On Friday, the Kingdom of Saudi Arabia put into effect a ban on the use of the messenger services on the BlackBerry smartphones. This ban follows closely on the UAE?s decision to similarly pull the plug on a wider range of BlackBerry features, including the bread-and-butter e-mail and mobile applications. These decisions, which have been met with worldwide dismay and condemnation, are believed to stem from the refusal of Research In Motion (RIM), maker of BlackBerry, to allow these governments access to the large volumes of encrypted data that flow through RIM?s servers. An additional level of frustration for these and other countries? governments is that RIM?s servers are based in Canada, which effectively puts them beyond the reach of their jurisdiction.
In an era of increasing threat from terrorist and criminal activity, law enforcement and national security agencies of every government in the world are looking for ways to ensure that every sliver of information that is even remotely related to potential threats is identified and tracked. As these countries go about enacting laws that give their government agencies increasingly wide-ranging surveillance powers, services such as BlackBerry, which hang their hats on their exceptional security measures, come as a major hurdle to effectively executing these surveillance mandates.
BlackBerry?s communication is protected by 256-bit encryption, which is quite a stiff ask for any external hacker to break down purely through brute force methods, and even more sophisticated technologies can take quite a bit of time. When the Indian government first asked RIM for access to their encrypted data, it was accompanied by another?extremely amusing?request, to use a lower grade encryption so that they could snoop on the data without RIM?s active support. What this means is that governments will have to receive decryption keys from RIM to unlock the data, because it?s too difficult to do it on their own.
There are two distinct aspects to BlackBerry operations?the enterprise and the consumer. While in both cases, RIM?s communication servers are the backbone of the service, and its encryption, there is one additional layer in the case of the enterprise environment. This is the authentication system that lies in the BlackBerry Enterprise Server that is deployed by enterprises to manage their e-mail and communications on wireless networks. All e-mail traffic for enterprise users is mediated through the Enterprise Server before it reaches RIM, which receives the plaintext, or unencrypted, data and uses a combination of a public (server-generated) key and a private (BlackBerry PIN) key. This ensures that only the recipient device can decrypt and read the data that is sent through.
In the case of BlackBerry Messenger, a peer-to-peer messaging system, encryption is done using a common system shared across all devices. This system is routed entirely through RIM?s servers, regardless of enterprise or customer use. In countries such as Saudi Arabia, the UAE and Lebanon, the Blackberry Messenger is an extremely popular communication tool and cuts across large cross-sections of users, and is particularly secure because it is mediated through RIM?s offshore servers only. While this keeps users happy that the snoops are out of their business, it makes governments nervous, as is evident in the Middle East.
However, security experts such as Bruce Schneier suggest that there is nothing unusual about the requests made by the Middle Eastern countries; they are only asking RIM to give them what they already provide to other governments. RIM has agreed to give American authorities data, provided there is a court order accompanying the request. In China and Russia, RIM has agreements with both governments on data sharing, although they are tight-lipped about the details. In India, the dispute between RIM and the government dissipated without warning. These examples and others lead to the speculation that RIM is being disingenuous when it claims that it has no access to the decryption keys for the data it hosts.
International security scenarios are forcing governments to compromise citizens? privacy rights in order to keep them safe, while businesses such as RIM have no such luxury as they jostle for elbow room in a very crowded marketplace. In doing so, they are also forced to deal with the complex and sometimes draconian legal frameworks of the countries in which they operate, and will have to choose between keeping their customers or being kicked out of these countries. RIM has found ways to stay in business, but whether it has been completely honest with its users is questionable. Meanwhile, the stare-off is under way in the Middle East, and while RIM has blinked first in other markets, what will happen in this case remains to be seen, and the result could well determine a cascade of similar events across the world.
?The author, a digital marketing professional since 2004, is now part of Microsoft Advertising?s India team
