BlackBerry’s CEO made the company’s stance on lawful access requests clear this week and is defending actions to provide Canadian law enforcement with what it needed to decrypt communications between devices.
The company’s CEO John Chen penned a statement on Monday, reiterating that one of BlackBerry’s core principles is customer privacy but also acknowledged that BlackBerry stood by its “lawful access principles” in a recently publicized criminal investigation where it was alleged that BlackBerry assisted law enforcement in retrieving data from a phone.
“We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access requests,” Chen said. Then, in a thinly veiled jab at Apple, Chen added, “I have stated before that we are indeed in a dark place when companies put their reputations above the greater good.” Speculation around the inner workings of the case, which deals with a mafia-related murder in Montreal, has intensified over the last week following a Vice report on Thursday. According to the news outlet, the Royal Canadian Mounted Police (RCMP) – the country’s federal police force – successfully intercepted and decrypted over one million BlackBerry messages relating to the case between 2010 and 2012.
Reporters combed through thousands of court documents that strongly suggest that both BlackBerry and Rogers, a Canadian communications company, cooperated with law enforcement to do so. Particularly telling was a reference in the documents to a “decryption key” that deals with “BlackBerry interception.”
The RCMP oversees a server in Ottawa that “simulates a mobile device that receives a message intended for [the rightful recipient]” according to court filings. In another document, an affidavit, RCMP Sergeant Patrick Boismenu said the server is referred to by the RCMP as a “BlackBerry interception and processing system,” and that it “performs the decryption of the message using the appropriate decryption key.”
BlackBerry has long used a global encryption key – a PIN that it uses to decrypt messages – for its consumer devices.
It’s unclear how exactly the RCMP secured access to a BlackBerry decryption key, or for that matter if it still has the key, but BlackBerry “facilitated the interception process,” according to RCMP inspector Mark Flynn, who testified in a transcript.
Defense lawyers believe the technology the RCMP is using to target BlackBerry devices mimics a cell phone tower and can be manipulated to intercept devices and forward information to police. Largely known as Stingray tracking devices or International Mobile Subscriber Identity (IMSI) catchers, the RCMP refers to the devices as “mobile device identifiers” or “MDIs.” The Globe and Mail did a deep dive on the technology on Monday, noting the technology has been in use in Canada since 2011 and is capable of knocking people calling 911 offline.
If the RCMP is still in possession of the global key, it’s likely that Mounties could still use it to decrypt PIN-to-PIN communications on consumer devices.
While Chen didn’t get into specifics around his company’s move, he lauded it on Monday.
“Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles,” Chen wrote, further likening it to doing the right thing in a difficult situation and boasting that it helped lead to a “major criminal organization being dismantled.”
Conversely, privacy experts questioned Chen’s statement and pondered whether it could signal the beginning of the end for the company.
“I think Chen is traveling down a very dangerous path here,” Richard Morochove, a computer forensics investigator with Toronto-based computer consulting firm Morochove & Associates said Tuesday on Canada’s Business News Network, “With this announcement he’s just pounded a big nail into BlackBerry’s coffin.”
BlackBerry uses a global key for its consumer devices, but Chen insists that the company’s BlackBerry Enterprise Server (BES) was not involved in the case and that messages sent from corporate BlackBerry phones cannot be decrypted.
“Our BES continues to be impenetrable – also without the ability for backdoor access – and is the most secure mobile platform for managing all mobile devices,” Chen wrote.
While that means that many of the company’s higher end clientele, government workers and corporations, are protected, any consumers who own BlackBerry devices may have been open, or could still be open to spying by the Canadian police.
Chen’s position of course marks a stark delineation between BlackBerry and Apple, another company that’s been waging its own battle with the government over granting access to customer information.
While Apple refused to break its own crypto to let the FBI bypass the iPhone’s encryption, it sounds like all law enforcement has to do to break into a BlackBerry is ask.