Topic: RIM offers Indian government forum on data access
Research In Motion’s (RIM’s) Blackberry has managed to be continually successful in an increasingly competitive market with competition from the likes of Apple’s iPhone, Google Android handsets in addition to many others.
However recently Blackberry has faced concerns over what had previously been one of its strongest selling points, namely security. Yet this concern has not been over the usual security issues faced in the technology industry which tend to focus on a lack of security but on what many governments are starting to decide is too much security as these government are finding themselves unable to keep tabs on the devices’ encrypted data streams.
This news first came into the headlines on 1st August when the UAE was set to ban Blackberry services as of the 11th October. The ban would cover Blackberry Messenger, email and web browsing, according to the UAE Telecommunications Regulatory Authority (TRA). The TRA stated that it had been trying to reach an agreement with RIM for three years.
The heart of the problem was that the smartphone does not comply with local regulations because it sends data outside the country. It has not been made clear whether the authorities want to be able to read the content of email messages, or just have access to encrypted systems, or whether their problem is with Blackberry Enterprise Server customers or Blackberry Internet Service users, or both.
A statement from the TRA said “Certain Blackberry services allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE” This stance is not surprising considering the fact that UAE censorship is quite strict with websites such as Skype, other Voip services, anti government websites among many others being blocked.
The next development came two days later when the Saudi government announced a more immediate ban to take effect from the 7th of August, but only for Blackberry Messenger. While being rather vague about their request, it became clear that the Saudi authorities in the Kingdom want to be able to monitor the content of messages sent on Blackberry devices.
On the same day, local papers in Kuwait reported that RIM was in talks with authorities to block Blackberry handsets from accessing some 3,000 pornographic web sites. Other reports suggested that RIM was in talks with the Indian government about a system which could allow authorities to monitor communications on the platform for national security reasons.
Perhaps fearing that reports of RIM's doing secretive deals with various governments over the monitoring of BlackBerry data streams would undermine its security credentials, the firm issued a statement asserting the security of its enterprise services but keeping quiet on its BlackBerry Internet Services.
Later in the week, there was some better news for RIM after the Indonesian government confirmed that it has no intention of banning the use of BlackBerry devices in the country. Communications ministry spokesman Gatot Dewa Broto said that Indonesia's call for RIM to install a data centre in the country in which BlackBerry data would be stored was "only a plea", and that there is "no legal sanction" governing the requirements.
Over the weekend of 7 August, reports emerged that RIM had struck a deal with the Saudis’ agreeing to install a server in the kingdom which would allow the Saudi government to monitor BlackBerry data.
On 10 August, a statement from the Saudi Communications and Technology Commission (CITC) seemed to confirm that some kind of breakthrough had occurred. The regulator said that "positive developments in completing parts of regulatory requirements from mobile telecommunication providers has been noticed".
"CITC permits the continuation of BlackBerry Messenger services in addition to the continuation of joint work with service providers to fulfill the remaining requirements," it added.
On 11 August, a Reuters report indicated that the original idea of placing a server in the kingdom had proved unworkable. It now appears that RIM will provide authorities in Saudi Arabia with security codes that will enable them to read encrypted text messages on the BlackBerry Messenger service.
On 12 August India confirmed that it had given RIM a 31st August deadline to provide access to enterprise email and messaging traffic. This is despite admitting that it has already been given access to services like Voice SMS and BIS.
RIM released a response, restating its inability to hand over encryption keys for BES data, but left the door open for negotiations for handing over the keys for BIS data.
In response to these developments, RIM has, perhaps understandably, been fairly reserved with the statements it has released amounting to pretty much the same thing; a vigorous defense of its BES products. Crucially though, little has been said regarding the encryption keys for its BIS service.
"There is only one BlackBerry enterprise solution available to our customers around the world and it remains unchanged in all of the markets we operate in," the first statement noted.
"Any claims that we provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries, are unfounded.
"The BlackBerry enterprise solution was designed to preclude RIM, or any third party, from reading encrypted information under any circumstances since RIM does not store or have access to the encrypted data.
