BlackBerry CEO Promises To Try To Break Customers' Encryption If The US Gov't Asks Him To
from the I-got-you dept
The DOJ’s reps — along with the new FBI boss — keep making noises about device encryption. They don’t like it. What they want is some hybrid unicorn called “responsible encryption,” which would keep bad guys out but let law enforcement in. The government has no idea how this is supposed to be accomplished, but it has decided to leave that up to the smart guys at tech companies. After all, tech companies are only in it for the money. The government, however, answers to a higher calling: public safety — a form of safety that apparently has room for an increase in criminal activity and nefarious hacking.
There’s one cellphone company that’s been conspicuously absent from these discussions. A lot of that conspicuous absence has to do with its conspicuous absence from the cellphone marketplace. Pretty much relegated to governments and enterprise users, Blackberry has been offering encrypted messaging for years. But it’s been offering a different sort of encryption — one it can remove if needed.
Enterprise users hold their own encryption keys but individual nobodies have their encryption keys held by Blackberry. Blackberry would likely be held up as the “responsible encryption” poster boy by the DOJ if only it held enough marketshare to make an appreciable difference. Instead, it’s of limited use to the DOJ and FBI.
But that doesn’t mean Blackberry isn’t willing to submit multiple height bids whenever government says jump. Over the past couple of years, it has come to light Blackberry routinely decrypts messages for inquiring governments. Apparently, there’s some sort of golden key law enforcement can use to access communications — one multiple governments seem to have access to.
There are still some unanswered questions about enterprise accounts — the ones Blackberry doesn’t hold the keys to. This poses the same problem for law enforcement that other, more popular phones do. But rather than point out the problems with the government’s demands for “responsible encryption,” Blackberry has irresponsibly chosen to proclaim its willingness to hack into its own customers’ devices if the government asks.
[CEO John] Chen, speaking at a press Q&A during the BlackBerry Security Summit in London on Tuesday, claimed that it wasn’t so simple for BlackBerry to crack its own protections. “Only when the government gives us a court order we will start tracking it. Then the question is: how good is the encryption?
“Today’s encryption has got to the point where it’s rather difficult, even for ourselves, to break it, to break our own encryption… it’s not an easily breakable thing. We will only attempt to do that if we have the right court order. The fact that we will honor the court order doesn’t imply we could actually get it done.”
Oddly, this came coupled with Chen’s assertions its user protections were better than Apple’s and its version of the Android operating system more secure than the one offered by competitors.
This proactive hacking offer may be pointed to in the future by DOJ and FBI officials as evidence Apple, et al aren’t doing nearly enough to cooperate with US law enforcement. Of course, Chen’s willingness to try doesn’t guarantee the company will be able to decrypt communications of certain users. But I’m sure Chen’s positive attitude will be used as leverage in talks with tech companies the DOJ clearly believes have added encryption to their devices solely as a middle finger to US law enforcement. This belief clearly isn’t true, but the DOJ in particular has already show it’s willing to be completely disingenuous when arguing for weakened encryption.
Finally, Blackberry may be opening up to law enforcement but it won’t be sharing anything more with its remaining users.
Chen also said there were no plans for a transparency report that would reveal more about the company’s work with government. “No one has really asked us for it. We don’t really have a policy on whether we will do it or not. Just like every major technology company that deals with telecoms, we obviously have quite a number of requests around the world.”
This seems a bit unfair. Blackberry will be offering more to the government and telling the public less. Then again, the general public is likely no more interested in a Blackberry transparency report than it is in Blackberry smartphones.
Filed Under: doj, encryption, john chen, privacy
Companies: blackberry
Comments on “BlackBerry CEO Promises To Try To Break Customers' Encryption If The US Gov't Asks Him To”
Physical Analogs
I think that too many times people forget that digital is not the same as physical analogs.
If this data was held in a safe, and only the purchaser of the safe had the key, this would be the government asking Blackberry to break into another person’s safe just because they want them to.
Blackberry has agreed to help them break into the safe. They hire a team of experts that could create a new key. The safe is opened, and everyone is happy.
…except this is a digital world instead. That ‘experts’ didn’t just crack the one safe they were trying to get in; they literally cracked every safe Blackberry has ever made! With just a few kilobytes of data, this ‘key creator’ code can be stolen and used against any safe in existence.
In the world of computer science, this ‘key creator’ is quite literally an encryption vulnerability that now has been created and documented. It undermines the credibility of all encryption from Blackberry. So much for the ‘more secure than Apple’ statement after this occurs, because you are holding on to a vulnerability you refuse to patch.
