
Monday, June 9, 2008

The BlackBerry imbroglio

Canadian smart phone maker RIM’s whimper that the Communications Ministry was targeting it selectively has opened a Pandora’s box full of complicated issues that India’s Department of Telecom (DoT) has no answers for.

RIM, which makes the BlackBerry smart phone and has about 1,15,000 customers in India, mostly corporates or professionals, has argued that if its services were in violation of India’s security guidelines, then DoT should also look into similar offerings of at least four other players.

While this may be the last line of defence by RIM, which has been under fire from the country’s security agencies and has been pushed into a corner with few negotiating options, the Canadian company’s argument has highlighted the larger picture, which DoT has been trying to brush under the carpet.

The solutions proposed by DoT and security agencies are: set up a server in India and channel all data traffic originating from Indian mobile networks to these servers; have RIM and operators like Bharti Airtel, Vodafone and Reliance Communications that provide this service create a mirror image of all emails and data sent on these devices in India and save these images for at least six months; and reduce encryption to less than 40-bit.

It is essential to understand that the security concerns are only related to BlackBerry Enterprise Solutions (BES), which are largely used by corporates. The BlackBerry Internet Service (BIS), which is sold to individual customers, has very few security facilities and is not encrypted. At the same time, it is also important to note that the arguments presented by both sides – DoT and RIM – have several flaws, and any solution to the ongoing imbroglio will have to address each of these issues.

First is the issue of encryption. It is no secret that India’s security agencies have been unable to keep pace with the march of technology. But punishing RIM for the failure of Indian agencies to anticipate technological developments reflects poorly on the government here. While DoT may be demanding that RIM reduce encryption standards to 40 bits, it comes at the cost of the customers who use this service.

A simple indicator of this is that globally, most countries stipulate that Internet service providers (ISPs) ensure a minimum of 128-bit encryption before any financial transaction can be made online. Many industry experts accept that 40-bit encryption standards may turn back the clock on the internet emerging as a platform for commerce in India and will also give a free run to hackers.

In fact, DoT’s double standards on the issue stand exposed as almost all commercial portals in India, some of which are owned by government departments such as the Railways, Indian Airlines, telecom and bank PSUs, offer services at the 128-bit encryption standards.

This also brings into question the ultra cheap Internet telephony services offered by Skype and other such global majors where the encryption standards are well above 40 bits. Considering that more Indians use Internet telephony than they use BlackBerry services, DoT must first explain why only these services of RIM are considered a security threat.

The second issue relates to the fact that other handset majors in India, including Nokia and Motorola and software players such as Microsoft and Seven Networks, offer similar email solutions on mobile handsets. Consider what RIM said in a presentation to DoT: “In addition to BlackBerry, four other mobile e-mail solutions in market in India use comparable encryption levels — Windows Mobile ActiveSync, Nokia Intellisync, Motorola Good and Seven Networks. Furthermore, several other technologies widely used in India use strong encryption to secure communications over the Internet.

These include Web browser, WAP 2.0 mobile browser software, IPSec VPN, PGP and SMIME. All these technologies are widely available and used throughout India. Functionally, all of these solutions use encryption similar to BlackBerry. Thus, focusing on BlackBerry alone will not solve any security concerns over encryption.” The issue assumes importance considering that tens of thousands of customers in India use Motorola Good for services such as RSS news feeds and customised email alerts and filters.

Ditto for the solutions provided by Seven Networks, which offers real-time access to work and personal information, including email, calendar, corporate directories, personal contacts and documents. Windows Mobile e-mail solutions are available on several high-end handsets and PDAs sold in the country such as HTC Touch, O2, iPAQ and even on some handsets from Samsung and Motorola.

Finnish handset major Nokia on its website states that its Nokia Intellisync wireless email solutions support a wide range of mobile devices and platforms, including Palm, Pocket PC, Windows Mobile Smartphone, Symbian, and IMAP client. Therefore, if DoT were to ask operators to discontinue BlackBerry services, the government in the next stage may be forced to extend similar orders on other players offering similar solutions.

On the other hand, RIM too is at fault on several fronts. Government officials here say that the Canadian company’s argument that it did not possess the encryption keys and the company’s public stance that it would “simply be unable to accommodate” any such request from the Indian government do not have any merit.

Instead, DoT has correctly pointed out that since RIM’s BlackBerry service meets the provisions of US Communications Assistance for Law Enforcement Act, 1994 (CALEA) regulations, all BlackBerry data traffic originating on Indian mobile networks can be tracked electronically by CALEA sleuths in the Federal Communications Commission. The officials added that the US would not have been able to monitor this data unless RIM had opened its networks to American agencies.

In response to DoT’s request to set up servers in India, RIM in an update to its customers said: “The location of data centres and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilised.” Additionally, RIM in its presentation to DoT also said that all data that flows through its data centres is encrypted to protect it from unlawful hacking or interception, while adding: “Routing it through data centres in India will not make it any more decipherable.”

Even if RIM’s argument deserves consideration, it cannot be denied that the company is in violation of several Indian laws. Under Indian regulations, the control of remote access, i.e. activation, transfer of data, termination etc., shall be within the country and not at a remote location abroad. Also, the government agency should be given all support to record the transactions for online monitoring.

Additionally, DoT on its part is also right in demanding a solution from RIM since Indian regulations clearly state that a suitable technical device should be made available at the Indian end to the designated security agency/licensor for monitoring purposes.
