2 Comments

Summary:

Research In Motion is entering last-ditch meetings with Indian security officials in an effort to meet demands of government access to encrypted communications. But how can RIM provide what it claims to not have — access to security keys for business-run BlackBerry Enterprise Servers?

Research In Motion  is entering last-ditch meetings with Indian security officials in an effort to meet demands of government access to encrypted communications, says Reuters. This is a considerable problem for RIM, because business customers create their own security codes, and RIM doesn’t have access to those codes.

Indeed, RIM’s very strength of allowing enterprises to control security of internal communications appears to be the sticking point of the current showdown, which has a deadline of Aug. 31. In prior meetings with Indian officials, RIM has said it will provided a manual solutions to monitor instant messages, which it will follow up with an automated means by November. But without a “master-key” or back-door method to access enterprise communications, RIM appears to have little chance of meeting India’s demand, which is largely based on national security measures.

The closest RIM has come so far towards keeping Indian security officials happy is a proposal to share the IP addresses of BlackBerry Enterprise servers, as well as the IP address and IMEI numbers of BlackBerry handsets that send or receive messages. To this point, India hasn’t accepted such a solution, as it only provides identifying information about where messages are travelling through, not the contents of the messages themselves. The Indian government seems intent on full access to monitor what all messages actually say, and since RIM doesn’t have access to decrypt such information in the enterprise, there appears little room for compromise. Indeed, RIM today issued a statement that reiterates the key challenge:

RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party, under any circumstances, to gain access to encrypted corporate information. In order to provide corporate customers with the necessary confidence that the transmission of their valuable and confidential data is completely secure, the BlackBerry security architecture for enterprise customers was purposely designed to exclude the capability for RIM or any third party to read encrypted information. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM ever possess a copy of the key.

RIM’s statement today also addresses concerns of trust, as the company appears to be offering another compromise: the formation of a forum to balance online privacy with security access requested from governments and security organizations:

RIM would lead an industry forum focused on supporting the lawful access needs of law enforcement agencies while preserving the legitimate information security needs of corporations and other organizations in India. In particular, the industry forum would work closely with the Indian government and focus on developing recommendations for policies and processes aimed at preventing the misuse of strong encryption technologies while preserving its many societal benefits in India.

As I mentioned earlier this month, even if RIM does meet all of the demands set forth by Indian security agencies, it could lose more than it gains. Winning the battle with India pre-empts a shut-down of BlackBerry services within the country and would allow RIM to continue selling handsets and services in a market with more than 1.2 billion potential customers. Businesses and governments in other countries, however, are apt to evaluate how safe and secure their internal communications are within the BlackBerry network based on any precedent set by the Indian showdown. If RIM finds a way to hand over keys it claims it doesn’t have, will companies trust in RIM going forward, even with the propose new forum?

Businesses aren’t the only RIM customers that would be affected if India gets what it wants. Although many consumer-driven communications services are required by law to provide personal information when requested from governments, news of RIM “giving in” to India might scare consumers away from BlackBerry devices. Such a situation didn’t happen when RIM recently provided the Saudi Arabia government the ability to monitor messages, but as each country gains the ability to be “big brother,” more individuals will give a second thought to the privacy of their online communications.

Related content from GigaOM Pro (sub req’d):

Why RIM’s Future (Unfortunately) Hinges on BlackBerry OS 6

  1. They already “handed over the keys” to Saudi Arabia (see the link to the businessweek article in the above piece). Therefore, everyone involved in the negotiations knows that it is possible. Any CIO worth her salt should also already know this.

    I’m not clear on how important encryption is to enterprise clients, but if it’s really important than RIM is in big trouble.

    Share
  2. Enterprise Email when used with the BlackBerry Enterprise Server (BES) does not live on the BES. The BES is paired with a Microsoft Exchange , a Lotus Notes or a Novell GroupWise server. These enterprise mail servers are the master repository of email messages in and out of the enterprise.

    Agencies can get a copy of emails from the enterprises directly – to ask RIM to provide this access is just silly.

    In this broad sense the RIM solution is indistinguishable from any mobile device, including a laptop with a mobile data card, that uses a mail client that uses TLS or SSL (for encryption) to connect to an enterprise mail server. Again, to pick on RIM is just naive.

    The only reason RIM finds itself in a bind is it operates as some what of a virtual ISP: The secure tunnel from the hand held to the enterprise BES server hops through RIM’s data center. RIM has said the the traffic inside this 2-hop tunnel stays encrypted end to end – none the less RIM opens itself to some scrutiny on this issue.

    Note that RIM’s consumer email service is in fact stored on RIM’s servers, as are BB Messenger messages and RIM appears to have reached agreement on providing access to these services.

    Share

Comments have been disabled for this post