A curve to the ‘B’ storm?

Government’s real worry is probably that the service could be a backdoor for espionage, yet non-intrusive workarounds are needed

There is more to the BlackBerry issue than meets the eye. If we think it’s about security through encryption, we are assuming that the largest cache of wealth lies behind the biggest lock, one we have not yet broken. This assumption is wrong and is leading us on to the wrong track.

The BlackBerry issue has seen a series of cover page appearances across dailies, and news and business magazines. Some of the reporting has been biased (even to the point of misinformation), giving PR managers nightmares that may not cease too soon. And some are struggling with what the issue really is—why is BlackBerry behaving haughtily?

Still others have remarked that BlackBerry is exhibiting double standards as it has given in to other western governments.

Truth is never black or white. It lurks somewhere in between, and this situation can therefore be no different. Let’s start from the very beginning. BlackBerry’s security architecture is based on the Advanced Encryption Standard (AES), one that is also adopted by the government of USA and considered to be among the most robust in the industry.

The government’s demand for ‘unrestricted’ access to information residing on BlackBerry servers at one level smells of a bit of ignorance that is not fathomable, because it is not a problem they cannot crack.

As a matter of fact they have. A statement released by the government nearly a year ago claimed, “The government has decrypted the data on Research In Motion’s (RIM) BlackBerry networks. The department of telecommunication (DoT), Intelligence Bureau and security agency National Technical Research Organisation (NTRO) have done tests on service providers such as Bharti Airtel, BPL Mobile, Reliance Communications and Vodafone-Essar networks for interception of Internet messages from BlackBerry to non-BlackBerry devices. Initially, there were difficulties in cracking the same on Vodafone-Essar network but that has also been solved.”

What it means is that the government can snoop on e-mail messages sent to the BlackBerry through the Internet service and not through BlackBerry Enterprise Service (BES). It is this service that the government wants to be opened up.

However, the security built into BlackBerry devices by RIM is based on a system that allows customers to add a layer of security on top by creating their own key, and RIM does not have a master key or any mechanism that will allow it to gain access to crucial corporate data. So if RIM claims it cannot read the encrypted information, the company is not entirely incorrect. The government’s demand that RIM opens this platform amounts to asking a company to let loose a lever on which the very foundation of the company rests.

The government is thus asking RIM to put its business model of ensuring safety and privacy of data in transit at risk. And thus it came as no shock that the company’s valuation took a beating when this issue took center stage.

Security of its data in transit is exactly the reason why corporate honchos love their berries. They are assured that the ‘sensitive’ data that resides there is vaulted safe. Real-time monitoring of data that flows through the BES ecosystem will create risks of its own to businesses operating in India by exposing confidential corporate information to the eyes of others for potential misuse. Our track record of protecting such information is something that we cannot pride ourselves on. And the logic of access to the very corporate BES defeats me; it is largely a preserve of the corporate, and it is very improbable (if not entirely impossible) that terrorists will be able to use a corporate account.

And I have reason to believe RIM’s claims that it does not allow even the US government to spy on customers in real time. And there is no reason why RIM should not extend the same measure to India, the world’s fastest growing telecom market.

While not many of us know of this, the terrorists are smarter than we often assume. This hue and cry about ‘opening up’ of the BlackBerry will only forewarn them not to use the service at all. And why should they, when they have their own encryption standard, which also has not been cracked yet?

Yes, they have their own encryption standard which bears the name Mujahideen Secrets. Early last year, an update to the same was also released. Mujahideen Secrets 2 is an easy-to-use tool that provides 2,048-bit encryption, an improvement over the 256-bit AES encryption supported in the original version. It has a very good Graphical User Interface (GUI) that is targeted at average IT users.

The second version of the software is interesting because it allows the user to encrypt not only e-mails but also Yahoo and MSN chat messages. But that’s for the IT-literate terrorists.

There is another variety of terrorists: those who are technology-averse. One of them is the grand old man of this trade—Osama Bin Laden. He has been evading authorities not because he has or uses any best-of-breed technology, but because he is a marginal user and therefore leaves no digital footprints.

So is the BlackBerry issue really about encryption? The government’s apprehension could be about something else too. Since all data travels to BlackBerry servers, this may provide for a ‘backdoor’ to other western governments. And governments have in the past used companies to further their goals of this nature. This fear and assumption is definitely worth considering.

A backdoor of this kind can make espionage easy and hassle free, albeit with limited results. And if it is this argument that the government is pushing underneath, it may make sense. Yet, the question remains how India should look at addressing such an issue.

Tomorrow it could be the Internet and there it would become impossible to ‘switch’ things off, a luxury that the government enjoys with BlackBerry. Will it then be a matter of having institutions or companies listen to the government’s demands? If yes, then the matter will have to be in the realm of compliance.

This throws another question: compliance with what? After all, the government’s reaction to the BlackBerry controversy (and I use the stronger sibling to the word ‘issue’ on purpose) is best described as knee-jerk.

To continue with the example of BlackBerry, the company operates in nearly 175 countries and its operations in all of these, I assume, are on the right side of the law. So why would BlackBerry want to be any different in India?

These issues and the risks associated with new-age services can only be mitigated if there is adequate and appropriate legislation in place. However, the law cannot and must not take a lopsided view of any situation, even if it involves national security.

For instance, laws in many countries stipulate that companies must open up in case of any emergency. This approach is widely accepted, but I feel it is largely reactive and again goes against what governments are trying to achieve: monitoring on a real-time basis.

There can be less intrusive solutions. For instance, applying the fundamental principle of an escrow account can help solve such a situation. The keys or whatever IP that needs to be accessed can be placed in an escrow account, the withdrawal or access to which can be subject to certain conditions. Such arrangements can create a win-win situation for all—the government, the service provider (RIM in this case) and the customer too, who will continue to get access to uninterrupted services. And all of this does not challenge the very business models of companies. It’s time that someone in the government sits back and ponders over the system’s weaknesses and the more transparent and democratic ways to address things.