Black Day for Blackberry Users in India

Thursday, August 19, 2010

Sudha Nagaraj


If the Indian government has its way, every mail sent from a Blackberry handset on the Blackberry Enterprise Service (BES, the service used by corporations) in the country will be carbon-copied, without the user ever touching the cc or bcc field.

What’s more, the copy will go not to anyone in the corporate hierarchy or to a client who needs to be in the loop, but to a “monitoring system” that every Internet Service Provider (ISP) in the country would have to install.

Obviously, we are not discussing a virus or a Trojan here.

It is an open and deliberate move to intercept mail and monitor its content in order to guard against terrorist threats to the nation. How such access to enterprise email would work is under debate between the smartphone maker, Research In Motion (RIM), and the Department of Telecommunications (DoT).

I will not go into the merits or feasibility of the proposal at this point. On the face of it, the privacy and security of corporate communications are being pried open to safeguard a nation’s interests.

It sounds like a sad day for information security, consumer privacy and encryption technology. All the advances in securing information flow on the Net, protecting customer confidentiality and improving encryption methods could be brought to naught with one regulatory stroke.

Most other smartphones, from Nokia, Apple, Samsung and HTC, route email over ordinary secure Internet connections using commercially available encryption.

RIM, on the other hand, not only runs its own proprietary encryption scheme but also takes a hands-off approach to communication over BES.

Here is how: as soon as a corporate user sends an email from a Blackberry device, the handset encrypts it with a key it shares only with its company’s server and forwards the ciphertext, over the carrier network and RIM’s relay infrastructure, to a Blackberry Enterprise Server located on the Company’s premises.

This server decrypts the message, hands it to the company’s mail system, and the message is encrypted again as needed for the second leg and sent on to the recipient.

Crucially, RIM does not hold the keys to decrypt the message on either half of its journey. The keys that unlock it reside only on the device and on the customer’s server.

Technically speaking, the traffic passes through RIM’s relay network, which spans the world, but the smartphone maker has vested all power over securing email with each client company. It says it holds no master key that could open every system on that network.

The quarrel between RIM and the Indian government over access to Blackberry data has been going on for a month. After several meetings, RIM loosened its position on services such as voice, SMS and Messenger.

In the case of instant messaging, which uses a weaker scheme than BES and one that RIM itself, unlike BES traffic, is in a position to decrypt, RIM has promised manual access to messages by September 1 and automated access by the end of 2010.

Will RIM compromise on what customers expect from BES as well? More importantly, is the DoT solution workable? By most accounts, the monitoring device would have to receive a copy of the decrypted message from the server, before it is encrypted again and sent to the recipient. Whither confidentiality? One may as well install spyware on the device or the server!
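The flow described above, from the handset through RIM’s relay to the enterprise server, and the DoT-style tap at the server, as an added model. This is not RIM’s code: the cipher is a standard-library stand-in for the AES/3DES transport BES actually uses, and the device PIN, keys and message are constructed for the example. It shows where the per-device key lives, why the relay can forward but not open the ciphertext, and that a monitoring copy taken at the BES sees plaintext regardless of how strong the transport cipher is.

```python
import hashlib
import hmac
import secrets

# Stand-in transport cipher (assumption, not RIM's): HMAC-SHA256 keystream
# plus an HMAC tag, so the model runs anywhere without third-party packages.
# It is for illustration only and not for production use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class BES:
    """Enterprise server on the customer's premises: holds each device's key."""
    def __init__(self, tap=None):
        self.keys = {}        # device PIN -> per-device transport key
        self.outbox = []      # plaintext handed to the corporate mail system
        self.tap = tap        # list standing in for a mandated monitoring system

    def activate(self, pin: str) -> bytes:
        # Key is generated on activation and shared with the one device only.
        self.keys[pin] = secrets.token_bytes(32)
        return self.keys[pin]

    def receive(self, pin: str, blob: bytes) -> bytes:
        plaintext = decrypt(self.keys[pin], blob)
        if self.tap is not None:
            self.tap.append(plaintext)   # the "carbon copy", taken before any re-encryption
        self.outbox.append(plaintext)
        return plaintext

class Relay:
    """RIM's relay: routes by PIN and sees every message, but holds no keys."""
    def __init__(self):
        self.routes, self.seen = {}, []

    def forward(self, pin: str, blob: bytes) -> bytes:
        self.seen.append(blob)
        return self.routes[pin].receive(pin, blob)

    def can_read(self, blob: bytes) -> bool:
        try:                              # no key: a guessed key fails the tag check
            decrypt(secrets.token_bytes(32), blob)
            return True
        except ValueError:
            return False

class Device:
    def __init__(self, pin: str, key: bytes):
        self.pin, self.key = pin, key

    def send(self, relay: Relay, message: bytes) -> bytes:
        return relay.forward(self.pin, encrypt(self.key, message))

def run_scenario(tap_enabled: bool) -> dict:
    """Send one constructed message with or without a tap at the BES."""
    tap = [] if tap_enabled else None
    bes, relay = BES(tap), Relay()
    pin = "2100000A"                      # constructed device PIN
    device = Device(pin, bes.activate(pin))
    relay.routes[pin] = bes
    message = b"Q3 numbers attached - do not forward"   # constructed sample mail
    delivered = device.send(relay, message)
    blob = relay.seen[0]
    return {
        "delivered": delivered,
        "relay_sees_plaintext": message in blob,
        "relay_can_decrypt": relay.can_read(blob),
        "tap_copy": tap[0] if tap else None,
    }

if __name__ == "__main__":
    for flag in (False, True):
        print("tap enabled" if flag else "no tap", run_scenario(flag))
```

With the tap disabled the only parties that ever hold plaintext are the handset and the customer’s own server, which is the property RIM points to when it says it holds no master key. Enabling the tap changes nothing about the cipher or RIM’s keys; it simply copies the message at the one point where it is already in the clear, which is why the proposal does not need RIM’s cooperation on encryption at all, only a hook at the server.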

Going by letters operators have received from DoT stipulating an August 31 deadline for installing monitoring capability, the Indian government seems to believe RIM will give in.

Really? Would third-party access not be anathema to a trail-blazer like RIM? Will RIM be able to convince and retain existing customers once that security is compromised? What about existing arrangements with carrier partners?

If the server is not on Indian soil, do the laws of the country where it sits apply instead? If so, will India then dictate where BES servers must be located? Is that feasible?

What if a Company is headquartered in a place whose laws forbid such interception of encrypted or decrypted messages by a third party? What if the BES customer is a multinational whose Blackberry-using employees are spread across the world, India included?

Will the government seek the permission of Blackberry’s customer Company, or does the onus rest on RIM? Will it access all of the Company’s email, or only that sent by Indian employees?

There is little clarity. Questions persist.


Comment from Ray Tan: We have the same problem, too. Although I can understand it, it makes me uncomfortable being monitored by someone else.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
