[needforbbx]

NEW DELHI: The country's law enforcement agencies will soon be able to track e-mail as well as e-mail attachments on a real time basis over BlackBerry devices, check whether chats sent over the popular BlackBerry Messenger (BBM) have been 'delivered' or 'read', and intercept web-browsing facilities on these devices, bringing to an end a long standing dispute between the government and the Canadian smart phone-maker over interception of communication on its devices.

An internal document of the Department of Telecommunications (DoT), a copy of which was reviewed by ET said, "Baring a few minor points for improvement of viewers, the lawful interception system for BlackBerry Services is ready for use."

But the government appears to have dropped its demand for accessing BlackBerry's corporate e-mail service rendered through the BlackBerry Enterprise Server. The law enforcement agencies, it seems are content simply with the identity of the corporates using the service.

A Blackberry spokesperson said the company had delivered a solution that enabled India's wireless carriers to address their lawful access requirements for its consumer messaging services, which include BlackBerry Messenger (BBM) and BlackBerry Internet Service (BIS) email. "The lawful access capability now available to BlackBerry's carrier partners meets the standard required by the Government of India for all consumer messaging services offered in the Indian marketplace. We also wish to underscore, once again, that this enablement of lawful access does not extend to BlackBerry Enterprise Server," said the spokesperson.

The DoT internal note said nine of 10 telecom service providers providing BlackBerry services were in the process of deploying interception solution.

Government officials from the DoT and IB were present when Blackberry demonstrated interception capabilities services on June 12 over Vodafone's network in Mumbai. This follows the first round of tests conducted last year in December, under which BlackBerry had first demonstrated interception solution. But interception of web-browsing facilities was not in readable format and the government had made more demands on tracking BBMs and e-mails.

Satisfied with the interception facilities, the government will soon sign an agreement with RIM and acquire the company's monitoring architecture installed at Mumbai. RIM had set up servers and other interception facilities in 2011 after India threatened to shut down BlackBerry services if the company didn't establish one. As part of the agreement to be signed between the government and RIM, the company will also train government officials at its Ontario facility to handle the technical architecture, operation and maintenance of the monitoring facility. It has offered to train up to five officials.

Three telecom service providers including BSNL, MTNLBSE 1.42 % and the Russian telecom operator Sistema-controlled Sistema Shyam Teleservices are yet to put a 'lawful interception system' in place. While MTNL is likely to meet the requirement by July and BSNL by September, SSTL is the only operator to not have communicated any deadline.

http://economictimes.indiatimes.com/...w/20995830.cms

[z10fido]

I guess security isn't a big deal when you hand someone the keys to the vault

Posted via CB10

[ssbtech]

Indian customers will all be switching to iPhones with their end-to-end encryption over iMessage.

[kevinnugent]

You mean iMessage is more secure than BBM?

[anon62607]

You mean iMessage is more secure than BBM?

iMessage is encrypted from device to apple server, decrypted there then encrypted to a different key associated with the device being delivered to.

Edit: the above statement appears to be an error. I posted a followup comment to myself about this.

in that way it is more secure, though with both BlackBerry Messenger and iMessage if Blackberry or apple cooperate the plaintext of the messages can be easily recovered.

it's not end to end encryption, which would be the message being encrypted on the source device and not then decrypted until it reaches the target decide, AND no one holds the keys to decrypt except the source and destination devices.

[STV0726]

BES > all others for security

And unless Apple found some dirty loophole use of iPhone in India with Indian carriers should require the same compliance to their government standards.

~STV on Z10STL100-3/10.1.0.2025 TMO US

[anon62607]

BES > all others for security

And unless Apple found some dirty loophole use of iPhone in India with Indian carriers should require the same compliance to their government standards.

~STV on Z10STL100-3/10.1.0.2025 TMO US

BES is not end to end encrypted either, the messages exist on the server plaintext. there are various examples (including on blackberry) of messaging and email systems that are more secure than BES. you can send SMIME messages that are encrypted with a pre shared key but then you have the problem of sharing the key (or secret) beforehand.

[timmy t]

Funny how the Indian government demanded BBRY set up this system for them and then wants BBRY to pay for the travel and lodging of the Indian government employees who are taking the training in Canada.

