What does India's government want?
To intercept email and instant messages sent via BlackBerry, just as it can
tap a phone. When it suspects someone of a terror crime, it wants to be able to
read, armed with a specific written order, any encrypted email sent on a
BlackBerry.
Why is BlackBerry mail encrypted?
Most email systems, including Gmail, use encryption. Enterprises don't trust
public email systems for business data, so they use their own secure, firewalled
systems. Now, when they need to use a mobile push-email system... they want to
be certain that no third party can read the mail, not even the email provider.
That is BlackBerry's USP: mail so secure (with AES or Triple DES encryption)
that RIM itself cannot read it.
What's BIS? Does the government have access to it?
BlackBerry Internet Service is the lighter flavor of RIM's two email services.
Meant for individuals, it uses weaker encryption. BIS users buy convenience more
than ironclad security. Airtel or Vodafone 'pipe' the encrypted mail from your
handset to RIM, which then decrypts it and sends it out, to the recipient. So
RIM can let investigative agencies read such mail, and India now has an
agreement for BIS access.
So is BES the problem? Can RIM really not 'access' that?
BlackBerry Enterprise Service is RIM's flagship product, designed to be so
secure that not even RIM can read mail on it. It requires BES server software in
the user company's network. Email is encrypted on the BlackBerry, using a
generated key shared only between the handset and the BES server. Such mail goes
out via, say, Airtel, to RIM in Canada, and back to the company's BES, staying
encrypted all the way with a key that only that enterprise knows. Then it's
decrypted, within the enterprise, and moved to the email server. If the mail is
to someone outside the company, it is sent out-decrypted-by the company's mail
server. RIM itself does not have the key to 'crack open' BES encrypted mail.
(That's the published design. Does RIM have a secret backdoor? I don't know.)
Then how can government agencies access such mail, on a terror threat?
By going to the enterprise where the suspected terrorist is working. That
company, which runs the BES, does not even need to decrypt the mail...for all
mail is sitting within its own servers, or in its backups.
Is the BlackBerry a terrorist's choice of communication tool?
No. The BES-user is working in a company. Any mail he sends is not only
traceable, but also stored and backed up. (As for BIS, that is in RIM's control:
so access is easier for government agencies.) The smarter terrorist would go to
a cyber cafe, and use a Gmail or Yahoo mail account. He'd simply read and save
mail in draft mode without sending mail (so there's nothing to intercept). Then
there's fileshare: sites like YouSendIt, where he can keep encrypted
files-leaving almost no trace, unlike with a BES mail.
How about Messenger?
BlackBerry popular instant messenger uses a weaker encryption than BES. And RIM
has access to the keys used-which is why it can promise Saudi Arabia and India
access. And while BlackBerry Messenger can indeed be used for real-time chat
during a terror attack, so can regular, cheap cell phones, as they were during
26/11-and the answer to both is part of anti-terror SOP (standard operating
procedure): cellphone jammers.
Prasanto K Roy is chief
editor (ICT) at CyberMedia.You can follow him at twitter.com/prasanto or on
his blog at www.pkr.in