Research In Motion is entering last-ditch meetings with Indian security officials in an effort to meet demands of government access to encrypted communications, says Reuters. This is a considerable problem for RIM, because business customers create their own security codes, and RIM doesn’t have access to those codes.
Indeed, RIM’s very strength of allowing enterprises to control security of internal communications appears to be the sticking point of the current showdown, which has a deadline of Aug. 31. In prior meetings with Indian officials, RIM has said it will provide a manual solution to monitor instant messages, which it will follow up with an automated means by November. But without a “master-key” or back-door method to access enterprise communications, RIM appears to have little chance of meeting India’s demand, which is largely based on national security measures.
The closest RIM has come so far towards keeping Indian security officials happy is a proposal to share the IP addresses of BlackBerry Enterprise servers, as well as the IP address and IMEI numbers of BlackBerry handsets that send or receive messages. To this point, India hasn’t accepted such a solution, as it only provides identifying information about where messages are travelling, not the contents of the messages themselves. The Indian government seems intent on full access to monitor what all messages actually say, and since RIM doesn’t have access to decrypt such information in the enterprise, there appears to be little room for compromise. Indeed, RIM today issued a statement that reiterates the key challenge:
RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party, under any circumstances, to gain access to encrypted corporate information. In order to provide corporate customers with the necessary confidence that the transmission of their valuable and confidential data is completely secure, the BlackBerry security architecture for enterprise customers was purposely designed to exclude the capability for RIM or any third party to read encrypted information. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM ever possess a copy of the key.
RIM’s statement today also addresses concerns of trust, as the company appears to be offering another compromise: the formation of a forum to balance online privacy with security access requested from governments and security organizations:
RIM would lead an industry forum focused on supporting the lawful access needs of law enforcement agencies while preserving the legitimate information security needs of corporations and other organizations in India. In particular, the industry forum would work closely with the Indian government and focus on developing recommendations for policies and processes aimed at preventing the misuse of strong encryption technologies while preserving its many societal benefits in India.
As I mentioned earlier this month, even if RIM does meet all of the demands set forth by Indian security agencies, it could lose more than it gains. Winning the battle with India pre-empts a shut-down of BlackBerry services within the country and would allow RIM to continue selling handsets and services in a market with more than 1.2 billion potential customers. Businesses and governments in other countries, however, are apt to evaluate how safe and secure their internal communications are within the BlackBerry network based on any precedent set by the Indian showdown. If RIM finds a way to hand over keys it claims it doesn’t have, will companies trust in RIM going forward, even with the proposed new forum?
Businesses aren’t the only RIM customers that would be affected if India gets what it wants. Although many consumer-driven communications services are required by law to provide personal information when requested by governments, news of RIM “giving in” to India might scare consumers away from BlackBerry devices. Such a situation didn’t happen when RIM recently provided the Saudi Arabian government the ability to monitor messages, but as each country gains the ability to be “big brother,” more individuals will give a second thought to the privacy of their online communications.