Research in Motion has a problem. Their well-regarded encryption technology is upsetting national governments. Now, RIM has to make a choice; concede to the .govs or keep subscriber's traffic secure.
Research in Motion (RIM) is under intense scrutiny. Several national governments; notably U.A.E., India, Kuwait, and China are concerned that BlackBerry traffic is undecipherable. Due to current geo-political conditions, that level of secrecy is unacceptable. Thus they handed RIM an ultimatum. Give us unfettered access or forget about doing business in our countries.
It's no secret — RIM is losing market share. Besides that, their new entry, Torch is not creating anywhere near the buzz of the iPhone 4 or Android phone releases. So the conundrum of dealing with this encryption issue is something they really do not need.
The involved countries are taking a stance similar to that described by the United Arab Emirate's Telecommunications Regulatory Authority courtesy of WSJ.
"BlackBerry data is immediately exported offshore, where it's managed by a foreign, commercial organization. BlackBerry data services are currently the only data services operating in the U.A.E. where this is the case," the agency said. "Today's decision is based on the fact that, in their current form, certain BlackBerry services allow users to act without any legal accountability, causing judicial, social and national-security concerns."
India is even more forthcoming in their concern. This Gulf Times blog quotes a senior interior security official as saying:
"Wherever there is a concern on grounds of national security the government will want access and every country has a right to lawful interference."
So, these countries are demanding access to all encrypted RIM traffic, something a vast majority of RIM's approximately 45 million members probably don't want. Why? Corporate management and IT departments are comfortable with RIM's technology because it's encrypted.
RIM's encryption process
Every message is encrypted before it leaves the phone. All messages are sent to RIM's BlackBerry Enterprise Solutions (BES) servers located in network operating centers throughout the world. After which, it is sent on to the intended recipient. In a prepared statement, RIM's co-Chief Executive Mike Lazaridis explains the process in more detail:
"The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a "master key", nor does any "back door" exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data."
The statement also mentions:
"RIM would simply be unable to accommodate any request for a copy of a customer's encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key."
Here is where I get confused. Somewhere along the way there has to be another copy of the symmetric key. How else will the data get decrypted? Maybe the clue is in this last part of the statement:
"All data remains encrypted through all points of transfer between the customer's BlackBerry Enterprise Server and the customer's device. At no point in the transfer is data decrypted and re-encrypted."
After reading the above statement several times, I found two key phrases:
- That would allow RIM or any third party to gain unauthorized access to the key or corporate data.
- All data remains encrypted through all points of transfer between the customer's BlackBerry Enterprise Server and the customer's device.
Does this mean that the encryption process is strictly between the BlackBerry device and BES servers? Bruce Schneier believes so:
"Am I missing something here? RIM isn't providing a file storage service, where user-encrypted data is stored on its servers. RIM is providing a communications service. While the data is encrypted between RIM's servers and the BlackBerrys, it has to be encrypted by RIM — so RIM has access to the plaintext.
In any case, RIM has already demonstrated that it has the technical ability to address the UAE's concerns. Like the apocryphal story about Churchill and Lady Astor, all that's left is to agree on a price."
It would seem so. This Wall Street Journal blog by Phred Dvorak points out what maybe the real concern of the U.A.E. government:
"It's worried it wouldn't be able to compel RIM to turn over customer data, now processed in RIM's private servers outside the country. The U.A.E. wants RIM to locate servers in the country, where it has legal jurisdiction over them."
The responses I have read regarding this subject have fallen into two camps. Privacy advocates feel as this person does:
"Congratulations to RIM for making a product which has privacy and security built into its physical structure to make it impossible to physically snoop into the data, regardless of the political power of any totalitarian government. Privacy is important for customers and I think their sales will now go way up!"
The other side feels that governments have the right to access information that could affect national security. One comment that caught my attention was at Arabian Business.com:
"Governments have other means to satisfy their security needs. I'll translate for you: Most governments have the hardware and software to break the encryption."
That is an interesting viewpoint. It might explain why other countries do not appear concerned about this.
Is RIM being singled out? Most web-based email systems are encrypted. I use Gmail and traffic is encrypted between my computer and Google's servers. For that matter, so are IP telephony services such as Skype. Are they next?
This is where I normally have some final thoughts. I really don't this time. I feel the discussion is just getting started. It seems Mr. Eric Schmidt, Google's CEO is adding fuel to this fire with his comments about anonymity online being dangerous. So, which side are you on?
Information is my field...Writing is my passion...Coupling the two is my mission.