Recent reports have indicated that the Royal Canadian Mounted Police (RCMP) has had a key to unlock encrypted messages sent between BlackBerry users since 2010. The key is thought to have been used for approximately one million messages in investigations from 2010 to 2012. Privacy experts have highlighted the contrast it represents with the clash between Apple and the FBI in the United States, where the technology company refused to create a backdoor for security officials to access the iPhone of one of the perpetrators in the San Bernardino shooting.
Citizen Lab Postdoctoral Fellow Christopher Parsons commented on the significance of the revelations in an interview with VICE Motherboard, saying that it is likely the RCMP have the ability to read anyone’s encrypted BlackBerry messages, so long as the device is not registered with the company’s business servers. BlackBerry’s personal messaging is encrypted with a “global encryption key” loaded onto mobile phones during manufacturing. This key allows all messaging between consumer BlackBerry phones to be decrypted. The company’s Business Enterprise Servers (BES), for corporate customers, have their own unique encryption key for each user, which BlackBerry has no access to.
Christopher Parsons said that it was unlikely BlackBerry had changed the PIN since the operation that ended in 2012, given that it would require a “massive update that was likely on the per-handset level.” Even if it had been changed, Parsons suggested that the RCMP would likely just get the new key. Though the case which prompted reports involved the investigation of a gang murder, Parsons added that the RCMP possessing such a tool could have a chilling effect on innocuous uses of communications technology.
“People are willing to say things or do things online when they believe that they enjoy security,” said Parsons. “In this case they caught a bunch of mobsters, but there’s a lot of people that may engage in risky or politically sensitive communications because they believe that their BlackBerry communications are secure.”
Following the report by VICE, BlackBerry CEO John Chen commented on the story in a blog post, saying that the company was doing the right thing by following its responsibility to cooperate with lawful access requests. Christopher Parsons told VICE that the response was disappointing, but unsurprising. He said: “It, again, demonstrated that BlackBerry is going to independently decide, absent an engagement with customer stakeholders, the kind of security that’s provided to customers.” Parsons said that it was important to distinguish between case-by-case lawful access requests and simply handing over the encryption keys to security and intelligence agencies outright.