On April 10, 2014, Blackberry’s enterprise chief publicly stated that his company had no intention of releasing transparency reports concerning how often, and under what terms, the company has disclosed Blackberry users’ personal information to government agencies. BlackBerry’s lack of transparency stands in direct contrast to its competitors: Google began releasing transparency reports in 2009, and Apple and Microsoft in 2013. And BlackBerry’s competitors are rigorously competing on personal privacy as well, with Apple recently redesigning their operating system to render the company unable to decrypt iDevices for government agencies and having previously limited its ability to decrypt iMessage communications. Google will soon be following Apple’s lead.
So, while Blackberry’s competitors are making government access to telecommunications data transparent to consumers and working to enhance their users’ privacy, BlackBerry remains tight-lipped about how it collaborates with government agencies. And as BlackBerry attempts to re-assert itself in the enterprise market — and largely cede the consumer market to its competitors — it is unclear how it can alleviate business customers’ worries about governments accessing BlackBerry-transited business information. Barring the exceptional situation where data from BlackBerry’s network is introduced as evidence in a court process businesses have no real insight of the extent to which Blackberry is compelled to act against its users’ interests by disclosing information to government agencies. And given that the company both owns an underlying patent for, and integrated into its devices’ VPN client, a cryptographic algorithm believed vulnerable to surreptitious government spying it’s not enough to simply refuse to comment on why, and the extent to which, BlackBerry is compelled to help governments spy on its customer base.
We know that BlackBerry has been legally and politically bludgeoned into developing, implementing, and providing training courses on intercepting and censoring communications sent over its network. At the same time, we know that many employees at BlackBerry genuinely care about developing secure products and delivering them to the world; reliable, secure, and productive communications products are ostensibly the lifeblood that keeps the company afloat. So why, knowing what we know about the company’s ethos and the surveillance compulsions it has faced in the past, is it so unwilling to be honest with its current and prospective enterprise customers and develop transparency reports: for fear that customers would flee the company upon realizing the extent to which BlackBerry communications are accessed or monitored by governments, because of gag-orders they’ve agreed to in order to sell products in less-democratic nations, or just because they hold their customers is contempt?
Research in Motion has a problem. For years they promoted themselves as a top-notch mobile security company. During those initial years most of their products were pitched at enterprise users.
Then RIM got into the consumer market.
Most consumers equate RIM’s products with security, email, BlackBerry Messenger (BBM), and a tepid suite of other smartphone features. Most of the people who report on the company tend to agonize over the fact that RIM complies with government surveillance laws. Such reports inevitably emerge each time that the public realizes that RIM meets its lawful access requirements for consumer-line products.
In this post, I want to briefly address some of the BBM-related security concerns and try to (again) correct the record surrounding the security promises of the messaging service. After outlining the deficits of consumer BBM products I briefly argue that we need to avoid fetishizing technology, encryption, or the law, and should instead focus on the democratic implications of the lawful access-style laws that governments use to access citizens’ communications.
In the interest of full disclose: I have family and friends who work at Research In Motion. I haven’t spoken to any of them concerning this post or its contents. None directly work on either BBM or RIM’s encryption systems.
Countries around the globe have been threatening Research in Motion (RIM) for months now, publicly stating that they would ban BlackBerry services if RIM refuses to provide decryption keys to various governments. The tech press has generally focused on ‘governments just don’t get how encryption works’ rather than ‘this is how BlackBerry security works, and how government demands affect consumers and businesses alike.’ This post is an effort to more completely respond to the second focus in something approximating comprehensive detail.
I begin by writing openly and (hopefully!) clearly about the nature and deficiencies of BlackBerry security and RIM’s rhetoric around consumer security in particular. After sketching how the BlackBerry ecosystem secures communications data, I pivot to identify many of the countries demanding greater access to BlackBerry-linked data communications. Finally, I suggest RIM might overcome these kinds of governmental demands by transitioning from a 20th to 21st century information company. The BlackBerry server infrastructure, combined with the vertical integration of the rest of their product lines, limits RIM to being a ‘places’ company. I suggest that shifting to a 21st century ‘spaces’ company might limit RIM’s exposure to presently ‘enjoyed’ governmental excesses by forcing governments to rearticulate notions of sovereignty in the face of networked governance.
Today I want to just briefly talk about the competition between Apple’s iPhone and Research in Motion’s Blackberry. I’m not going to bother with things like the aesthetics or the ease of using one over the other. Instead what I want to talk about is how these devices are, and will (in the iPhone’s case) be used. I’ll, as usual, provide a bit of background and then get to what is the real issue with these devices: unless secured, these devices, and other like them, can reveal a substantial amount about yourself and others, enough that it would be a relatively simple task to assume your identity and potentially negatively affect others’ identities/reputations.
Packing Some Confidential Property
I’ll admit it: whenever I go anywhere, my Blackberry comes with me. I use it to track all facets of my life: my contacts (i.e. who I know, what I know about them, notes that I see as important about them), my calendar (i.e. what I do at almost all points of my day, who I’m meeting with, why I’m meeting with them), my email (i.e the communication that I have and think should be recorded for a later date), and my instant messaging (i.e my personal discussions that let me be me with friends). This is super-convenient for me. It also means that I’m carrying a device that would give someone who found/stole it a significant insight into my life and some insight into the lives of people that I know.