"RIM cannot accommodate any request for a copy of a customer's encryption key, since at no time does RIM, or any wireless network operator or any third party, ever possess a copy of the key."
RIM co-chief executive Mike Laziridis softened the stance a little after this statement was released, telling The Wall Street Journal that the firm would allow access to the "encrypted data stream" of BlackBerrys if requested by court order.
The original statement refers specifically to the enterprise BES solution rather than for those individual users of BIS, in effect giving RIM some room to maneuver in negotiations with governments.
Based on the statement by the governments concerned it is likely that the Saudis will be most concerned about being able to monitor private users chatting on Messenger through BIS which, according to Rob Rutherford (Managing Director of QuoStar Solutions) is probably why a deal appears to have been reached between the two parties.
In RIM’s second general statement the company drew a firm line by insisting that any capabilities it provides to carriers for “lawful” access purposes be limited by four main principles:
1) The carriers’ capabilities be limited to the strict context of lawful access and national security requirements as governed by the country's judicial oversight and rules of law.
2) The carriers’ capabilities must be technology and vendor neutral, allowing no greater access to BlackBerry consumer services than the carriers and regulators already impose on RIM’s competitors and other similar communications technology companies.
3) No changes to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumours, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys. Also driving RIM’s position is the fact that strong encryption is a fundamental commercial requirement for any country to attract and maintain international business anyway and similarly strong encryption is currently used pervasively in traditional VPNs on both wired and wireless networks in order to protect corporate and government communications.
4) RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.
It is important to note how these recent issues are affecting both businesses in the regions in addition to the effect on RIM itself.
Firstly with regards to businesses operating in the affected regions, it is clear that there will be a great deal of uncertainty until a definitive agreement is reached.
Gartner analyst Nick Jones commented that, despite assurances from RIM that its enterprise solution is inviolate, the continued speculation over whether deals are being struck behind closed doors could turn CIOs off the idea of deploying BlackBerrys in the region.
"To be honest, whether we're talking about the consumer or enterprise solution, it is still damaging," he said.
"The lack of a clear statement means CIOs cannot make a clear decision. They can't say whether it's safe for an employee to get a BlackBerry from a local operator, for instance. It reflects badly on RIM and it makes it harder for the CIO to resist the iPhone deluge."
Forrester analyst Andrew Jaquith went further, speculating that any RIM concessions could force CIOs to reconsider their investments.
"If they cave in, they will weaken their reputation for security with enterprise buyers, even those with BES servers not otherwise susceptible to interception," he wrote in a blog post. "How comfortable would you be, as an IT security manager, if you suspected (even erroneously) that email could be intercepted by a half-dozen, or many, sovereign governments? Not very."
From this it appears that RIM need to very careful what they conclude with the governments concerned. For many businesses the smart phones their employees use are a big issue, particular if they use exchange email etc. and any uncertainty regarding such services is going to make these businesses seriously consider other alternatives. A disruption in such services could also cause major disruption for businesses using these systems and would be something virtually all companies would be eager to avoid. On the other side however if RIM were to concede too many points to these governments it would lose one of its major selling points, security. Therefore many companies will perhaps be holding off, waiting for a conclusion, before further investment in Blackberry solutions.
A possible solution to the current discussions between RIM and the Indian and UAE authorities would involve setting up servers in the countries, removing the concern over data traveling abroad, and providing access to encrypted data streams.
This would help law enforcers monitor suspects, but falls short of full wire tapping as they would be unable to decrypt the data.
If reached, such an agreement would be unlikely to set alarm bells ringing in the CIO's office as long as they have deployed a BES infrastructure.
With regards to how this situation could directly affect RIM, for a company which has built its business on the security of its services, rumours of closed door deals with various governments on monitoring BlackBerry data is the last thing RIM needs as it seeks to expand its global footprint and compete with rivals such as the iPhone.
"RIM is not in a wonderful situation. It's expanding its shipments, but the market is expanding faster," said Gartner's Jones.
"It needs to look overseas for growth but, in these markets when there are question marks over security and those questions are unanswered, that's bad for RIM unless it changes things."
