RIM Helps Indian Authorities Access BlackBerry Messages

judgecorp writes "RIM has set up a surveillance facility in India to help the authorities monitor users' BlackBerry messages, according to reports. This comes after a long argument in which RIM at first tried to resist opening up to Indian government scrutiny."

Are people still buying blackberries

[Synerg1y]

http://www.informationweek.com/news/mobility/business/231300237

xnews.com/scitech/2011/10/27/class-action-suit-filed-against-rim-after-blackberry-outage/ http://www.itworld.com/mobile-wireless/216895/more-bad-news-rim-playbook-os-update-delayed-4-months-or-maybe-forever

My google search: "RIM News", not "RIM Bad News", http://www.google.com/search?q=RIM+news

Google & MS would just laugh at the silly indians and their depreciation of individual privacy.

Re:Are people still buying blackberries

MS would just laugh at the silly indians and their depreciation of individual privacy.

The same Microsoft that happily laps up the search engine market Google refused to serve in China due to massive censorship and logging requirements? MS would jump at ANY opportunity to make money, no matter how immoral.

If Google and MS are laughing, they do so because it's RIM that gets the bad PR and not them. ANY big US corporation will hand over all data in unencrypted form if their government comes running. Government contracts and favourble laws are much more important than petty private of expendable, complacent customers.

Re:Are people still buying blackberries

Canadians. Totally against freedom.

Re:Are people still buying blackberries

[Synerg1y]

Is your argument serious or are you just trolling?

Either way your completely speaking out of your ass. We're talking about the Indian government here, RIM is not based there, MS is based in the states, I'm still unclear as to whether your head is really that far up your ass to not be able to tell the difference between the two governments.

Also customers are #1 to an organization, try landing a real job that pays non-monopoly money to learn that or something. No customers, there is no organization for the government to harass.

Lastly, the login button is in the top right if you want to stand by your *ehm* argument.

Re:Are people still buying blackberries

[WNight]

Lobbying for favorable laws opens up markets, and part of getting favorable laws is doing whatever you're asked. So to get those #1 customers they'll do anything, even provide them a cut-rate service by allowing warrantless wiretapping, etc.

And they'll bow to whatever special interest makes it more profitable to deal than fight, from government to church groups.

There's no risk for the companies that do this. If someone was discovered to be in the KKK they might get beaten or killed, but build a product that allows Syria to make prisoners and slaves of its people and you're an A#1 citizen.

Following the law needs to be a minimum standard, not a free pass.

RIM sales already decreasing;not sure this'll help

[youn]

one of the only reasons it sales were still up was through enterprise phones which had insurance their communications were encrypted

Don't glare at RIM

[ackthpt]

The Indian government (among others) will twist arms of any and all carriers to get what they want. Even in the US the gummint will get what it wants one way or another.

Want privacy? Write your own encryption and scramble everything you share with your mates.

Re:Don't glare at RIM

[Flyerman]

You think they won't come knocking once they see that shit on the web?

Re:Don't glare at RIM

[CanHasDIY]

Want privacy? Write your own encryption and scramble everything you share with your mates.

Makes sense for the 99.999% of the global population who aren't cryptophiles...

Re:Don't glare at RIM

Want privacy? keep it to yourself. At least for now they can't get what's in your head. Or can they!

Re:Don't glare at RIM

Write your own encryption? What % of the population could write government proof encryption. Certainly you nor your mates.

Re:Don't glare at RIM

>Write your own encryption
I think I laughed so much my head everted.

Re:Don't glare at RIM

[Synerg1y]

No they won't, your tinfoil hat is on too tight.

Re:Don't glare at RIM

Well, they can put water into your head and that usually causes those secret things to come spilling out with the water.

Re:Don't glare at RIM

[bill_mcgonigle]

The Indian government (among others) will twist arms of any and all carriers to get what they want.

Twisting arms is exactly what it will take to get plaintext from a carrier that's carrying properly configured IMAP/TLS traffic, except it has to be the arm of the user or the server admin - all the carrier can do is block it.

