BlackBerry CEO Promises To Try To Break Customers' Encryption If The US Gov't Asks Him To

from the I-got-you dept

The DOJ's reps -- along with the new FBI boss -- keep making noises about device encryption. They don't like it. What they want is some hybrid unicorn called "responsible encryption," which would keep bad guys out but let law enforcement in. The government has no idea how this is supposed to be accomplished, but it has decided to leave that up to the smart guys at tech companies. After all, tech companies are only in it for the money. The government, however, answers to a higher calling: public safety -- a form of safety that apparently has room for an increase in criminal activity and nefarious hacking.

There's one cellphone company that's been conspicuously absent from these discussions. A lot of that conspicuous absence has to do with its conspicuous absence from the cellphone marketplace. Pretty much relegated to governments and enterprise users, Blackberry has been offering encrypted messaging for years. But it's been offering a different sort of encryption -- one it can remove if needed.

Enterprise users hold their own encryption keys but individual nobodies have their encryption keys held by Blackberry. Blackberry would likely be held up as the "responsible encryption" poster boy by the DOJ if only it held enough marketshare to make an appreciable difference. Instead, it's of limited use to the DOJ and FBI.

But that doesn't mean Blackberry isn't willing to submit multiple height bids whenever government says jump. Over the past couple of years, it has come to light Blackberry routinely decrypts messages for inquiring governments. Apparently, there's some sort of golden key law enforcement can use to access communications -- one multiple governments seem to have access to.

There are still some unanswered questions about enterprise accounts -- the ones Blackberry doesn't hold the keys to. This poses the same problem for law enforcement that other, more popular phones do. But rather than point out the problems with the government's demands for "responsible encryption," Blackberry has irresponsibly chosen to proclaim its willingness to hack into its own customers' devices if the government asks.

[CEO John] Chen, speaking at a press Q&A during the BlackBerry Security Summit in London on Tuesday, claimed that it wasn't so simple for BlackBerry to crack its own protections. "Only when the government gives us a court order we will start tracking it. Then the question is: how good is the encryption?

"Today's encryption has got to the point where it's rather difficult, even for ourselves, to break it, to break our own encryption... it's not an easily breakable thing. We will only attempt to do that if we have the right court order. The fact that we will honor the court order doesn't imply we could actually get it done."

Oddly, this came coupled with Chen's assertions that its user protections were better than Apple's and that its version of the Android operating system was more secure than the one offered by competitors.

This proactive hacking offer may be pointed to in the future by DOJ and FBI officials as evidence Apple, et al aren't doing nearly enough to cooperate with US law enforcement. Of course, Chen's willingness to try doesn't guarantee the company will be able to decrypt communications of certain users. But I'm sure Chen's positive attitude will be used as leverage in talks with tech companies the DOJ clearly believes have added encryption to their devices solely as a middle finger to US law enforcement. This belief clearly isn't true, but the DOJ in particular has already shown it's willing to be completely disingenuous when arguing for weakened encryption.

Finally, Blackberry may be opening up to law enforcement but it won't be sharing anything more with its remaining users.

Chen also said there were no plans for a transparency report that would reveal more about the company's work with government. "No one has really asked us for it. We don't really have a policy on whether we will do it or not. Just like every major technology company that deals with telecoms, we obviously have quite a number of requests around the world."

This seems a bit unfair. Blackberry will be offering more to the government and telling the public less. Then again, the general public is likely no more interested in a Blackberry transparency report than it is in Blackberry smartphones.


Reader Comments

  • aerinai (profile), 30 Oct 2017 @ 6:06am

    Physical Analogs

    I think that too many times people forget that digital is not the same as physical analogs.

    If this data was held in a safe, and only the purchaser of the safe had the key, this would be the government asking Blackberry to break into another person's safe just because they want them to.

    Blackberry has agreed to help them break into the safe. They hire a team of experts that could create a new key. The safe is opened, and everyone is happy.

    ...except this is a digital world instead. Those 'experts' didn't just crack the one safe they were trying to get in; they literally cracked every safe Blackberry has ever made! With just a few kilobytes of data, this 'key creator' code can be stolen and used against any safe in existence.

    In the world of computer science, this 'key creator' is quite literally an encryption vulnerability that now has been created and documented. It undermines the credibility of all encryption from Blackberry. So much for the 'more secure than Apple' statement after this occurs, because you are holding on to a vulnerability you refuse to patch.

    Great job quite literally slitting your own throat, Blackberry. Because that is exactly what you signed up for.

    • Anonymous Coward, 30 Oct 2017 @ 7:59am

      Re: Physical Analogs

      "I think that too many times people forget that digital is not the same as physical analogs."

      I have never liked this oversimplification because on a technical level it is wrong.

      Data still takes up physical space. This data is stored inside of an actual "physical" safe as well which requires a physical key to open too, just like the "traditional" safes we tend to think of when someone says "safe".

      The only difference between these safes is how they operate logically.

      Both safes still use atomic particles to fully function. Remove all electrons from both safes and they both literally fall apart!

      But because humans are ignorant, fearful, and weak, we allow people to tell us what we can and cannot do with our property. This problem cannot be solved because too many humans want to control too many other humans... for their own good after all.

    • Anonymous Coward, 30 Oct 2017 @ 8:10am

      Re: Physical Analogs

      Those 'experts' didn't just crack the one safe they were trying to get in; they literally cracked every safe Blackberry has ever made! With just a few kilobytes of data, this 'key creator' code can be stolen and used against any safe in existence.

      Judging by his quote "The fact that we will honor the court order doesn't imply we could actually get it done," this may not be true. They might just run a brute force attack. Good way to get government funding for a supercomputer, if these agencies are dumb enough to ask (and if anyone other than those agencies was using Blackberries).

      FBI: with some funding, I'll also try to crack encryption for you. I might run a few other jobs in the background... it takes way too long for me to compile Chromium, and I'll need to access fbi.gov for this job, right?

      Great job quite literally slitting your own throat, Blackberry. Because that is exactly what you signed up for.

      In this analogy, the throat had been slit years ago and there's little blood remaining.

  • Anonymous Coward, 30 Oct 2017 @ 7:14am

    I'd suggest that Blackberry has just made themselves irrelevant in the smartphone market, but they already accomplished that years ago.

    • Roger Strong (profile), 30 Oct 2017 @ 7:39am

      Re:

      They got out of the smartphone market a couple years ago. (Other than licencing their name to Chinese and Indonesian manufacturers.)

      But they *are* focusing on enterprise security software. So same accomplishment, different market.

      • Anonymous Coward, 30 Oct 2017 @ 8:27am

        Re: Re:

        well... better to sell out and live comfortably and stop having to compete in the market.

      • That One Guy (profile), 30 Oct 2017 @ 6:05pm

        Re: Re:

        But they are focusing on enterprise security software. So same accomplishment, different market.

        Minus the 'security' bit anyway, as their CEO seems to be making it very clear that their customers' data is 'secure' only so long as the company graciously allows it to be.

    • orbitalinsertion (profile), 30 Oct 2017 @ 4:06pm

      Re:

      They were busy redefining the term "Crackberry".

  • David Muir (profile), 30 Oct 2017 @ 7:32am

    I interpret Chen's comments differently. I don't believe he is irresponsibly offering to hack his company's encryption. It seems to me he is trying to say that he could be compelled by a court order and would still probably not be able to hack Blackberry's encryption.

    If we recall the way it played out with Apple: they refused, then the FBI said they had found a way to hack the encryption anyway.

    Not sure if my interpretation is correct. But if it is, which company's encryption seems more secure?

    • Nathan F (profile), 30 Oct 2017 @ 7:57am

      Re:

      The FBI didn't hack the encryption itself, they found another way around the password lock.

    • Anonymous Coward, 30 Oct 2017 @ 8:02am

      Re:

      Problem is that with the government a promise to try is the same as a promise to succeed.

    • Anonymous Coward, 30 Oct 2017 @ 9:13am

      Re:

      It seems to me he is trying to say that he could be compelled by a court order and would still probably not be able to hack Blackberry's encryption.

      That would be a good statement, if better worded, but there's still the problem that we don't know what capability they have. They say they can't hack enterprise customers, but they use secret code and protocols, so how can we know? So when they say they'll comply, but the encryption is unbreakable, we don't really know what non-crypto-based attacks they're offering. Maybe they'll sign a custom firmware just for the one phone, that sends the password to the FBI.

      It would be a powerful statement if we actually knew the manufacturer had nothing better than brute force. Were I to design a phone, I'd make sure I'd have no access and no information about users, then offer to "comply" by giving the FBI the zero information I have about users. Still only with a valid warrant that I might contest anyway.

  • Pixelation, 30 Oct 2017 @ 8:03am

    Responsible encryption

    Easy to accomplish. It runs in the cloud of unicorn farts. The same place where Blackberry has a future.

  • Ryunosuke (profile), 30 Oct 2017 @ 8:06am

    I think the real news in this story is "Wait, Blackberry is still in business? I thought they died out a decade ago!"

  • Berenerd (profile), 30 Oct 2017 @ 8:11am

    There is a big difference between Apple hacking its phones and Blackberry doing it. Now take this with a grain of salt as I have not worked with BB servers in a long time.

    BB owns servers. Someone sends an email from their phones, it goes through a server owned by BB and then to the server of the company, assuming they have one. Same goes in reverse when email is sent to a user.

    This allows BB to open the server and have access to mail as it comes through. They can hack it from there (assuming the servers can't already open them from within.)

    Apple does not have their own servers. They would need to go to the phone or the company's email system.

    • Roger Strong (profile), 30 Oct 2017 @ 8:42am

      Re:

      Using Blackberries didn't necessarily mean using BB's servers.

      Enterprise users could run their own BlackBerry Enterprise Server and use their own keys without Blackberry having access. That includes small business and personal servers.

      And of course you could still use your own standard encrypted-connection IMAP/SMTP servers.

  • Richard (profile), 30 Oct 2017 @ 8:18am

    Deployment vs encryption

    With modern encryption algorithms there is no way to recover a private key unless the deployment of the encryption is flawed.

    Any responsible company would have some experts employed specifically to try and find such flaws (and immediately correct them).

    There is one thing that the tech companies could do on behalf of the government.

    This would be to provide a spoofed (extra) public key for a user who has been targeted by a court order (just like an old fashioned wiretap). Thus any communication sent to the user would be readable because there would always be an extra copy encrypted with the government key.

    This assumes that the tech company is managing the public keys. If the users do this themselves then it cannot be done.

    It cannot decrypt communications sent prior to the court order.

    It cannot decrypt communications sent only to other users.

    It does not undermine the encryption scheme itself.

    It does not satisfy what the government seems to want....

    This would result in every communication

    • Richard (profile), 30 Oct 2017 @ 8:19am

      Re: Deployment vs encryption

      pls ignore last line of the comment above - finger trouble...

    • Stephen T. Stone (profile), 30 Oct 2017 @ 12:50pm

      Re: Deployment vs encryption

      This would be to provide a spoofed (extra) public key for a user who has been targeted by a court order (just like an old fashioned wiretap). Thus any [communication] sent to the user would be readable because there would always be an extra copy encrypted with the government key.

      So…a backdoor?

      • Richard (profile), 30 Oct 2017 @ 2:02pm

        Re: Re: Deployment vs encryption

        So…a backdoor?

        Not a general backdoor - only a backdoor into communications to a particular user.

        Not a compromise to the encryption algorithm either - only to a particular mode of deployment.

      • Anonymous Coward, 30 Oct 2017 @ 2:13pm

        Re: Re: Deployment vs encryption

        It wouldn't really be a "back door", because a provider isn't generally managing the keys so they can do this. They're doing it so users can recover from lost devices, forgotten passwords, ... It's really more of a weakness or design compromise in the "front door" because the code on the sender+recipient phones will be acting normally. Like when the manager of an apartment complex holds keys to all units. (They're not doing it to let cops in, but they've put themselves into a situation where they'll have little legal choice but to comply with a warrant.)

    • Anonymous Coward, 30 Oct 2017 @ 2:05pm

      Re: Deployment vs encryption

      This would result in every communication

      No, only future communication from people who do not question the appearance of a new key. This is a big problem for law enforcement (but great for us): they like to gather data in secret with gag orders etc., but this leaves a record. And depending on the software, users might notice it and choose to use the old key or avoid future communication.

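Richard's "extra public key" scenario above, together with the reply's point that users might notice a new key appearing, as an added example (it is not part of the comment thread and not BlackBerry's code): a Python client that pins each contact's key set on first use and flags a provider-managed directory returning an additional key, instead of silently encrypting to it. The directory, the key bytes and the contact name are constructed stand-ins; only key fingerprints are compared, so no real cipher is involved.

```python
import hashlib

# Constructed sample public keys: opaque byte strings standing in for real
# key material. Only their fingerprints matter to the check below.
ALICE_KEY = b"alice-public-key-v1"
EXTRA_KEY = b"provider-added-key"   # the extra recipient key from the thread


def fingerprint(pubkey: bytes) -> str:
    """Short, stable identifier for a key, as a client would show the user."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class KeyDirectory:
    """Stand-in for a provider-managed key directory (constructed)."""
    def __init__(self):
        self._keys = {}

    def publish(self, contact: str, pubkey: bytes) -> None:
        self._keys.setdefault(contact, []).append(pubkey)

    def lookup(self, contact: str) -> list:
        return list(self._keys.get(contact, []))


class PinningClient:
    """Client that pins a contact's key set on first use (TOFU) and refuses
    to encrypt to keys that the directory adds later without confirmation."""
    def __init__(self, directory: KeyDirectory):
        self._directory = directory
        self._pins = {}            # contact -> set of pinned fingerprints

    def check(self, contact: str):
        """Compare the directory's current key set with the pinned set.
        Returns (verdict, fingerprints); verdict is one of
        'pinned', 'ok', 'key_added', 'key_changed'."""
        current = {fingerprint(k) for k in self._directory.lookup(contact)}
        if contact not in self._pins:
            self._pins[contact] = current
            return "pinned", sorted(current)
        pinned = self._pins[contact]
        added, removed = current - pinned, pinned - current
        if not added and not removed:
            return "ok", []
        if added and not removed:
            # Exactly the shape of a silently added extra recipient key.
            return "key_added", sorted(added)
        return "key_changed", sorted(added | removed)

    def recipient_keys(self, contact: str) -> list:
        """Keys the client will actually encrypt to: pinned ones only.
        A naive client would use directory.lookup(contact) unchanged."""
        verdict, _ = self.check(contact)
        if verdict in ("key_added", "key_changed"):
            raise ValueError(f"{contact}: key set changed ({verdict}); "
                             "confirm out of band before sending")
        pinned = self._pins[contact]
        return [k for k in self._directory.lookup(contact)
                if fingerprint(k) in pinned]


def run_scenario():
    """First contact pins Alice's key; then an extra key is published."""
    directory = KeyDirectory()
    directory.publish("alice", ALICE_KEY)
    client = PinningClient(directory)
    first = client.check("alice")            # ('pinned', [...])
    directory.publish("alice", EXTRA_KEY)    # extra key appears later
    second = client.check("alice")           # ('key_added', [...])
    naive = directory.lookup("alice")        # what a naive client would use
    try:
        safe = client.recipient_keys("alice")
    except ValueError as err:
        safe = str(err)
    return first, second, naive, safe
```

The same comparison also catches a replaced key ('key_changed'), which is the other way a directory can redirect a conversation without touching the cipher itself.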

  • Jordan Chandler, 30 Oct 2017 @ 9:13am

    Who still uses blackberry?

    I mean this would get me to switch if I still used it.

    • Roger Strong (profile), 30 Oct 2017 @ 9:31am

      Re: Who still uses blackberry?

      South-east Asia, mostly.

      The last real Blackberry was the Priv, which ran Android. Since then, Blackberry is just licencing the name to Chinese and Indonesian companies. They've shifted to enterprise security software.

  • DB (profile), 30 Oct 2017 @ 9:26am

    Is this just a competitive position?

    His comments might have no technical basis. They could be pure market positioning for a government-enforced windfall.

    Blackberry went from owning the smartphone market to having a vanishingly tiny share. That is a trillion dollar screw-up. It puts them near the top of the worst business misses of all time.

    With that perspective, it's understandable that the CEO would grasp at any straw that might cause a government to mandate them back into relevance.

  • Hugh, 30 Oct 2017 @ 10:25am

    Do not trust

    Generally, we should not trust in large companies. It is no secret that data is and will be collected. Just because it goes public with BB does not mean it has not yet happened with other companies (metadata FB/WA for example). We as users are responsible for our privacy. In terms of messengers, one should move to secure messengers such as Threema (or some other alternative). And there are so many other things we can do to protect ourselves. We cannot give in to large companies. The more people become aware, the more large companies will be forced to change something in their policies. In the modern world, privacy has to be top priority.

  • Anonymous Coward, 30 Oct 2017 @ 10:37am

    Blackberry...

    ...didn't they used to be somebody?

  • Anonymous Coward, 30 Oct 2017 @ 1:39pm

    With this move, BlackBerry will sell a lot more. /s

  • Anonymous Coward, 30 Oct 2017 @ 5:10pm

    "Oddly, this came coupled with Chen's assertions its user protections were better than Apple's and its version of the Android operating system more secure than the one offered by competitors."

    So to gain an edge, they should be offering to hack their competitors' encryption, not their own. Below the belt, but effective!

  • That One Guy (profile), 30 Oct 2017 @ 7:07pm

    "No really, THIS service is secure, promise!"

    There are still some unanswered questions about enterprise accounts -- the ones Blackberry doesn't hold the keys to.

    Given their CEO's eagerness to throw their own customers under the bus in order to appease the dangerous liars trying to screw the public over, I'd say this line should be followed by a 'yet' to be more accurate. Because given the demands for Unicorn Gates don't allow for any system to be 'warrant-proof', you can bet that his assurance that he'll try to undermine some of the company's encryption will be used to pressure him to add in backdoors to the rest of the services offered as well.

    Can't have any locks that can't be opened by law enforcement after all, and if he's willing to help with one set clearly he's obligated to help with the other set, unless he's no different than the companies he's lambasting for caring more about profits than stopping criminals.

  • oliver, 31 Oct 2017 @ 2:31am

    Old news is soo exciting

    Hi TD

    This is considered news now? TD please give me a break. That has been known for years. Just check out what kind of deals BB does with the Indian government!

    Cheers, Oliver

    • That One Guy (profile), 31 Oct 2017 @ 6:46am

      "Oh come on, you did a hurricane story just last year, this one isn't worth the news coverage!"

      The magical coding strikes again, ensnaring yet another innocent victim in its foul, yet apparently exquisitely coded net.

      Out of curiosity, do you also visit news sites and complain when they cover things like sports, natural disasters, politics and crime?

  • DannyB (profile), 31 Oct 2017 @ 8:17am

    Dear Blackberry

    Dear Blackberry,

    Please proclaim loudly in your advertising that you will break customers' phone encryption any time the government asks. People will be glad to know that! It's a huge marketing (mis)feature!

