[Vetboy]

Snapchat, Skype, BBM not protecting users' privacy, says Amnesty International - Technology & Science - CBC News

I thought that was BBM's forte

[app_Developer]

You have to pay for BBM Protected or BES to get end to end encryption.

[erwinfr]

https://help.blackberry.com/en/bbm-s...0397548-en.pdf

read all about it... security note on non enterprise bbm

end to end encrypted but not with a generated key on the device but a global key which is the same for all devices

[app_Developer]

https://help.blackberry.com/en/bbm-s...0397548-en.pdf

read all about it... security note on non enterprise bbm

end to end encrypted but not with a generated key on the device but a global key which is the same for all devices

That is not "end to end" encryption since BB obviously has access to the one global key that's used every time for every message for every single user.

[sonicpix]

Was just about to post this. I wonder how much they make for the 'protection' and how much it costs them in lost reputation? It's meant to be a revenue generator and I bet it's not making much for them.

Posted via CB10

[app_Developer]

Was just about to post this. I wonder how much they make for the 'protection' and how much it costs them in lost reputation? It's meant to be a revenue generator and I bet it's not making much for them.

Well Chen has argued that they don't offer e2ee to everyone because it would prevent BB from handing over chats to law enforcement under subpoena. He was critical of Apple's stance on this and what they did with the iPhone 6 and above.

On the other hand, he offers e2ee for people who pay for it. He hasn't really thought this through very well IMO.

[anon(4275744)]

The source is Amnesty International... Isn't that like Peta commenting on the dairy industry?

"*messaging services like Snapchat, Skype and BlackBerry's*BBM*are not taking basic steps to ensure privacy, according to Amnesty International."

[EFats]

Doesn't matter who it comes from, it happens to be the truth.
You can argue about whether BBM has "basic" security or not or if the current level is sufficient or whatever. Those are pointless. Blackberry has been very open and honest about how the security works with standard BBM vs BBM Protected and running your own BES, that is no secret.

The problem is when the free alternatives have apparently stronger security, it does not look good for a company who rides on the reputation of being secure. I would suggest to Mr. Chen that at this stage of the game, you turn it on. There's no point in being able to "help the good guys" if nobody is using your system anyways. You don't want to get to the point of no return, there are enough users to possibly salvage BBM right now.

[ninjakaiden]

The thing that bugs me about this is that people will only call foul on BlackBerry for being insecure - even though BlackBerry has said many times that end-to-end encryption is available with BBM Protected and enterprise BBM. Data apparently Doesn't matter if it's snapchat or skype, only on BBM.

Posted via CB10

[StephanieMaks]

I believe the reason BlackBerry / BBM gets the extra scrutiny is because of the hippocracy.

They make their claim on being the secure option, they make the 'most secure' phones, but then their baseline messenger is less secure than some of the alternatives. You don't actually get that extra security unless you cough up some extra $$ for it.

To me, it seems like basic human nature. If someone goes strutting around bragging they're the best XYZ available, and it turns out that they aren't (or there's some caveats and addendums), then of course people are going to call them out on it.

[Christopher Cordray]

As a big proponent of BlackBerry in general I have been promoting it products emphasis on BlackBerry security as really great reason to choose BlackBerry. This is bad form, that e2e encryption requires a fee given how much BlackBerry touts it's security. I don't object to BlackBerry making money from it's products but when Facebook and Apple score best in Messenger security without extra fees it makes BlackBerry look bad. They might as well have a commercial stating "BBM is not just secure it's BlackBerry Secure!" - <voice lowers in volume> "some conditions and fees apply".

[NG888]

This doesn't sound good for BlackBerry, interesting to see what JC has to say about this, considering security is their primary asset.

[1122334455667788]

The thing that bugs me about this is that people will only call foul on BlackBerry for being insecure - even though BlackBerry has said many times that end-to-end encryption is available with BBM Protected and enterprise BBM.

