No, RIM hasn't handed their BES encryption keys over to India

RIM
By Bla1ze on 2 Aug 2012 12:00 am EDT

If you've been following RIM news for a while, you'll know over the past four years there has been a bit of a security struggle for RIM with India. The Indian government has on numerous occasions requested the encryption keys for BlackBerry services such as corporate emails and BlackBerry Messenger. For their part, RIM has stated on just as many occasions that they do not possess any master key nor does any backdoor exist in the system that would allow RIM or any third party to gain unauthorized access to corporate data.

The only people capable of such access are the corporate customers in control of the accounts in question. Therefore, any Indian government agency requiring lawful access would need to request it from the corporate customers themselves and not from RIM directly. With India threatening to shut down BlackBerry services if a solution was not reached, RIM agreed to set up BlackBerry servers in Mumbai that met enough of the Indian government's compliance requirements for operations to continue, but as always there was NO access to BES services.

Recently, looking to further their agreement with the Indian government, RIM has worked with Verint and demonstrated a new solution for server monitoring that meets the lawful access requirements requested. That said, there have been a few inaccurate reports that imply the newly introduced solution offers more than what RIM is stating. They go so far as to suggest that even BES services could be monitored using the Verint solution. This is not the case at all. In speaking to RIM, they've advised:

RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications. As we have stated on several occasions, and as we have set out in our company’s Lawful Access Principles, RIM cannot access information encrypted through BlackBerry Enterprise Server as RIM is not ever in possession of the encryption keys. 

As a reminder of RIM’s longstanding position regarding “lawful access” matters around the world, RIM adheres to its published Lawful Access Principles. These four core principles outline RIM’s approach to providing carriers with the capabilities necessary to address lawful access requirements in their respective countries and include the following:

RIM lawful access principles:

  • The carriers’ capabilities be limited to the strict context of lawful access and national security requirements as governed by the country's judicial oversight and rules of law.
  • The carriers’ capabilities must be technology- and vendor-neutral, allowing no greater access to BlackBerry consumer services than the carriers and regulators already impose on RIM’s competitors and other similar communications technology companies.
  • No changes to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumors, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys. Also driving RIM’s position is the fact that strong encryption is a fundamental commercial requirement for any country to attract and maintain international business anyway and similarly strong encryption is currently used pervasively in traditional VPNs on both wired and wireless networks in order to protect corporate and government communications.
  • RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.

Given that this technological battle with India has been going on for over 4 years now, it makes sense that RIM would take whatever measures they can to ensure further success in India; it's one of their largest markets right now. However, as noted many times, what the Indian government is asking for is not possible, neither technologically nor under RIM's principles, and no access to the BES infrastructure will be granted via RIM.

Reader comments

19 Comments

Indian government always cries for everything, they are such crybabies, their system of government isn't good, yet they need access to BES

The title should say that RIM hasn't handed the BES keys to India, because those are on the enterprise customer's own servers.

BIS, that's a whole different story. India's government should be happy spying on their private citizens.

I'm confused, what are we clarifying here? I read both articles and both say that BES is not accessible by the DoT.

The Hindu Business Line:

"When contacted, David Paterson, Vice-President for Government Relations for RIM, confirmed that the company is offering solutions that will enable telcos to comply with the security requirements on consumer services. He, however, added that the monitoring solution was not for BlackBerry Enterprise service."

The Economic Times:

"I can confirm that RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic," said a company spokesman. But he said there was no access to secure encrypted BlackBerry enterprise communications or corporate emails as these were accessible only to the owners of these services.

From what I read, the Verint solution has the technical ability to access BES if the right permissions exist, just like a locksmith can get into your car but shouldn't if you're not around.

BES can't be accessed unless they go into the company that is hosting the BES server and gain access from their corporate mail server end. BIS, which does not have the end-to-end encryption that BES has, can be intercepted and read now that these servers are located inside India.

BIS has never been sold as a solid end-to-end encryption solution.

No Indian carrier will sell you a data plan that will allow you to do that. If you want to use BES from inside India you will need to buy a SIM card from a carrier elsewhere that does support BES traffic and roam while in India.

I found the same situation exists in Russia when I was researching my options there. Local carriers only support BIS.

Makes sense. The enterprise BES server generates the key that gets used to encrypt the data, which is transported by the RIM NOC. RIM has no capability to decrypt it without the key, per security standards, unless it has a backdoor key.
Security is the bread and butter of RIM, so RIM should not give up ever. Just like Swiss accounts, used by special people for a special purpose.

I agree with the comment on confusion. There doesn't seem to be anything to clarify as both articles clearly state BES is not accessible.

Perhaps CrackBerry should concentrate on its own articles instead of simply trawling other sites.

This Indian Government has no work to do. They don't even know what the meaning of an encrypted message is and how BES works; they just only know how to take the money and feed it to their cabinet ministers... That's all they know very well... and I believe sometimes even the media is also not having any news, so they keep on writing such articles.

When you have had the equipment you are importing stuck in the docks in India for two weeks because someone had put the word "Computer" in the customs documentation, rather than "Industrial Controller" and then when it arrived on site the racks had been clearly deliberately damaged by somebody (perhaps the bribe hadn't been big enough?) then you start to understand the problems that Indians have with their government.