You may have heard that there are going to be Blackberry servers in Saudi Arabia1 that would give Saudi government access to user data in clear. When this drama unfolded, we heard Saudi Arabia wanted RIM to give them the keys to the locker lest 700,000 Blackberries be banned in that country. Blackberry came out saying there was no way anyone could get at the user data because they do not have the keys to decrypt it.
Indeed, that is how security/privacy is achieved because if RIM had the keys to decrypt user data, not only could RIM look at user data so could anyone else who hacked into RIM servers. Individuals/corporations will not send all their communication through Blackberry servers if the data was not stored encrypted. Not having the user’s key, otherwise known as “private” key since it is only known to the user- is generally the basis of cryptography based security systems. Having the decryption key would completely defeat the very basis of the security system.
But the fact of the matter is, it is possible for RIM to give access to unencrypted data to itself and other parties such as a government, competitor (and presumably hackers). That is really bad news for all Blackberry users – not just the Blackberry users in Saudi Arabia. And given that Blackberry has decided to do this for a third party which happens to be a government (and is probably going to do the same for others), it should stop making security claims it has done traditionally.
This potentially sets a disturbing precedence for electronic privacy rights in the face of government pressure as well2. What if US government asks Blackberry to have a server in Washington so the government and RIM can spy on all of our communications including Obama’s ? What about a Blackberry user from US visiting Saudi Arabia for a week ? What about terrorist states ?
- 1 2