Posted via CB10

Actually I don't think BlackBerry has been nearly as transparent about this as you claim.
They certainly don't mention the lack of security "many times" in their marketing.
Just look at BBM.com. It starts with "BBM lets you chat and share with a speed, control and privacy you can’t get on other instant messenger apps."
I think that line is a complete lie.
Someone who buys a device named PRIVacy would naturally expect the default messing app to guarantee privacy. Their marketing certainly doesn't contradict that idea.
You really have to do the research to find out that BBM isn't end to end secure.

I definitely agree with StephanieMaks about BlackBerry's hippocracy.
Not just about BBM, but their phones too. They claim to have the most secure phones, and then they write a blog post condemning Apple and basically saying that they will help law enforcement hack any BlackBerry. If the phones are as secure as they market them, then they shouldn't technically be able to help law enforcement at all!

[app_Developer]

This doesn't sound good for BlackBerry, interesting to see what JC has to say about this, considering security is their primary asset.

Chen already addressed this when he after Apple on this issue.

Many of us said back then that his position doesn't make sense given the market position they are trying to carve/protect.

But, to his credit, he did say BlackBerry can hand over the contents of your BBM chats when asked (or ordered). For the sake of the company, though, he probably should have kept quiet.

[EFats]

... but when Facebook and Apple score best in Messenger security without extra fees it makes BlackBerry look bad. ....

Yes, it doesn't look good for BlackBerry. But at least in the case of Whatsapp/Facebook, it isn't really "free" is it? While they may not get at your message contents, they are gathering TONS of metadata about you & your contacts & selling it off. That's despite initially promising that Whatsapp wouldn't share data with Facebook. Never mind and 3rd parties, I wouldn't even trust the provider of that service!

You're paying, you just don't know it.

One other thing came to mind, how secure are BBM Private chats? These are free as far as I know. Whatever "weak" encryption you have, the messages are deleted once you're done, so as long as the deletion happens securely, there's nothing left to decrypt. The weakness would be real-time interception of your chats.
And there is one more thing, at least BBM uses a PIN. It's an extra hurdle to find out who is connected with that PIN. On the other systems, it's phone number. Anybody can easily find out who all your contacts are.

Sent from my BlackBerry 9900 using Tapatalk

[Christopher Cordray]

Yes, it doesn't look good for BlackBerry. But at least in the case of Whatsapp/Facebook, it isn't really "free" is it? While they may not get at your message contents, they are gathering TONS of metadata about you & your contacts & selling it off. That's despite initially promising that Whatsapp wouldn't share data with Facebook. Never mind and 3rd parties, I wouldn't even trust the provider of that service!

You're paying, you just don't know it.

One other thing came to mind, how secure are BBM Private chats? These are free as far as I know. Whatever "weak" encryption you have, the messages are deleted once you're done, so as long as the deletion happens securely, there's nothing left to decrypt. The weakness would be real-time interception of your chats.
And there is one more thing, at least BBM uses a PIN. It's an extra hurdle to find out who is connected with that PIN. On the other systems, it's phone number. Anybody can easily find out who all your contacts are.

Sent from my BlackBerry 9900 using Tapatalk

Yes the question is can I find hardcore proof of the "cost" of using Whatsapp/Facebook. I have to have some defence against my die hard apple friends. I will search for articles attesting to this over weekend. Having said that I still think BlackBerry needs to address this. I couldn't even figure out how to pay for ee2e for BBM.

[fschmeck]

... but when Facebook and Apple score best in Messenger security without extra fees it makes BlackBerry look bad.

I'm questioning the conclusion being arrived at by amnesty international. Maybe WhatsApp and Facebook mgr have end to end encryption, but does it really matter? Their entire business model revolves around mining your data. BB probably does some data mining too, but they also have other sources of income... Not just harvesting data from the end user.

So I guess it comes down to who you trust more: BB who may handover your data to authories, hopefully with due process? Or Facebook whose entire business model revolves around selling you crap based on your data?

