Backdoor Laws Compared: Russia, UK, Canada, Australia

29.06.2026

When Russia demands that telecom providers hand over encryption keys to the FSB, Western media calls it authoritarian surveillance. When the UK, Canada, and Australia pass nearly identical laws under different branding, it is called national security policy. The result for citizens and their private communications is the same in all four cases.

Since 2016, four countries have enacted laws forcing technology companies to either build backdoors into encrypted services or face massive fines, criminal charges, and forced market exit. Understanding what each law actually requires - stripped of political framing - reveals a global pattern that directly affects anyone who values digital privacy.

Russia: SORM, Yarovaya, and the IMEI Registry

Russia's surveillance framework is the oldest and most comprehensive of the four. The SORM system (dating to 1995) requires all Russian internet providers to install FSB-controlled hardware that gives security services direct access to communications traffic - no warrant required. The Yarovaya Law (Federal Law 374, passed in 2016) went further: telecom operators must store the actual content of calls and messages for six months, and metadata for three years. Crucially, they must provide the FSB with decryption keys on demand.

In 2026, Russia tightened controls further with mandatory IMEI-SIM binding. By 2027, every mobile device must be registered in a national government database. Unregistered phones will be disconnected from networks. The FSB also gained the explicit right to order service suspension for specific users directly.

VPN providers and messaging apps operating in Russia are classified as "Information Distribution Organizers" - they must store Russian user logs domestically and surrender them on request. Most major VPN providers (NordVPN, ExpressVPN, Surfshark, ProtonVPN) removed physical servers from Russia rather than comply. Private Internet Access left entirely in 2016 after authorities seized its equipment.

United Kingdom: The Snooper's Charter Gets Upgraded

The UK's Investigatory Powers Act 2016 - nicknamed the "Snooper's Charter" by critics - legalized bulk interception of communications and gave authorities broad powers to demand decryption. The 2024 amendments made the law significantly more dangerous for end-to-end encryption.

Under the updated IPA, technology companies must notify the Home Office before releasing security updates and obtain approval before deploying new encryption features. The government can block the release of a secure app update if it disapproves. The law applies extraterritorially - any company whose services reach UK residents must comply, regardless of where the company is headquartered. Gag orders prevent companies from telling users that a secret order has been issued.

The response from the industry was unusually direct. Apple publicly threatened to disable iMessage and FaceTime in the UK rather than weaken their encryption. Signal and WhatsApp stated they would exit the British market before breaking end-to-end encryption for all users. As of mid-2026, the standoff continues with no resolution.

Australia: The Backdoor That Is Not a Backdoor

Australia passed its Telecommunications and Other Legislation Amendment (Assistance and Access) Act - known as TOLA - in 2018. The law allows law enforcement to issue Technical Capability Notices: orders forcing companies to create "new capabilities" enabling interception of encrypted communications.

The Australian government insists TOLA prohibits requiring "systemic vulnerabilities." Security researchers consistently point out the mathematical impossibility of that position - a backdoor that works for one party is a vulnerability for everyone. Signal stated plainly that it is architecturally incapable of decrypting user messages and would not write special code to do so. The law's full secrecy provisions mean that employees who disclose receiving a TCN face criminal prosecution.

The practical damage extended beyond user privacy. Australian technology startups reported losing international contracts because clients suspected their products contained government-mandated backdoors. The law essentially made Australian-built software suspect on the global market.

Canada: Secret Orders and No Judicial Oversight

Canada's Bill C-26 received Royal Assent on June 18, 2026. The Cybersecurity and Telecommunications Security Act gives the Minister of Industry sweeping and largely secret authority: the ability to secretly order telecom operators to disconnect specific services from their networks, terminate service for specific individuals, and share confidential user information with government regulators. Non-compliance carries fines of up to $15 million per day.

The Canadian Civil Liberties Association and Citizen Lab researchers at the University of Toronto were among the sharpest critics of the bill. Their central objection: there is no requirement for judicial authorization before these secret orders are issued, and companies cannot publicly contest them. The regime of secret orders with no public accountability mirrors mechanisms used in authoritarian states - the difference is procedural, not substantive.

The Common Pattern

  • Secrecy mandates: All four countries prohibit companies from informing users when a surveillance order has been received.
  • Extraterritorial reach: The UK and Canada explicitly claim jurisdiction over foreign companies serving their residents.
  • Encryption as target: Each law, in different language, aims to neutralize end-to-end encryption by requiring companies to maintain decryption capability.
  • Asymmetric accountability: Governments can issue secret orders; companies and users cannot challenge them publicly.

Signal cannot comply with any of these laws without fundamentally breaking its service. It has said so in each jurisdiction. The same is true of any messaging platform built on genuine end-to-end encryption.

Key distinction: None of these laws create "targeted" access to specific criminals. They all require building permanent systemic capabilities that, once created, are available to anyone who gains access to the infrastructure - including foreign intelligence services and malicious actors who compromise government systems.

How VPN Providers Are Responding

Across all four jurisdictions, the VPN industry's response has converged on the same technical solution: RAM-only servers. When a server stores nothing on disk and runs entirely in memory, seizing the hardware produces no user data. This architecture directly counters laws that require companies to maintain accessible logs - there is nothing to hand over because nothing persists after the server is powered off.

For users in any of these four countries, a VPN with a verified no-logs policy and RAM-only infrastructure provides a meaningful layer of protection against mandatory data retention schemes. It cannot protect against laws that require ISPs to block VPN protocols themselves - as Russia has increasingly done through its TSPU deep packet inspection systems - but it addresses the data retention problem directly.
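One way to check the RAM-only claim on a Linux server, as an added example that is not taken from any VPN provider's tooling: the script flags writable mounts on block devices and swap areas that reach disk, since either one lets data outlive a power-off. The function names `persistent_mounts` and `disk_swap` and all three sample tables are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit mount and swap tables for anything that survives power-off.

# Print writable mounts backed by a block device (input: /proc/mounts format).
# RAM-backed block devices (/dev/ramN, /dev/zramN) are not persistent, so skip them.
persistent_mounts() {
    awk '
        $1 ~ /^\/dev\// && $1 !~ /^\/dev\/z?ram[0-9]+$/ {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "rw") { print $2 " (" $1 ", " $3 ")"; break }
        }'
}

# Print swap areas that write memory pages to disk (input: /proc/swaps format).
# The first line is the column header; compressed in-RAM swap (zram) is allowed.
disk_swap() {
    awk 'NR > 1 && $1 !~ /^\/dev\/zram[0-9]+$/ { print $1 }'
}

# Constructed sample: root and logs on tmpfs, read-only squashfs image for /usr.
SAMPLE_RAM_ONLY='tmpfs / tmpfs rw,relatime,size=4194304k 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/loop0 /usr squashfs ro,relatime 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0'

# Constructed sample: conventional host whose logs persist on /dev/sda3.
SAMPLE_DISK='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
/dev/sda3 /var/log ext4 rw,noatime 0 0
/dev/sr0 /media iso9660 ro,relatime 0 0'

# Constructed sample: one zram swap device and one swap file on disk.
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/zram0 partition 1048572 0 100
/swapfile file 2097148 0 -2'

echo "RAM-only sample, persistent writable mounts:"
printf '%s\n' "$SAMPLE_RAM_ONLY" | persistent_mounts
echo "Disk-backed sample, persistent writable mounts:"
printf '%s\n' "$SAMPLE_DISK" | persistent_mounts
echo "Swap areas that reach disk:"
printf '%s\n' "$SAMPLE_SWAPS" | disk_swap
# On a live Linux host: persistent_mounts < /proc/mounts; disk_swap < /proc/swaps
```

The audit covers local storage only; logs forwarded to a remote collector persist elsewhere and need a separate check of the logging configuration.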

Conclusion: The difference between Russia's surveillance laws and those of the UK, Canada, and Australia is increasingly one of presentation rather than substance. All four governments now claim the legal right to compel backdoors into encrypted communications. The question for anyone relying on private messaging is whether the technical architecture of the tools they use was designed to make compliance impossible - even under legal pressure.