[Sith_Apprentice]

BES is not end to end encrypted either, the messages exist on the server plaintext. there are various examples (including on blackberry) of messaging and email systems that are more secure than BES. you can send SMIME messages that are encrypted with a pre shared key but then you have the problem of sharing the key (or secret) beforehand.

BES is END to END according to BlackBerry.
By this, they mean it is encrypted (AES256 or 3DES) from BES > Internet > NOC > Wireless Carrier > Device. Your mail server is the weak spot. You can ALSO use SMIME or PGP on top of this but that adds an ADDITIONAL layer of encryption.


As for the comment about handing the keys.... BlackBerry is complying with lawful requests, if they did not, they would not be allowed to do business in the country. Why people complain about companies complying with lawful requests is beyond me. You dont like it, find a way to change the laws.

[Bluenoser63]

BES > all others for security

And unless Apple found some dirty loophole use of iPhone in India with Indian carriers should require the same compliance to their government standards.

~STV on Z10STL100-3/10.1.0.2025 TMO US

They have to go to Apple. As Apple stores a record of all iMessage texts.

DEA Accused Of Leaking Misleading Info Falsely Implying That It Can't Read Apple iMessages | Techdirt

[serbanescu]

The problem is everyone will follow suit and a significant competitive advantage BlackBerry has in some less than democratic countries (secure comunications services for individuals) will be lost - and that will happen in these hard times for the company.

--------------------

Calorie Monitor Pro for Z10, Q10, Q5 and PlayBook

[Sith_Apprentice]

The problem is everyone will follow suit and a significant competitive advantage BlackBerry has in some less than democratic countries will be lost - while that competitive advantage provided by secure comunications services for individuals was badly needed in these hard times.

--------------------

Calorie Monitor Pro for Z10, Q10, Q5 and PlayBook

Lawful access is required already, and this in no way affects BES (which is the secure component). Keep in mind BIS is NOT secure, and BBM (not on BES and encrypted to ONLY that BES) is also not considered "secure". All BBM are encrypted yes, but with the same key. This would not be something one should consider secure.

[anon62607]

BES is END to END according to BlackBerry.
By this, they mean it is encrypted (AES256 or 3DES) from BES > Internet > NOC > Wireless Carrier > Device. Your mail server is the weak spot. You can ALSO use SMIME or PGP on top of this but that adds an ADDITIONAL layer of encryption.


As for the comment about handing the keys.... BlackBerry is complying with lawful requests, if they did not, they would not be allowed to do business in the country. Why people complain about companies complying with lawful requests is beyond me. You dont like it, find a way to change the laws.

end to end means that the message does not exist in plaintext form except on the source device and the target device. if you as a BES user send a message to another BES user, the message is in plaintext form at the BES server.

[ssbtech]

According to Apple's statement to ZDNet:

Apple said iMessage and FaceTime conversations were protected by end-to-end encryption so no-one but the sender and receiver could see or read them. "Apple cannot decrypt that data. Similarly, we do not store data related to customers' location, Map searches or Siri requests in any identifiable form."

Source: Apple: iMessage and Facetime are encrypted so we can't hand over info | ZDNet

It's pretty clear to me that once iMessage detects it's sending a message to another iMessage client, it can easily negotiate an encryption key specific to that connection. BlackBerry has set up BBM so that messages are decrypted in transit and that opens them up to lawful access requests. Now Apple may face the same dilemma down the road, but I think the eavesdropping would have to be more obvious with iMessage.

[ssbtech]

end to end means that the message does not exist in plaintext form except on the source device and the target device. if you as a BES user send a message to another BES user, the message is in plaintext form at the BES server.

While it may sit on the BES server in plain text, the one advantage that BES has is that the encryption keys are private. So unless companies running their own BES servers hand over keys to the government, BES is more secure than BIS/BBM.

[Sith_Apprentice]

end to end means that the message does not exist in plaintext form except on the source device and the target device. if you as a BES user send a message to another BES user, the message is in plaintext form at the BES server.

The BES is the target (since it gives the message to the mail server). Between BES and Device is entirely encrypted, with the encryption either done on the device or the BES.

Handheld (encrypts) > mobile network > NOC > Internet > BES (decrypts)
Process flow: Sending a message from a BlackBerry device

[anon62607]

The BES is the target (since it gives the message to the mail server). Between BES and Device is entirely encrypted, with the encryption either done on the device or the BES.

