CPJ Internet Channel

Defending Free Expression Online

Why governments don't need RIM to crack the BlackBerry

The UAE said on Sunday it will block key features on BlackBerrys, citing national security concerns. (AP/Kamran Jebreili, File)

The United Arab Emirates' Telecommunications Regulation Authority (TRA) announced on Sunday that it would be suspending BlackBerry "messenger, e-mail and Web-browsing services" in the country from October 11, until these "applications were in full compliance with UAE regulations." Given the popularity of the BlackBerry platform in the country (an estimated 500,000 users from a population of 4.5 million) one can only assume that we are seeing a form of brinkmanship--with the privacy of e-mails, IMs, and website visits at stake.

But what is it, exactly, that the UAE wants from Research in Motion (RIM), the maker of the BlackBerry? If it gets what it wants, how would it affect journalists and readers who use RIM products? And what will it mean for the UAE if RIM refuses to back down?

UAE says that the problem lies in "legal accountability," and the location of RIM's servers abroad, but it's not as though RIM is unique in this matter. Both the Apple iPhone and Google's Android mobile phones both offer features with servers located outside the UAE (the iPhone's notification system is operated by Apple, and the Android offers GMail and GTalk, a US-based e-mail and IM system). And it's not just the UAE that has pondered making RIM a smartphone non grata. India, China, and Bahrain have all challenged RIM to make its networks accessible to the authorities. Why have they all targeted RIM, while ignoring others?

RIM's vulnerability to government pressure is largely down to an accident of its history--one that paradoxically makes RIM both seem the perfect potential spying partner for governments, as well as make it commercial suicide for them ever to adopt such a role.

The BlackBerry was first introduced in 1999, when the idea of e-mail and browsing over mobile networks was relatively new, and building an affordable mobile device that could provide those services was a novel technical challenge. To keep the BlackBerry cheap, and work around deficiencies in the existing mobile data networks, RIM did much of the heavy lifting itself. It built its own network and servers to keep track of the location of individual BlackBerrys. RIM's own network also took up the burden of translating the complexities of the Internet into a form the relatively dumb and slow BlackBerry units could understand, and compressing the data to be faster and less burdensome on slow wireless networks.

Networks have grown better and smartphones smarter since then, but RIM's original network design has remained largely unchanged. E-mail and other data arriving from the Internet still comes to RIM's network first, and then is repackaged and dispatched to the correct BlackBerry over the wireless networks.

RIM's unusual position as the constant middleman in every BlackBerry exchange has proved to be catnip to state security services. If RIM is the go-between of every communication, surely it would also be the perfect stop for tapping BlackBerry e-mail and communications? That seems to be the opinion of India, Bahrain, and now the UAE, all of whom have been putting pressure on the company to give them access to its servers. The UAE, in particular, seems to think that this is already a given in other countries, which may have prompted its particularly hard line. According to the English-language Bahrain Tribune, the TRA noted that "BlackBerry appears to be compliant in similar regulatory environments of other countries, which makes non-compliance in the UAE both disappointing and of great concern."

There's no direct evidence that RIM has provided such access, but RIM's vulnerable role has also provoked suspicion from its own corporate and government customers. When Obama fought to keep his BlackBerry after becoming president, the opposition was fueled by the government's security professionals' discomfort the idea that all the president's mail would pass through a third party server (and a Canadian third-party at that). France's Nicholas Sarkozy went through a similar battle.

But strong-arming RIM isn't the only solution to spying on its domestic BlackBerry users, just the most blatant one. In the consumer edition of the BlackBerry (as opposed to better protected corporate versions), traffic to RIM's servers still passes largely unprotected over UAE's local wireless networks, Etisalat and Du, both of which resell BlackBerry services within the UAE. With the cooperation of these companies, the UAE's government could build pervasive Internet surveillance of almost all BlackBerry (and other) Internet traffic, though at far greater cost than just arm-bending RIM to hand over the goods.

The traffic that it wouldn't be able to decode would be end-to-end encrypted communications, as is most often enabled by corporate BlackBerry users. But then, as RIM explained to the Indian authorities, RIM itself could not decipher this traffic, even if it did provide government access to its own network.

When asked for comment, RIM confirmed that the corporate BlackBerry Enterprise Servers (their corporate email/Net system) traffic is encrypted in a way that they or other third parties could not access, but would not comment on the unencrypted nature of non-corporate traffic. The security details of the Blackberry Internet Service (their consumer/mobile company service) are documented on their website, which states: "E-mail messages that are sent between the BlackBerry Internet Service and your BlackBerry device are not encrypted."

And that's the important lesson for BlackBerry users, both among journalists and their audience. If you've got end-to-end encryption activated, neither RIM nor state governments can read your traffic. Most corporate BlackBerry Enterprise Servers have the option to turn on encryption. Most non-corporate BlackBerry Internet Service systems do not.

The UAE battle with RIM is a distraction to both the UAE's would-be spies, and those who might fear their power. With suitable technical investment in domestic Internet monitoring, the UAE can decode a great deal of BlackBerry traffic without RIM's help. When it comes to secure, encrypted communications, neither RIM nor any other telecommunication provider will be able to help them beat the encryption and spy on their own journalists or readers. The power lies far less in the hands of RIM, and far more in the hands of savvy Net users' choice of the right tools.

August 3, 2010 4:37 PM ET | | Comments (6)

Comments

Great analysis. I suppose the UAE/RIM fiasco started last year after the UAE's state-run telecoms firm were caught red-handed trying to install spyware into Blackberry phones

http://www.engadget.com/2009/07/21/etisalat-blackberry-update-was-indeed-spyware-rim-provides-a-so/

why UAE government is taking this step and this will effect their travel industry too and the reason they are mentioning is not acceptable i think

What a cluster. Everyone go back to your unsecure iphonies. Everyone will be happy. Nothing is private or secure anymore. Now print this out and swallow it after you read it. :)

nope, business secrets is the goal

I am a journalist in the UAE and have observed the gradual deterioration in the relationship between the government and media. I am speaking from personal experience when I say the the regulatory aspect being enunciated is a distraction from the primary intent.

Even the Kenyan Intelligence services are getting their knickers in a twist claiming that the US donation of 21,000 Blackberries to the Interim Independent Electoral Commission (IIEC) meant the US (read NSA/CIA) were the first to know the results of Kenya's recently concluded referendum on a new constitution.
http://www.techmtaa.com/2010/08/09/kenyan-intelligence-not-happy-with-blackberry-donations/

Given that BlackBerry having been provided these services for awhile, why is it only now that the likes of India, Saudi Arabia, UAE etc are agitating for the right to sniff?


Text Size
A   A   A
Article Tools

   

Print Print

Share Share

About this Blog

The CPJ Internet Channel examines the battle for free expression online.

Active Discussions
12 Internet cases in 2014