LONDON, August 4, 2010 – The plan announced this week by the United Arab Emirates to ban use of BlackBerry Messenger, e-mail and web browsing services by Oct. 11 unless the company allows it to access the encrypted messages on demand has drawn universal condemnation from freedom and privacy groups, but a more muted governmental response.
Some countries, such as India and Saudi Arabia, have threatened to follow the UAE’s lead, arguing that the growing availability of BlackBerry smart phones around the world poses a threat to national security. Such fears are founded on the encryption supported by BlackBerry-maker RIM, which is much stronger than that found on most rival smart phones and prevents governments from decrypting messages without assistance.
RIM supports two encryption algorithms, Triple DES and Advanced Encryption Standard. These are both private key systems in which the keys are generated over a secure link, using authentication to detect attempts to eavesdrop at this stage, and then assigned to each BlackBerry user.
Each secret key is subsequently stored only in the user’s secure enterprise account in systems such as Microsoft Exchange or IBM Lotus Domino, and on the user’s BlackBerry smart phone.
This means foreign governments or anyone else can only decrypt messages sent from a BlackBerry if they originally intercepted this key generation process to obtain the private keys, which would be unlikely since it probably took place within the user’s own country, often the United States. Even the most powerful computers cannot break encrypted Triple DES data by brute force attack without access to the keys.
The U.S. government, which itself uses AES technology to protect sensitive information, has been among the first to condemn the UAE announcement, leaving it open to accusations of hypocrisy, since it also has powers to wiretap, access e-mails and web browsing histories both for law enforcement and national security.
The UAE government argued that it was merely seeking the same powers of access as the United States, United Kingdom and other European countries. Indeed this conflict between privacy and security led the Canadian government to remain silent rather than speak up in defense of RIM, headquartered in Waterloo, Ontario, drawing strong criticism from freedom groups.
Both Robert Guerra, the internet freedom project director at Washington-based Freedom House, and Ronald Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, charitably stopped short of accusing the Canadian government of cowardice, suggesting instead it had been guilty of lack of attention during the summer holiday.
The Canadian government’s current silence highlights how the advent of global mobile and broadband communications at ever-higher bandwidths is amplifying an old argument and exposing it to global and public scrutiny: the tension between national security and law enforcement on one side and the right to privacy on the other.
This may be no bad thing, for the arguments have never been truly resolved, leaving governments to adopt unilateral measures in their own interests. It will be difficult to establish a global framework controlling state access to messages, perhaps by holding the private keys in escrow, since governments are unlikely to allow a neutral body to arbitrate over what constitutes a threat to their national security.
It is unclear how the European Union, for example, will respond during its current overhaul of telecom law across its 27 member states. The objective is to harmonize the rollout of mobile broadband and eliminate cross-border regulatory barriers. While the initial focus was more on digital copyright and licensing issues, this thorny question of compliance with government access to messages will now rise steeply up the agenda.
As for RIM, the whole incident has provided valuable publicity for its security architecture. RIM said in a statement it is very proud of that architecture and has no intention of changing it for any one country.
The company also insisted that it cannot accommodate any request for a copy of a customer’s encryption key, since neither RIM nor any wireless network operator or other third party ever possesses a copy of the key. If this is the case, there seems little to stop the UAE implementing its ban, leaving the debate over access on grounds of national security as unresolved as ever.