RIM's architecture puts it as the weakest link in the real security model. Serious people have known this for a decade. So much so, that the Indians are only going to catch stupid and small-time criminals.

Re:Don't glare at RIM

... and you think that if RIM refused, the Indian government would just ban Blackberries? Businesses would crucify them.

Neither Google nor Apple have bent over on this. Why should RIM?

Re:Don't glare at RIM

[shutdown+-p+now]

Makes sense for the 99% of the population who don't really care all that much about privacy - at least as far as government access goes.

Re:Don't glare at RIM

[sitkill]

Are you sure about that?

And more to the fact, why would they? I don't believe any of their message transfering is encrypted, so why would India need to ask them for it? Note, blackberries encrypt by default. Also note, in the articles linked, they talk about Nokia giving access, so this isn't a blackberry only thing.

RIM is also not giving them access to the BES servers it seems, so they are pushing back....and to be honest, this ENTIRE slashdot submission is pretty much just here for more blackberry bashing (which seems to be pretty popular these days). This was originally announced 6 months ago, but now it makes the slashdot headlines.....

The Mumbai facility apparently deals with intercept requests for mostly consumer-facing services such as BlackBerry Messenger and email. However it is thought that BlackBerry enterprise email remains beyond(sic) the reach of Indian authorities, thanks to its higher levels of encryption.

Re:Don't glare at RIM

LOL! Nice one!

--- Anonymous Coward

Re:Don't glare at RIM

[CodeBuster]

Write your own encryption and scramble everything you share with your mates.

It's not necessary to write your own encryption. In fact, doing so is dangerous because without specialized knowledge and very careful programming, bugs or other weaknesses are all too easily introduced. No, there are already many fine open source implementations of various ciphers which are known to be secure. The problem in real world situations is always the key management. Indeed, most known breaches of modern ciphers have mainly come not from brilliant cryptanalysis, but rather attacks on the key management procedures. These can range from insecure operator procedures, bugged input devices and key logging programs to the ever ready rubber hoses when the authorities lack the sophistication and resources required by the former methods. In any case, it's probably easier for you and your mates to simply share in private without going over public networks. Have a LAN party and do your sharing there instead.

Re:Don't glare at RIM

And you're a fool. They DO come knocking to have a 'talk' with you.

Re:Don't glare at RIM

[Sean]

TLS? That's backdoored if the client accepts keys signed by one out of a huge list of trusted CAs. And that's pretty much every major client.

Re:Don't glare at RIM

On the other hand, the safest encryption is also the simplest; one time pad :)

Re:Don't glare at RIM

[Synerg1y]

Name one example in context of OP newb. Too scared to login coward?

Re:Don't glare at RIM

[bill_mcgonigle]

TLS? That's backdoored if the client accepts keys signed by one out of a huge list of trusted CAs. And that's pretty much every major client.

Yeah, like I said, "properly configured IMAP/TLS traffic". I think the organized criminals who have hundreds of millions of dollars at stake aren't going to be making these mistakes.

Setting up a CA is trivial at this point, and client-certificate TLS is getting better support. I guess one should inspect his mail client's source to make sure it properly prevents spoofed server connections if a different trusted CA's signed cert for the same host is presented. Thunderbird does the right thing here, I wonder about Android.

Re:Don't glare at RIM

[ajo_arctus]

If you want to guarantee that your secrets can be decrypted, write your own encryption.

Unless you are a genuine cryptography expert, any encryption scheme you come up with will be easily breakable. You could maybe use one time pads that are longer than your messages and swap/synchronise them in a safe way -- that'd be secure -- but it still won't work. If "they" want to know what's going on, they'll just torture you.

This is perfectly fine

[idiot900]

Nobody in the Indian government would ever consider misusing this surveillance capability. As we all know, Indian government workers do not take bribes, the rich and powerful only have the same rights as anybody else, and the Indian government has a long history of the utmost integrity. There is no reason for anyone using BlackBerry who is concerned about their privacy to switch to another provider.

Re:This is perfectly fine

[Kulfaangaren!]

