have a copy of every single sensitive document you’re sending to someone?
Employees have access to your data
There are numerous scenarios in which employees of your eSignature provider will gain access to your data – if that’s possible. The first one is obvious: A rogue employee could grab all your sensitive data in one fell swoop and either sell it or blackmail you with it. But even assuming anyone working for your eSignature provider has your best interest in mind, that still does not translate to absolute privacy for your data: Terminology like the “rule of least privilege” deliberately allows access for certain employees, and – last but not least – it could take as little as a single keystroke made by mistake to breach your privacy and expose your sensitive information.
Malice, incompetence, or “privilege” all translate to a breach of your privacy. And by the time you are informed of these or any number of other dangerous scenarios, it might already be too late to maintain your privacy.
It exposes you to digital interception
Your data passes through all kinds of infrastructure on the way to the recipient – and every touchpoint is a potential threat. Your home WiFi can be hacked. If you’re using public WiFi, chances are high that someone’s listening. Your ISP might be vulnerable, or even already under attack. And once past your eSignature provider, the reverse order poses the same risk: Your recipient’s ISP, and their home or public WiFi.
A backdoor to your documents opens them up for anyone. In today’s hypercomplex world, it may seem like everyone is only a click away, but in reality, the hops between sender and recipient become more numerous and certainly more complex all the time. It would literally take a Ph.D. in Information Technology, not to mention a lot of industry and insider knowledge, to be aware of every point your (unsecured) data passes through.
You risk becoming a victim of industrial espionage
What would happen if your fiercest competitor suddenly had access to all your sensitive data? While it may sound like a horror scenario, it’s actually quite common nowadays: Industrial espionage, often also referred to as corporate espionage, is becoming a more and more convenient way to gain a competitive advantage in a world where everything is connected to the internet.
Decades worth of effort may be at risk if your data is exposed. Confidential notes, legal agreements, R&D results, sensitive contracts of any kind – if there is a way to access all those documents and more, you should be seriously worried.
The Bottom Line
Few eSignature providers, if any, would admit to a “backdoor” that allows them to circumvent your encryption. But it may just be a simple case of wording: Look out for things like the “rule of least privilege”, or a type of encryption that forces you to send along the decryption key – supposedly for convenience, to be delivered to and only used by the recipient.
Backdoors come in many shapes and sizes. Luckily, at the end of the day, it’s a matter of black or white which, when you dig deep enough, is quite easy to define.
The only way to prevent access by anyone – employees, hackers, governments – through any means – backdoors, “privileges” – is to remove external access altogether.
By using asymmetric, full end-to-end encryption, documents are encrypted on your local machine, and never touch any other point of contact in an unencrypted state. The key to decrypt is unique, and sent directly to the recipient by you, using any means you deem safe. No other party along the way has technological or legal means to access your data – period.
Because if your data can be accessed, it will be. It’s only a matter of time – don’t risk it.
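The difference between a key stored with the provider and a key that stays with sender and recipient, covering both the key-storage warning earlier and the local-encryption description above. This is an added example, not code from this page or from any eSignature provider. It assumes a per-document AES-256-GCM key in place of the scheme the page leaves unspecified; all function and field names are hypothetical and the document text is constructed.

```javascript
// Added example: compares where the decryption key lives. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Client side: encrypt with a fresh per-document key before anything is uploaded.
function encryptLocally(plaintext) {
  const key = nodeCrypto.randomBytes(32);          // AES-256 key, unique per document
  const iv = nodeCrypto.randomBytes(12);           // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { key, blob: { iv, ct, tag: cipher.getAuthTag() } };
}

// Returns the plaintext, or null if the key is wrong or the blob was altered.
function tryDecrypt(blob, key) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
    d.setAuthTag(blob.tag);
    return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
  } catch {
    return null;                                   // GCM authentication failed
  }
}

// Everything an insider, intruder or legal request could read from provider storage.
function whatProviderCanRead(store) {
  return store.map(rec => (rec.key ? tryDecrypt(rec.blob, rec.key) : null));
}

function demo() {
  const doc = 'Constructed sample: supply contract, draft 3';
  // Model A: the key is uploaded and stored next to the ciphertext.
  const a = encryptLocally(doc);
  const keyOnServer = [{ blob: a.blob, key: a.key }];
  // Model B: only ciphertext is uploaded; the key goes to the recipient out of band.
  const b = encryptLocally(doc);
  const ciphertextOnly = [{ blob: b.blob }];
  const tampered = { ...b.blob, ct: Buffer.from(b.blob.ct) };
  tampered.ct[0] ^= 1;                             // one bit flipped while in storage
  return {
    providerReadsA: whatProviderCanRead(keyOnServer)[0],
    providerReadsB: whatProviderCanRead(ciphertextOnly)[0],
    recipientReadsB: tryDecrypt(b.blob, b.key),
    guessedKeyReadsB: tryDecrypt(b.blob, nodeCrypto.randomBytes(32)),
    tamperedReadsB: tryDecrypt(tampered, b.key),
  };
}
```

Calling `demo()` shows that in model A the provider's storage alone yields the plaintext, while in model B only the holder of the out-of-band key can read the document, and a modified ciphertext is rejected rather than decrypted.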











