You are here: Home / News & Media / RIM Offered Security Fixes

RIM Offered Security Fixes

by Prasad Krishna last modified Apr 02, 2011 10:24 AM
In India Talks, BlackBerry Maker Said It Could Share Metadata, Notes Show
RIM Offered Security Fixes

An Indian salesman checks the audio quality of a phone given for repairs at a Blackberry store in Mumbai on Friday.

Research In Motion  Ltd. has offered information and tools to help India conduct surveillance of wireless email and messaging services on RIM's popular BlackBerry, say people familiar with the negotiations, illuminating RIM's dealings as it seeks to balance sovereign security concerns with its customers' privacy.

In a series of discussions that intensified this summer, RIM offered to provide crucial information that would help the Indian government track down messages sent via the company's popular and encrypted corporate email service, according to those familiar with the confidential talks and to minutes of meetings reviewed by The Wall Street Journal.

In a July 26 meeting, RIM representatives told Indian officials "they have a setup to help the security agencies in tracking the messages in which security agencies are interested," according to an Indian government summary of the meeting.

The Waterloo, Ontario, company has become an industry leader in part on the strength of a secure technology that offers information privacy to customers. But as RIM seeks to expand, it is grappling with how its promise of user confidentiality is encountering resistance from governments around the globe.

RIM's challenge, along with Google  Inc.'s face-off with China over censorship issues, illustrates the growing tensions between Western technology giants, who seek to woo millions of emerging-market consumers with increasingly sophisticated technology, and governments that are trying to maintain security in the face of it.

The stakes are high in India, the world's No. 2 wireless market, behind China, with 635 million subscribers. Emerging economies are vital to RIM as its smartphones face competition in North America from Apple  Inc.'s iPhone and devices that run on Google's Android software. RIM's new international subscribers for the first time outnumbered new North American subscribers in the quarter that ended Feb. 27, according to brokerage GMP Securities.

Discussions between RIM and India took a public turn Thursday when India's government threatened to block some BlackBerry services from the country's telecommunications networks unless the services could be opened to surveillance by Aug. 31. On Friday, an Indian government official said RIM had assured India it would meet the deadline.

A spokesman for RIM in India declined to comment on negotiations with India. Sachin Pilot, India's Minister of State for Communications and Information Technology said Friday there are promising signs that the company is willing to cooperate, but there's no deal "until I have something in writing."

RIM has come under scrutiny in recent months amid contentious negotiations with countries including the United Arab Emirates and Saudi Arabia, which have also sought to monitor BlackBerry services for threats to national security.

A person familiar with the negotiations in the U.A.E. said officials in the region believed RIM had been holding back from them technological solutions that had been offered to Western governments, specifically in regards to BlackBerry Messenger.

RIM declines to discuss its negotiations with governments and didn't comment on negotiations in India and other countries.

In a statement issued Thursday, RIM outlined its guidelines for how far it is willing to go in helping carriers meet surveillance needs. RIM said it will only help carriers meet strict national-security rules, won't provide more access than its competitors already do and won't alter the security architecture of its corporate email servers in response to government needs.

"RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries," the statement said.

Governments are pressuring RIM to comply with their demands for information in part because unlike other smartphone vendors, it operates its own network of servers, the biggest of which is in Canada, outside their monitoring reach and jurisdiction.

That contrasts with devices such as the iPhone, which don't operate their own email services. Governments generally have laws that allow them to monitor traffic on mobile and computer networks operating within their own countries.

Talks between RIM and various countries have centered mostly on data routed through the company's system for corporate emails, BlackBerry Enterprise Server, and its instant-messaging service, BlackBerry Messenger, whose high levels of encryption can prevent government monitors from deciphering content or determining sender or recipient. RIM has said that even it can't decrypt BlackBerry corporate emails.

India's security services argue they need access to selected emails to ward off criminal and terrorist threats. "In terms of our issues of national security, any responsible government would not want to compromise," said Mr. Pilot, the communications minister. "I don't think what we are asking is out of the ordinary vis-à-vis other countries."

