Saudis Lift BlackBerry Ban: More Governments Want Access to Corporate E-Mail Servers
August 19, 2010 2:56 PM
After ten days of escalating public debate in which the Saudi Arabian government threatened to ban BlackBerry services because of security concerns, the Kingdom relented on August 9. Other governments have also expressed concern over BlackBerry’s stringent data encryption, including the United Arab Emirates, Algeria, Kuwait, Indonesia, India and Lebanon. The UAE has announced a ban on BlackBerry services as of October 11, and India has threatened to suspend all services unless Indian authorities get access to encrypted communications by August 31.
Some governments believe that access to private communications is a necessary security measure. Critics maintain that Saudi Arabia and the UAE are at least partly motivated by a desire to limit freedom of expression and strengthen their already strict policing of the internet for political content.
This is the latest in a series of “tense standoffs” between governments and private corporations over questions of individual rights and national security, as described by a July 2010 ESG Insight article. Such conflicts include Google’s faceoff with China over questions of internet censorship and Nokia Siemens Networks’ provision of “lawful intercept” capabilities to Iran, which allegedly allowed authorities to monitor and censor internet traffic during the disputed June 2010 elections.
Saudis, Others Want the Same Access as US, Canada
Along with questions about whether Western companies should provide surveillance capabilities to undemocratic regimes, these disputes also highlight a possible double standard. Nations like the US and Canada, home of BlackBerry maker Research in Motion (RIM), are largely understood to have access to personal internet traffic. The US has an advantage in that many encrypted email services such as Gmail and Yahoo have servers on US territory, rendering them subject to court-ordered disclosure.
Earlier this month, RIM flatly refused government access to its data flows, and denied cutting deals with any governments. On August 12 it also posted a set of rules for its cooperation with countries demanding access to data flowing through RIM servers, in which it reiterated its stance on the equal treatment of all countries. And yet, its settlements with India and the Saudi government suggest that some nations may be more equal than others.
RIM Can’t Read Its BES Clients’ Email
While both sides are keeping mum, the Saudis seem to have demanded access to both user data as well as a proprietary RIM decryption tool. Experts say it would be technically impossible for RIM to provide this, especially for corporate BlackBerry Enterprise Server (BES) messages.
BlackBerrys can provide three distinct data channels: the proprietary corporate BES service; RIM’s consumer BlackBerry Internet Service (BIS); and BlackBerry Messenger (BBM) communications. BES allows corporations to monitor and archive everything that happens on all company BlackBerrys, which act as a gateway to a company’s email systems. Emails sent on BES are encrypted end-to-end, from sender to recipient, and notoriously difficult to intercept and decrypt—a main differentiator for RIM. (Indeed, the White House uses BlackBerrys for its internal communications.)
The company has insisted that it “does not possess a ‘master key’” that would allow third-party access to BES email exchanges:
The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
Messages sent over BIS, on the other hand, are no more secure than messages on other smartphones. BBM bypasses BES servers completely and relies on RIM servers for transmission. Even if Saudi Arabia and other governments did gain greater access to BBM data without help from RIM, tech experts say messages may still be encrypted, and thus indecipherable.
To sum up, RIM does have the capacity to expose the data flowing via BIS and BBM. But to gain access to messages sent via BES, governments must obtain it from corporate owners of BES servers.
RIM’s Deals with Saudi Arabia, India: Do Bigger Markets get Better Treatment?
RIM's settlements with Saudi Arabia and India show how the firm may accomodate other governments going forward.
Saudi Arabia has some 700,000 BlackBerry users, RIM’s largest market in the Middle East. According to a Saudi Communication and Information Technology Commission (CITC) official, RIM has agreed to install a relay server in Saudi Arabia, effectively allowing authorities to observe messages sent by BIS from and within the country.
India has an estimated one million users, and is already the largest wireless market behind China. RIM has indicated it would abide by India’s end-of-August deadline for access to data sent via BBM, though it has remained secretive as to how it will comply with government requirements. RIM has also helped the government identify corporations using BES, potentially exposing those firms to government pressure.
Bruce Schneier, chief security technology officer at BT, told the Associated Press that RIM’s Saudi arrangement is similar to deals struck in Russia and China. He also warned that every time RIM strikes such a deal, it undermines its claims about its security system’s integrity.
Needles in an Ever-Growing Haystack
Thomas Shambler, the Dubai-based editor of Stuff’s Middle Eastern edition asserts that users in the UAE are more concerned with losing service than with government scrutiny. Bahrain officials have opted not to interfere with smartphone traffic, saying that terrorists will be able to communicate no matter what channels the government tries to control. And governments may simply be fighting a losing battle in trying to read the world’s email. In May 2009, technology market research firm The Radicati Group estimated that in 2009, 247 billion email messages were sent every day—more than 2.8 million a second—by 1.4 billion email users. The sheer volume of online information may already be too much for any government to monitor, adding yet another challenge to sovereignty in an increasingly interconnected world.