There has been some controversy regarding RIM's BlackBerry security and giving away a backdoor key to governments. An article in the Times of India stated that RIM has agreed to hand over / allow India's Department of Telecom to intercept all incoming and outgoing data from a BlackBerry.
There has been a (non-public) denial by RIM regarding this issue, which basically states that RIM can't give a secret key to anyone even if it wanted to. Beyond that, they cannot disclose any information about confidential talks with governments.
Well, basically both seem to be correct - here's how: If you read the Times of India article closely you will notice the sentence "...Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys." - and the keyword here is non-corporate!
RIM has basically two architecture models for BlackBerrys:
1) Enterprise/Corporate, where end-to-end encryption is applied and the BlackBerry Enterprise Servers that the corporate BlackBerrys talk to are located at and operated directly by the company using them. In this case RIM does not know the encryption key, which is set by the corporation itself - ergo it cannot hand it over to anyone else (at least on the presumption that there is no other hidden backdoor in the RIM Enterprise servers or BlackBerrys - the French government does believe in this possibility). But even in this case only communication within the same corporate environment would be secure - mails to the rest of the world would have to pass through the "normal", unsecured Internet and may be intercepted like any other Internet email.
2) Non-Enterprise, which uses the BlackBerry Internet Service (BIS) hosted/operated by the telco service provider of the local country. The BIS server does not use any special encryption technique, as all these emails are stored in a webmail account (like Hotmail, Gmail etc.) and could be read by the government given appropriate access. This sounds worse than it is, because all mail received and sent by these non-Enterprise users is routed through the unsecured Internet anyway, making the eavesdropping trivial (although governments get even easier access if they directly "wiretap" the consumer BlackBerry server).
So do I trust RIM and their Enterprise Blackberry security? Maybe, at least as much as I would trust any proprietary, closed source system like Skype.
But then I always believed in the good of man (and government). Not that this will stop me from getting some tickets for the new X-Files movie...
Update 2008-08-11: Most of the journalists publishing news articles, InformationWeek and India Times among others, obviously did not take the time to properly read the RIM whitepapers on BlackBerry security.