BlackBerry security fears: What the issue is all about

Last updated on: August 5, 2010 22:22 IST

Image: BlackBerry Bold 9000.

Will BlackBerry face a ban in India? That's the big question in the minds of over 10 lakh (1 million) BlackBerry users in India.

The government has now warned that it would block 'BlackBerry-to-BlackBerry messenger' service if the maker of BlackBerry -- Research In Motion -- does not offer a solution to monitor messages within a week.

The Indian government has raised security concerns over BlackBerry messages since 2008. However, BlackBerry still continues its services without complying with Indian security regulations.

While the Indian government wants BlackBerry to allow monitoring of e-mails and SMS, RIM has said the security architecture for its enterprise customers is based on a symmetric key system whereby the customers create their own key and only they possess a copy of the encryption key.

RIM says the security architecture for customers was designed to exclude RIM or any third party from reading encrypted information under any circumstances.

Meanwhile, the government has stated that service providers like Airtel, Vodafone, RCom, Tatas, BSNL and MTNL that offer BlackBerry services should allow the security agencies to intercept any conversation or message of subscribers if required.

Why is there a security issue over BlackBerry usage? How did it start? What steps are being taken?

Source: Business Standard; PTI and other agencies

Image: Setback for BlackBerry.

More countries like Indonesia, Kuwait and Egypt are contemplating a ban against Research in Motion's BlackBerry service.

"Certain BlackBerry applications allow people to misuse the service, causing serious social, judicial and national security repercussions," a statement from the United Arab Emirates government said last week.

While the high level of encryption on data transfers has been one of the biggest advantages for many BlackBerry subscribers, this has now turned out to be a grave security threat for many Asian countries.

Meanwhile, the European Union Commission has also rejected BlackBerry phones and opted for Apple's iPhone and HTC smartphones. BlackBerry is still used by many state heads and high level officials.

The United States has, however, expressed its disappointment over the ban on BlackBerry by the United Arab Emirates and said this will set a dangerous precedent in free flow of information.

"We are disappointed at the announcement. We are committed to promoting the free flow of information. We think it's innovative. It's integral to an innovative economy and we will be clarifying with the UAE their reasons for making this announcement," US State Department spokesman P J Crowley said.

The United States has said it is in touch with countries like India, the UAE and Saudi Arabia over their concerns with regard to the security features of BlackBerry.

Image: BlackBerry raises security concerns.

"There are issues attached to freedom of information, the flow of information, the use of technology. We are in touch with these governments," Crowley said.

"We're going to try to understand what their concerns are, the nature of the ongoing negotiations that they have with this particular company. And then you've touched on that there are number of countries that are in the midst of these negotiations and we'll see what the implications are," Crowley said.

Crowley said there are legitimate security concerns attached to certain technologies and the flow of information around the world. "We understand those concerns. We want to best understand what's behind those concerns."

"At the same time, we do support the flow of information, the available technology which does empower people. We are in touch, given that this issue has come up in a variety of countries, we are reaching out to those countries - have a discussion to understand the nature of their concerns and see if we can find solutions," he said.

Noting that it is not only about the free flow of information but also about the availability of technology, he said the cell phone in its various iterations has, in fact, opened up a new world of information to people around the world.

"It is empowering them to do many unique and different things. We are broadly supportive of trends to bring technology to bear to help people who have not had access to information before. Knowledge is power. And to the extent that you can bring knowledge through portable devices to more people around the world, this has the ability to transform societies," said Crowley.

Image: Tough to crack the BlackBerry code.

BlackBerry's justification

BlackBerry says the messages are encrypted. The smartphone's server is based in Canada where the encryption level is very high and extremely difficult to crack.

And any message going through a Canada server is encrypted and, therefore, cannot be accessed by intelligence agencies in India.

"RIM does not possess a master key nor does any back door exist in the system that would allow RIM or any third party to gain an unauthorised access to the key or corporate data," the company said.

It, therefore, would be unable to accommodate any request for a copy of a customer's encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.

Senior officials of key security agencies at a recent meeting argued that the continuation of BlackBerry services in the present format poses danger to the country.

The meeting was attended by representatives of the Ministry of Home Affairs, department of telecommunication, intelligence agencies and the National Technical Research Organisation.

The latest development indicates that security agencies are again finding it difficult to intercept or decipher messages sent through these phones, which use 256-bit encryption.

