Blackberry-22
August 3rd, 2010 | by jz | Published in blackberry, cloud, cybersecurity, filtering, Future of the Internet | 8 Comments
“Why did you walk around all day with rubber balls in your hands?”
Orr sniggered again. “I did it to protect my good reputation in case anyone ever caught me walking around with crab apples in my cheeks. With rubber balls in my hands I could deny there were crab apples in my cheeks. Every time someone asked me why I was walking around with crab apples in my cheeks, I’d just open my hands and show them it was rubber balls I was walking around with, not crab apples, and that they were in my hands, not my cheeks. It was a pretty good story. But I never knew if it got across or not, since it’s pretty tough to make people understand you when you’re talking to them with two crab apples in your cheeks.” –Jospeh Heller, Catch-22
I’m having similar difficulty understanding Research In Motion’s statement in response to the news cascade following threats by the UAE and other countries to terminate its license to sell Blackberrys unless it’s more cooperative with government requests for surveillance.
Part of the confusion arises from the fact that we’re only seeing a small slice of a government-to-company negotiation — the public threat part — so exactly what’s being asked hasn’t been disclosed, and neither the government nor RIM have much incentive to say more. And it’s hard to infer what’s on the table since the Blackberry is a Swiss army knife-style digital appliance — it makes phone calls, supports instant messaging, texts, and email — in communication both with other Internet users (including those without Blackberrys) and within a corporate environment. When trying to figure out what RIM could share if it wanted (or were pressured) to, it helps to consider each service and environment separately.
So how does RIM’s public statement fit in? Here’s the intro:
Due to recent media reports, Research In Motion (RIM) recognizes that some customers are curious about the discussions that occur between RIM and certain governments regarding the use of encryption in BlackBerry products. RIM also understands that the confidential nature of these discussions has consequently given rise to speculation and misinterpretation.
RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.
Strong but vague so far — there’s a compromise to be struck, and RIM hopes to make the right one, bearing in mind the needs and interests of both its customers and its regulators. It’s how the statement continues that’s puzzling, and to understand requires going from forest to trees for a bit:
Many public facts about the BlackBerry Enterprise Server security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, should help our customers maintain confidence about the security of their information. …
- The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data. …
- The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
At last some specifics. But they appear extremely selective. The first bullet point above talks about the encryption of data between a handheld Blackberry and the server operated by RIM — a way station until the data finds its ultimate recipient. (People intend to email each other, not RIM; the RIM server is just a way to route data from one person to another.) So the first bullet point offers the assurance that the data can’t readily be accessed between the Blackberry user and the RIM way station. Fair enough — such encryption is routine. For example, those who use gmail in “secure” mode — these days it defaults to that — enjoy a similar protection. No stethoscope gathering radio waves in between can easily decipher what’s going on.
OK, on to the next quoted bullet point, which suggests that once the data is in repose at the way station, even then RIM couldn’t access it. But here there’s a qualifier: it’s the Blackberry “security architecture for enterprise customers.” Enterprise customers is a term of art that means customers brought en masse under the umbrella of a corporate enterprise. If Consolidated Widgets had previously had all its internal correspondence routed through a server in its own basement and wanted to farm that out, RIM could offer an “enterprise solution” where Consolidated Widgets would become its customer, and all of Widgets’s employees could be issued Blackberrys and corresponding email accounts. In that case, promises RIM, email sitting on RIM’s server would still be inaccessible to RIM. It’d be private between one sender and one recipient.
Why limit this feature to enterprise customers? In part because encryption standards haven’t been widely enough deployed to support ready encryption between users without regard to the devices and platforms they’re using. For me to send you an encrypted email that not even our respective email providers can access requires us to coordinate ahead of time on a standard. For example, you might establish a key using the Philip Zimmerman’s legendary PGP (“pretty good privacy”) standard, and I could then use it to send you an email that only you can read. But if you haven’t gone to that trouble, I’m stumped.
That’s not RIM’s fault, but it might make misleading a statement intended to address the overall surveillance controversy — a statement that on a quick read suggests that Blackberry email users enjoy utter secrecy, when in fact it’s necessarily only talking about “enterprise” users who are emailing each other under a single corporate umbrella. With that understood, the last line of the RIM statement offers much less assurance than it might seem to the average Blackberry user:
RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.
If the BlackBerry Enterprise Solution is but a subset of what we think of when we think about Blackberrys — namely, intra-corporate stuff — then the fact that it’s assured it both little threat to a government like UAE, which is no doubt concerned about communications and organizing among citizens outside a single corporate environment, and little solace to those very citizens. And that’s why our questions to RIM should stick to apples in cheeks rather than changing the subject to balls in hands: what assurances can be made about cooperation with government surveillance requests outside corporate intranets? The assurances need not be without exception to be reasonable — but the parameters of whatever accommodation is reached should be made public.