Handheld (encrypts) > mobile network > NOC > Internet > BES (decrypts)
Process flow: Sending a message from a BlackBerry device

by that definition, even gmail is end to end encrypted as the message is transmitted via SSL to the handset.

[hornlovah]

This PDF document should help clear things up for you valeuche, please refer to pages 22-24:

To encrypt data that is in transit between the BlackBerry Device Service and devices in your organization, the BlackBerry Device Service and devices use BlackBerry transport layer encryption. BlackBerry transport layer encryption is designed to encrypt data in transit over the BlackBerry Infrastructure.

Before the BlackBerry Device Service and devices send data to each other, they compress the data, encrypt the data using message keys, and encrypt the message keys using the device transport key. When the BlackBerry Device Service and devices receive data from each other, they decrypt the message keys using the device transport key, decrypt the data, and then decompress the data.

The BlackBerry Device Service and devices use AES-256 in CBC mode as the symmetric algorithm for BlackBerry transport
layer encryption.

Source: BlackBerry Enterprise Service 10
BlackBerry Device Service Solution
Version: 6.2

[anon62607]

This PDF document should help clear things up for you valeuche, please refer to pages 22-24:


Source: BlackBerry Enterprise Service 10
BlackBerry Device Service Solution
Version: 6.2

that's fine, but traditionally end to end encryption means encryption on the device writing the message and not decrypted until it is received at the device of the reader. if it is decrypted at any point between those two endpoints, it is not end to end as the term is regularly used.

[Sith_Apprentice]

that's fine, but traditionally end to end encryption means encryption on the device writing the message and not decrypted until it is received at the device of the reader. if it is decrypted at any point between those two endpoints, it is not end to end as the term is regularly used.

Traditionally, I would agree with you, but mobile is anything but. At some point it will have to be decrypted (BES, FixMo, Good, etc) on the server, because it needs to be moved to the mail server / mailbox from there.

And even if you look at VPN traffic, it is end to end in terms of your start point to your company/agency's network, from there the traffic may or may not be encrypted (and likely isnt across your internal network).

[hornlovah]

that's fine, but traditionally end to end encryption means encryption on the device writing the message and not decrypted until it is received at the device of the reader. if it is decrypted at any point between those two endpoints, it is not end to end as the term is regularly used.

Obviously, the BES server is another attack vector, but as Sith pointed out, it is also a target (destination). I don't agree with your definition of end-to-end encryption. Look at another (from Wikipedia):

End-to-end encryption*(E2EE) is an uninterrupted protection of the confidentiality and integrity of transmitted data by encoding it at its starting point and decoding it at its destination. It involves encrypting clear (red) data at source with knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through vulnerable channels (e.g. public networks) to its recipient where it can be decrypted (assuming the destination shares the necessary key-variables and algorithms).

[STV0726]

The thing I still don't get here is why would they flee to Apple products when surely they must be forced to comply with the same laws?

~STV on Z10STL100-3/10.1.0.2025 TMO US

[CrackedBarry]

Funny how the Indian government demanded BBRY set up this system for them and then wants BBRY to pay for the travel and lodging of the Indian government employees who are taking the training in Canada.

Considering how corrupt Indian society and government is, it's not exactly coming as a surprise, is it? Getting freebies and/or having somebody else pay the bill is close to a national sport.

Gotta say though, that it can't be coincidental that this latest development comes when BBs marketshare in India is falling like a rock. BB aren't exactly negotiating from a position of strength right now.

At the same time, having BB surveillance capabilities isn't as useful as it used to be. As I recall, the latest marketshare figures from India, has BBRY drooping 8% to around 10 percent.

[anon62607]

Obviously, the BES server is another attack vector, but as Sith pointed out, it is also a target (destination). I don't agree with your definition of end-to-end encryption. Look at another (from Wikipedia):

that definition agrees with mine. if I have the secret and I want to tell you and send you that message over BES, it exists in plaintext form somewhere between me and you. this it is not end to end.

[Sith_Apprentice]

that definition agrees with mine. if I have the secret and I want to tell you and send you that message over BES, it exists in plaintext form somewhere between me and you. this it is not end to end.

It depends on your definition of end points. The endpoint is the BES and the origin is the device. It is a completely seperate path to go from BES to another device (where it is again end to end encrypted).