Blackberry WAS the Gold Standard For Security – Or Was It?

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals.

For years we always thought Blackberry was the security standard that everyone else was measured by.  In April we found out that the Canadian and Dutch police had access to the Blackberry encryption key.

How’s this for security?  It turns out that for most users, there is ONLY ONE KEY!  Corporate users with their own BES server can create their own key, but all of the consumer and small business users that did not have their own BES server – they shared one encryption key.

The Canadian Broadcasting Company (CBC) reports:

One document obtained by CBC News reveals how the Waterloo, Ont.-based company handles requests for information and co-operates with foreign law enforcement and government agencies, in stark contrast with many other tech companies.
“We were helping law enforcement kick ass,” said one of a number of sources who told CBC News that the company is swamped by requests that come directly from police in dozens of countries.

Apparently extracting data from Blackberries is so popular that the company  has created a form for foreign governments to fill out.  As long as the requesting foreign government signs the form saying that it is legal in their country to get the information, Blackberry diligently decrypts the data and hands it over.

Of course they have no clue whether it is legal in that country, and apparently, they don’t care very much.

There is an international treaty called the Mutual Legal Assistance Treaty that governs this activity, but Blackberry is ignoring it – one assumes with a wink from the Canadian government in Ottawa.  I cannot believe that this has gone on for years, at the apparent volume at which it has, without the Canadian government being either aware or complicit.  Complying with the treaty that Canada signed allows Canadian government officials the time and ability to review requests to see if they are legal under Canadian law.

Ignoring the treaty is much simpler.  Easier.  And quicker.

Blackberry said they were not going to comment on whether they were violating the international treaty.

I assume that sucking sound that you hear is the few remaining customers that they have leaving.

Of course, since they are doing this under the cover of secrecy, we have no idea what they have given to whom.

If they have given the KEY – the one and only key – to foreign governments, then all traffic is compromised.  Again supposedly except for those businesses that have a BES server.  Supposedly.

One more time, this means that unless they have gone to extraordinary measures, people should continue to assume that communications they send from their mobile devices are not private.  This includes photos – especially ones of an adult nature.  You may remember Edward Snowden saying that analysts at the NSA especially liked to share those with each other.

And even if you trust, say, the Canadian government, do you equally trust, say, the Russian government with whom they may have also shared that one and only key?

This does not mean that you should stop using your phone.  It is, however, useful to understand what protections you do – and do not – have.

Information for this post came from Techdirt.
