BlackBerry-Maker to UAE, Saudis: No 3rd Party Can Access Encrypted Data, Not Even RIM
A document sent by RIM to its enterprise customers offers insight on its decision to keep encrypted BlackBerry data locked down.
By Al Sacco
Managing Editor, CIO
Research In Motion (RIM), the Canadian company behind the popular BlackBerry smartphone, caught a lot of flak this week from countries including the United Arab Emirates, Saudi Arabia and India, for its refusal to open up certain encrypted data to the respective governments.
The UAE called RIM’s BlackBerry services a threat to its national security, since criminals or other miscreants could potentially use BlackBerry services to securely communicate, and it is threatening to block certain BlackBerry services, namely RIM’s BlackBerry Messenger, if the company doesn’t comply with requests to monitor encrypted BlackBerry traffic by October 11.
In addition, Saudi Arabia is demanding that wireless carriers operating within its territories disable BlackBerry services on August 6, according to Bloomberg.com, because the devices and the associated wireless services supposedly do not meet government regulatory requirements.
And RIM has been going back and forth with the Indian government during the past couple of years over similar issues. Though recent reports suggest RIM may have finally conceded to some of the Indian demands, the BlackBerry-maker denied any such actions when asked by TheStreet.com.
So, to sum that all up, RIM is being pressured by a number of nations to grant government access to BlackBerry data that is encrypted by RIM, and therefore, cannot be monitored by said governments. RIM is refusing, but to address the ongoing issue and quell some of its customers’ potential concern, the company on Monday issued a private customer statement, which a source then passed on to me.
From the document:
RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.
RIM then goes on to list nine “facts” about the BlackBerry Enterprise Server (BES) architecture that it thinks will convince its customers that their potentially-sensitive data is safe at all times. What follow are the six most telling statements:
The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is a mandatory requirement for all enterprise-class wireless email services.
Strong encryption is a fundamental requirement for a wide variety of technology products that enable businesses to operate and compete, both domestically and internationally.
The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data
The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network
operator, ever possess a copy of the key.
The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography. The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted).
In other words, RIM probably won’t be opening up its encrypted data to paranoid governments or anyone else any time soon…and it says it couldn’t decrypt the customer data even if it wanted to.
Assuming both Saudi Arabia and the UAE, home of booming business-locale Dubai, stick to their guns and disable BlackBerry services in the coming months, a whole lot of frustrated Middle-Eastern CrackBerry addicts—and travelers in the affected areas–could soon be searching for new vices devices.
FREE CIO BlackBerry Newsletter
Get better use out of your BlackBerry and keep up-to-date on the latest developments.
Al Sacco was a journalist, blogger and editor who covers the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.