I welcome correction if I’m misunderstanding RIM’s attempt to dispel misunderstandings. …JZ
UPDATE 8/5/10: Bruce Schneier has written on the topic here.
August 3rd, 2010 at 4:34 pm (#)
I don’t get the Catch-22 thing, so hopefully that is the whole point. You can walk with crab apples in your cheeks and rubber balls in your hands at the same time, right…? So what is the guy on about.
August 4th, 2010 at 8:00 pm (#)
[...] have much incentive to say more.” We particularly appreciate the analyses of the situation from Prof. Zittrain and our former colleague Danny O’Brien at the Committee to Protect Journalists. Both [...]
August 4th, 2010 at 9:03 pm (#)
I’m not sure I understand your issue. Surveillance of email (and many other things) outside the single intra-corporate solution is inherently easy – in the absence, as you point out, of user-to-user encryption. That’s not really RIM’s problem – nor their business. Their news release is well summed up by the last sentence of their last bullet: “All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted). ” – i.e. RIM can’t read it.
So sure, they’re making quite a limited claim here, but I don’t see that anyone is being misled, or even misdirected.
Well, I would say that, but there’s something wrong about their bullet point on encryption which you quote. A symmetric key system where only the customer knows the key is not much good for communications (if Alice writes in a secret language known only to Alice, she will not manage to convey much to Bob). And if it’s not in fact a symmetric system, then the question is not who holds the encryption key, but who holds the decryption key.
Finally, I should clarify that the problem with general use of email encryption isn’t a lack of software – I’ll wager that, unless you’re using a webmail system, your email program almost certainly have the capability to send and receive encrypted messages with me already. It’s just a the lack of personal keys that gets in the way.
August 5th, 2010 at 12:01 pm (#)
I am curious to know why RIM is attracting the s$@* storm about security and privacy. Is it the situation mobile email on every other platform secure & uncompromised, while RIM alone is out making secret deals to compromise private user information with Repressive regimes?
I don’t know enough, obviously. I thought the situation was quite the reverse: RIMs mobile email is secure and uncompromisable, while every other platform is all the time everywhere wide open for theft of private user information a black-hat-in-the-know, or an anti-privacy government’s spy agency. Is it true that *only RIM* is secure enough to actually frustrate the efforts of anti-privacy governments? Isn’t this why RIM is being threatened by UAE and others?
For advocates of absolute email user privacy, it seems to me you are attacking the one real White Knight we have, while you disregard the rest of our erstwhile knights (Nokia, Apple/iPhone, Android) who suffer not on this issue at your hands; they have standards which please these regimes.
Please show me where I am wrong – I am no expert in this domain.
August 5th, 2010 at 7:09 pm (#)
@LW,
The point being misdirection. If you talk about another similar thing then the original question is thought answered but not in fact. Politicians do this all the time. If RIM talks about Enterprise Services then many people won’t realize this excludes them – they don’t get the same functionality, and that is never clarified or discussed.
Unfortunately people here are baffled by the opening quote.
The issue that has many “tech aware” users smiling is that user-to-user encryption is available in many other forms that apparently these governments aren’t aware of, and furthermore they seem to believe that if you make it harder for “criminals” to communicate secretly, then this will actually stop them being criminals. Odd. I would have assumed they would just find other ways to communicate, hence, nullifying the whole silly issue anyway.
August 6th, 2010 at 2:24 am (#)
[...] Pro Tweets Blackberrys, spying, and Catch-22: http://futureoftheinternet.org/blackberry-22 zittrain – Tue 03 Aug 15:53 All Things [...]
August 9th, 2010 at 3:09 pm (#)
[...] nor RIM have much incentive to say more." We particularly appreciate the analyses of the situation from Prof. Zittrain and our former colleague Danny O'Brien at the Committee to Protect Journalists. Both emphasize that [...]
August 9th, 2010 at 4:27 pm (#)
If you have a non-enterprise Blackberry, your email has to go from your email server (that’s ‘your’ in the sense of the one you use rather than necessarily the one you own) to your mobile data provider’s email server (who might be RIM) and hence to their Blackberry Enterprise Server, from where it goes securely to your Wibbleberry.
The admins of your email server and your mobile providers email server, regardless of whether the comms links are secure, have the plain text of your email. So, unless you encrypted it before you sent it, they could be served with a warrant (or succumb to general nosiness) and read it.
That’s the difference – the path BES – BB is secured but, if you don’t run your own BES, you need to ‘trust’ (in the old NSA sense – i.e. “a trusted person is one who can breach your security undetectably”) your email admin. Noting that that applies just as much to Enterprise Customer CEOs who are insider trading (or sleeping around) as to Verizon BB users.
BTW – my PGP key is on the Global Directory. You just need to unwind the nym!