The discussions between Research In Motion, maker of the BlackBerry, and governments such as the United Arab Emirates, Saudi Arabia, and India continue to hit the headlines. In each case, disagreements center on providing customer communications to security and law enforcement services. The rumblings from these nations over monitoring powers aren’t just limited to RIM: India has announced its intention to put the same pressure on Google (for Gmail), and Skype (for its IM and telephony services).
All of these devices and services have a reputation for security, and are therefore commonly used by journalists concerned they or their sources could be at risk of government or criminal surveillance. What should journalists working under these conditions make of these new developments? Will their online security be diminished?
Let’s take RIM’s BlackBerry, as there have been persistent reports that the company has faced pressure to placate security services in India and Saudi Arabia. Can journalists still depend on it for secure communications?
Judging from all the evidence, the answer depends on where you obtained your BlackBerry. BlackBerrys are sold either directly to individual consumers by mobile companies, or provisioned by corporate (or government) IT departments as the mobile extension of their own, private, messaging systems.
If you have been issued a BlackBerry by your employer, or use it to access company mail via what RIM calls a BlackBerry Enterprise Server (BES), the security of your device is in the hands of your employer, not RIM. Companies are worried about snooping, too, so RIM has purposefully secured its enterprise offerings so that not even RIM can spy on their traffic. As a side effect, this means communication is almost certainly secure from government interception, even if those governments require RIM to keep its servers in their control. If you feel you are in a vulnerable position, and use a corporate BlackBerry, speak to your IT department about its security.
If you have a consumer BlackBerry bought from a mobile phone company, you do not have the protection of RIM’s corporate security system. As CPJ has noted previously, this means countries like the UAE and India always had the potential to intercept your communications but may not have had the technical knowledge to exploit that potential.
We assume that this is no longer the case. Locating RIM servers in these countries (as many of them have demanded) would give the local authorities the ability to straightforwardly intercept all but SSL/TLS (https) Web traffic, and would allow local law enforcement to obtain access to stored e-mail. With a better understanding of RIM’s infrastructure (obtained either from RIM itself or through independent research), these nations and others could decode BlackBerry traffic passing over their mobile networks even without local RIM servers.
One common service used by both enterprise and consumer BlackBerry owners is “PIN-to-PIN” messaging, the feature that allows BlackBerry owners to send free messages to any other BlackBerry user. PIN-to-PIN has the strongest reputation for privacy. Unfortunately, while it is certainly harder to intercept than SMS (text) messages, the encoding system that RIM uses to send PIN messages can theoretically be decoded.
In summary: if you’re a journalist using an enterprise BlackBerry given to you by your employer for work purposes, you are probably well-protected from casual interception (although you should never depend on the inviolability of your communication systems). If you are using a consumer BlackBerry, do not presume to be any better protected from surveillance than someone using an ordinary mobile phone.
No anti-surveillance system offers perfect protection. Even enterprise BlackBerrys could be compromised through the installation of spyware on the phone (as the UAE attempted in 2009) or on the corporate servers. The encryption systems that protect Skype and Gmail from local interception are potentially vulnerable to sophisticated attacks such as fake versions of Skype with backdoors or fake websites that can convince browsers they are the real Gmail. The good news is that the majority of these techniques would be detectable, if not obvious. With the right software and expertise, they can be spotted by their victim. And their use “in the wild” would, in itself, be a major news story.
Governments planning to use these attacks on journalists should know that their spying can be spotted and exposed.