Posted via the CrackBerry App for Android

[thurask]

It's Amnesty, having some IT schmuck in Cupertino reading one's messages is less dangerous than having some IT schmuck in [insert third world dump here]'s state security apparatus reading one's messages. The kerfuffle over various unsavory governments asking BlackBerry for BBM access in the past (India, Pakistan, the UAE), and sometimes even receiving it (Canada) shifts the balance of privacy firmly away from the user. Hiding end to end behind a pay wall and other general opacity doesn't help.

The ideal scenario for Amnesty seems to be an app using FOSS protocols, providing free end to end encryption and user-facing privacy tools and notifications, and being supported by organizations that stand (or at least claim to stand) for the user's privacy in the face of government nosiness. Whatsapp and Telegram tick all three boxes. BlackBerry might tick the last one sometimes, but to only narrowly edge out the Chinese in a privacy assessment is not something to be proud of.

[app_Developer]

So I guess it comes down to who you trust more: BB who may handover your data to authories, hopefully with due process? Or Facebook whose entire business model revolves around selling you crap based on your data?

For many people around the world, a visit from the secret police or the religious police is just a bit scarier than an ad.

The bigger point is this: if I'm having a conversation with my wife or kids or colleagues, I don't want to trust anyone. I want to know that my message is encrypted end to end such that only the recipient can read it. That way I don't have to trust anyone in between whether that be FB or Google or BlackBerry.

[fschmeck]

For many people around the world, a visit from the secret police or the religious police is just a bit scarier than an ad.

The bigger point is this: if I'm having a conversation with my wife or kids or colleagues, I don't want to trust anyone. I want to know that my message is encrypted end to end such that only the recipient can read it. That way I don't have to trust anyone in between whether that be FB or Google or BlackBerry.

Fair point. It is just when I look at WhatsApp, the recent "share your phone #" issue, and the fact that they are owned by a huge company known for the exact opposite of privacy, I'm not convinced. However it is fair to point out that if BlackBerry is going to talk the talk, then they need to walk the walk. Then again, I don't think Joe Public is their primary focus anymore, so having to pay for good encryption fits their business plan better than offering it for free to the masses.

Posted via CB10

[Omnitech]

That is not "end to end" encryption since BB obviously has access to the one global key that's used every time for every message for every single user.

You're confusing modern BBM with legacy BBM on BIS devices over carrier data only.

It was only in that scenario (and continues today) where BBM uses the "global scrambling key".

Otherwise even on BIS devices when used over WiFi, or on ANY BB10 version of BBM using any transport, or ANY Android/iOS/WinPhone version of BBM using any transport, it uses standard assymetric public-key/Diffie-Hellman TLS transport encryption.

They keep the old method basically so old BIS BlackBerries can still use BBM on the modern network.

[Omnitech]

I believe the reason BlackBerry / BBM gets the extra scrutiny is because of the hippocracy.

They make their claim on being the secure option, they make the 'most secure' phones, but then their baseline messenger is less secure than some of the alternatives. You don't actually get that extra security unless you cough up some extra $$ for it.

To me, it seems like basic human nature. If someone goes strutting around bragging they're the best XYZ available, and it turns out that they aren't (or there's some caveats and addendums), then of course people are going to call them out on it.

It needs to be pointed out that Amnesty International is an organization that was founded as an advocacy organization for political dissidents around the world.

As such, their primary concern is keeping private messaging traffic out of the hands of third-parties, INCLUDING the government, law-enforcement and the organization(s) that operate the communications and/or messaging network. This is reflected in their rating criteria, which focuses heavily on the end-to-end encryption element. (Also see my prior post: not having end-to-end encryption DOES NOT mean the whole world can see your messages. It DOES mean that the network operator - eg BlackBerry - *possibly* can. )

That said, there are a variety of aspects to what constitutes a "secure messenger". And while BBM indeed does not include end-to-end encryption capability in their free messaging product, a variety of other important aspects are good.

