Forgot your password?

Is RIM Allowing Government Spying Or Not?

Information Overload I am totally confused here. On one hand RIM has issued a statement to multiple news sources that “RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.” On the other hand we have the India Times reporting that “Research in Motion (RIM) has for the first time agreed to allow Indian security agencies to monitor its BlackBerry services.”

So which one is it? According to the India Times:

The company (RIM) has offered to share with security agencies its technical codes for corporate email services, open up access to all consumer emails within 15 days and also develop tools in 6 to 8 months to allow monitoring of chats… With regard to its general consumer email, RIM has said the services provided by Bharti Airtel, Vodafone Essar, Loop and Tata can already be monitored. RIM also assured that it is working with mobile phone companies like Aircel, BSNL, MTNL, Idea and Reliance Communications to install the requisite infrastructure to ensure that general consumer emails offered by these firms are in formats that can monitored by security agencies within the next 15 days, documents with the telecom ministry said. Voice and SMS services on BlackBerry handsets can be intercepted by security agencies here, the DoT’s internal note adds.

Now on the other hand RIM has issued the following statement that we saw on IntoMobile:

Due to recent media reports, Research In Motion (RIM) recognizes that some customers are curious about the discussions that occur between RIM and certain governments regarding the use of encryption in BlackBerry products. RIM also understands that the confidential nature of these discussions has consequently given rise to speculation and misinterpretation. RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.

Many public facts about the BlackBerry Enterprise Server security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, should help our customers maintain confidence about the security of their information.

  • RIM operates in over 175 countries today and provides a security architecture that is widely accepted by security conscious customers and governments around the world.
  • Governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.
  • The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is a mandatory requirement for all enterprise-class wireless email services.
  • The use of strong encryption in information technology is not limited to the wireless industry. Strong encryption is used pervasively on the Internet to protect the confidentiality of personal and corporate information.
  • Strong encryption is a fundamental requirement for a wide variety of technology products that enable businesses to operate and compete, both domestically and internationally.
  • The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data.
  • The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
  • The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
  • The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography. The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted).

RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.

So now I am still confused. Which one is it? Do they allow government monitoring or not? Maybe BES server email is excluded? What do you make of it? Maybe these governments will tackle how frustrating it is to open an envelope without the receiver noticing it was tampered with…

10 total comments on this postSubmit your comment!
  1. Maybe only BIS is compromised? I’d really like to know the answer. If BIS is insecure, I wonder if BESX is a workable solution to maintain my privacy.

    Corporate espionage is a real concern with certain foreign governments.

  2. No conflict. “Enterprise” vs “consumer” — it sounds to me like RIM spent a lot of time talking about how secure Enterprise customers are; while the India Times article specifically called out consumer email and chat.

  3. This really isn’t confusing at all. All that security and encryption talk from RIM applies to BES ONLY. BIS, BLACKBERRY MESSENGER, SMS, phone, all other services on the device are no more secure than on any other brand or OS. People (especially so called “journalists”) read about how secure is the “BlackBerry Solution” and make assumptions that applies to everything on the device. This is clearly not true and has been discussed at length throughout the BlackBerry community.

  4. Yeah but as far as I remember even regular BIS email is encrypted until RIM’s NOC. I am not sure about BBM. It is only once it goes from RIM’s BIS to your email server that it is unencrypted though if you have SSL enabled that might also be encrypted.

    • http://docs.blackberry.com/en/smartphone_users/deliverables/14212/BlackBerry_Internet_Service-Security_Feature_Overview–787371-0205030634-001-3.0-US.pdf

      On Page 2:
      “The BlackBerry Internet Service uses the security of the wireless network that it connects to. Email messages that are sent between the BlackBerry
      Internet Service and your BlackBerry device are not encrypted. However, email messages that are sent between the BlackBerry Internet Service
      and your messaging server can be encrypted using SSL encryption.”
      So RIM states quite clearly here (at least clear to me) that DeviceBIS is NOT encrypted, but BISServer CAN be encrypted.

      On Page 3:
      “You can set up the built-in firewall on your BlackBerry® device to block incoming SMS text messages and PIN messages, both of which are not
      encrypted.”
      Since BBM uses PIN messaging, my read of that statement is that BBM messaging is not encrypted.

      Now…if you browse around the Blackberry Security site some more (http://na.blackberry.com/eng/ataglance/security/) you can actually read things like Common Criteria EAL reports where it is clearly documented that ALL traffic DeviceBES IS encrypted. Now, I would say until proven wrong in writing that you can’t assume that just because your are on a BES that means ALL of your communications are secure, because even a BES Blackberry has the ability (unless locked out by policy) to connect to BIS and thus the security (or lack thereof) of BIS would apply. However, there are many out there (both users and so-called “journalists”) who inappropriately make that leap.

  5. Definitely sounds to me like RIM is trying to confuse people by saying it’s safe, it’s safe, by hiding the fact that it only applies to users of BES. What about BIS? Is our info free for the taking?

  6. Yea! If my bis isn’t secure, I think I will juz get an apple phone

  7. Have to dig more, but I’m sure I’ve read that only BES is encrypted between handset and RIM. And that the SSL ability in BIS is only for between RIM and your server and has no impact on the connection between device and RIM.

    So reach out to your contacts at RIM as ask them to un-bullshit-ify their statement.

  8. BES is not peer to peer, BES is device to BES and BES to device – emails are stored in plaintext on the mail server itself. There’s your backdoor.

  9. And BIS was never secure in the first place.

3 total pingbacks on this post

BlackBerry© is a registered Trademark of BlackBerry Limited. BerryReview is in no way affiliated with BlackBerry Limited though sometimes their lawyers send us love letters...

Copyright © 2007-‘2016’ BerryReview LLC