BlackBerry CEO on being a little bit pregnant

by Volker Weber

We reject the notion that tech companies should refuse reasonable, lawful access requests. Just as individual citizens bear responsibility to help thwart crime when they can safely do so, so do corporations have a responsibility to do what they can, within legal and ethical boundaries, to help law enforcement in its mission to protect us.

However, it is also true that corporations must reject attempts by federal agencies to overstep. BlackBerry has refused to place backdoors in its devices and software.

If BlackBerry has no backdoors into devices and software, how do they want to provide lawful access to encrypted communication? It's either secure or it isn't. I have to call b/s on this post.


Comments

I'm not sure why you call b/s on the post.

Data within our network of infrastructure and devices is secure. It's only where it enters or leaves that data can be intercepted. We have the exact same weak points as the TOR network, i.e. where we cannot control the data.

If somebody is sending a message from/to the outside world then that is something we could possibly look at... but only with the right legal authorities. If it's totally internal (i.e. a message from a BB device to a BB device) then all we can look at is metadata (i.e. a message was sent from 'A' to 'B' and was x bytes in size at this date/time.)

NB. I have nothing to do with the legal stuff at BB. I'm just a code monkey. But there is no way we can get at message content whilst it's inside our network. Outside, however, is a different matter...

Dragon Cotterill, 2015-12-17

I think lawful access just requires BlackBerry to hand over the encrypted data stream, since that's all that they have access to; law enforcement then has to acquire the encryption key from somewhere else, the device or the BES.

Michael Weitzel, 2015-12-17

Dragon, John Chen is suggesting that BlackBerry has information it can provide to the "authorities". The title of his post is "The Encryption Debate: a Way Forward". Apple and Google are saying they cannot and do not want to put backdoors in encryption. Microsoft is fighting a judge who wants to make them release data from outside the jurisdiction of this court.

But John Chen wants to cooperate: "However, our privacy commitment does not extend to criminals." So he would like a backdoor, but at the same time he does not.

As we know, BBM is not encrypted. Or it is, but with a key you have. And in a sense you also have access to the key on BES. The server is on your network, it's symmetric encryption, you only have to tell it to hand over the key. That's what John wants. Only for criminals, though. Right?

Volker Weber, 2015-12-17

Right.

Let's therefore count ourselves fortunate that criminals are so easy to distinguish from lawful citizens: they tend to wear stripy jerseys and little black masks, I believe.

Nick Daisley, 2015-12-17

"BBM is not encrypted. Or it is, but with a key you have."

Not encrypted in the normal sense. It's obfuscated.

As for the rest of your comment, I don't think that is what he is saying at all. If a lawful authority requests help then we will help as far as our technology allows. Although there are some things we simply cannot do (such as getting the keys to a BES as you seem to suggest). What he is objecting to, and what everybody in their right mind should be objecting to, is mass surveillance.

Of course then there is the issue of Governments changing the law so that their lawful requests are out of reasonable bounds. And at that point it's time to exit the country.

Dragon Cotterill, 2015-12-17

So what is it? Unbreakable encryption, or not?

We don't know what you can do. We have to take your word for it. And John's rhetoric suggests we should not.

Volker Weber, 2015-12-17

I don't know if that applies to American companies as well, but the German e-mail provider posteo.de is also working together with the law enforcement agencies, but as they only collect very little data about their customers, there is not much they have to give out once there is such a request.

They do also reject most requests as they normally are not fulfilling the requirements of the law. Apparently the German police request a lot via unencrypted e-mails, which is not the way they should do it.

Patrick Bohr, 2015-12-17

There is no such thing as "unbreakable encryption". Otherwise you would never be able to decrypt the messages. It's a matter of the necessary computing power to break it in a reasonable amount of time.

It's all a matter of trust. Do you trust Microsoft not to route your packets via Redmond for packet inspection? Do you trust the root certificates that are the basis for current TLS connectivity? Do you trust the Government not to lie to you?

We have to pass rigorous testing procedures to be able to achieve our security levels. (Go look up FIPS). But we at least can prove that we have met them. It's hard to explain to people who don't understand the hows and whys of encryption because they don't know how it all fits together end-to-end.

Quite frankly if you really want to go into in depth paranoia about trust you may as well sit in your basement with a tin foil hat on waiting for the black helicopters.

Dragon Cotterill, 2015-12-17

It looks like you ran out of arguments. :-)

Volker Weber, 2015-12-17

@Nick: in the UK, criminals also carry a large bag on their back, lettered in big with 'SWAG'

Andrew Magerman, 2015-12-17

John Chen specifically is the reason why I have given up on using my Blackberry Passport, which I was initially very impressed with. He did that with a single LinkedIn post, similar in tone to the post you quoted above, Volker.

I like my privacy uncompromised, just like the thoughts in my head that nobody should have access to other than me. It's up to an individual to decide what he expresses and reveals. Not every thought needs to be expressed, not every document I create should ever be read by someone I don't intend to share it with. Encryption is an extension of free speech, but it's not up to the government to try and break into my stream of consciousness ... Here in the US, the 5th Amendment even grants me the privilege I can invoke in order to not have to incriminate myself. Encryption is on the same level as the 5th Amendment.

When John speaks about "It is practical to have public policy that supports law enforcement without impeding personal privacy." he seems to have found the "golden key" to the backdoor. It's something that cryptologists don't think exists. Any backdoor or compromise makes a system exploitable. Not only the good guys will have those backdoors. Chen is at odds with the security industry. But he needs lucrative government orders to keep afloat - let's just put it that simple.

The encryption debate is another diversion of public attention. The size of this problem is ridiculously small. The number of investigations where "unbreakable" encryption was encountered can be quantified by the FBI, but they don't. It would reveal that this is really not an issue. Even Silk Road's founder wasn't smart enough to use encryption all the time, every time. People make mistakes and good old police work will always outsmart the perps. Just like "you can't outrun a Motorola" you cannot outrun a bunch of motivated, smart FBI/DEA/DHS/etc. agents.

I am convinced that there are backdoors in every layer of a Blackberry product, all the way up from chips, interfaces, buses to software. Snowden pretty much revealed that the whole stack is poisoned. You can't trust anything anymore. And that's not tin foil hat talk, that's reality. But I'll stick with companies that promise me "no compromise on math". Encryption works, it's opsec that often fails. And only bad guys are worried about that.

Sascha Siekmann, 2015-12-17

I am possibly setting myself up to be shot down but I would agree more with Dragon than with Volker.

What John Chen says is not that he wants to provide a backdoor for criminals, he says that the privacy commitment does not extend to them. I read that to mean that if the authorities come with a warrant they can have any available data which fits for that person even though it is encrypted data.

Volker says Dragon ran out of arguments, but what would the response have been if Dragon had repeated the points he had made to try to counter Volker's later comments? Those comments read a little like 'click-bait' comments as they try to imply an answer to one question (BBM) negates an answer to a very different question (BES).

What is the more rational reaction, put a single clear response out there and let people make up their own minds or to get involved in a 'you said-he said' cycle pulling in ever more obscure references until the original discussion is drowned in irrelevancies?

Kevin Johnston, 2015-12-18

Kevin, it's actually pretty simple. Either BlackBerry can read your communication and provide it to authorities, or they can't. Apple says they can't read iMessages, and that is what John Chen is attacking. There are different architectures at play. BES has the keys used on the BlackBerry smartphones on file, Apple does not.

When I say that Dragon runs out of arguments then I mean he plays the paranoia or the unbreakable card. No need to get into this.

Volker Weber, 2015-12-18
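The architectural difference the thread keeps circling (a server that provisions and keeps the device keys versus a server that only relays ciphertext between devices) is easy to show in code. The following is an added illustration, not BlackBerry's or Apple's code; the names `Relay`, `Envelope`, `server_side_key_model` and `end_to_end_model` are invented for it, and the cipher is a toy HMAC-SHA256 counter-mode stream cipher standing in for whatever transport encryption BES/BBM actually use, which this page does not describe. In the first model the operator can answer a request with message content; in the second it can only return the kind of metadata Dragon describes above (sender, recipient, size).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy PRF-in-counter-mode keystream (illustration only; not a production cipher).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # XOR with the keystream; the same call decrypts, as with any stream cipher.
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt


@dataclass
class Envelope:
    # What the message server actually sees on the wire (constructed format).
    sender: str
    recipient: str
    nonce: bytes
    ciphertext: bytes


@dataclass
class Relay:
    # `escrow` is populated only in the server-side-key model: device keys the
    # operator provisioned and kept on file (the BES-style situation).
    escrow: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def relay(self, env: Envelope) -> None:
        self.log.append(env)

    def answer_request(self, env: Envelope) -> dict:
        # What the operator is technically able to hand over for one message.
        record = {"from": env.sender, "to": env.recipient, "size": len(env.ciphertext)}
        key = self.escrow.get(env.sender)
        # Content is recoverable only if the server holds the sender's key.
        record["content"] = decrypt(key, env.nonce, env.ciphertext) if key else None
        return record


def server_side_key_model() -> dict:
    # Server provisions the device key and keeps a copy, so it can decrypt on request.
    server = Relay()
    key = os.urandom(32)
    server.escrow["alice"] = key
    nonce = os.urandom(12)
    env = Envelope("alice", "bob", nonce, encrypt(key, nonce, b"meet at noon"))
    server.relay(env)
    return server.answer_request(env)


def end_to_end_model() -> dict:
    # Key agreed between the two devices out of band (assumed); the server never sees it.
    server = Relay()
    key = os.urandom(32)
    nonce = os.urandom(12)
    env = Envelope("alice", "bob", nonce, encrypt(key, nonce, b"meet at noon"))
    server.relay(env)
    assert decrypt(key, nonce, env.ciphertext) == b"meet at noon"  # bob still reads it
    return server.answer_request(env)


if __name__ == "__main__":
    print("server-side key:", server_side_key_model())
    print("end-to-end:     ", end_to_end_model())
```

Both runs move the same ciphertext through the same server; the only thing that changes is whether the server holds a key. That is why "we have no backdoor" and "we can help with lawful requests" are compatible in the first model and not in the second, and why the honest question to an operator is not "is it encrypted?" but "who holds the key?".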