RIM is certainly playing a dangerous game in asserting that it treats all governments equally. QuoStar Solutions' Rutherford labelled the statement " bizarre", citing reports that Chinese and
Russian authorities have already reached agreements with RIM over data monitoring which were a prerequisite for the services to be allowed to operate in the regions.
There have also been reports quoting ex-US government officials that law enforcers have been able to tap BlackBerry communications as long as they have the right court orders, although this is likely to refer to BIS devices.
Even if RIM offers the UAE the same solution as the Saudis over its Messenger service, there remains the demand to monitor encrypted email and browser traffic there.
India, another major market for RIM, also appears to be taking a hard line over the deciphering of encrypted corporate email and messages, despite admitting that it has already been given access to services like Voice SMS and BIS.
Forrester's Jaquith believes RIM should dismantle its centralised delivery network for consumer devices and move to a decentralised model.
"That is what Microsoft and Apple, in essence, do today because the devices connect directly to company servers rather than through a single service provider," he wrote.
"There is no way national governments could tap encrypted iPhone or Windows Mobile traffic even if they wanted to, short of approaching each company directly. Whereas in the RIM case, they have just one throat to choke."
However with the latest news on the Indian government forum it seems RIM could be moving closer to a more permanent solution and also confirming that RIM are serious about remaining in the concerned markets.
It would not be difficult to believe that a solution will be able to be met between RIM and the concerned parties as despite some recent statements by RIM it seems they have, in the past, come to accommodations with other governments.
In the US for example, the authorities can tap into conversations on the device as long as they have proper court orders. In addition there are also reports that RIM made deals with Russia and China back in 2008 to meet their security requirements.
It seems likely therefore, that this forum will result in some sort of solution. Whether that solution is temporary or permanent it does seem unlikely that BlackBerry would be willing to give up on such a large potential market and also unlikely that the Indian government would be keen to go ahead with an outright ban at this stage. Therefore with it seemingly being in both parties best interests to come to some sort of agreement it just remains to be seen what form this will take.
If a permanent solution, that allows RIM to maintain its integrity regarding security, is concluded soon then the effect on business could start to settle down and RIM could once again focus on expanding its market in India. However if only a temporary solution was concluded this could perhaps continue to damage RIM’s business in India as companies may choose to look for, seemingly, more dependable solutions which do not appear to run the risk of disruption in the near future.
References
1. http://www.v3.co.uk/v3/news/2268815/rim-offers-indian-government
2. http://www.v3.co.uk/v3/analysis/2268151/rim-security-woes-bluffer-guide?page=3
3. http://www.bbc.co.uk/news/technology-10866417
Original News Article
Topic:RIM offers Indian government forum on data access Release Date: 26th August 2010 View date: 27th August 2010
RIM offers Indian government forum on data access
Wants to set framework for policy on encryption and privacy
Iain Thomson in San Francisco, V3.co.uk 26 Aug 2010
Research in Motion (RIM) has offered to set up an official forum to sort out concerns over the rights of the Indian government to monitor its mobile traffic.
The Indian government has said that it wants the ability to track and access messages sent via the company’s handsets, and gave a deadline for compliance of 31 August or else it would have to shut down operations in the country.
In response, RIM has now offered “an industry forum focused on supporting the lawful access needs of law enforcement agencies while preserving the legitimate information security needs of corporations and other organisations in India”.
“In particular, the industry forum would work closely with the Indian government and focus on developing recommendations for policies and processes aimed at preventing the misuse of strong encryption technologies while preserving its many societal benefits in India,” the company said in a statement.
RIM stressed that this is not a problem unique to its handsets and it urged the Indian government to sit down and discuss the policy structure it needed to put in place if it was to deal with all companies fairly.
“Singling out and banning one solution, such as the BlackBerry solution, would be ineffective and counter-productive. It would be ineffective because anyone perpetrating the misuse of the technology would continue to have easy access to other wireless and wireline services that utilise strong encryption and are readily available in the market today,” it said.
The Indian government has reportedly said that it can access the information it wants using its own means, but today’s announcement shows RIM is serious about finding a solution rather than withdrawing from the Indian market altogether.
Reference
http://www.v3.co.uk/v3/news/2268815/rim-offers-indian-government
