“Why did you walk around all day with rubber balls in your hands?”
Orr sniggered again. “I did it to protect my good reputation in case anyone ever caught me walking around with crab apples in my cheeks. With rubber balls in my hands I could deny there were crab apples in my cheeks. Every time someone asked me why I was walking around with crab apples in my cheeks, I’d just open my hands and show them it was rubber balls I was walking around with, not crab apples, and that they were in my hands, not my cheeks. It was a pretty good story. But I never knew if it got across or not, since it’s pretty tough to make people understand you when you’re talking to them with two crab apples in your cheeks.” –Joseph Heller, Catch-22
I’m having similar difficulty understanding Research In Motion’s statement in response to the news cascade following threats by the UAE and other countries to terminate its license to sell Blackberrys unless it’s more cooperative with government requests for surveillance.
Part of the confusion arises from the fact that we’re only seeing a small slice of a government-to-company negotiation — the public threat part — so exactly what’s being asked hasn’t been disclosed, and neither the government nor RIM has much incentive to say more. And it’s hard to infer what’s on the table since the Blackberry is a Swiss army knife-style digital appliance — it makes phone calls, supports instant messaging, texts, and email — in communication both with other Internet users (including those without Blackberrys) and within a corporate environment. When trying to figure out what RIM could share if it wanted (or were pressured) to, it helps to consider each service and environment separately.
So how does RIM’s public statement fit in? Here’s the intro:
Due to recent media reports, Research In Motion (RIM) recognizes that some customers are curious about the discussions that occur between RIM and certain governments regarding the use of encryption in BlackBerry products. RIM also understands that the confidential nature of these discussions has consequently given rise to speculation and misinterpretation.
RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.
Strong but vague so far — there’s a compromise to be struck, and RIM hopes to make the right one, bearing in mind the needs and interests of both its customers and its regulators. It’s how the statement continues that’s puzzling, and understanding it requires going from forest to trees for a bit:
Many public facts about the BlackBerry Enterprise Server security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, should help our customers maintain confidence about the security of their information. …
- The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data. …
- The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
At last some specifics. But they appear extremely selective. The first bullet point above talks about the encryption of data between a handheld Blackberry and the server operated by RIM — a way station until the data finds its ultimate recipient. (People intend to email each other, not RIM; the RIM server is just a way to route data from one person to another.) So the first bullet point offers the assurance that the data can’t readily be accessed between the Blackberry user and the RIM way station. Fair enough — such encryption is routine. For example, those who use Gmail in “secure” mode — these days it defaults to that — enjoy a similar protection. No stethoscope gathering radio waves in between can easily decipher what’s going on.
OK, on to the next quoted bullet point, which suggests that once the data is in repose at the way station, even then RIM couldn’t access it. But here there’s a qualifier: it’s the Blackberry “security architecture for enterprise customers.” Enterprise customers is a term of art that means customers brought en masse under the umbrella of a corporate enterprise. If Consolidated Widgets had previously had all its internal correspondence routed through a server in its own basement and wanted to farm that out, RIM could offer an “enterprise solution” where Consolidated Widgets would become its customer, and all of Widgets’s employees could be issued Blackberrys and corresponding email accounts. In that case, promises RIM, email sitting on RIM’s server would still be inaccessible to RIM. It’d be private between one sender and one recipient.
Why limit this feature to enterprise customers? In part because encryption standards haven’t been widely enough deployed to support ready encryption between users without regard to the devices and platforms they’re using. For me to send you an encrypted email that not even our respective email providers can access requires us to coordinate ahead of time on a standard. For example, you might establish a key using Philip Zimmermann’s legendary PGP (“Pretty Good Privacy”) standard, and I could then use it to send you an email that only you can read. But if you haven’t gone to that trouble, I’m stumped.
That’s not RIM’s fault, but it might make misleading a statement intended to address the overall surveillance controversy — a statement that on a quick read suggests that Blackberry email users enjoy utter secrecy, when in fact it’s necessarily only talking about “enterprise” users who are emailing each other under a single corporate umbrella. With that understood, the last line of the RIM statement offers much less assurance than it might seem to the average Blackberry user:
RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.
If the BlackBerry Enterprise Solution is but a subset of what we think of when we think about Blackberrys — namely, intra-corporate stuff — then the fact that it’s assured is both little threat to a government like UAE, which is no doubt concerned about communications and organizing among citizens outside a single corporate environment, and little solace to those very citizens. And that’s why our questions to RIM should stick to apples in cheeks rather than changing the subject to balls in hands: what assurances can be made about cooperation with government surveillance requests outside corporate intranets? The assurances need not be without exception to be reasonable — but the parameters of whatever accommodation is reached should be made public.
I welcome correction if I’m misunderstanding RIM’s attempt to dispel misunderstandings. …JZ
UPDATE 8/5/10: Bruce Schneier has written on the topic here.