1. Mansoor2's Avatar
    Before I begin, let me just clarify that this entire post is about BBM for private usage and chats not BES/BBM Protected.

    So, I have been on a recent spree of analysing the security and privacy of mobile messaging apps and as has been pointed out before ( https://www.eff.org/secure-messaging-scorecard ), BBM does not fare well on the technical aspects at all. While some points of the aforementioned study are debatable, I don't think it can be debated that the lack of end-to-end encryption and the use of 'scrambling' to protect messages in transit are truly, glaringly, poor design choices as far as the protection of user data and privacy are concerned.

    Anyway, despite this I continued using BBM because I trust the BlackBerry name and well, because it works better than any other messaging app on my Passport *sigh*. However, today I decided to review the privacy policy for BBM (BlackBerry - BlackBerry.com Privacy Policy from Research In Motion (RIM) - US) and my goodness, it is probably the most vague and suspicious-looking privacy policy I have EVER come across, Facebook included! They give no definite answers to any of the significant questions. For example:

    1. How long are (non-deleted) messages stored on their servers? In what form?
    2. Are retracted/timed messages retained on their servers? For how long?
    3. Are deleted chats/conversations retained on their servers? For how long?
    4. How long are User details stored after an account is deleted? (Don't know if deletion is even possible actually)
    5. Are third party service providers given access to plain text messages/key+encrypted message?

    If someone can give me definitive answers to these questions, I would be very grateful. I recently convinced a bunch of my friends to shift to BBM citing its security and privacy protection as one of the main selling points but with these doubts, I have to, in good faith, advise them to shift to something else. And considering that BB World has no app for Threema or TextSecure, I guess I'll have to make do with Android ports (Before you say it, I know Telegram will soon unveil a BB app but Telegram's encryption scheme is Just.Not.Secure. { Crypto Fails ? Telegram's Cryptanalysis Contest })

    TL;DR: BBM privacy is shady. Please clarify above doubts to refute this claim.

    PS: I am a Computer Science Master's student at ETH Zurich; if there are other technical aspects that you think might save BBM's grace then please feel free to elaborate, I would love to hear even those aspects. Also, if someone can tell why the heck does BBM just scramble messages and not have proper end-to-end encryption when their main claim to fame is security, then that would be a major plus.
    12-13-14 05:38 PM
  2. Bla1ze's Avatar
    I am a Computer Science Master's student at ETH Zurich
    Curious why you're reading the US privacy policy then. I'm not sure it's any different though as I can't read the other languages.

    Privacy Policy
    12-13-14 06:52 PM
  3. Mansoor2's Avatar
    Curious why you're reading the US privacy policy then. I'm not sure it's any different though as I can't read the other languages.

    Privacy Policy
    They're just translations of the same. Verbatim.
    Last edited by Mansoor2; 12-13-14 at 10:44 PM.
    12-13-14 08:46 PM
  4. FrankIAm's Avatar
    Lol
    12-13-14 08:51 PM
  5. Mansoor2's Avatar
    Lol
    Helpful comment is helpful.
    12-13-14 11:07 PM
  6. Superdupont 2_0's Avatar
    BBM TERMS OF SERVICE


    (k) Storing of Messages. The contents of messages that have been delivered by the Services are not maintained or archived by us in the normal course of business. BBM messages are sent via data services to servers operated by or on behalf of us, and routed to the recipient(s), if the recipient(s) are online. Once a message has been delivered, it no longer resides on our servers. If the recipient(s) are not online, the undelivered message is held in servers operated by or on behalf of us until it can be delivered for up to thirty (30) days, after which the undelivered message will be deleted from our servers. The contents of any delivered messages reside directly on the sender's and recipient's devices unless deleted by those users, or by auto-delete features of the software used by such users.
    Notwithstanding the above, we may retain transactional details associated with the messages and devices (for example, date and time stamp information associated with successfully delivered messages and the devices involved in the messages), as well as any other information that we are legally compelled to collect.

    Posted via CB10
    Mansoor2 and gvs1341 like this.
    12-14-14 05:10 AM
  7. Mansoor2's Avatar
    BBM TERMS OF SERVICE


    (k) Storing of Messages. The contents of messages that have been delivered by the Services are not maintained or archived by us in the normal course of business. BBM messages are sent via data services to servers operated by or on behalf of us, and routed to the recipient(s), if the recipient(s) are online. Once a message has been delivered, it no longer resides on our servers. If the recipient(s) are not online, the undelivered message is held in servers operated by or on behalf of us until it can be delivered for up to thirty (30) days, after which the undelivered message will be deleted from our servers. The contents of any delivered messages reside directly on the sender's and recipient's devices unless deleted by those users, or by auto-delete features of the software used by such users.
    Notwithstanding the above, we may retain transactional details associated with the messages and devices (for example, date and time stamp information associated with successfully delivered messages and the devices involved in the messages), as well as any other information that we are legally compelled to collect.

