BlackBerry users recruited to keep RIM in Check on government deals

An independent Canadian Internet security and privacy research group wants BlackBerry users to help them determine the extent of security arrangements made by Research in Motion with state authorities that have earlier threatened to ban BlackBerrys in their countries.

The Citizen Lab, which last year was largely responsible for blowing the lid off a cyber spy ring based in China, has launched Project RIM Check, a program designed to gather information on how traffic exits the BlackBerry network depending on the country in which the user of the device is located. Essentially, the project involves signing on to the RIM Check web site, which automatically collects the following data: Internet Protocol address and user agent.

Citizen Lab wants to “map out global routing patterns” of the BlackBerry network to determine if RIM servers have been deployed in countries that have threatened to ban the smartphone. The group, which is headquartered at the Munk School of Global Affairs at the University of Toronto, hopes to determine:

  1. The location of servers carrying out information requests on BlackBerry devices
  2. The existence and extent of content filtering and data sharing agreements made by RIM with countries such as India, Saudi Arabia and the United Arab Emirates

There are very serious security and privacy repercussions for BlackBerry users if RIM has entered into data sharing deals with governments with “little or no meaningful oversight on how transmissions of electronic networks are monitored,” warned Ron Deibert, director of the Citizen Lab.

“Proprietary information of businesses could be compromised or lives of people living under certain governments could be endangered,” he said.

A major concern of these regimes, Deibert said, is that BlackBerry data can be encrypted and routed through servers located outside their jurisdiction.

Sometime in August this year, Saudi Arabia, RIM’s largest Middle East market with more than 700,000 BlackBerry users, announced that it will ban the smartphones from the country. Other countries including the U.A.E., India, Kuwait, Algeria, Lebanon, and Indonesia followed suit.

Although none of the reported bans were implemented, “unconfirmed reports have circulated that RIM made data sharing agreements with India, Saudi Arabia and the U.A.E. and other countries are requesting that RIM locate its data centres within their jurisdiction,” said Deibert.

ITBusiness.ca sought an interview with RIM but the company has not been able to give a statement on the matter.

However, in a statement issued at the height of the BlackBerry ban threats, RIM assured its customers that it “will not compromise the integrity and security of the BlackBerry Enterprise Solution.”

The company also said it respects regulatory requirements of governments as well as security and privacy needs of corporations and consumers but added “RIM does not disclose confidential regulatory discussions that take place with any government.”

“That’s the problem. The public and users of BlackBerry have no idea what agreements RIM might have signed to be able to operate in these countries and what sort of data is being collected,” said Deibert.

No need for RIM crackdown

At least one industry observer says there is actually no need for governments to crack down on RIM.

Danny O’Brian, Internet advocacy coordinator for the Committee to Protect Journalists (CPJ), a non-profit organization focused on protecting press freedom, labeled the battle between RIM and countries like the U.A.E. a mere “distraction.”

He noted that while there is unencrypted non-corporate traffic on RIM’s network, BES (RIM’s corporate email/Net system) traffic is encrypted in a way that third parties could not access.

O’Brian argued that governments can still monitor a sizable amount of traffic because “traffic to RIM’s servers still passes largely unprotected over U.A.E.’s local wireless networks, Etisalat and Du, both of which resell BlackBerry services within the U.A.E.”

“With suitable technical investment in domestic Internet monitoring, the U.A.E. can decode a great deal of BlackBerry traffic without RIM’s help,” he wrote in his recent blog.

The traffic that states won’t be able to decode would be end-to-end encrypted communications most often enabled by corporate BlackBerry users. “But then, as RIM explained to the Indian authorities, RIM itself could not decipher this traffic, even if it did provide government access to its own network,” said O’Brian.

What should RIM do?

“RIM can take a page from its peers who have gone through similar experiences,” Deibert told ITBusiness.ca.

For example, Google had a run-in with the Chinese government and now lists on its site government requests it receives for filtering or data sharing.

The search engine, Deibert said, also supports advocacy groups, bloggers and researchers pushing for access to information, privacy and freedom of speech on the Internet.

He said RIM could join the Global Network Initiative, a self-governance forum formed by Microsoft, Yahoo and Google. Issues around data sharing, data retention, content filtering are shared and discussed on GNI. “These are imperfect solutions but they are steps in the right direction.

“Ultimately, no one company can solve the problems RIM is encountering now,” said Deibert.

Nestor Arellano is a Senior Writer at ITBusiness.ca.