Tuesday, August 3, 2010

Blackberry, Encryption, and National Security

I've been following the progress of Blackberry vendor Research in Motion's conflicts with Saudi Arabia, the UAE, and India over the strong encryption used by its devices for instant messaging, email, and web browsing.  All three nations want access to Blackberry users' data as part of their anti-terror operations, but both Saudi Arabia and the UAE want to restrict access to certain types of information, including pornography.

These governments argue that they not only face diverse terror threats (they do), but that they are just asking for the same access that Western governments routinely have.  Both the American and British governments have had access to Internet and telecommunications services within their borders for decades, though most telephone calls, emails, and other Internet traffic is not secure - email is generally sent in clear text, phone calls are rarely scrambled (and the U.S. Government reportedly has access to individual phone switches produced by American companies), and text messages are similarly insecure.  Blackberry services are different - part of the company's appeal to businesses is that Blackberry Messenger (the platform's proprietary instant messenger) and Blackberry email are both secure.  India, Saudi Arabia, and the UAE don't have the native technical ability to crack RiM's encryption.

Their solution is to inform RiM and Blackberry users that some functions will be blocked.  After years of negotiation, the UAE gave the company a Friday deadline, and local service providers offered users iPhones or other devices that the government could snoop without difficulty because unlike RiM, Apple and Google don't use dedicated secure servers to store and forward user data.

Research in Motion caved, offering to block porn sites and allow governments to snoop user data.  Better to give up the security that users pay for than lose the users entirely.  This episode should serve as a warning to businesses and consumers alike that electronic communications are insecure unless you provide your own security (and probably not even then given the ease most commercially available security protocols are cracked).

The problem is that this is not just an issue of national security for any of these countries, nor, indeed, those in the West that already had this access.  Access to user data may also be used to suppress political dissidents or steal trade secrets.  These are issues even in the liberal democracies of the West - France is known for its efforts to use intelligence services for industrial espionage, and in the United States Quaker peace activists have been the targets of domestic intelligence gathering.  In less free countries, political reformers and foreign businesses will likely become targets of these enhanced snooping capabilities.

Meanwhile, the terrorists that India, Saudi Arabia, and the UAE fear will adapt.  Users of Blackberries, iPhones, and Android devices already have access to technologies that make their communications more secure - TOR clients to provide secure browsing and other Internet Services, PGP clients can encrypt messages and documents, and a plethora of secure instant messaging clients for the three platforms are readily available.  The highly public nature of this conflict will drive terrorists and criminals to adopt these measures, which will be all the harder for India, Saudi Arabia, and the UAE to counter due to the sheer variety of options available.  All three nations may end up being less secure for their efforts.

No comments:

Post a Comment