Putting RIM’s “Security” Challenges In Perspective
Research In Motion has been in the news a lot over the last few days. Last week, the news broke that the governments of the United Arab Emirates and India threatened to suspend service to RIM customers in their countries because of alleged threats to national security. I was quoted in today’s USA Today about this unfolding story.
But let us be clear: the “security problem” that officials in these governments were citing had nothing to do with actual security. As we have written about extensively, the BlackBerry device is well-designed from a security perspective. Its cryptography modules are FIPs-certified, and all of its communications are encrypted using industry-standard algorithms. We have called the BlackBerry the “gold standard” of secure corporate devices and continue to stand by that assessment.
The security issue these two governments – and more recently, the governments of Saudi Arabia, Indonesia and Lebanon – have is that they cannot decrypt the traffic that passes through RIM’s servers, making it impossible to monitor e-mail and messaging coming from or to devices inside their countries. In short, rather than being insecure, the RIM devices are too secure (Mr. Orwell, white courtesy phone…). Political judgments aside, this story shows just how important traffic and content analysis has become for national governments – and how strong encryption will continue to be an important tool for those who wish to evade these controls. (See the Tor project for an example of how far some will go to guarantee their anonymity online.)
When I spoke with USA Today, the reporter asked me, “Why is all this happening now?” While it would be inappropriate for me to speculate about the motivations of sovereign nations, perhaps the better question is “Why RIM?” It’s worth stepping into the Hot Tub Time Machine and reviewing a little history.
The BlackBerry was introduced in 1999 as a two-way pager on steroids. Back then, TCP/IP over GSM (and other wireless networks) was just a pipe dream. RIM implemented a system by which all traffic is collected from the mobile networks of the sender, funneled through RIM servers and then routed back onto the recipient’s mobile networks and pushed to the handset. In essence, RIM – rather than the Interwebs – provided the routing capabilities needed to ensure that mail and messages are delivered. That was necessary, and worked well, when Internet data plans were not universally available. It gave BlackBerry instant push e-mail and guaranteed delivery. And critically, it was a competitive advantage that no other wireless vendor had.
From the standpoint of national security, a “bonus” of this centralized approach was because RIM controls the keys that encrypt traffic to and from consumer (non-BES) devices, governments like the US had a central point of accountability. They could simply compel RIM to deliver unencrypted data for reasons of national security under the authority of laws such as the US’ CALEA statute. The exact details of the arrangements RIM has made with the governments of the US and Canada have never been disclosed, but it is generally understood that these governments have this ability. In the case of BlackBerry devices tied to corporate BES servers, companies rather than governments hold the keys, so interception isn’t possible in the ways that it is with consumer BlackBerry devices.
However, RIM’s centralized model is now a weakness because smaller governments like the UAE are now demanding the same rights that US and a few other sovereign governments reputedly enjoy.
This is a no-win situation for RIM. If they refuse the UAE (or the Indian, Saudi, Lebanese and Indonesian governments), they lose customers. If they cave in, where does it stop? There are 175 more national governments that might want the same privileges. More to the point, if they cave in, they will weaken their reputation for security with enterprise buyers, even those with BES servers not otherwise susceptible to interception. How comfortable would you be, as an IT security manager, if you suspected (even erroneously) that e-mail could be intercepted by a half-dozen, or many, sovereign governments? Not very.
This story shows how one of RIM’s historical strengths – namely, its own proprietary delivery network for delivering e-mail and messaging – is now turning into a weakness. Ultimately, RIM should dismantle its centralized delivery network for its consumer devices and move to a decentralized model, where (1) the Internet provides the routing and (2) centralized communications monitoring is much more difficult. That is what Microsoft and Apple, in essence, do today because the devices connect directly to company servers rather than through a single service provider. There is no way national governments could tap encrypted iPhone or Windows Mobile traffic even if they wanted to, short of approaching each company directly. Whereas in the RIM case, they have just one throat to choke.
Decentralized encrypted communications is made possible by the universal availability of TCP/IP data networking on top of cellular networks. There is nothing stopping RIM from switching to a model like this, and they probably should. Otherwise, it is going to be Death by 1000 Cuts from every government that wants to intercept BlackBerry traffic.
Mike Lazaridis, the co-CEO of RIM, said in today’s Wall Street Journal: “Everything on the Internet is encrypted… If they can't deal with the Internet, they should shut it off.” Indeed, the same could be said about RIM’s proprietary delivery network.