RIM: No, we still can't spy on your enterprise emails
Beleaguered firm Research in Motion refuted rumors and reports that it handed over its secure corporate email encryption keys that would allow Indian authorities access to snoop on business users' messages.
RIM, which continues to battle governments over encryption -- particularly in emerging markets and those with high levels of politically instability and uncertainty -- because authorities want access to communications to prevent serious crime and terrorism.
But the company needs India to survive -- one of its last remaining emerging markets -- and its continued expansion in the region is risked on false reports that its security has been compromised.
The mobile firm said it denied the allegations and sought to correct "false and misleading information."
As we have stated on several occasions, and as we have set out in our company’s Lawful Access Principles, RIM cannot access information encrypted through BlackBerry Enterprise Server as RIM is not ever in possession of the encryption keys.
The wording next, however, is interesting. It all but throws consumers under the bus in terms of interception. The company added in a statement (via The Wall Street Journal):
RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications.
Previous reports suggested RIM was able to intercept both consumer and encrypted business smartphones using a solution developed by a firm called Verint.
But for ordinary consumers -- the vast majority of BlackBerry users -- the risk of legal interception is still high in India and elsewhere, following a January 31, 2011 deadline for RIM to comply with requests put forward by India's intelligence services.
While BlackBerry Messenger is encrypted to a degree, its security is limited. In short, if one encryption key is cracked, every other BlackBerry device is subject to interception. Following the 2011 London riots, Britain's security service MI5 was drafted in to crack the encryption code. They likely succeeded.
In a company note:
"BlackBerry Messenger messages are not considered as confidential as email messages that are sent from the BlackBerry Enterprise Server, which use BlackBerry transport layer encryption. Encryption using the global PIN encryption key is sometimes referred to as "scrambling".
Enterprise BlackBerrys use end-to-end encryption, with data flowing over RIM's own pipes rather than the user's individual mobile network. Because each BlackBerry-enabled corporate network has its own server with a unique encryption key, this puts email security directly in the users' hands, and RIM cannot access individual server keys.
It keeps the network infrastructure decentralized and mostly out of RIM's hands -- which is where it wants it to be.
Much of RIM's infrastructure is based in datacenters in Canada. Earlier this year, RIM set up a datacenter in Mumbai following requests from the Indian government. Given that the datacenter is on Indian soil, it would allow lawful access to consumer emails and messages.
According to the Journal, India authorities can now submit requests for data and RIM will return decoded messages as long as the firm is satisfied the request is legal.
"The fact is that BlackBerry enterprise communications in India remain secure and encrypted. No change has been made or ever can be made in India or anywhere," said RIM's head of government relations, David Paterson, in an interview with Reuters.
Image credit: CNET.