Even when you’re one of the largest mobile companies in the world (and certainly the largest for the business elite), things change when you find yourself at odds with a sovereign nation. Or a few. That’s the situation RIM is in right now as they attempt to reconcile their longtime promise to users (uncompromising encryption and security) with the unforgiving world of global politics. As you’re likely aware if you’re reading this post, RIM has been the center of government ire in a few countries (most prominently the UAE, India, Saudi Arabia, and Indonesia), which have threatened to ban Blackberry devices if RIM doesn’t provide them reasonable access to users’ data.
RIM’s response was a stolid “relax,” but the public response appears to be different from the internal one, if reports from inside the company are true. What the Saudi Government has praised as “positive developments” are reportedly concessions by RIM giving that government unprecedented access to certain RIM resources, giving it the power to eavesdrop on any Saudi Blackberry user.
This is all according to an anonymous source within RIM, who claims to have been present at talks but is not, of course, authorized to release this information. If true, it would be quite a blow to RIM’s credibility; while they’ve assumed the posture (especially recently) that they do not, to use their words, “provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries,” that may soon no longer be a valid claim.
The source claimed that RIM originally offered to relocate some of its servers to within Saudi Arabia, thus placing them effectively under Saudi law; the whereabouts of RIM’s servers is a potentially serious diplomatic question, as there are issues of international law at stake. Saudi Arabia and the others insisted (reasonably, in my opinion) that the communications of users in their countries be at least partially located within their borders, so as to be subject to local law and inspection. I say reasonably, because it seems in line with their interests, but I should say I don’t like the apparent intention, clearly an expansion of surveillance powers that overcomes one of very few internationally secure modes of communication. Yet even if RIM feels as I do, the choice is not one of conscience, but one of business, and they can’t afford to lose the millions of subscribers in those countries.
At any rate, putting servers in-country seems to have been nixed (though testing was underway) in favor of simply providing “the codes to all Saudi BlackBerry users,” according to the source, who did not explain what exactly that implied. RIM has always stated that it does not have direct access to their customers’ information, so I presume that these codes are not decryption codes but identifying codes for every subscriber’s data stream. Once the government has that information, it seems they should be able to wiretap as normal and compel the subscriber to provide the decryption code themselves. If the government has access to the packets before they leave the country, it’s comparable to the in-country server plan.
But will this capitulation (again, assuming it is true) result in losing even more subscribers as the infrastructure of security RIM has established (far from impenetrable, but far better than Apple, Microsoft, or Google) is reduced to a shell? After all, if RIM makes this decision for the Saudis, similar privileges will have to be extended to every government that whines about needing to keep tabs on its citizens. Of course, it’s not like anyone with a Blackberry is immune; RIM would have to comply with any lawful wiretap order, and although RIM would not provide it directly, the information handled by RIM would be subject to subpoena in a court of law, and the company whose responsibility it is would be responsible for allowing it to be decrypted. All this by the way, to shed a little perspective on the size of RIM’s policy change.
It all depends on the scale of the concessions RIM made. Signs point to it being rather large; the Saudi government (and the others) isn’t likely to be satisfied with a simple subscriber list or it wouldn’t have made such serious threats. Until we get some more solid information from RIM or the governments involved, or the source is more forthcoming, everything is just speculation. From RIM, though, it seems to be a choice between bad and worse; I’m sure the company is prepared for many of the eventualities consequent on being internationally secure, but the rest of the world is under no obligation to make it easy for them.
Update: I’ve disabled comments on this post and deleted a bunch of the trash that was down there. Hate and racism are not welcome here.