Indonesia joins BlackBerry wiretapping pile-on
Stops short of ban threat
Indonesia has joined Middle Eastern states to put pressure on RIM to provide authorities with BlackBerry interception capabilities.
Today its communications regulator toned down earlier rhetoric, however, saying "so far there is absolutely no plan" to follow the UAE and Saudi Arabia in threatening to restrict BlackBerry services.
Indonesia said it had appealed to the firm last year to establish a local data centre to assist law enforcement, but insisted it was "only a plea and there is no legal sanction". In most international markets, RIM routes encrypted BlackBerry communications via its facilities in Canada, avoiding interception laws (although large corporates typically run their own local servers).
There is a Google translation of Indonesia's position here.
Saudi Arabia plans to implement its restrictions on BlackBerry tomorrow, and the UAE has set a deadline of 11 October for RIM to fall into line. Both have complained at perceived double-standards over the firm's covert cooperation with Western government eavesdroppers.
Indonesia's more conciliatory tone is good news for RIM - the country has a rapidly growing economy and a population more than seven times that of the two Arab states combined.
Lord West, until recently UK security minister, seemed this week to hint that the UK is able to access the content of BlackBerry emails and instant messenger conversations. In a debate on Newsnight he expressed no concern over monitoring RIM traffic.
The UK may have acquired the capability quite simply. BlackBerry's security is accredited by CESG, the information assurance arm of the interception agency GCHQ. Obtaining the endorsement requires manufacturers to open their source code to inspection. ®
RIM total privacy, except for Obama, is illusionary
Few hardware-based encryption systems are government-intrusion proof and this includes RIM.
RIM servers are scattered around the world; not all traffic is routed through RIM Canada. The ever nosey Canadian Government's Communications Security Establishment Canada performs some functions as does the GCHQ. They have an interesting document here: <http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/itsb57-eng.html>.
Note the following extract: "Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic “key” that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the “BlackBerry Solution Security Technical Overview” document [****] published by RIM specifically advises users to “consider PIN messages as scrambled, not encrypted”."
[****] BlackBerry Enterprise Solution: Security Technical Overview, for BlackBerry Enterprise Server Version 4.1 Service Pack 5 and BlackBerry Device Software Version 4.5, Document Part #17930884 Version 2, Research-In-Motion, 2008. <http://docs.blackberry.com/en/admin/deliverables/3317/BB_Ent_Soln_Security_4.1.5_STO.pdf>
In other words RIM can, and does, provide the means to monitor in-country traffic.
If you want secure comms see <http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/>.
For further information...
So much for cell phones
I think I'll just stick with my computer where I can encrypt my email (with TrulyMail, PGP, or whatever else I want) and anyone who intercepts it only gets garbled junk.
Since we can't trust the phone makers, we must trust other tools. Luckily, there are other tools.