back to article RIM tries to placate everyone

RIM, operator of the BlackBerry service, has been explaining that customers' security and government contracts are equally important, and that it really, really, doesn't have any keys to hand over. The company has been very restrained on the governmental demands and statements put out recently, refusing to comment on just …

COMMENTS

This topic is closed for new posts.
  1. MrHorizontal
    FAIL

    In other words...

    RIM have implemented a proper encryption policy on their devices between customers handsets and customer's servers, and their servers merely route messages.

    I think all communications should be done this way. If police need to tap a line or access messages, they have to get the data from customers' premises in the country the server is located in. In other words, if you need access to customers' private data, sort it out with a customer, don't ask a middleman like an ISP, network operator or phone maker.

  2. Anonymous Coward
    Anonymous Coward

    I don't understand

    Can anyone explain this a bit better than the article does?

    Is the data encrypted and decrypted in the handset? If so, then the only way communication can be intercepted is by modifying the software in the handset. Is this what anyone is talking about?

    Or are we only talking about obtaining information about who was talking to who? If that's the case it's clearly very relevant where the server is.

    And what's all this about seizing the server? What's that good for, other than as a kind of extrajudicial punishment? If the owner of the server is law-abiding, you can just ask them for the logs. If they are not law-abiding, they won't have any logs, or will only store a redacted version of the logs.

    Sometimes I get the impression that articles are written by regurgitating information that the author hasn't really understood. Either that or it's badly explained.

    1. Bill Ray (Written by Reg staff)

      Re: I don't understand

      Sorry not to have made it clear - I've written about this so many times now it's starting to become a blur.

      Basically, if your employer is using BlackBerry Enterprise Server then the communication between the server in your office and the handset is encrypted beyond the whit of local security forces. But those security forces can always approach your employer and ask for a tap on your communications, a request to which your employer would be obliged to comply (in most countries).

      If, however, you buy a BlackBerry for personal use, and configure the (RIM-hosted) service to collect e-mail from a server elsewhere in the world (say, a Hotmail account) and deliver it to your handset, then there's no opportunity for the local security to intercept that message. The RIM server (in Canada, Slough, or similar) collects your mail from Hotmail, and then encrypts the message for your handset.

      Sorry if it wasn't clear in the piece.

      Bill.

      1. Anonymous Coward
        Anonymous Coward

        What about HTTPS?

        Thanks for the further explanation.

        So, if I understand it correctly, the situation with a personal BlackBerry is very similar to (and from the point of view of the spooks rather better than) someone using any old smartphone to make an HTTPS connection to some random webmail service. So, have they, or are they going to, ban HTTPS?

        I would have thought they might as well just give up trying to intercept messages between smartphones. Anyone who wants to communicate securely will easily find a way of doing it while clumsy attempts to prevent it will just inconvenience and endanger legitimate business.

        1. Anonymous Coward
          Boffin

          Re: HTTPS

          You really think that 128-bit SSL can't be read by Intelligence agencies? Even without breaking the encryption, all they need to do is watch the key negotiation. That is how products like Sonic Wall perform deep packet inspection even on https communications.

  3. Version 1.0 Silver badge

    And the answer is ...

    If you have "concerns" then run your server somewhere else - or better yet, outsource the server to a country that respects privacy - Iceland anyone ?

    1. I didn't do IT.
      Pirate

      Re: Sealand!

      Isn't this EXACTLY the type of situation that Sealand was marketing itself as the perfect place for?

      Shame about that fire, really... I wonder if it is still on the market?

  4. Anonymous Coward
    Anonymous Coward

    It's coming...

    "What the UK police can't do is monitor huge quantities of mobile phone communication to see if anything interesting turns up..."

    Yet.

    Not that any legal restrictions seem to stop UK plod from doing whatever they like...

    1. NightFox
      Black Helicopters

      Foil Fedoras

      In the same way you're allowed to walk past schools but haven't 'interfered' with any children.

      Yet.

      And on what basis do you make your second comment about the controls on interception of electronic communications?

  5. Anonymous Coward
    Anonymous Coward

    It's not like RIM (or its customers) have much of a choice

    Ultimately, if RIM wants to operate in places like Saudi, it will have to provide intercept facilities. Knowing Saudi, this will mean access to *all* data for them to trawl*. Likewise, RIM's customers rill probably have to accept this if they want to carry on using their Blackberries**.

