— As BlackBerry maker Research In Motion copes with international threats of bans on the use of its smart phones, the Canadian company, normally loath to say much publicly, is finally speaking out — and pulling in the help of some big (diplomatic) guns.
The Canadian government has said it's stepping it to talk with Saudi Arabia, which was on the verge of banning BlackBerry message traffic; and with the United Arab Emirates, which plans to suspend BlackBerry services as of Oct. 11. Both countries want to be able to tap into BlackBerry messages delivered using RIM’s encryption technology.
Other countries are threatening the same: The list now includes Algeria, Lebanon, Indonesia and India, which want to monitor pornography sent using BlackBerrys, as well as communications transmitted by militants.
"We are looking at the issue. If we find out that it is a danger for our economy and our security, we will stop it," the El Khabar newspaper quoted Algeria's Telecommunications Minister Moussa Benhamadi as saying.
U.S. Secretary of State Hillary Clinton said the United States plans to hold talks with the UAE and other disgruntled countries to try to sort out the problem.
RIM co-CEO Michael Lazaridis, in an interview with The Wall Street Journal, said "This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."
But he also said, "This will get resolved. And it will get resolved if there is a chance for rational discussion."
RIM, he said is "going to continue to work" with the various nations "to make sure they understand the reality of the Internet."
At issue is the message encryption RIM provides to users of BlackBerry Enterprise Server, a service mainly used by those with government- and corporate-issued BlackBerrys. BlackBerry Enterprise Server customers use not only the devices, but their messages are sent via RIM’s network of servers.
Not all BlackBerry users have enterprise encryption
Most individuals who have BlackBerrys that they buy for themselves, and some small businesses which give their employees BlackBerrys, use BlackBerry Internet Service, which does not provide the same kind of encryption of BlackBerry Enterprise Server. BlackBerry Internet Service is about a $30-a-month add-on to a subscriber’s phone bill.
BlackBerry Enterprise Server is sold by the number of licenses issued for it. RIM does not list rates on its site, but a BlackBerry fan site, CrackBerry.com says BlackBerry Enterprise Server software for 20 individuals is $4,800; an additional 10 BES licenses totals $839.
Because the acronyms of BES and BIS can be confusing, some BlackBerry customers who think they have BlackBerry’s extra security protections do not.
"Only a portion of BlackBerry communications are really strongly encrypted: those sent through BlackBerry's business-oriented BlackBerry Enterprise (Server), but not those sent through the ordinary BlackBerry Internet Service," wrote Seth Schoen, senior staff technologist for the Electronic Frontier Foundation on that organization’s website.
He added that "all BlackBerry users — and other smart phone users — can optionally use other encryption tools to protect themselves.
"The subtle distinction between BES and BIS is just one reminder that users need to be skeptical about exactly what kind of protection they're getting. It also raises concerns that Blackberry's recent statements that fail to differentiate between the products may be misleading a large number of their customers — we believe Blackberry should immediately clarify this."
The Arabian Business website carried a lengthy statement by RIM, addressed to “Dear Valued BlackBerry Customer,” which said that RIM “respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers.”
It said that the security architecture of BlackBerrys is designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data.”
RIM says it doesn't have 'master key'
That architecture, RIM said, is "based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a 'master key,' nor does any ‘back door’ exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data."
In fact, the system is "purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances," the company said. "RIM would simply be unable to accommodate any request for a copy of a customer's encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key."
And while RIM has among the best security out there, it’s not impenetrable. It has been hacked, and malware has made it through. It remains to be seen whether that’s the step governments will find themselves resorting to, or whether more civilized agreements will be reached.