"Nobody in the US government would ever consider misusing this surveillance capability. As we all know, US government workers do not take bribes, the rich and powerful only have the same rights as anybody else, and the US government has a long history of the utmost integrity. There is no reason for anyone using BlackBerry who is concerned about their privacy to switch to another provider."

There, fixed it for you.

Re:This is perfectly fine

And which government does?

Re:This is perfectly fine

[Opportunist]

Mine.

Vote me for dictator!

Don't worry

[mr1911]

This will be restricted to only legitimate reasons for data. There is absolutely no way it will be abused.

Re:Don't worry

LOL :) just as legitimate as the FBI's super gags. Fck - you are the country where the secret service has formal offices at the telecom company HQs!

Why are Americans so stuck in this weird alternative reality. You have
1. No expectation or privacy (super gags etc.), and dumb GPS trackers
2. You have no control on your ultra corrupt congressmen, who will happily vote to attack another country for say $25K in campaign donations
3. Your interests almost always seem to be tangential to the business (and congress rep's ) interests. And you always lose.

And then you want to pick on policies in 3rd world country!. You guys are crazy dumb.

Re:Don't worry

[Opportunist]

I believe you.

Of course, my definition of "legitimate" might differ from theirs...

It won't work in India...

The last time India had a major terrorist attack, the perps used cell phones & sim cards that had never been used before. So there was nothing to tap until the day of the attack.

Terrorists aren't always dumb.

I read this as

[blair1q]

Here's what I saw in that article: "Rim entraps customers into paying to be spied on by their own government, and happily profits from it."

Because leaving profits on the table to do something ethical? Not Rim's business model.

Re:I read this as

Actually, it's quite the inverse. Indians won't use Blackberries now, because they are being monitored. They'll opt for some other device that the government hasn't squeezed yet. Which, I assume, is why they tried to fight it in the first place, not because of some ethical stance.

Re:I read this as

[blair1q]

Is RIM the only manufacturer allowing the government to monitor traffic?

Or is it just the only one who tried to fight it, or could?

I suspect the government already has a sniffer on all the other systems.

Doesn't change my view of RIM's capitulation. They tried to keep their entire subscriber base, now they're willing to profit from delivering up those who haven't bailed.

Re:I read this as

[ve3oat]

I read it differently. Since the Indian government can already read the communications from all other brands of mobile phone, they have now asked RIM to help them break into the more secure transmissions from Blackberries. It was inevitable.

Re:I read this as

I read it differently. Since the Indian government can already read the communications from all other brands of mobile phone, they have now asked RIM to help them break into the more secure transmissions from Blackberries. It was inevitable.

You think this might be in response to the big telecom scandal in India right now?

Re:I read this as

[TheGratefulNet]

all carriers and equip makers must give governments (and even powerful companies) ability to do DPI and MitM Bad Things(tm).

just routing packets is not 'fun' for companies anymore, nor profitable. they are ALL in the spy business. anything with a cpu, these days (ie, more than the $10 silicon home gig-e switches) will be doing DPI and triggering with hardware assist.

the new hotness is users (ie, owners, ie governments) writing their OWN apps that run *inside* the router/switch.

yeah, think of the great things (...) that they can do with wire speed access to bits on the wire and ability to write fast scripts that edit on the fly.

yup.

its here today. just pay for it and its yours.

And the next step?

[TubeSteak]

How long until criminal organizations setup Enterprise Blackberry servers?

Re:And the next step?

[Synerg1y]

They would be more secure than this shit lol.

Identity theft vs a black bag? Ez choice.

Re:And the next step?

[hawkbat05]

Another option is to write an app implementing PGP using BB PIN messages with a BBM style UI. The only text they would intercept is a public key and base 64 encoded encrypted data. Even of they got one persons private key they'd only see half a conversation. Also, they wouldn't need their own server because they would just use RIM's as the transport. This probably wouldn't be too difficult for the more sophisticated groups. The problem with lawful access is it only catches the dumb ones, but still exposes the innocent.

Re:And the next step?

Another option is to write an app implementing PGP using BB PIN messages with a BBM style UI.