    *Anonymous because I know at least one instance in which such a trawl takes place.

    **Nothing to hide, nothing to fear (but I'd advise Blackberry owners in these jurisdictions to be a bit more careful what they type from now on 8-).......

  6. Anonymous Coward
    Paris Hilton

    Server to handset encryption

    I appreciate that I am being somewhat thick here but can I just get clarity on a possible example?

    If Company A has their RIM Ent Server in say Brisbane Australia which holds the encryption key and I travel to Saudi with my crackberry is there any possible way of the Saudi authorities to decrypt the message?

    Or have I missed the point entirely!

    Paris because I feel I am having a blonde Paris "These are not the hair extensions you are looking for" type of moment...

    1. dux

      only two ends to the connection

      If your blackberry e-mail server a corporate or private setup, there is little concern unless there truly is a 'master key' built into the system...

      there are only two known ends to the pipe when it comes to blackberry encryption, and even though you may travel to Saudi, your e-mail will be encrypted from point A to point B.

      only a concern for folks that use local e-mail services, or RIM supplied e-mail addresses.

  7. Anonymous Coward
    Anonymous Coward

    The UK Police have to Pay?

    Does that mean that, if they turn up at your house, with a search warrant, you can present them with a list of charges?

    Quick Look Around, with option of checking larger cupboards for presence of persons: £50.

    Making A Mess of the Place: £500

    Really Turning It Over: £5,000

    Structural Damage to House/Garden: at cost of repair plus £50,000.

    Hmmm....

    1. Anonymous Coward
      Anonymous Coward

      Getting the police to pay

      Cool. I might print out your proposed menu and stick it up just inside my front door so I'm ready to point them at it, just in case.

      However, I wouldn't expect them to pay up. I remember reading about a case in which the UK police got the wrong address and smashed down the wrong front door. It was a listed property in a conservation area and cost the owner thousands to replace, but the police refused to pay for it and the owner had to sue. He didn't get his money back that way, either, though the tax payer ended up paying thousands more for the police to defend themselves in court.

      And then there's the case where a farmer asked the police to pay for the damage they had caused when searching his field for evidence and the police response was to publicly name him (this was a high-profile case involving an abducted child) and accuse him of hindering their enquiries.

      This is a serious problem, in my opinion, because the way things are the police are free to punish people and blackmail them by confiscating and destroying property, or threatening to do so, under the cover of gathering "evidence". They can smash your door down, steal all your computers, keep them for a couple of years and then drop all the charges, or, worse still, make you turn up in court with an expensive lawyer only to find that they are presenting no evidence against you, all with no compensation for you and no punishment for them.

      We need a "pig" icon.

    2. NightFox
      Happy

      Somethings in Life are Priceless...

      I thought this was one of those Mastercard Adverts

  8. gimbal
    Joke

    Awww, c'mon RIM, hand us over that magicikal skeleton key...

    ...and the unicorn in your broom closet! or else! ><

  9. Anonymous Coward
    Anonymous Coward

    Somebody is already reading your email

    "RIM's fourth point is that it doesn't make concessions for specific countries, which is sort of true. If RIM has a server in the UK (which it does) then that is subject to UK law, but if RIM doesn't have a server in Saudi Arabia then it is not subject to Saudi law. That's a matter of geography rather than any concessions made by RIM."

    Ha Ha. My bullshit detector just went off. If this were true, then RIM would have placed their servers in their home country of Canada - but they are actually in the USA and the UK but nowhere else. Surely it would be cheapest to locate a server at each mobile operator operating a Blackberry service - why bring everything back to the USA or UK? Given the UK's special (read "subservient") relationship with the USA and legal intercept requirements in the USA, one can assume that the US intelligence services will have access to messages through RIM's servers for subscribers in ALL countries. Which is presumably why the Germans felt it necessary to forbid the use of Blackberry services for German government business in certain departments.

    The Saudis and others have just figured out what is going on and have decided that if anyone is to read the emails of people in their country, it should be them and not the Yanks.

    About BES servers: whilst Blackberry - BES traffic may be encrypted, how would you know what other traffic is being sent to your BES? The server is proprietary, entire connection back to RIM is encrypted and the BES is connected INSIDE your corporate network. You are trusting RIM (and by implication, the authorities in the countries which their servers are located) with whatever they could reach from the BES.

This topic is closed for new posts.

Other stories you might like