BlackBerry CEO Promises To Try To Break Customers' Encryption If The US Gov't Asks Him To
from the I-got-you dept
The DOJ's reps -- along with the new FBI boss -- keep making noises about device encryption. They don't like it. What they want is some hybrid unicorn called "responsible encryption," which would keep bad guys out but let law enforcement in. The government has no idea how this is supposed to be accomplished, but it has decided to leave that up to the smart guys at tech companies. After all, tech companies are only in it for the money. The government, however, answers to a higher calling: public safety -- a form of safety that apparently has room for an increase in criminal activity and nefarious hacking.
There's one cellphone company that's been conspicuously absent from these discussions. A lot of that conspicuous absence has to do with its conspicuous absence from the cellphone marketplace. Pretty much relegated to governments and enterprise users, Blackberry has been offering encrypted messaging for years. But it's been offering a different sort of encryption -- one it can remove if needed.
Enterprise users hold their own encryption keys but individual nobodies have their encryption keys held by Blackberry. Blackberry would likely be held up as the "responsible encryption" poster boy by the DOJ if only it held enough marketshare to make an appreciable difference. Instead, it's of limited use to the DOJ and FBI.
But that doesn't mean Blackberry isn't willing to submit multiple height bids whenever government says jump. Over the past couple of years, it has come to light Blackberry routinely decrypts messages for inquiring governments. Apparently, there's some sort of golden key law enforcement can use to access communications -- one multiple governments seem to have access to.
There are still some unanswered questions about enterprise accounts -- the ones Blackberry doesn't hold the keys to. This poses the same problem for law enforcement that other, more popular phones do. But rather than point out the problems with the government's demands for "responsible encryption," Blackberry has irresponsibly chosen to proclaim its willingness to hack into its own customers' devices if the government asks.
[CEO John] Chen, speaking at a press Q&A during the BlackBerry Security Summit in London on Tuesday, claimed that it wasn't so simple for BlackBerry to crack its own protections. "Only when the government gives us a court order we will start tracking it. Then the question is: how good is the encryption?
"Today's encryption has got to the point where it's rather difficult, even for ourselves, to break it, to break our own encryption... it's not an easily breakable thing. We will only attempt to do that if we have the right court order. The fact that we will honor the court order doesn't imply we could actually get it done."
Oddly, this came coupled with Chen's assertions its user protections were better than Apple's and its version of the Android operating system more secure than the one offered by competitors.
This proactive hacking offer may be pointed to in the future by DOJ and FBI officials as evidence Apple, et al aren't doing nearly enough to cooperate with US law enforcement. Of course, Chen's willingness to try doesn't guarantee the company will be able to decrypt communications of certain users. But I'm sure Chen's positive attitude will be used as leverage in talks with tech companies the DOJ clearly believes have added encryption to their devices solely as a middle finger to US law enforcement. This belief clearly isn't true, but the DOJ in particular has already show it's willing to be completely disingenuous when arguing for weakened encryption.
Finally, Blackberry may be opening up to law enforcement but it won't be sharing anything more with its remaining users.
Chen also said there were no plans for a transparency report that would reveal more about the company's work with government. "No one has really asked us for it. We don't really have a policy on whether we will do it or not. Just like every major technology company that deals with telecoms, we obviously have quite a number of requests around the world."
This seems a bit unfair. Blackberry will be offering more to the government and telling the public less. Then again, the general public is likely no more interested in a Blackberry transparency report than it is in Blackberry smartphones.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, encryption, john chen, privacy
Companies: blackberry
Reader Comments
Subscribe: RSS
View by: Time | Thread
Physical Analogs
If this data was held in a safe, and only the purchaser of the safe had the key, this would be the government asking Blackberry to break into another person's safe just because they want them to.
Blackberry has agreed to help them break into the safe. They hire a team of experts that could create a new key. The safe is opened, and everyone is happy.
...except this is a digital world instead. That 'experts' didn't just crack the one safe they were trying to get in; they literally cracked every safe Blackberry has ever made! With just a few kilobytes of data, this 'key creator' code can be stolen and used against any safe in existence.
In the world of computer science, this 'key creator' is quite literally an encryption vulnerability that now has been created and documented. It undermines the credibility of all encryption from Blackberry. So much for the 'more secure than Apple' statement after this occurs, because you are holding on to a vulnerability you refuse to patch.
Great job quite literally slitting your own throat, Blackberry. Because that is exactly what you signed up for.
[ link to this | view in thread ]
[ link to this | view in thread ]
If we recall the way it played out with Apple: they refused, then the FBI said they had found a way to hack the encryption anyway.
Not sure if my interpretation is correct. But if it is, which company's encryption seems more secure?
[ link to this | view in thread ]
Re:
But they *are* focusing on enterprise security software. So same accomplishment, different market.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Physical Analogs
I have never likes this oversimplification because on a technical level it is wrong.
Data still takes up physical space. This data is stored inside of an actual "physical" safe as well which requires a physical key to open too, just like the "traditional" safes we tend to think of when someone says "safe".
The only difference between these safes is how they operate for logically.
Both safes still use atomic particles to fully function. remove all electrons from both safes and they both literally fall apart!
But because humans are ignorant, fearful, and weak, we allow people to tell us what we can and cannot do with our property. This problem cannot be solved because too many humans want to control too many other humans... for their own good after all.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Responsible encryption
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Physical Analogs
Judging by his quote "The fact that we will honor the court order doesn't imply we could actually get it done," this may not be true. They might just run a brute force attack. Good way to get government funding for a supercomputer, if these agencies are dumb enough to ask (and if anyone other than those agencies was using Blackberries).
