Indian Government “give us access to all email!”, RIM “I’m sorry we can’t do that, would you like some text messages?”

Image representing Research In Motion as depic...

Image via CrunchBase

I have expressed concern in the past with RIMs position that it would explore providing access to communications between it’s devices in some countries.  My concern had usually stemmed from the fact that RIM has a proprietary encryption system and has sold itself to the business community as being the most secure communication medium for cellular devices.

As China, India, and Germany have pushed RIM and demanded access to their communications in order to continue to operate in their regions, I’ve waited to see what the ultimate outcome of this standoff would be.  Would RIM hold it’s line on securing it’s platform and risk loosing the ability to do business in those countries or would it cave to the demands of these governments (and in my opinion risk loosing much more business in many other countries).

Well it appears the answer is BOTH!  Fortunately the communications that go through RIMs network and their communication servers (the BES) will not be opened to these parties.  However RIM has offered that it can, and will provide Blackberry Messenger communications, if the proper local legal procedures have been followed to request those messages.

So what does that mean?

Emails and communications that use RIMs Enterprise services (i.e. the Blackberry Enterprise Server services) remain encrypted with the proprietary encryption and will not be accessible.  These communication services are dependant on the BES server being in place and sending and receiving communications.

What is available is the Blackberry Messenger service which utilizes PIN messaging.  What the key difference is that this is nothing more than a fancy interface into SMS messages that traverse the carriers secondary cellular channel and can provide messages directly from device to device without the need of a BES server.  Because this avoids the enterprise server (and the logging capabilities of the server) many users prefer this method of communication as they know their employer is not able to see/log the messages they send each other (without physically having the device).

Will the Indian gov’t accept this as meeting their initial request?  No, not likely.  However it was a pretty good concession by RIM to provide something without completely jeopardizing their ability to provide service in these regions.  I applaud RIM for not conceding and providing access to their encryption scheme.  I hope they can hold the line on this one…

Related Articles

Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????

Here: http://www.spylogic.net/2010/02/facebook-spam-on-blackberry-devices/

Thanks to the guys that really spend a lot of time reviewing social media stuff (specially Tom Eston and Kevin Johnson), they have noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for Blackberry application.

What makes this troublesome from an information protection standpoint is that, the Facebook application is actively scanning your email inbox.  In the case of many, many Blackberry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to facebook.com) I’m sure you all read the EULA when you installed the app right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, you have full access to contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologizes, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry.  Uninstall it.  NOW! Do not finish reading this post, uninstall the app and come back to finish the post.

To RIM:

I trust (which is always a bad thing) when you provide a singed application that you have performed a review of how the application performs on your device and that it doesn’t do anything we don’t expect.  Like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing) why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the FaceBook site should be alarming enough.  But worse yet, it seems that turning all these off during the setup did not affect a SPAM’ers ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May2010)

It appears that RIM may be slightly ad odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FASLE by default.  Which is what I would expect those settings to be. It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible to BES 4.x installs, so everyone has the opportunity to enable this policy.