Does BlackBerry battle mark return of crypto wars?
Posted on 31 Aug 2010 at 12:00
Can Governments get their hands on encrypted email data? Stewart Mitchell investigates
Cryptology scares the life out of governments around the world. During the first “crypto wars” - waged in the US during the 1990s - civil liberty and business communities fought to ensure citizens could use advanced privacy tools to protect communications.
At the time, the US still banned the export of encryption techniques and, up until 1992, cryptography remained on the US Munitions List as an Auxiliary Military Technology.
The introduction of Phil Zimmermann's PGP system in 1991, and the 128-bit encryption used in SSL communications for credit-card transactions over the web, changed the landscape and we now take encryption for granted.
Yet here we are again. Saudi Arabia, India, and a raft of other states are demanding that BlackBerry-maker Research in Motion gives them access to communication data stored on its servers and insisting the company places those servers on their sovereign soil.
India has reportedly even asked for encryption keys that would allow security forces to look at the messages in the corporate end-to-end systems using BlackBerry Enterprise Servers.
“Perhaps this is a return to the encryption wars of the 1990s,” said Professor Whitfield Diffie, of the Information Security Group at Royal Holloway University, London. “I never thought those wars would stay won.”
That round of the war ended with victories on each side. “In the 1990s, the battle took the form of the US Government's attempt to get back control of all of cryptography and establish the principle that it had the right to read any communication,” said Diffie.
“In the US, it dropped the former without having to concede the latter. With the Communications Assistance for Law Enforcement Act, it won a much bigger victory over the right to access than anything it lost on the crypto front.
“In the UK, the Government has won a major victory with regard to access through RIPA,” he said, referencing the Regulation of Investigatory Powers Act, which lets authorities access email and browser logs.
So although cryptography is widely available, most countries have procedures in place to access data when it is static, providing the servers are on their own soil.
Sitting on servers
“This shows we got it very wrong during the encryption wars,” said info guru and chief security technology officer at BT Bruce Schneier. “The attacks against privacy are not aimed at communications. It's about data that's sitting on servers – the real issue is about static data. No-one wants to eavesdrop on individual messages when there are thousands of them on the server.”
At this stage it is very hard to say exactly what deal RIM has done with India and Saudi Arabia, but it seems likely that both countries have won their battles to host servers for BlackBerry communications on their own soil, thus giving them physical access to the servers and potentially the messages stored within them.
“RIM makes a lot of noise about its security, but this is about access to servers, and security forces could access the information on those servers,” said Schneier. “If you send an email from a PC it goes via an ISP in the clear and gets to RIM. RIM encrypts it, so RIM could certainly access the plain text.”
RIM's BlackBerry Enterprise Server would present a different challenge, because it is an end-to-end system.
The third problem with legislation like RIPA would be if I was to secretly hide a large encrypted file on your PC with a name like "kiddie porn.pgp" and then inform the police. They raid you, examine your PC and demand the decrypt passphrase. You obviously don't have it and so promptly get thrown in the slammer.
By markvr on 31 Aug 2010