This encryption code first scrambles the emails sent from a BlackBerry device and unscrambles them when the message reaches its target.

Image: Misuse of smartphones.

How can the services be misused?

RIM is not willing to locate its servers in India (which would allow interception), since the costs are not justifiable on commercial grounds.

BlackBerry phones have been recovered from terrorist gangs in the past. With a BlackBerry, a user can have instant and encrypted communication with another, simply by calling the other person's unique four character number.

However, while a BlackBerry can be traced to a user, the same cannot be said of throwaway Hotmail and Yahoo addresses accessed from a cybercafe.

After the emails of some terrorists were intercepted in the late 1990s, they adopted another strategy.

A group of them create a webmail address and agree on a password. Thereafter they type their messages, but instead of sending them, they save them in the 'drafts' folder -- no internet traffic is generated and other terrorists just log on and check the 'drafts' folder for messages.

Others use steganographic techniques, which allow encrypted messages to be concealed in video, audio or pictures that can be exchanged in open forum chatrooms or on sites like Orkut and Facebook.

Image: BlackBerry faces ban.

What does the government want?

The Ministry of Home Affairs has reiterated that BlackBerry emails and other data services must comply with formats that can be monitored by security and intelligence agencies.

The government will allow telecom operators to offer services that can be intercepted by the security agencies. If any service is not allowed to be intercepted, it will ban such services.

There are reports that a server has been placed in China. The home ministry asked the department of telecom to check whether it is true.

The government also wants a BlackBerry server in India but the company has been resisting the move. Once the server is in India, it will be easier to track the messages.

The home ministry maintains that RIM has been addressing security concerns of several other countries, including the United States, where it operates and, therefore, there is no justification to not comply with the same in India.

Image: BlackBerry, a popular smartphone.

The BlackBerry saga

In 2008, the Indian government threatened to block BlackBerry services unless RIM provided intelligence agencies access to all data, especially emails, routed through these handsets.

The government also insisted that RIM put in place a system that would allow them to intercept data sent through these handsets, as it feared that these services could be exploited by terrorists.

After several rounds of talks among the government, RIM and the telecom department, the government announced in late 2008 that the issue had been resolved.

4 types of BlackBerry services in India

There are four major types of RIM's BlackBerry services in India:

(a) Voice communication to or from another device, whether the latter is a BlackBerry or not;

(b) SMS & MMS to or from another device, whether the latter is a BlackBerry or not;

(c) E-Mail between two BlackBerry Devices;

(d) E-Mail between a BlackBerry and a non-BlackBerry.

Of these, (a), (b) and (d) can technically -- and legally -- be intercepted by Indian security agencies even today, since they pass through an Indian mobile network (Airtel, Vodafone, Reliance) in a reformatted form. It is only (c) that cannot easily be intercepted by Indian security agencies.

Image: BlackBerry woes.

Is the government demand acceptable?

India's security agencies were the first to successfully use cyberforensics, around 1996-97, to track email and cellphone communications of the Liberation Tigers of Tamil Eelam and the Lashkar-e-Toiba.

LeT attacks in the country, for instance, were solved when the Hotmail and Yahoo accounts of those in charge of the LeT logistics were monitored -- this was made easier by the fact that the state-owned VSNL was the monopoly ISP in the country.

Even the Red Fort attack was solved when the emails on the terrorists' laptops were later traced.

In comparison, security agencies in countries like the US restricted themselves at that time, through Project Echelon, to monitoring international phone calls to/from the US - this was not very efficient and there were huge backlogs in the analysis.

From the late 1990s, the US and the United Kingdom eased the legal restrictions on snooping on email and phone calls.

The FBI-developed IP-packet sniffing tools CARNIVORE, and later, OMNIVORE were installed on all Internet Service Providers in the US to track suspicious email traffic.

After 9/11, all legal restrictions preventing snooping without reasonable cause were lifted.

In this context, the Indian security agencies' demand to intercept BlackBerry email or to ask BlackBerry to deposit its decryption keys with them is hardly unacceptable (the ISP licence does not allow encryption beyond 40 bits unless the decryption keys are deposited with the security agencies on demand).

"Allowing governments to monitor messages shuttling across the BlackBerry network could endanger the company's relationships with its customers, which include major companies and law enforcement agencies," a BlackBerry official told The New York Times.

AGENCIES