Feeds

RIM proposes crypto forum to dodge India BlackBerry ban

But will it be enough for New Dehli?

High performance access to file storage

RIM has prosed that an industry forum be established to help governments manage lawful intercept, in the hope of forestalling India's threatened ban.

The proposed body would be led by RIM, but the company is clearly hoping that others will join in. There's strength in numbers and India has made it clear that Skype and Google are next in the firing line, so RIM would like such powerful allies at the table beside them rather than watching from the sidelines. But it remains to be seen if that's enough to stop India pulling the plug on Wednesday.

India isn't the first government to demand access to messages encrypted by RIMs servers, but its demands do seem to go further than other countries in a similar situation, and that might make resolving the issue impossible.

Many governments resent not being able to intercept messages destined for BlackBerry handsets. The UAE and Saudi Arabia both threatened bans on BlackBerry devices unless some sort of lawful intercept was arranged, and both backed down after coming to an agreement with RIM.

But India's demands are more intrusive and less palatable to the Canadian company behind the BlackBerry service, which might mean a million Indians lose connectivity next Wednesday.

There are two distinct kinds of BlackBerry user: employees of a company that runs its own BlackBerry Enterprise Server, and ordinary members of the public who buy a BlackBerry handset and sign up to the service, then forward their existing email accounts to one provided and hosted by RIM.

It's those members of the public that have been the focus up to this point, as emails sent to the RIM-hosted BES are encrypted before being forwarded to the handset. That encryption is, in this context, unbreakable, but if you get a copy of the message before it's encrypted then there's no problem. If the server is located in a friendly country then that can be arranged - lawful intercept will permit the government to copy messages just like every other email service. But if the server is in a less agreeable country then it gets more difficult.

This is exactly the same as checking a Gmail account over an SSL connection, which is why RIM is hoping companies like Google will join its new body.

"Singling out and banning one solution, such as the BlackBerry solution, would be ineffective and counter-productive," RIM said. "It would be ineffective because anyone perpetrating the misuse of the technology would continue to have easy access to other wireless and wireline services that utilize strong encryption and are readily available in the market today."

The UAE and Saudi Arabia dropped their threats once RIM promised to put servers in their respective countries. But that doesn't solve the problem of the corporate BES user, whose communication is encrypted from their own office to their own handset, and can't be usefully intercepted en route.

Larger corporations may find themselves required to open their BES server to investigation, where an employee is suspected of a serious crime, but there's a significant risk of the employee getting wind of the operation - a risk that increases the smaller the company is.

The BES, in the corporate office, shares an encryption key with the BlackBerry handsets it supports (that key is normally exchanged over a wire, or physically typed in at both ends). The key is different for every BlackBerry, and shared with no one else - making it impossible for RIM to decrypt messages in real time as the Indian government is demanding.

So far, according to Reuters, RIM has offered to provide the IP address of every BES in India, along with the IMEI and PIN for every BlackBerry handset. But that still won't allow interception of messages. At best it would mean that Indian security forces could track a specific user (by their IMEI), physically grab their BlackBerry, unlock it using the PIN and then access the messages - hardly discreet.

So now we have a proposal for an "Industry Body" to look at the whole issue of how governments intercept encrypted communications - RIM is obviously tired of taking the flak for the whole industry, and hopes to broaden the argument, but Google, Skype and their ilk have little to gain by signing up rather than watching what happens to RIM. India still holds the ultimate sanction of a ban, and we'll have to wait until next week to see if its prepared to use it. ®

SANS - Survey on application security programs

More from The Register

next story
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
AT&T threatens to pull out of FCC wireless auctions over purchase limits
Company wants ability to buy more spectrum space in auction
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.