Great job quite literally slitting your own throat, Blackberry. Because that is exactly what you signed up for.
Re: Physical Analogs
“I think that too many times people forget that digital is not the same as physical analogs.”
I have never likes this oversimplification because on a technical level it is wrong.
Data still takes up physical space. This data is stored inside of an actual “physical” safe as well which requires a physical key to open too, just like the “traditional” safes we tend to think of when someone says “safe”.
The only difference between these safes is how they operate for logically.
Both safes still use atomic particles to fully function. remove all electrons from both safes and they both literally fall apart!
But because humans are ignorant, fearful, and weak, we allow people to tell us what we can and cannot do with our property. This problem cannot be solved because too many humans want to control too many other humans… for their own good after all.
Re: Physical Analogs
Judging by his quote "The fact that we will honor the court order doesn’t imply we could actually get it done," this may not be true. They might just run a brute force attack. Good way to get government funding for a supercomputer, if these agencies are dumb enough to ask (and if anyone other than those agencies was using Blackberries).
FBI: with some funding, I’ll also try to crack encryption for you. I might run a few other jobs in the background… it takes way too long for me to compile Chromium, and I’ll need to access fbi.gov for this job, right?
In this analogy, the throat had been slit years ago and there’s little blood remaining.
I’d suggest that Blackberry has just made themselves irrelevant in the smartphone market, but they already accomplised that years ago.
Re: Re:
They got out of the smartphone market a couple years ago. (Other than licencing their name to Chinese and Indonesian manufacturers.)
But they are focusing on enterprise security software. So same accomplishment, different market.
Re: Re: Re:
well… better to sell out and live comfortably and stop having to compete in the market.
Re: Re: Re:
But they are focusing on enterprise security software. So same accomplishment, different market.
Minus the ‘security’ bit anyway, as their CEO seems to be making it very clear that their customer’s data is ‘secure’ only so long as the company graciously allows it to be.
Re: Re:
They were busy redefining the term “Crackberry”.
I interpret Chen’s comments differently. I don’t believe he is irresponsibly offering to hack his company’s encryption. It seems to me he is trying to say that he could be compelled by a court order and would still probably not be able to hack Blackberry’s encryption.
If we recall the way it played out with Apple: they refused, then the FBI said they had found a way to hack the encryption anyway.
Not sure if my interpretation is correct. But if it is, which company’s encryption seems more secure?
Re: Re:
The FBI didn’t hack the encryption itself, they found another way around the password lock.
Re: Re:
Problem is that with the government a promise to try is the same as a promise to succeed.
Re: Re:
That would be a good statement, if better worded, but there’s still the problem that we don’t know what capability they have. They say they can’t hack enterprise customers, but they use secret code and protocols, so how can we know? So when they say they’ll comply, but they encryption is unbreakable, we don’t really know non-crypto-based attacks they’re offering. Maybe they’ll sign a custom firmware just for the one phone, that sends the password to the FBI.
It would be a powerful statement if we actually knew the manufacturer had nothing better than bruteforce. Were I to design a phone, I’d make sure I’d have no access and no information about users, then offer to "comply" by giving the FBI the zero information I have about users. Still only with a valid warrant that I might contest anyway.
Responsible encryption
Easy to accomplish. It runs in the cloud of unicorn farts. The same place where Blackberry has a future.
I think the real news in this story is “Wait, Blackberry is still in business? I thought they died out a decade ago!”
There is a big difference between Apple hacking it’s phones and Blackberry doing it. Now take this with a grain of salt as I have not worked with BB servers in a long time.
BB owns servers. Someone sends an email from their phones, it goes through a server owned by BB and then to the server of the company, assuming they have one. Same goes in reverse when email is sent to a user.
This allows BB to open the server and have access to mail as it comes through. They can hack it from there (assuming the servers can’t already open them from within.)
Apple does not have their own servers. They would need to go to the phone or the company’s email system
Re: Re:
Using Blackberries didn’t necessarily mean using BB’s servers.
Enterprise users could run their own BlackBerry Enterprise Server and use their own keys without Blackberry having access. That includes small business and personal servers.
And of course you could still use your own standard encrypted-connection IMAP/SMTP servers.
Deployment vs encryption
With modern encryption algorithms there is no way to recover a private key unless the deployment of the encryption is flawed.
Any responsible company would have some experts employed specifically to try and find such flaws (and immediately correct them).
There is one thing that the tech companies could do on behalf of the government.
This would be to provide a spoofed (extra) public key for a user who has been targeted by a court order (just like an old fashioned wiretap). Thus any communicatiopn sent to the user would be readable because there would always be an extra copy encrypted with the government key.
