Person on phone

Mobile data usage face global political challenge

RIM is being pressured by governments to provide unencrypted access to its customer's data usage resulting in a conflict of interest in satisfying regulators and preserving its customer's privacy.

It's not supposed to happen to a Canadian company. Canada is a nation deemed so unlikely to acquire enemies it is often lampooned by its more forthright American neighbours. So it was surprising when a spate of countries, starting in July with the United Arab Emirates, threatened to block BlackBerry email, messenger and Web access if Canadian company Research in Motion (RIM) did not provide access to communications to the authorities.

Saudi Arabia followed suit, and India wasn't far behind. RIM is rightly worried about who will be next. And we should all be worried about what this means for the privacy rights and the civil liberties of millions of mobile email customers around the world.

So how does BlackBerry's security system actually work? RIM encrypts messages as they travel between a BlackBerry server and the BlackBerry device. If a worker loses his or her BlackBerry, RIM is able to remotely wipe all messages on the device and deactivate it.

In this sense, BlackBerry's security is unique as all BlackBerry traffic runs through RIM data centres, which help manage the devices. It also runs through BlackBerry servers, which encrypt and unscramble messages. Those servers are owned and run by RIM's business and government customers. However, RIM cannot unscramble the data of its large business and government clients because the servers that handle that task are located at its customers' premises.

US authorities can still seek a court order to tap BlackBerry traffic, giving them access to messages sent over the network.

Understandably, RIM is coy about how the relationship with the US authorities works in practice, but it's likely that the government provides these requests directly to RIM's customers. The authorities will need to put an eavesdropping box on the BlackBerry server, whether it is hosted by RIM itself or one of its customers - as this is where the decryption key would actually reside.

Other than the US and Canada, the UK is the only other country to host BlackBerry servers for consumers. Part III of the Regulation of Investigatory Powers Act (RIPA) requires persons to supply decrypted information (which had been previously encrypted by the owner) and/or the cryptographic key to government representatives. Failure to disclose these items is a criminal offence, with a maximum penalty of two years in jail.

'Certain BlackBerry services allow users to act without any legal accountability, causing judicial, social and national security concerns,' the United Arab Emirates' Telecommunications Regulatory Authority said in a statement at the beginning of August.

'BlackBerry appears to be compliant in similar regulatory environments of other countries, which makes noncompliance in the UAE both disappointing and of great concern,' UAE's regulator claimed in a more recent statement to the press.

The UAE said it would suspend BlackBerry Messenger, email and Web browser services from 11 October and threatened to halt BlackBerry services until an 'acceptable solution' was applied. This potentially would disrupt the accounts of the 500,000 customers RIM has in the country.

Morality concerns

Saudi Arabia is another country that has requested access to these decryption keys. BlackBerry handsets have become the must-have gizmo for Saudi youth, enabling them to connect with members of the opposite sex in a deeply conservative society.

'About 80 per cent of Saudi-based BlackBerry users are individual users and 20 per cent are enterprises, while these ratios are basically reversed in developing nations,' one industry source is quoted as saying.

'This problem would not have emerged if the bulk of BlackBerry users were enterprises,' added the source.

But would it? In the UAE, a significant user base would be the migrant workers from outside the country who tend to be enterprise users.

Dubai is slowly emerging from an economic slowdown brought about by the global financial crisis and property crash. Some are concerned that move is aimed at curbing free speech.

Neighbouring Kuwait said it was also talking to the BlackBerry manufacturer about security and moral concerns, particularly about access for its nationals to pornographic sites. Most recently, Lebanon and Algeria have voiced their concerns regarding access to its encrypted network - citing national security and pornographic content.

Kuwait has no intention of stopping BlackBerry services for the time being, but is talking to the device's manufacturer about moral and security concerns, Communications Minister Mohammad al-Busairi said: 'As of right now, we in Kuwait have no intention to stop the BlackBerry services... but at the same time we are following up on direct and indirect negotiations with the company and with fellow Gulf states.'

The Communications and Information Technology Commission (CITC) said it would decide whether to allow the Messenger service to continue or not 'depending on the results achieved by the service providers'. It did not say what a solution would be.

The concern over privacy predates the current spat. Last year, state-controlled local service provider, Emirates Telecommunications (Etisalat), introduced what it called a software upgrade. RIM claimed that it was an unauthorised telecommunications surveillance application.

Etisalat eventually climbed down and removed the software upgrade - but not before relations had already soured between RIM and the UAE authorities.

Peace talks

Further eastward, RIM has been asked to set up a proxy server in India to allow the government there to monitor traffic from a security perspective. This approach might be the template resolve the issue in the UAE and elsewhere.

Additionally, RIM and Saudi mobile firms are testing three servers to send communications and data through Saudi Arabia before Canada to address Riyadh's concerns over security - fuelling speculation that this proxy method is likely to be deployed in other territories.

Pressed by security authorities, the Saudi telecom regulator has given the kingdom's three mobile carriers notice to fulfil unspecified requirements before it proceeds with a threat to shut down the BlackBerry's Messenger.

The ban was originally meant to be enacted in August, and would have affected some 700,000 users - until the authorities postponed their threat.

If satisfied that the three servers will grant it suitable access to BlackBerry data and communications, the regulator will allow all BlackBerry services to continue normally.

It is too early to tell what impact this has had on RIM's reputation with its customers in Europe and North America - and now there are reports that India is targeting other foreign tech companies such as Skype and Google. Therefore, these companies may have to reach similar data-sharing deals with these nations.

Western companies are under constant scrutiny - particularly their dealings with foreign governments. For example, RIM only won access to China and Russia by agreeing to let security agencies monitor traffic. When Saudi Arabia announced it had reached an agreement with RIM, anti-government activists in these countries slammed it for caving to censors.

Rob Enderle, a technology analyst in California, says that the deals that RIM is being compelled to do with foreign governments is likely to hurt their brands with consumers and businesses in the long run.

'Once you provide access, it's very difficult to to draw a line because other countries are going to press for similar access and BlackBerry will have lost competitive advantage over its competition,' says Enderle, who believes that the company ought to have foreseen and acted on this issue.

Enderle suggests that there is still time for RIM to act by hiving off its encryption technology to a third party - thereby making it more difficult for it to be targeted directly by foreign governments.

But for now, it looks like more countries and more tech companies are likely to be targeted by foreign governments, putting tech companies in the unusual role of freedom fighter.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them

Close