Security and technology experts say each country has different surveillance needs, technology infrastructures and laws governing how security forces and police can access data. It is generally Internet service providers and telecommunications carriers that must implement the country's monitoring regime, and the kinds of help RIM gives carriers in doing that varies with each nation, says a person familiar with RIM's operations.

According to minutes taken by the Indian side, the parties discussed whether RIM could provide "metadata" from encrypted corporate emails—information such as the email's sender and recipient and the time sent. "After some persuasion, the [RIM] representative agreed that they can provide the metadata of the message," according to an Indian summary of one discussion.

Cyber-security experts say such metadata would give government intelligence services important leads to locate BlackBerry traffic on corporate email servers, where messages are in decrypted form. It wasn't clear under what circumstances RIM would agree to divulge such information.

In the meetings, RIM also promised to develop tools to help Indian authorities tap into third-party Internet chat services, such as Google's Gmail, that run on its handsets, according to the meeting minutes. It isn't clear whether or how RIM has proposed to help security officials decode BlackBerry Messenger.

RIM also appears to have put itself in a role of educating Indian officials over the operation of its network and on network security in general, suggesting to officials that emails that aren't subject to heavy corporate encryption can be viewed with assistance from local carriers.

Governments that have been reviewing their data-access arrangements with RIM have been sharing information with each other, said an official in the region with knowledge of the Indian negotiations.

The U.A.E. and Saudi Arabia, the Middle East's largest economies, upped their ante with RIM weeks before India did. Both countries have been negotiating with RIM for the same kinds of access to data that India wants, but people familiar with talks in the Gulf countries say they have been acrimonious.

Government officials say RIM has taken a condescending attitude to developing countries' security demands, and say they believe the company was holding out on solutions to access information, such as on BlackBerry Messenger, that had been offered to other countries.

"They refuse to listen to us," said a person familiar with the negotiations. "It's like we aren't speaking the same language."

Anger boiled over last month with the U.A.E. announcing a ban on BlackBerry email, Internet and instant-messaging services from Oct. 11, citing a lack of progress in more than three years of negotiations. Saudi Arabia followed with a threatened ban on BlackBerry Messenger.

Tensions were fueled when RIM co-CEO Michael Lazaridis  said in an interview earlier this month with The Wall Street Journal that many of the nations the company deals with aren't tech-savvy and don't understand the Internet. "We work with these countries to educate them," he said.

Negotiations between the U.A.E. and RIM are ongoing. The government says it remains optimistic of a solution. In Saudi Arabia, telecommunications regulators announced earlier this week that RIM had offered them a technical fix that would let them access data from BlackBerry Messenger.

In RIM's home country of Canada, the U.S. and other countries, police and security agents typically must get a court order to gain access to things like the content of emails.

India's regulations in this area are murky. An 1885 law that has been updated over the years allows the government to intercept Internet traffic "on the occurrence of any public emergency." A 2008 law gives bureaucrats in various agencies the authority to order monitoring of any entity's Web traffic, though the matter can be challenged in court.

It remains unclear whether RIM's promise to provide metadata to corporate messages will be enough to satisfy India's concerns. A more drastic solution, says Sunil Abraham of the Bangalore-based Center for Internet and Society, would be for the government to require RIM to build a BlackBerry data center within India—something that could cost tens of millions of dollars, people familiar with the matter say—and then classify the company as an Indian Internet service provider.

Such a move would put India on stronger legal footing, analysts say, to demand data from RIM as well as companies whose employees use BlackBerrys. Under such a scenario, "the government would be allowed to get a room inside RIM and install whatever machines they want to monitor that traffic," Mr. Abraham said.

It wasn't clear from the government documents summarizing the meetings between RIM and the government whether such an option is being considered. The company would vehemently oppose such a classification, people familiar with the situation say. In the U.A.E, RIM has balked at the government's request that it set up a local data center, people familiar with those negotiations said.

Read the original in Wall Street Journal

Filed under:
banner
ASPI-CIS Partnership

 

Donate to support our works.

 

In Flux: a technology and policy podcast by the Centre for Internet and Society