This assumes that the tech company is managing the public keys. If the users do this themselves then it cannot be done.
It cannot decrypt communications sent prior to the court order.
It cannot decrypt communications sent only to other users.
It does not undermine the encryption scheme itself.
It does not satisfy what the government seems to want….
This would result in every communication
Re: Deployment vs encryption
pls ignore last line of the comment above – finger trouble…
Re: Deployment vs encryption
So…a backdoor?
Re: Re: Deployment vs encryption
So…a backdoor?
Not a general backdoor – only a backdoor into communications to a particular user.
Not a compromise to the encryption algorithm either – only to a particular mode of deployment.
Re: Re: Deployment vs encryption
It wouldn’t really be a “back door”, because a provider isn’t generally managing the keys so they can do this. They’re doing it so users can recover from lost devices, forgotten passwords, … It’s really more of a weakness or design compromise in the “front door” because the code on the sender+recipient phones will be acting normally. Like when the manager of an apartment complex holds keys to all units. (They’re not doing it to let cops in, but they’ve put themselves into a situation where they’ll have little legal choice but to comply with a warrant.)
Re: Deployment vs encryption
No, only future communication from people who do not question the appearance of a new key. This is a big problem for law enforcement (but great for us): they like to gather data in secret with gag orders etc., but this leaves a record. And depending on the software, users might notice it and choose to use the old key or avoid future communication.
Same as it ever was
https://www.reuters.com/article/us-britain-riots-rim/blackberry-would-close-uk-service-in-unrest-if-ordered-idUSTRE78E3YB20110915
Who still uses blackberry?
I mean this would get me to switch if I still used it.
Re: Who still uses blackberry?
South-east Asia, mostly.
The last real Blackberry was the Priv, which ran Android. Since the Blackberry is just licencing the name to Chinese and Indonesian companies. They’ve shifted to enterprise security software.
Is this just a competitive position?
His comments might have no technical basis. They could be pure market positioning for a government-enforced windfall.
Blackberry went from owning the smartphone market to having a vanishingly tiny share. That is a trillion dollar screw-up. It puts them near the top of the worst business misses of all time.
With that perspective, it’s understandable that the CEO would grasp at any straw that might cause a government to mandate them back into relevance.
Do not trust
Generally, we should not trust in large companies. It is no secret that data is and will be collected. Just because it goes public with BB does not mean it has not yet happened with other companies (metadata FB/WA for example). We as users are responsible for our privacy. In terms of messenger one should move to secure messengers such as Threema (or some other alternative). And there are so many other things we can do to protect ourselves. We cannot give in to large companies. The more people become aware the more large companies will be forced to change something in their policies. In modern world, privacy has to be top priority.
Re: Do not trust
The problem there is, we are using the physical hardware and restricted-control OS of large corporations.
Blackberry...
…didn’t they used to be somebody?
With this move, BlackBerry will sell a lot more. /s
“Oddly, this came coupled with Chen’s assertions its user protections were better than Apple’s and its version of the Android operating system more secure than the one offered by competitors.”
So to gain an edge, they should be offering to hack their competitor’s encryption, not their own. Below the belt, but effective!
"No really, THIS service is secure, promise!"
There are still some unanswered questions about enterprise accounts — the ones Blackberry doesn’t hold the keys to.
Given their CEO’s eagerness to throw their own customers under the bus in order to appease the dangerous liars trying to screw the public over, I’d say this line should be followed by a ‘yet’ to be more accurate. Because given the demands for Unicorn Gates don’t allow for any system to be ‘warrant-proof’, you can bet that his assurance that he’ll try to undermine some of the company’s encryption will be used to pressure him to add in backdoors to the rest of the services offered as well.
Can’t have any locks that can’t be opened by law enforcement after all, and if he’s willing to help with one set clearly he’s obligated to help with the other set, unless he’s no different than the companies he’s lambasting for caring more about profits than stopping criminals.
Old news is soo exciting
Hi TD
This is considered news now? TD please give me a break. That has been known for years. Just check out what kind of deals BB does with the Indian government!
Cheers, Oliver
Re: "Oh come on, you did a hurricane story just last year, this one isn't worth the new coverage!"
The magical coding strikes again, ensnaring yet another innocent victim in it’s foul, yet apparently exquisitely coded net.
Out of curiosity, do you also visit news sites and complain when they cover things like sports, natural disasters, politics and crime?
Dear Blackberry
Dear Blackberry,
Please proclaim loudly in your advertising that you will break customer’s phone encryption any time the government ask. People will be glad to know that! It’s a huge marketing (mis)feature!