Gallery

Does BlackBerry battle mark return of crypto wars?

Posted on 31 Aug 2010 at 12:00

Governments are demanding such access in the name of national security, saying terrorists could organise attacks or recruit members using secret missives.

Of course, this isn't the first time governments have wanted to access information and found reasons to justify the stance.

“In the 1990s, the reason was child protection, making sure people weren't sending abuse images," said Schneier. "This time it's about stopping terrorists and it's just bull. It's about getting access to data when they want to and using any excuse to justify it.”

While Middle East countries and India are being criticised because the move has privacy implications and could hamper political activism, other governments already probably have such access.

The UK and US have legal procedures in place to force communications companies to reveal data, and RIM insists that it will only give up communications details in emerging markets where requests similarly comply with due legal process.

If the FBI have a word with BlackBerry, it is hard to assume they wouldn't get access to those emails

“The big difference here is that if the FBI go to the Canadian secret service and they have a word with RIM, it is hard to assume they wouldn't get access to those emails,” said Richard Clayton, a security expert at the University of Cambridge Computer Laboratory.

“It's only a guess that they actually do this, but there is certainly a legal framework. The difference is that the government of India may not get on so well with the Canadians.” This explains why both India and the Saudis were so keen on having communications servers hosted on their soil.

Not just BlackBerry

Although RIM has taken the brunt of criticism, India has also said it plans to look at other services, including webmail with encryption. Saudi Arabia, on the other hand, has so far targeted only RIM's services.

One reason that RIM has taken centre stage, according to experts, is that it may be easier for governments to snoop on webmail than we might imagine.

Although webmail is encrypted, it can be subject to a sophisticated man-in-the-middle attack which would be within the capabilities of professional snoopers.

“A government could arrange to send your traffic through a proxy server,” said Clayton. “You could relay all the webmail traffic through your own proxy server and then you would get to see all the traffic, including their password, so the next time you wouldn't need to use a proxy.”

According to Clayton, although there are tell-tale signs of such subterfuge – such as the url prefix changing from https to http - most people wouldn't notice it.

And if we enter the world of conspiracy theory, there is a commonly-held view that security officials could eliminate these tell-tale signs by employing a fake SSL certificate to mimic a secure connection.

That governments might exploit this weakness was first outlined in a security paper by Christopher Soghoian and Sid Stamm entitled Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL.

The report, endorsed by the Electronic Frontier Foundation, claimed a company called Packet Forensics was selling hardware enabling governments to fake a secure connection.

"You could provide https connections by getting a certificate for the
webmail provider and putting it onto the proxy," said Clayton. "You'd go to a certification authority and ask it to provide a certificate."

"There are 60 or more CAs in your browser, and getting any of them to sign the certificate would work - and one CA is widely believed to be under the control of the government of China, and one is run by the government of Turkey..."

Demanding the keys

Although the current storm involves communications data, the crux of the matter is about data stored on hard drives. But what happens if security officials know they want to read data in an encrypted file but don't have a key to unlock the documents?

To get access in such cases, Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force in 2007, allowing police to demand encryption keys or a readable transcript of encrypted text.

Anyone refusing to do so can be jailed, for either two years in civil cases or five years if national security is at stake.

There are two problems with this. The first is that any such system is open to abuse. Among the first suspects asked to hand over such data was an animal-rights activist - just the sort of political protagonist that the West has been complaining might be targeted by Saudi Arabia's demands for access to communications, supposedly to fight terrorism.

The second problem, as one security official told us, is that if giving the police the codes proves you are guilty of crimes such as paedophilia or terrorism, the owners of the data would be better off withholding the information. Because of this, authorities would prefer to access encrypted data via their own means.

Ending the war with shopping

The one thing that might smooth the path of encryption in countries such as Saudi Arabia and India is the same thing that finally appeased US officials during the last war - commerce.

Safe networks and secure secure data centres are essential ingredients in global commerce, which all governments embrace. They will all find a way of accessing data if they really need to, but it is hard to imagine that Saudi Arabia, which relies so much on outside trade, would actually enforce measures that upset its biggest business partners.

The pragmatic stance taken by Gulf neighbour Bahrain, for example, highlights the need for communications being greater then the need for security. “There are many other ways for the criminals or terrorists to communicate, so we decided we might as well live with it,” foreign minister Sheik Khaled bin Ahmed Al Khalifa said regarding RIM. “We really kind of lose a lot of communication freedom just for the sake of dealing with one matter.”

Because of this, communication might remain free and essentially secure in the short term, but if governments really want to know what an individual is saying, they have ways to get what they want.

Author: Stewart Mitchell