FBI: with some funding, I'll also try to crack encryption for you. I might run a few other jobs in the background... it takes way too long for me to compile Chromium, and I'll need to access fbi.gov for this job, right?
In this analogy, the throat had been slit years ago and there's little blood remaining.
[ link to this | view in thread ]
BB owns servers. Someone sends an email from their phones, it goes through a server owned by BB and then to the server of the company, assuming they have one. Same goes in reverse when email is sent to a user.
This allows BB to open the server and have access to mail as it comes through. They can hack it from there (assuming the servers can't already open them from within.)
Apple does not have their own servers. They would need to go to the phone or the company's email system
[ link to this | view in thread ]
Deployment vs encryption
With modern encryption algorithms there is no way to recover a private key unless the deployment of the encryption is flawed.
Any responsible company would have some experts employed specifically to try and find such flaws (and immediately correct them).
There is one thing that the tech companies could do on behalf of the government.
This would be to provide a spoofed (extra) public key for a user who has been targeted by a court order (just like an old fashioned wiretap). Thus any communicatiopn sent to the user would be readable because there would always be an extra copy encrypted with the government key.
This assumes that the tech company is managing the public keys. If the users do this themselves then it cannot be done.
It cannot decrypt communications sent prior to the court order.
It cannot decrypt communications sent only to other users.
It does not undermine the encryption scheme itself.
It does not satisfy what the government seems to want....
This would result in every communication
[ link to this | view in thread ]
Re: Deployment vs encryption
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Same as it ever was
[ link to this | view in thread ]
Re:
Enterprise users could run their own BlackBerry Enterprise Server and use their own keys without Blackberry having access. That includes small business and personal servers.
And of course you could still use your own standard encrypted-connection IMAP/SMTP servers.
[ link to this | view in thread ]
Who still uses blackberry?
[ link to this | view in thread ]
Re:
That would be a good statement, if better worded, but there's still the problem that we don't know what capability they have. They say they can't hack enterprise customers, but they use secret code and protocols, so how can we know? So when they say they'll comply, but they encryption is unbreakable, we don't really know non-crypto-based attacks they're offering. Maybe they'll sign a custom firmware just for the one phone, that sends the password to the FBI.
It would be a powerful statement if we actually knew the manufacturer had nothing better than bruteforce. Were I to design a phone, I'd make sure I'd have no access and no information about users, then offer to "comply" by giving the FBI the zero information I have about users. Still only with a valid warrant that I might contest anyway.
[ link to this | view in thread ]
Is this just a competitive position?
Blackberry went from owning the smartphone market to having a vanishingly tiny share. That is a trillion dollar screw-up. It puts them near the top of the worst business misses of all time.
With that perspective, it's understandable that the CEO would grasp at any straw that might cause a government to mandate them back into relevance.
[ link to this | view in thread ]
Re: Who still uses blackberry?
The last real Blackberry was the Priv, which ran Android. Since the Blackberry is just licencing the name to Chinese and Indonesian companies. They've shifted to enterprise security software.
[ link to this | view in thread ]
Do not trust
[ link to this | view in thread ]
Blackberry...
...didn't they used to be somebody?
[ link to this | view in thread ]
Re: Deployment vs encryption
So…a backdoor?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Deployment vs encryption
So…a backdoor?
Not a general backdoor - only a backdoor into communications to a particular user.
Not a compromise to the encryption algorithm either - only to a particular mode of deployment.
[ link to this | view in thread ]
Re: Deployment vs encryption
No, only future communication from people who do not question the appearance of a new key. This is a big problem for law enforcement (but great for us): they like to gather data in secret with gag orders etc., but this leaves a record. And depending on the software, users might notice it and choose to use the old key or avoid future communication.
[ link to this | view in thread ]
Re: Re: Deployment vs encryption
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Do not trust
[ link to this | view in thread ]
So to gain an edge, they should be offering to hack their competitor's encryption, not their own. Below the belt, but effective!
[ link to this | view in thread ]
Re: Re:
But they are focusing on enterprise security software. So same accomplishment, different market.
Minus the 'security' bit anyway, as their CEO seems to be making it very clear that their customer's data is 'secure' only so long as the company graciously allows it to be.
[ link to this | view in thread ]
"No really, THIS service is secure, promise!"
There are still some unanswered questions about enterprise accounts -- the ones Blackberry doesn't hold the keys to.
Given their CEO's eagerness to throw their own customers under the bus in order to appease the dangerous liars trying to screw the public over, I'd say this line should be followed by a 'yet' to be more accurate. Because given the demands for Unicorn Gates don't allow for any system to be 'warrant-proof', you can bet that his assurance that he'll try to undermine some of the company's encryption will be used to pressure him to add in backdoors to the rest of the services offered as well.
Can't have any locks that can't be opened by law enforcement after all, and if he's willing to help with one set clearly he's obligated to help with the other set, unless he's no different than the companies he's lambasting for caring more about profits than stopping criminals.
[ link to this | view in thread ]
Old news is soo exciting
This is considered news now? TD please give me a break. That has been known for years. Just check out what kind of deals BB does with the Indian government!
Cheers, Oliver
[ link to this | view in thread ]
"Oh come on, you did a hurricane story just last year, this one isn't worth the new coverage!"
The magical coding strikes again, ensnaring yet another innocent victim in it's foul, yet apparently exquisitely coded net.
Out of curiosity, do you also visit news sites and complain when they cover things like sports, natural disasters, politics and crime?
[ link to this | view in thread ]
Dear Blackberry
Please proclaim loudly in your advertising that you will break customer's phone encryption any time the government ask. People will be glad to know that! It's a huge marketing (mis)feature!
[ link to this | view in thread ]