Actually, you can get a PGP plugin from PGP Corp. (now part of Symantec). You have to pay for it though.

But native s/mime email encryption is built in to the blackberry, and costs nothing.

Re:RIM sales already decreasing;not sure this'll h

[ackthpt]

one of the only reasons it sales were still up was through enterprise phones which had insurance their communications were encrypted

They appear to have nails being hammered into their coffin at a brisk pace.

I'd say this makes them a takeover target for ... Microsoft.

Why BB especially?

[doston]

The US government is able to go into any of the cell providers data side and look at anything with no warrant and no notice to the carrier. Both carriers I worked for provided back doors into the SMS/MMS platforms. The feds even had their own cutesy username (Leo) and password was equally adorable. Why bother with a warrant when you can just go look at the info, then if you see anything interesting, ask for the warrant. Apparently it saves Leo time. Marriage of corporations and governments = what?? That's right, folks.

Re:Why BB especially?

[jimicus]

Because Blackberry, IIRC, provide a messaging service comparable to SMS but using the phone's data connection. This messaging service offers end-to-end encryption.

Correction: Blackberry's marketing claimed it offered end-to-end encryption and that there was no way they could snoop on messages. IIRC they also told the Indian authorities something similar. The fact that this story is able to exist demonstrates that this is not true.

Can't say I'm particularly surprised myself. Telephony providers are more-or-less legally obliged to offer some sort of lawful intercept system in most countries; offering a phone for sale which provides a blatant run around that seems like an extremely good way to get your product banned in very short order.

Re:Why BB especially?

[narcc]

Had you actually read the article (this is Slashdot, I know) then you'd know that, as always, BES users are still secure.

See, RIM couldn't give them access to BES users data no matter how badly they wanted to. They simply don't have the keys.

To avoid the current privacy issues, BIS users in India can make use ot the many of third-party apps that provide additional security to contacts, sms, etc.

So, yes, in India (and just about everywhere else for that matter) Blackberry is still the only real choice when it comes to mobile security.

Re:Why BB especially?

[jimicus]

Funny, I could have sworn the iPhone (and Android for that matter) will happily check the certificate chain when establishing an SSL connection to their email server.

Re:Why BB especially?

[narcc]

There is a lot more to messaging security than just an SSL connection, you know.

Peas in our thyme

I salute the Indian goverment's gesture of peace towards Pakistan. Obviously they're deliberately behaving like a paranoid dictatorship to make Pakistan's government seem less bad by comparison. RIM would be better off walking away from this bullshit. They're compromising one of their strong selling points in order to do business in a shitty cautionary tale of a country.

Windtalkers

The Indians will just develop their own unbreakable code based on their own language.

Re:Windtalkers

[Opportunist]

Mmm... given my experience with tech support, all they have to do is talk in English and nobody will be able to break the cypher.

When do the other shoes drop?

[tqk]

Does India's justice system have an equivalent requirement for warrants prior to wiretaps?

I wonder when the DHS and (Canada's) CSIS get their own monitoring centres?

Re:When do the other shoes drop?

[GameboyRMH]

You think they don't already have the capability? LOL!

Re:When do the other shoes drop?

[shutdown+-p+now]

According to this, which, as I understand, is the current Indian law on the subject:

"On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorized in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order"

(which in practice has been extended by courts to apply to all modes of communication, rather than just telegraph)

However, my understanding is that material obtained through such wiretapping is not directly admissible in the court, so it cannot itself be used as a proof of wrongdoing.

Re:When do the other shoes drop?

[TheGratefulNet]

india's justice system.

hmmm.

I know those words on their own, but for the life of me, I just can't make sense of them together as a phrase.

Re:When do the other shoes drop?

[tqk]

I wonder when the DHS and (Canada's) CSIS get their own monitoring centres?

You think they don't already have the capability?

Up until a few months ago RIM was insisting that, due to the way BBs work, such monitoring centres were simply impossible - it couldn't be done.

Sad. I suspect this sounds the death knell for RIM.

Re:When do the other shoes drop?

[Jiro]

However, my understanding is that material obtained through such wiretapping is not directly admissible in the court, so it cannot itself be used as a proof of wrongdoing.

