RIM Resisting Saudi Demand to Break BlackBerry Encryption

By Wayne Rash  |  Posted 2010-08-04

RIM Resisting Saudi Demand to Break BlackBerry Encryption

BlackBerry maker Research In Motion had last ditch talks with the government of Saudi Arabia today in an effort to forestall an order to shut down parts of the BlackBerry wireless service, particularly its text messaging. But at this point, neither side has given an inch.

In fact, RIM has sent a letter to its customers in regions affected by threatened shutdowns saying that the company "assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution."

In a separate statement provided to eWEEK by RIM, the company said, "The BlackBerry enterprise solution was designed to preclude RIM or any third party from reading encrypted information under any circumstances." In its statement to eWEEK, the company pointed out that its encryption method requires that the user create the key, and that neither RIM nor any carrier ever has possession of it. Because of this, it's impossible for RIM to open up the encryption for the convenience of the Saudi government or anyone else.

Meanwhile, in its letter to its owners, RIM said that governments have the resources at their disposal to gather this information without requiring it from RIM. The Saudi government, as is the case with authoritarian regimes everywhere, is unhappy about this, claiming that people might commit crimes using their BlackBerrys. This is similar to concerns expressed by the governments of India, Indonesia and Dubai.

The Saudi government, in a statement released to eWEEK by the embassy press office here in Washington, casts the problem as a licensing issue. The statement notes that the government's Communications and Information Technology Commission notified carriers in the country that RIM was not in compliance with its regulations a year ago. Now, according to the statement, the government has requested the three carriers of BlackBerry devices block those services by Aug. 7.

The Saudi Press Agency is quoting CITC as saying, "It's keen on prompting telecom companies to provide the latest communication services in conformity with license requirements." Those license requirements include allowing the Saudi government to monitor the content of all communications, including by providing keys to encryption, something that RIM says it is unable to do.

RIM's position is that its commercial customers depend on strong encryption and that RIM plans to deliver it. As the company points out, RIM's security is strong enough that it's a preferred choice for a vast number of enterprises and governments, including the government of Saudi Arabia. Leaving aside for a moment the question of whether the government itself is prepared to let its own communications be unencrypted, the first questions that come to mind is why these governments are so willing to alienate Western businesses that depend on the confidentiality of their communications.

Saudi Arabia Poised to Punish the Messenger

In the case of Saudi Arabia, the answer is probably that it doesn't care. Remember, this is a government that some regard as, as totalitarian as North Korea, and has approximately the same regard for human rights, except that North Korea doesn't single out its women for slavelike status. Remember also that this is a government that willingly allowed a school full of young girls to burn to death rather than let them seek safety without having male relatives to escort them. Human rights are clearly not a priority in Saudi Arabia.

The real fear by the Saudi government is almost certainly that human rights advocates might be able to communicate with each other. This is, of course, a huge risk, since the free flow of information is the enemy of despots everywhere.

The situation in Dubai makes less sense. Here's a nation that's been seeking Western investment. It's been trying to make itself seem to be the commercial hub of the Middle East. But now, it wants to compromise the commercial activities of the companies it wants to attract. By doing this, it gives those companies one more reason to find some other place to do business.

And this isn't just because Western businesses want to keep secrets. The fact is that they're required by their governments to keep information protected, regardless of the desires of the governments that they may travel through. If you're traveling through one of these countries, do you think your compliance auditors are going to accept the Saudi government's paranoia as an excuse for a security breach?

But realistically, this may not actually come to pass. There are millions of BlackBerry users in each of these countries, and despite the total disregard for the rights of their citizens, the Saudi government is probably not in a position to say no to all those business users who will go elsewhere if forced to do so by the government.

The same is even truer in Dubai, which is desperate to attract business, especially given the worry caused by the government's huge debt. That government has to choose whether to simply give up on attracting Western companies or think of some other way to satisfy its cultural worries. On the other hand, Dubai has given RIM until October to come up with a solution. It's entirely possible that the problem will quietly slip out of sight in the meantime.

RIM, unfortunately, is learning the truth about a saying that is frequently heard here in Washington: No good deed goes unpunished. RIM's good deed was making its devices as secure as its customers needed them to be. Now the company is being punished for doing its job too well.

Rocket Fuel