    Posted via CB10
    Thanks for pointing that out, but what I don't understand is that if they really do delete all messages then how do they accomplish this :

    18.USER DATA

    In addition to any disclosures authorized by Section 17, You and Your Users consent and agree that the BlackBerry Group of Companies may access, preserve, and disclose Your or Your Users' data, including personal information, contents of Your communication, or information about the use of the Services functionality and the services or software and hardware utilized in conjunction with the Services where available to us ("User Data"), to third parties, including foreign or domestic government entities, without providing notice to You in order to: (i) comply with legal process or enforceable governmental request, or as otherwise required by law; (ii) cooperate with third parties in investigating acts in violation of this Agreement; or (iii) cooperate with system administrators at Service providers, networks or computing facilities in order to enforce this Agreement. You warrant that You have obtained all consents necessary under applicable law from Your Users to disclose User Data to the BlackBerry Group of Companies and for the BlackBerry Group of Companies to Process such User Data as described above.

    ?
    12-14-14 07:14 AM
  8. Mansoor2's Avatar
    Also what does 'legally compelled to store' imply? For example, in India, they are required by law to divulge EVERY conversation in readable format to the government (and you thought PRISM and the NSA were bad). Link: http://www.dailymail.co.uk/indiahome...r-service.html
    So doesn't this essentially nullify anything they said about deleting messages, at least as far as messages through servers and recipients in India are concerned?
    12-14-14 07:24 AM
  9. Superdupont 2_0's Avatar
    Also what does 'legally compelled to store' imply?
    I suggest you read your own post #7 carefully, because there it is described what "legally compelled" means.

    In my own words/understanding:
    As long as you are not a suspect in a crime case, NOBODY will analyse your bbm conversations.
    This also applies to India, only difference is that BlackBerry must store the data locally in India, which is a + for Indian consumers.

    You may find some background stories if you google "BlackBerry" and "mafia".

    PS: Every Internet Service Provider on earth does this (VPN providers, Internet Access Providers, E-Mail Hosters, etc etc...).


    Posted via CB10
    12-14-14 08:25 AM
  10. MobileMadness002's Avatar
    Also what does 'legally compelled to store' imply? For example, in India, they are required by law to divulge EVERY conversation in readable format to the government (and you thought PRISM and the NSA were bad). Link: No secrets on Blackberry: Security services to intercept data after government gets its way on messenger service | Daily Mail Online
    So doesn't this essentially nullify anything they said about deleting messages, at least as far as messages through servers and recipients in India are concerned?
    Your local governments or telecommunications departments should be able to explain their storage retention requirements.
    12-14-14 09:29 AM
  11. 1Criz's Avatar
    I would also like an explanation from BlackBerry which data are collected by api.mixpanel.com (as discovered in battery draining thread) and for what purpose.

    Posted via CB10
    12-14-14 12:06 PM
  12. MobileMadness002's Avatar
    I would also like an explanation from BlackBerry which data are collected by api.mixpanel.com (as discovered in battery draining thread) and for what purpose.

    Posted via CB10
    I can without hesitation advise they will not explain themselves here. Probably not even on their own support forums or through any support channels.

    Posted via CB10
    1Criz likes this.
    12-14-14 12:34 PM
  13. wehttam's Avatar
    I'm from the Caribbean. You may not know who I'm referring to, but there is this dancehall artist from Jamaica, Vybz Kartel, who was convicted along with two others, I believe based upon their BBM conversation amongst each other, conversation dating back to August 14th 2011. The information was retrieved from the telecommunications provider according to the report. So I'm really not certain who is really responsible... is it BlackBerry or is it the telecommunications company or both? The point I'm trying to make is msgs are being stored.
    12-14-14 03:32 PM
  14. Mansoor2's Avatar
    I'm from the Caribbean. You may not know who I'm referring to, but there is this dancehall artist from Jamaica, Vybz Kartel, who was convicted along with two others, I believe based upon their BBM conversation amongst each other, conversation dating back to August 14th 2011. The information was retrieved from the telecommunications provider according to the report. So I'm really not certain who is really responsible... is it BlackBerry or is it the telecommunications company or both? The point I'm trying to make is msgs are being stored.
    Exactly what I meant to say. The terms of use and privacy policy have contradictory clauses.
    12-15-14 09:45 AM