They will probably just use the standard dodge that's already used in the US: once they look at the inadmissible evidence and figure out who they want to search, claim to have received an "anonymous tip" implicating that person and search them based on the "anonymous tip".

Ahh, the challenges of RIM

[bobstreo]

Secure and highly available..

Re:Ahh, the challenges of RIM

> Secure and highly available..

It is rather secure, which is why we get these messages every once in a while. Regular SMS are easy to intercept by local governments, because they go unencrypted over the network (and use only very moderate strength encryption on the air). RIM on the other hand only has the messages decrypted on the central servers and on the device, so it is much harder to intercept by local agents. RIM needs to create an interface for them.

Of course they have also demonstrated that security usually affects availability...

The coercive party is not to blame?

Why not: "Indian Authorities Put Political Pressure on RIM to Access BlackBerry Messages"? The way it's worded it's like RIM is to blame and not some democratically elected government who uses coercion to get their way. Corporations will do as they are told if that means they can stay in business. Indian officials are to blame here, not RIM.

Not anyone's business model either

Nothing special - Rim shouldn't be singled out as if they were the only one doing it.

Re:RIM sales already decreasing;not sure this'll h

[wiedzmin]

Oh please, like other companies (Google, Microsoft, AT&T) don't let other governments (UK, Canada, US) read your "encrypted" email whenever they feel like it.

Didn't RIM claim this wasn't possible?

[Sark666]

I thought I read RIM claimed that how their network is setup in such a way that the encryption is done on the device and they don't have a means of accessing the contents?

Re:Didn't RIM claim this wasn't possible?

That is how the Blackberry ENTERPRISE SERVER (BES) works. Indian gov't got access to Blackberry INTERNET Services which is what you use if you don't proactively connect to a BES server.

Re:RIM sales already decreasing;not sure this'll h

And if you had actually read the articles, instead of looking like an idiot, you would have read that this has NOTHING to do with the BES servers. This has to do with BBM/email/etc over no BES servers

So pretty much this is just FUD, and OLD news. This was reported 6 months ago, but somehow, it's become news again today! And oh, don't worry! All your other mobile company has given the EXACT same access to india! In the articles linked, it even talks about Nokia giving access (though, since nothing is encrypted by default, I don't know why they needed to go through Nokia).

But don't let facts hold you back on your bias!

What!

Those sons of bitches!

Re:RIM sales already decreasing;not sure this'll h

[youn]

Blah Blah blah :)... Dude, chill... this is slashdot... no one reads the articles even when there is just one... you actually want me to read 3 haha, you're funnnyyyy :) .. Some of us have a life you know :p... I swear I get out of the basement sometimes. YOu should try... your skin won't sparkle like a vampire, i promise. Anon, zometimez you can really be a pain in the butt/ annoying :p

Re:RIM sales already decreasing;not sure this'll h

[priegog]

Do you any sources to back these claims up? I'm genuinely interested...

S/MIME

[mr100percent]

All the more reason to use S/MIME or PGP/GPG to encrypt your email, and keep it out of government hands.

Re:RIM sales already decreasing;not sure this'll h

[Opportunist]

Huh? Who gave Google, MS and AT&T my private PGP key?

Not news

This is no change in RIM's policies or capabilities, advertised or otherwise.

They STILL are not tapping into private BES setups. They still lack the capability. This was always expected from the RIM hosted services. Really this is just Indian politicians finding a way to back down from asking what RIM cannot do and still save face. From the looks of most of the comments here, it's working.

CAPTCHA: cringe

Re:RIM sales already decreasing;not sure this'll h

[wiedzmin]

Here you go:

http://www.dslreports.com/shownews/ATT-Repeatedly-Helped-FBI-Break-Communications-Law-106553
http://www.wired.com/threatlevel/2007/03/fbi_confirms_co
http://www.itworld.com/security/216565/google-admits-it-would-give-your-data-feds-93-times-out-100
http://www.pcworld.com/article/190438/microsoft_stool_pigeon_for_the_cops_and_fbi.html