Sounds like a good move on the face of it
Wonder if the BB users will be able to get that policy reversed.
Blackberry will pull out of Pakistan on New Year's Eve in protest of its government's demand to intercept and decrypt people's communications. The Canadian company refuses to open what it considers a backdoor in its BlackBerry Enterprise Service (BES). Pakistan's Telecommunication Authority in July asked BlackBerry and other …
Don't they just essentially provide cloud email? So Pakistan is presumably making the same request of Google (GMail) and Microsoft (Office365) right? Or are they just picking on Blackberry alone because almost no one in Pakistan uses their devices, so it is a low risk way for the government to appear that it is doing something about terrorism without actually offending anyone?
I thought I read that BB was used heavily by "government types"? Might be that they need to watch them more than the common people. The numbers aren't huge, IIRC, but out of all the users a significant number were government types.
If I'm wrong I'll admit it, as I'm not finding the links at this moment except for several about the government leaders using the BB.
"The numbers aren't huge, IIRC, but out of all the users a significant number were government types"
The problem that Pakistan has is that it has no genuinely functioning democracy (and little cultural acceptance of Western democratic structures), and the security services (ISI) are a power player in their own right, widely believed to be in cahoots with domestic terrorists, insurgents in Afghanistan, and supporting (for example) the Mumbai terror attacks.
The difficulty of this request is that it may not be clear (even in Pakistan) who is the prime mover of the request, why they want this, nor what they will do with the intelligence. The worst and perhaps most likely case is that the ISI want the powers to cement their own power base and to subvert what limited democracy does exist, whilst continuing to support terrorism and failing to stop meddling in Afghanistan.
I'd guess that BB asked the Canadian and perhaps US authorities about this, and were told that it was a very bad idea, so bad that retreat was better than acceding to the request.
I remember El Reg making this allegation in the original article(s); they added nothing to support it at the time beyond a quote from the company that said something along the lines of "Blackberry is cooperating with law enforcement services", which is pretty standard boilerplate PR.
I didn't find any links confirming messages had been handed over and most other news agencies were reporting that BB's cooperation was mainly to suspend messaging services in London temporarily so they couldn't be used to organise riots.
I believe that the difference is between BB Messenger and Blackberry Enterprise Service.
With BB Messenger, the keys are held by BB so they can decrypt messages.
With BES, the keys are held on the Enterprise server which is in the customer's possession so BB can't decrypt.
Two different services.
In either case, what the ISIL Sponsors Incorporated (abbreviate it yourself) want is all keys to decrypt themselves instead of a case by case basis.
That is a non-starter as it will allow them to snoop on BB communications outside the territorial boundaries of Pakistan. Their need for it is clearly understandable as it will provide them with an early warning so they are not surprised by midnight raids to execute international terrorists they are hiding inside Pakistan. I do not see why we should cater for this need.
Like I said - a backdoor into BlackBerry services. If the 'man in the middle' (in this case BlackBerry) can decrypt all emails sent through it, then this is a backdoor in the product.
TRUE encryption prevents anyone but the sender and the intended recipient from reading the mail.
Even web browsing via SSL (https) is not actually secure. It's based on the TRUST that the certificate authority, or one of their approved subordinate CAs, which issued the web certificate has been issued only to the valid site owner. There is nothing stopping that CA owner from issuing another cert with the same name from the same CA (either by malice, stupidity or at the request of the spooks) and it being used in a man-in-the-middle attack.
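The point made above about CA trust can be shown concretely. The following is an added example written for this page, not code from the thread or from BlackBerry: using only Go's standard library it builds a throwaway CA, issues two certificates for the same hostname (the site owner's, and a second one for a key the site owner never had), and shows that ordinary chain validation accepts both, while a public-key (SPKI) pin taken from the genuine certificate rejects the second. The hostname "mail.example.test" and the CA name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hostname for the constructed example; not a real site.
const host = "mail.example.test"

// issue signs template for public key pub with the issuer's private key.
// A nil parent makes the certificate self-signed (used for the CA itself).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafTemplate builds a server certificate template for host. Everything
// chain validation looks at (name, validity, key usage) is identical between
// the genuine and the rogue certificate; only the public key differs.
func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Demo holds a CA plus two certificates it issued for the same hostname.
type Demo struct {
	CA, Genuine, Rogue *x509.Certificate
}

// BuildDemo plays the CA: one root, then two leaves for host signed with the
// same CA key but bound to two independently generated keypairs.
func BuildDemo() (*Demo, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ownerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the site owner's key
	if err != nil {
		return nil, err
	}
	mitmKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // an interceptor's key
	if err != nil {
		return nil, err
	}
	genuine, err := issue(leafTemplate(2), ca, &ownerKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	rogue, err := issue(leafTemplate(3), ca, &mitmKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Demo{CA: ca, Genuine: genuine, Rogue: rogue}, nil
}

// ChainOK is what a browser does: build a chain to a trusted root and check
// the hostname. It cannot tell which key the real site operator holds.
func ChainOK(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form of pin
// used by HPKP-style and mobile-app key pinning.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches compares the presented certificate's key against a stored pin.
func PinMatches(pin string, c *x509.Certificate) bool {
	return SPKIPin(c) == pin
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	pin := SPKIPin(d.Genuine)
	fmt.Printf("genuine chains: %v, rogue chains: %v\n", ChainOK(d.Genuine, d.CA), ChainOK(d.Rogue, d.CA))
	fmt.Printf("pin matches genuine: %v, pin matches rogue: %v\n", PinMatches(pin, d.Genuine), PinMatches(pin, d.Rogue))
}
```

Chain validation answers only "did a trusted CA sign a certificate for this name"; it cannot distinguish the two leaves because both are perfectly valid issuances. Pinning the key (or a Certificate Transparency check that the issuance was publicly logged) is what catches the second certificate. Pins need a rotation plan and a backup pin, since a lost key otherwise locks clients out.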
"There is nothing stopping that CA owner from issuing another cert with the same name from the same CA"
I am curious as to why nobody has asked the question if the Certificate Authorities keep a copy of the private cert somewhere on tape for purpose of delivering to any government.
Implementing your own BES means you control the keys on both server and device. BlackBerry just relay the traffic between the BES server and the device. This means that between the BES server and the device, no-one else can read the email. Of course, there's many steps before email gets to the BES server, but that is down to an organisation.
BlackBerry have provided details of how BBM Protected operates, including dataflows, key usage (key agreement and storage) and the impact of different devices. That allows you to understand how it is implemented, and is an interesting read to see how complex such things are in real life. The document is simply titled "Security Note BBM Protected". I wish some other vendors would read it and take notes!
BlackBerry only holds the keys to the servers they operate, not the ones enterprises run themselves. It seems when India was demanding access, BlackBerry put a server in India for consumer users there so that India could make requests for access to that data for users in India. This of course didn't do anything for access to messages for corporate users, since they tend to have their own BlackBerry server with their own keys. Seems India thought that was good enough for them. Sounds like Pakistan wants a lot more than that, which no one has ever gotten. If you want to access the messages going to a corporate BlackBerry server, bring a warrant to the company, not BlackBerry. I seem to recall BlackBerry said they would leave India too when they were demanding everything, until they got a clue and accepted what BlackBerry said they could provide.