Research in Motion Ltd. confirmed that it is extending an offer to the Government of India, in a statement released Thursday.
The offer proposes the establishment of an industry forum, led by RIM in India, that would support “the lawful access needs of law enforcement agencies while preserving the legitimate information security needs” of corporations and organizations.
“The industry forum would work closely with the Indian government and focus on developing recommendations for policies and processes aimed at preventing the misuse of strong encryption technologies while preserving its many societal benefits in India,” states RIM.
RIM also emphasized its desire to “unequivocally clarify certain misperceptions.” The first misperception is that it is possible for RIM to provide keys to decode or decrypt encrypted data through the BlackBerry Enterprise Solution (BES).
“RIM does not possess a ‘master key,’ nor does any ‘back door’ exist in the system that would allow RIM or any third party, under any circumstances, to gain access to encrypted corporate information,” states RIM.
The security architecture for BES was purposefully designed to exclude the capability for RIM or any third party to read encrypted information and RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key, states the company.
A second misperception is that the location of BlackBerry Infrastructure can assist government efforts to access encrypted information.
BES’s security architecture was also purposefully designed to perform as a global system independent of geography, so the location of infrastructure and choice of wireless network are irrelevant factors from a security perspective, states RIM.
“The transmission of encrypted data is no more decipherable or less secure based on the location of RIM’s BlackBerry Infrastructure or the customer’s selection of a wireless network,” states the company.
The third misperception is the idea that the company has offered solutions to certain governments while denying the same solutions to other governments.
RIM said while it “does not disclose confidential regulatory discussions that take place with government,” the company “maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.”
The statement also highlights the fact that strong encryption is not unique to the BlackBerry platform. To single out and ban one solution, states RIM, would be ineffective because there are other services with strong encryption available on the market.
“This challenge can only be truly overcome if the Information and Communications Technology industry comes together as a whole to work with the Government of India,” states RIM.
Mark Tauschek, research director at Info-Tech Research Group Ltd., said there has been a need for RIM to clarify their message.
There is a widely-held belief that there was some capitulation on RIM’s part and that the company was going to do something different for certain governments than they normally do in common business practice, he said.
As for RIM’s offer to form an industry forum, Tauschek said it is “a good proposal” and a way to get the issues laid out on the table and bring in other interested parties so “it’s clear to everyone.”
The approach is about educating government, he said. And RIM has been doing “some of this education on their own independently with individual governments” for some time, he said.
“The only real stumbling block right now is that they can’t accommodate when it comes to BES,” said Tauschek. “They developed it for a reason – to be secure. So even if they wanted to, they couldn’t break their own encryption mechanism within the BES environment,” he said.
“This is a reasonable offer to India,” said Ken Dulaney, vice-president and distinguished analyst at Gartner Research, in an e-mail interview.
But while RIM’s descriptions of BES are accurate, the company fails to cite the differences between BES, BlackBerry Messenger (BBM) and BlackBerry Internet Service (BIS) in its statement, said Dulaney.
“BBM is the real issue and it’s based on a global key,” he said.
Governments can access BBM and BIS information through carriers, as BBM is not encrypted and BIS traffic is managed to some extent at the carrier level, said Tauschek. "BIS and BBM are what they are and just like any other traffic crossing a carrier's network, [carriers] can provide access to that," he said.
“BES is a different thing entirely … even if RIM wanted to capitulate and give access to BES traffic, they can’t because it’s a one-to-one encryption relationship,” said Tauschek.
And any strongly encrypted VPN offers “the same sort of stumbling block for any government that wants to have full visibility into all of the traffic crossing the network," said Tauschek.
"Certificates for VPNs, if it is 256-bit encrypted, are not the property of the government or the carrier – it's the property of the organization that has the VPN concentrator or server," he said.
While RIM is the target right now, “we will see more of this from other companies and other technologies with relation to how do you provide government access to that data that is strongly encrypted with a certificate that you don’t own,” said Tauschek.
Follow me on Twitter @jenniferkavur.