For example, while WhatsApp rates highly in their report due largely to its inclusion of end-to-end encryption, it also requires every user to divulge to the company and any correspondent your personal mobile phone number. That by itself would disqualify it for me. But to add insult to injury, WA is now owned by one of the most privacy-abusive companies on the planet - Facebook. AND, Facebook made a recent U-turn on prior assurances and decided they now want to suck all that WA personal data into the general Facebook dossier on every user. (Leading them into a fierce confrontation over that move with the governments of Germany and France, among others)

So in a nutshell, while Amnesty International makes a valid comparison, you need to place all of that into perspective. For some people it will be important, for others not so much.

[NAA1]

Hi all,
to be honest, to get the clear picture, it must be read not only the AI web-page which was here provided. There is the small link at the beginning of text on other page which leads to downloading PDF detailed report.
Finally I got the impression that this was made at least unprofessional and intransparent for end user, who is not prepared in these issues a bit deeper.
The second is that they described BBM features partially, and which are true for Apple/Android/Win OSs only. Despite of that the security notes BBM are placed in the open source, they wrote that BBRY didn't reply on their request and gets the lowest rank as there it is published.
All what they found about the security of BBM was TLS protocol. Only!
Finita La Comedia!

[app_Developer]

You're confusing modern BBM with legacy BBM on BIS devices over carrier data only.

It was only in that scenario (and continues today) where BBM uses the "global scrambling key".

Otherwise even on BIS devices when used over WiFi, or on ANY BB10 version of BBM using any transport, or ANY Android/iOS/WinPhone version of BBM using any transport, it uses standard assymetric public-key/Diffie-Hellman TLS transport encryption.

They keep the old method basically so old BIS BlackBerries can still use BBM on the modern network.

I think we're talking about two different layers of encryption. TLS isn't end to end from one user to another. The messages themselves are readable by BlackBerry (and Emtek now) as they are stored and relayed to the recipient over a different TLS session.

All other messaging services/apps also use TLS. The difference is the message content is itself also encrypted using a key known only to the sender and recipient. That prevents the service from reading the content as it is being stored or relayed.

[Omnitech]

I think we're talking about two different layers of encryption. TLS isn't end to end from one user to another. The messages themselves are readable by BlackBerry (and Emtek now) as they are stored and relayed to the recipient over a different TLS session.

Once upon a time, none of the common 'free' messaging apps and networks used encryption anywhere. This was true for apps like ICQ, YIM, MSN Messenger, AIM, etc.

BBM was one of the first to do something about that*, they have come to refer to that tactic as "scrambling". Basically it was a form of simple transport encryption (not data-at-rest encryption) that used a simple encryption key that was shared among all BBM devices. BlackBerry kept this key secret (in theory) but eventually the cat was out of the bag. This was during the heyday of BBOS and BIS.

When BB10 came out, the BB10 version of BBM encrypted ALL chats on the wire with TLS, except in specific scenarios. Specifically, communicating using carrier data (not WiFi, which maintained TLS over the WiFi link) to a device running BBOS. In such a case, the transport-layer reverted to 'scrambling' in order to allow the BB10 devices to communicate with the older generation devices.

All other messaging services/apps also use TLS.

The difference is the message content is itself also encrypted using a key known only to the sender and recipient. That prevents the service from reading the content as it is being stored or relayed.

What you are describing there in the second paragraph is referred to as "end-to-end encryption" and NOT all messaging clients/networks support this. (Though more and more do, these days.)

With BBM, the ONLY instance where that sort of encryption is used is if both sides of the connection are using what used to be called "BBM Protected" compatible clients (and at least one side is paying for this fee-based service), or what is now called "BBM Enterprise". Standard, free BBM clients do NOT use end-to-end encryption except in the scenario above. (Eg, you are communicating with someone who pays for the premium service. In this case you will get a notification at the beginning of the chat that the "protected" chat is being setup - basically the key exchange is taking place - and then afterwards it will inform you that you are in a BBM Protected chat, and the text color changes to indicate this.)



*(Another early exception was Skype - before Microsoft bought the company. Once Microsoft owned Skype, it built a backdoor into Skype encryption so they could provide government agencies access to communications upon legal request)