RIM – Customer Update – August 12, 2010
Here is an interesting press release from RIM regarding its security and agreements with security risk nations …
In response to the statement published today by the Government of India, and further to RIM’s Customer Update dated August 2, RIM wishes to provide this additional information to its customers. Although RIM cannot disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it genuinely tries to be as cooperative as possible with governments in the spirit of supporting legal and national security requirements, while also preserving the lawful needs of citizens and corporations. RIM has drawn a firm line by insisting that any capabilities it provides to carriers for “lawful” access purposes be limited by four main principles:
1. The carriers’ capabilities be limited to the strict context of lawful access and national security requirements as governed by the country’s judicial oversight and rules of law.
2. The carriers’ capabilities must be technology and vendor neutral, allowing no greater access to BlackBerry consumer services than the carriers and regulators already impose on RIM’s competitors and other similar communications technology companies.
3. No changes to the security architecture for BlackBerry Enterprise Server customers since, contrary to any rumors, the security architecture is the same around the world and RIM truly has no ability to provide its customers’ encryption keys. Also driving RIM’s position is the fact that strong encryption is a fundamental commercial requirement for any country to attract and maintain international business anyway and similarly strong encryption is currently used pervasively in traditional VPNs on both wired and wireless networks in order to protect corporate and government communications.
4. RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.
This almost seems somewhat a sleight of hand with a previous announcement just days before:
August 2, 2010
Dear Valued BlackBerry Customer:
Due to recent media reports, Research In Motion (RIM) recognizes that some customers are curious about the discussions that occur between RIM and certain governments regarding the use of encryption in BlackBerry products. RIM also understands that the confidential nature of these discussions has consequently given rise to speculation and misinterpretation. RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.
Many public facts about the BlackBerry Enterprise Server security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, should help our customers maintain confidence about the security of their information.
• RIM operates in over 175 countries today and provides a security architecture that is widely accepted by security conscious customers and governments around the world.
• Governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.
• The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is a mandatory requirement for all enterprise-class wireless email services.
• The use of strong encryption in information technology is not limited to the wireless industry. Strong encryption is used pervasively on the Internet to protect the confidentiality of personal and corporate information.
• Strong encryption is a fundamental requirement for a wide variety of technology products that enable businesses to operate and compete, both domestically and internationally.
• The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data.
• The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.
• The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.
• The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography. The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted).
State your thoughts everybody.