If you've been following RIM news for a while, you'll know over the past four years there has been a bit of a security struggle for RIM with India. The Indian government has on numerous occasions requested the encryption keys for BlackBerry services such as corporate emails and BlackBerry Messenger. For their part, RIM has stated on just as many occasions that they do not possess any master key nor does any backdoor exist in the system that would allow RIM or any third party to gain unauthorized access to corporate data.
The only people capable of such access are the corporate customers in control of the accounts in question, therefore, any Indian government agency requiring lawful access would need to request it from the corporate customers themselves and not RIM directly. With threats coming from India that they would shut down BlackBerry services if a solution was not met, RIM agreed to set up BlackBerry servers in Mumbai that met enough compliance with the Indian government that they were able to continue operations but as always though there was NO access to BES services.
Recently, looking to further their agreement with the Indian government RIM has worked with Verint and demonstrated a new solution for server monitoring that meets the lawful access requirements requested. That said; there has been a few inaccuratereports now that imply the newly introduced solution offers more than what RIM is stating. They go so far as to suggest that even BES services could be monitored using the Verint solution. This is not the case at all. In speaking to RIM, they've advised:
RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications. As we have stated on several occasions, and as we have set out in our company’s Lawful Access Principles, RIM cannot access information encrypted through BlackBerry Enterprise Server as RIM is not ever in possession of the encryption keys.
As a reminder of RIM’s longstanding position regarding “lawful access” matters around the world, RIM adheres to its published Lawful Access Principles. These four core principles outline RIM’s approach to providing carriers with the capabilities necessary to address lawful access requirements in their respective countries and include the following:
RIM lawful access principles:
- The carriers’ capabilities be limited to the strict context of lawful access and national security requirements as governed by the country's judicial oversight and rules of law.
- The carriers’ capabilities must be technology- and vendor-neutral, allowing no greater access to BlackBerry consumer services than the carriers and regulators already impose on RIM’s competitors and other similar communications technology companies.
- No changes to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumors, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys.
Also driving RIM’s position is the fact that strong encryption is a fundamental commercial requirement for any country to attract and maintain international business anyway and similarly strong encryption is currently used pervasively in traditional VPNs on both wired and wireless networks in order to protect corporate and government communications.
- RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.
Given this technological battle has been going on with India for over 4 years now, it makes sense RIM would take whatever measures they can to ensure further success in India, it's one of their hugest markets right now. However; as noted many times, what the Indian government is asking for is not possible. Not technologically and not by RIM's principals and no access to the BES infrastructure will be granted via RIM.