BlackBerry standoff: Some questions and answers

August 22nd, 2010 - 1:51 pm ICT by IANS  

By Prasanto K. Roy
While India’s 800,000 BlackBerry users struggle to figure out what the government wants and what its Canadian developer Research in Motion (RIM) has featured in these devices, here are some answers:

Q: What are BlackBerry services? Which aren’t?

A: Mobile push-email and messenger. RIM delivers these two services through mobile operators, such as Airtel and Reliance Communications. All other services you use on your BlackBerry handset, such as SMS, internet access or phone calls, are directly from the mobile operator, and are not BlackBerry services. Push email is so called because mail is pushed out to your handset as soon as it is received without your needing to download email periodically.

Q: What does India’s government want?

A: To intercept email and instant messages sent via BlackBerry, just as it can tap a phone. When it suspects someone of perpetrating a crime, it wants to be able to read, armed with a specific written order, any encrypted email sent on BlackBerry. The government can order interception of messages, under Section 5 of the Indian Telegraph Act,1885, only with a written order, granted only when required to prevent a major offense involving national security or terrorism. Economic offenses were once covered, but withdrawn in 1999 by a Supreme Court order.

Q: Why is BlackBerry mail encrypted?

A: Most email systems, including Gmail, use encryption. Enterprises don’t trust public email systems for business data; so they use their own secure, firewalled systems. Now, when they need to use a mobile push-email system, they want to be certain that no third party can read the mail, not even the email provider. That is BlackBerry’s USP: Mail so secure that RIM itself cannot read it.

Q: What’s BlackBerry Internet Service (BIS) and does the government have access to it?

A: BIS is the lighter flavour of RIM’s two email services. Meant for individuals, it uses weaker encryption. BIS users buy convenience more than ironclad security. Airtel or Vodafone “pipes” the encrypted mail from your handset to RIM, which then decrypts it and sends it out, to the recipient. So RIM “can” let investigative agencies read such mail, and India now has an agreement for BIS access.

Q: Is BlackBerry Enterprise Service (BES) then the only problem?

A: Can RIM really not “access” that?

Q: BES is RIM’s flagship product, designed to be so secure that not even RIM can read mail on it. It requires BES server software in the user company’s network. Email is encrypted on the BlackBerry, using a generated key shared only between the handset and the BES server. Such mail goes out via, say, Airtel, to RIM in Canada, and back to the company’s BES, staying encrypted all the way with a key that only that enterprise knows. Then it’s decrypted, within the enterprise, and moved to the email server. If the mail is to someone outside the company, it is sent out - decrypted - by the company’s mailserver. RIM itself does not have the key to “crack open” BES encrypted mail. That is the published design. Does RIM have a secret backdoor? One really does not know.

Q: Then how can government agencies access such mail, on a terror threat?

A: By going to the enterprise where the suspected terrorist is working. That company, which runs the BES, does not even need to decrypt the mail…for all mail is sitting within its own servers, or in its backups.

Q: Is the BlackBerry a terrorist’s choice of communication tool?

A: No. The BES-user is working in a company. Any mail he sends is not only traceable, but also stored and backed up. As for BIS, that is in RIM’s control: so access is easier for government agencies. The smarter terrorist would go to a cybercafe, and use a Gmail or Yahoo mail account. He’d simply read and save mail in draft mode without sending mail. So there’s nothing to intercept. Then there’s fileshare: sites like YouSendIt, where he can keep encrypted files - leaving almost no trace, unlike with a BES mail.

Q: How about Messenger?

A: BlackBerry popular instant messenger uses a weaker encryption than BES. And RIM has access to the keys used — which is why it can promise Saudi Arabia and India access. And while BlackBerry Messenger can indeed be used for real-time chat during a terror attack, so can regular, cheap cellphones, as they were during 26/11. The answer to both is part of anti-terror standard operating procedure: Cellphone jammers.

Q: Is such strong encryption legally allowed? Doesn’t India have any restrictions?

A: A creaky old law says you can’t use encryption greater than 40 bits in India without special permission, which includes depositing the key with the authorities. Now, the weakest encryption possible in a modern web browser is 40 bits and 128-bit is the most common. But then, way back in 2001, the Reserve Bank of BI recommended 128-bit encryption as the “minimum level of security” for online transactions. The recent 3G auctions were conducted using 3,000-bit technology. All in violation of Indian law!

(22.08.2010 - Prasanto K. Roy is the chief editor at CyberMedia, publishers of 15 specialty titles. This is a special article he has written for IANS. He can be found on twitter and web and at PKR@CyberMedia.co.in)

Related Stories

Tags: , , , , , , , , , , , , , , , , , , ,

Posted in Business |

Subscribe