27 Aug Cracking the BlackBerry
The showdown between the Indian government and Research in Motion, the Canadian company behind the BlackBerry service has reached a crescendo. Indian security agencies have always been leery of BlackBerry’s walled garden approach. But after the UAE, Saudi Arabia and now Lebanon announced a ban on BlackBerry services, the Indian government seems to have been galvanised into action.
Is there really a security risk with the BlackBerry or is the government over-reacting? There are many ways to access email with your mobile device. Most smartphones are designed to integrate the mobile device with the office network. To the server, the smartphone appears as just another computer which can pull emails from the server and users read emails on their phones in much the same way as they do on their laptops. The BlackBerry service, on the other hand, is designed so that all data sent by a BlackBerry device is compressed to a fraction of its original size before being sent to vast RIM server farms in Canada. These servers connect to individual BlackBerries using a “push” technology that allows email messages to reach the recipient device almost as soon as it hits the Canadian server. The compression also ensures that the message is encrypted, imparting, in addition to rock-steady reliability, an unparalleled privacy in email communication.
Now, while privacy is good — perhaps even necessary for the legitimate business user — it is a nightmare for law enforcement agencies constantly locking horns with tech-savvy terrorists. The inability to read email exchanges between individuals plotting anti-national activity is often the difference between preventing a crime and getting there too late.
Under Indian telecom licenses, the government has the right to require telcos to allow the government access to their networks. However, interception is of little use if the message being intercepted is itself encrypted. The encryption algorithms used by BlackBerries are designed to withstand decryption attempts by super-computers. Which is why the Indian government wants RIM to part with its encryption keys.
Even if RIM does agree to do this, of itself, this will not solve the problem. Even if the government has access to encryption keys in respect of all retail customers, it would still be unable to access emails sent from corporate BlackBerry accounts. Enterprise customers can buy their own BlackBerry servers with advanced security features. These private BlackBerry servers have their own encryption keys, over which RIM has no access, in order to assure customers that no one outside their organisation have access to their email. It is currently impossible for RIM to provide the government access to the many thousands of keys already issued to enterprise customers even if a decision is taken to do so going forward.
There is a third service that is potentially even more dangerous from a law enforcement perspective — BlackBerry Messenger. Anyone who has a BlackBerry device can share their PIN with any other BlackBerry owner and send messages between their respective devices instantly and without charge. This extremely popular application has a huge following in the Blackberry universe, but since it enables instant messaging, has real time implications for law enforcement.
There is little doubt that the fears of Indian law enforcement agencies are well founded. But practically, is there anything one can do about it?
The BlackBerry service provides an encrypted solution that protects customer emails without the need for customers to implement complex settings. However, encryption technology, of the high level used by the BlackBerry service, is not the exclusive preserve of RIM. Anyone with even moderate computer skills would be able to implement the same level of encryption to cloak email passing between personal computers or other mobile devices. It will be relatively easy for a terrorist armed with such devices and using the normal 3G or GPRS data connectivity to ensure that their messages are impossible to read, even if intercepted. What then will the government do next — ban all connected mobile devices? While there is every need to be vigilant and to constantly evolve our defences, we must be rational and measured in our reactions. There is a fine line between precaution and paranoia.
The writer is a Bangalore-based lawyer