I don't like this, but I'm starting to see double standards. Why aren't people just as upset about companies giving the same kind of access to the US Government thanks to the Patriot Act?
Because in the USA any criticism against surveillance gets directed to "9/11" either indirectly or in tone. Yes people are upset about the Patriot Act but out of fear of being seen as unpatriotic, sympathetic to terrorists, or disrespectful to 9/11 victims the general population just accepts surveillance as a necessary evil.
While the article implies that corporate BES customers would be compromised with this move, Crackberry is refuting that aspect: http://crackberry.com/rim-encryption-keys
I think you will find that the key is used for a VPN link to the RIM servers, which in turn push the email out to the telco over another encrypted link.
Bottom line the handset has to be able to decript it, so between the telco and the handset there is a common key at work.
Still if you don't trust your own goverment then why would they trust you.
Just wished some goverments were as open as they like us the public to be.
>> if you don't trust your own goverment then why would they trust you.
In the context of intercepting and storing your messages, trusting "your own government" means thousands of strangers, government employees and contractors alike, in this and future administrations, both now and as long as the data is stored (likely beyond your lifetime).
It means trusting that they won't leak that data intentionally, for political or personal gain, or by incompetence, under attack by hackers all over the world. (And let's face it, almost no one is competent when it comes to that level of attacks.)
If you send any information at all, business or personal, that you wouldn't want to be used against you, you can either trust all of these people, or you can use strong encryption and never worry about it again.
>It means trusting that they won't leak that data intentionally, for political or personal gain, or by incompetence, under attack by hackers all over the world.
This! No communication is as secure as it could be if gives access to someone that is not an intended recipient.
It's not a matter of trust, it is a matter of design and common sense. I trust plenty of people, but I don't email them the passwords to all my accounts. Doing so would be an unnecessary risk with zero benefit even if they are 100% trustworthy (possible) and even if they are never compromised (extremely unlikely) because other people's systems are beyond my knowledge and my control. How can someone analyze risk under such circumstances?
* Do you think a secretive intelligence agency is going to announce that they were compromised?
* Even if they do, how much data are they going to provide on what exactly was stolen?
According to RIM, the device key is used to encrypt all messages. The device tells the corporate server its key and the corporate server encrypts every message before it is sent. There is no common key between the telco and handset for the message content.
(This is on top of the VPN link etc.)
Of course it's hard to verify RIM's claims since the whole system is run by them.
Of course they do have access to these keys.
Their own code runs on the device. They could very well have the OS communicate the keys back to RIM's servers.
They could of course have some code on the device which reports this back, or failing that something which lets them force an update to the OS to add this functionality.
But if they haven't put either of those in place already then it's too late. They'd be relying on customers updating the software themselves, which is unlikely - especially for many security conscious companies.
This is a move made from weakness. The reason our company saddles middle managers with Blackberrys is the no-brain encryption. Some of us travel to India. There goes more market share for RIM.
Conversely, if they were shut down in India they would lose lots of market share. They might gain more market share in India than lose in the USA (say).
Further to techinsidr's link, here is El Reg's take. This is not the first time Indian authorities have claimed to have keys that arguably don't exist (did they mean THESE keys, did they mean THOSE keys, the debate rages in the comments :p ), and it won't be the last.
