Blackberry’s Decryption Key Debacle: We Should Have Seen This Coming

In a time when encryption is a sensitive topic and technology providers are eager to prove they have their users’ privacy at heart, reports of Blackberry handing over its global decryption key for its BlackBerry Messenger (BBM) service to a police agency couldn’t have come at a worse time. But when you look at the company’s stance on working with government agencies, the news doesn’t come as a complete surprise. We take a closer look at the BlackBerry decryption debacle that exploded last week.

The Apple versus the FBI legal battle in the US has sparked a lot of debate over encryption on computing devices and whether governments should have access to decryption methods for the sake of fighting off “the bad guys”. Being able to intercept and decrypt messages sent by suspected criminals and terrorists through devices and services that use encryption would be a godsend for law enforcement agencies.

But with growing mistrust of the government, there are concerns that giving law enforcement agencies the power to read encrypted messages could be abused. A plethora of technology companies have stood behind Apple in its battle for encryption. BlackBerry is not one of them. In fact, its CEO, John Chen, has been clear about the company’s position on working with government agencies. In a December blog post, Chen said:

“At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.”

Yet BlackBerry continues to tout the end-to-end encryption feature of its BBM service. The image of BlackBerry devices as highly secure is prized in the enterprise world, and it has helped keep BlackBerry alive through years of shrinking market share. In a separate blog post, BlackBerry reasserted that its devices are just as secure as they have always been and that no government agency could crack the encryption protecting emails and other data stored on them.

It is true that BlackBerry doesn’t have backdoors on its devices, but that doesn’t stop it from handing out the global PIN encryption key that protects user data passing through its servers. Last week, VICE reported that the Royal Canadian Mounted Police (RCMP) received the decryption key for data that went through BlackBerry’s servers and were able to read over one million encrypted BBM messages as part of a police investigation into underground criminals.

If you’re using a BlackBerry that is integrated with a BlackBerry Enterprise Server (BES), this global encryption key does not affect you: BES allows administrators to set a separate encryption key for their own organisation. But if you’re sending and receiving BBM messages through BlackBerry’s consumer servers, that one decryption key can be used to read those messages. The RCMP reportedly intercepted BBM traffic between the handset and the server and used the global encryption key to unlock messages sent by the people it was monitoring.
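The difference between the two arrangements comes down to who holds the key. The toy model below is an added example, not code from BlackBerry or from the article: consumer BBM traffic is sealed with one global key held by the provider, BES traffic with an organisation-specific key the administrator controls. The cipher (a SHA-256 keystream plus an HMAC tag) and the key values are constructed stand-ins, since the article does not describe BBM’s actual cipher; the point it demonstrates is that a party holding only the global key can read every consumer message captured between handset and server, and none of the BES ones.

```python
import hashlib
import hmac
import os

# Constructed toy stream cipher: keystream = SHA-256(key || nonce || counter),
# XORed with the plaintext, plus an HMAC tag so a wrong key is detected rather
# than producing garbage. A stand-in for BBM's real cipher, which is not
# described in the article; it models only "one symmetric key unlocks
# everything encrypted under it".
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match (or data was tampered)."""
    nonce, body, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# Constructed keys. The global key sits with the provider for all consumer
# traffic; the BES key is set (and can be rotated) by the organisation's admin.
GLOBAL_PIN_KEY = hashlib.sha256(b"constructed-global-pin-key").digest()
ORG_BES_KEY = hashlib.sha256(b"constructed-org-bes-key").digest()


def route_message(sender_is_bes: bool, text: bytes) -> bytes:
    """Seal a message the way the handset would: org key for BES users, global key otherwise."""
    return encrypt(ORG_BES_KEY if sender_is_bes else GLOBAL_PIN_KEY, text)


def readable_with_global_key(blobs):
    """What a party holding only the global key recovers from traffic captured
    between handset and server: consumer messages in the clear, BES ones as None."""
    return [decrypt(GLOBAL_PIN_KEY, blob) for blob in blobs]
```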

While this case only concerns the RCMP, it is possible BlackBerry has handed the global encryption key to governments around the world. The company already has a history of assisting police in investigating BBM users, notably those involved in the London riots of 2011. This is another blow to the beleaguered BlackBerry brand, which has taken a beating in recent years.

BlackBerry has since responded to the allegations that it helped the RCMP. It stopped short of confirming the reports, but here is what Chen had to say:

“Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles. Furthermore, at no point was BlackBerry’s BES server involved. Our BES continues to be impenetrable – also without the ability for backdoor access – and is the most secure mobile platform for managing all mobile devices.”

He noted that the RCMP has now managed to take down an underground criminal organisation and added:

“For BlackBerry, there is a balance between doing what’s right, such as helping to apprehend criminals, and preventing government abuse of invading citizen’s privacy, including when we refused to give Pakistan access to our servers. We have been able to find this balance even as governments have pressured us to change our ethical grounds. Despite these pressures, our position has been unwavering and our actions are proof we commit to these principles.”

I’m not entirely sure I’m convinced that BlackBerry has, as Chen said, found a balance between helping the government access encrypted private data for the greater good and protecting the privacy of citizens. I’m certainly not comfortable with it.

This is one of the dilemmas of the encryption debate: we have implicitly trusted technology to protect the privacy of our data. What gives technology vendors the right to decide whether our data is worth protecting? How can we trust their judgment in assessing whether government agencies’ requests to access customer data are legitimate?

We can’t stop companies like BlackBerry from assisting government agencies and compromising the privacy of our data. But we can vote with our feet and support technology organisations that respect individual privacy and don’t assume what they are doing is right because “it’s for the greater good”.

“For the greater good”… I’ve heard that one before…

Clip from the movie Hot Fuzz