Are Software Backdoors Legal? Real Cases, Legal Views, and Hidden Threats
This article examines real‑world anecdotes of hidden backdoors in software, explores how Chinese law treats such vulnerabilities, and outlines the hierarchy of backdoor techniques from simple code tricks to compiler‑level implants, highlighting the security risks they pose.
Yesterday I browsed Zhihu and found a question about software backdoors, so I gathered three particularly interesting answers to share.
Answer 1 – A practical backdoor for payment protection: The respondent described an outsourced Android ROM project with a 160,000 CNY development fee and a 20,000 CNY annual maintenance fee. Payments were split into three stages, and before delivering the production ROM they embedded a timestamp check hidden among driver code that would render the device unbootable after six months. When the client delayed the final payment, the backdoor prevented them from using the product, and later, after the client’s downstream customers complained, the remaining payment was finally collected. The author notes that such a self‑protective measure is not illegal, though it is risky.
They also recalled personal experience of freelancers disappearing after software delivery, emphasizing the temptation to embed time‑based restrictions.
Answer 2 – Legal perspective on backdoors: According to the respondent, Chinese law does not have a specific statute that punishes the mere existence of a backdoor because “backdoor” is hard to define objectively. Questions arise such as whether automatic update mechanisms, hot‑patch systems, or remote maintenance features count as backdoors. The law judges based on the actual malicious use: a dormant backdoor that is never used is generally not prosecuted, but if it is employed for wrongdoing, liability follows the specific harmful act.
Answer 3 – Historical and advanced backdoors: The third answer recounts Ken Thompson’s famous compiler backdoor at Bell Labs, where a hidden password check was inserted into the C compiler, making any Unix system compiled with it vulnerable regardless of later modifications. This technique resurfaced in the XcodeGhost incident. The answer classifies backdoors by depth: low‑level code, tool‑chain level, compiler level, and ultimately hardware‑level, which is virtually impossible to defend against. The author concludes with a plea to treat programmers kindly.
Finally, the post mentions a recent case where a hacker group poisoned the IDA reverse‑engineering tool, illustrating how even security‑focused software can be targeted.
Readers are invited to share any personal experiences of embedding backdoors in code.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Architect's Guide
Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.
