Smartphones optimize

India says yes to the BlackBerry, no to encrypted mail

In the latest roundup to previous conflicting signals about whether the ubiquitious BlackBerry service will be banned in India or not, the Indian government has thrown down the gauntlet and indicated that while the use of the BlackBerry Smartphone is fine, its inherent ability to send encrypted e-mail is not.

In the latest roundup to previous conflicting signals about whether the ubiquitious BlackBerry service will be banned in India or not, the Indian government has thrown down the gauntlet and indicated that while the use of the BlackBerry Smartphone is fine, its inherent ability to send encrypted e-mail is not.

Excerpt from The Economic Times:

The Department of Telecom (DoT) has asked BlackBerry service providers such as Bharti Airtel, Vodafone, BPL and Reliance Communications to specify a time frame by which they will resolve all security concerns associated with this service. At the same time, the DoT reiterated that the government is not looking at banning BlackBerry services, but was keen to resolve the issue at the earliest.

According to other incoming reports, it appears that Indian security agencies want RIM to give them access to algorithms needed to decrypt messages. The Economic Times reported that another option the DoT is also looking at is "asking RIM to migrate all data traffic originating from Indian mobile networks to servers in India." There were rumors of a 15 day deadline to resolve the "security issue," though all the players offering the BlackBerry service in India say that they have received no official news of any such directives.

In my earlier post, I questioned the point of banning RIM's BlackBerry when competing technologies, such as Microsoft's Direct Push, already allows for SSL encryption of data. Looking at it from another angle though, you can probably attribute the India government's brazen request to the fact that unlike Microsoft's implementation, RIM's BlackBerry service requires special provisioning on the Telco end.

It is unclear if any of the proposed "solutions" above will eventually be enforced or how will they affect roaming BlackBerry users in India. I am not sure if this entire fiasco gets you thinking more about the value of encryption. If so, fellow blogger Chad Perrin has written an insightful piece on the importance of being encrypted over at TechRepublic's Security blog that you will probably want to check out.

What are your thoughts about using the BlackBerry without encrypted e-mail?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

10 comments
DelphiniumEve
DelphiniumEve

So many US companies now need to re-evaluate what their presence in India will be in the present and future if email is no longer secure. This also creates issues for companies that must meet the EU Privacy Directive, PCI, as well as HIPAA. All help desk operations or support operations/relationships will also have to be re-evaluated with this decision.

BALTHOR
BALTHOR

I can't imagine India having all of the ground cell equipment installed in their country.I know that they would have a hard time grocery shopping without it.

Mr L
Mr L

This decision should immediately be reviewed by any organization which may have blackberry users travelling to or residing in India. There are clear requirements for many companies that a defined set of information must be encrypted, in-flight or otherwise. This policy will likely have the immediate impact (for organizations with those encryption policies in place) of taking Blackberry out of the approved device list for any member of those organizations travelling to or residing in India. I find the proposal that RIM hand over the ability to decrypt traffic to Indian government agencies particularly troubling, as there is no way to prevent (since RIM traffic rides on cell carriers) those agencies from intercepting and decryting any RIM messaging, whether its intended destination is India or not(Which raises the question of whether RIM has ever done that for another government...whole other conversation).

apotheon
apotheon

"[i]I find the proposal that RIM hand over the ability to decrypt traffic to Indian government agencies particularly troubling, as there is no way to prevent (since RIM traffic rides on cell carriers) those agencies from intercepting and decryting any RIM messaging, whether its intended destination is India or not(Which raises the question of whether RIM has ever done that for another government...whole other conversation).[/i]" This is why I never really consider something protected by encryption if the encryption keys are in anyone's hands other than mine and the recipient's. The only party actually protected by encryption is the party that controls the encryption keys. Considering the gag orders persuant to many data acquisition policies here in the United States, there's simply no way to know for sure that the security of your encrypted data is intact if someone other than you has access to your encryption keys -- [b]particularly[/b] if some corporation has access to them -- to say nothing of the fact that trusting a corporation like RIM means trusting all its employees, too. I've never met any RIM employees. How would I know whether [b]any[/b] of them can be trusted, let alone [b]all[/b] of them? I avoid relying on the security of third-party encryption management schemes like the plague, because they're simply not reliable.

paulmah
paulmah

I was not 100% certain, which was why I did not comment in the write-up itself. As I understand it however, the decrypting of the encrypted packets can only be done by the BlackBerry device itself. The RIM NOC only facilitates the flow of encrypted traffic. It have no way of knowing the contents of the encrypted packets itself. I believe that is the reason why the BlackBerry is approved for use by the various departments in the US government. Regards, Paul Mah.

apotheon
apotheon

RIM can, in fact, comply -- by offering limited capabilities. RIM does offer public key encryption capabilities that cannot be decrypted by RIM or with RIM's help. On the other hand, there are other encryption capabilities that could be decrypted by RIM or with RIM's help. If RIM limits the capabilities of clients in India to the latter set, and establishes a symmetric key database, it could conceivably submit to India's demands in this matter. At least, that's the way of things based on my understanding of Blackberry encryption capabilities. I'm not exactly an expert on RIM technologies and service offerings, so I might be misinformed in this matter.

Mr L
Mr L

This situation does serve as a great reminder of the genuine risk in trusting anyone to keep your secrets but yourself.

jasonemmg
jasonemmg

What about those in the Healthcare industry who deal with companies based in India. All information must meet strict HIPAA regulations which require all e-mail to be encrypted,etc..

Prana7
Prana7

I strongly agree with Jason. What about health information and health industry who deal with this big issue. USA HIPAA is very strict and wants to make sure everything MUST meet HIPAA regulation. This means everything including email, documents, etc, How crazy they will not provide!

paulmah
paulmah

Anyway, what are your thoughts about using the BlackBerry without encrypted email?