Is the Blackberry email a security threat?
Ravi V Prasad and Alok Shende | April 02, 2008
While other countries allow intelligence agencies to snoop on email, a host of other transactions, including e-commerce, using similar encryption levels will be affected.
'India has successfully cracked terrorist cases by tracking and intercepting email'
India's security agencies were the first to successfully use cyberforensics, around 1996-97, to track email and cellphone communications of the LTTE and the LeT. LeT attacks in the country, for instance, were solved when the Hotmail and Yahoo accounts of those in charge of the LeT logistics were monitored - this was made easier by the fact that the state-owned VSNL was the monopoly ISP in the country.
Even the Red Fort attack was solved when the emails on the terrorists' laptops were later traced. In comparison, security agencies in countries like the US restricted themselves at that time, through Project Echelon, to monitoring international phone calls to/from the US - this was not very efficient and there were huge backlogs in the analysis.
From the late 1990s, the US and the UK eased the legal restrictions on snooping on email and phone calls. The FBI-developed IP-packet sniffing tools CARNIVORE, and later, OMNIVORE were installed on all ISPs in the US to track suspicious email traffic.
After 9/11, all legal restrictions preventing snooping without reasonable cause were lifted. In this context, the Indian security agencies' demand to intercept Blackberry email or to ask Blackberry to deposit its decryption keys with them is hardly unacceptable (the ISP licence does not allow encryption beyond 40 bits unless the decryption keys are deposited with the security agencies on demand).
There are four major types of RIM's BlackBerry services being provided in India, viz (a) Voice communication to or from another device, whether the latter is a BlackBerry or not; (b) SMS & MMS to or from another device, whether the latter is a BlackBerry or not; (c) E-Mail between two BlackBerry Devices; (d) E-Mail between a BlackBerry and a non-BlackBerry. Of these, (a), (b) and (d) can technically - and legally - be intercepted by Indian security agencies even today, since they pass through an Indian mobile network (Airtel, Vodafone, Reliance) in a reformatted form. It is only (c) that cannot easily be intercepted by Indian security agencies.
Theoretically, security agencies can send letters rogatory to RIM since their servers are located outside India, but this takes too long. Nor is RIM willing to locate its servers in India (allowing interception) since the costs are not justifiable on commercial grounds.
That said, it is unlikely a terrorist, smuggler or hawala operator in India would use a Blackberry - while a Blackberry is traced to a user, the same cannot be said about throwaway Hotmail and Yahoo addresses accessed from a cybercafé. After the emails of some terrorists were intercepted in the late 1990s, they have adopted another strategy.
A group of them create a webmail address and agree on a password. Thereafter they type their messages, but instead of sending them, they save them in the 'drafts' folder - no internet traffic is generated and other terrorists just log on and check the 'drafts' folder for messages. Others use steganographic techniques, which allow concealing encrypted messages in video/audio/pictures that can be exchanged in open forum chatrooms or on sites like Orkut and Facebook.
Ravi V Prasad, an alumnus of Carnegie Mellon and IIT Kanpur, heads a group on C4ISRT (Command, Control, Communications and Computers Intelligence, Surveillance, Reconnaissance and Targeting) in South Asia
'Revealing encryption codes will effectively kill e-commerce in the country'
If the larger fence that your neighbours built to protect their house led to a higher chance of burglary at your home, would you call it fair play? Perhaps not. But, in effect, this is precisely the nature of argument that manifests from the pervading debate between DoT, telecom service providers and RIM.
At the heart of this debate is the forward march of technology and how it impacts consumers and business, both in terms of the yin and the yang - the benefits and the challenges that emanate from technology adoption.
Internet and wireless mobility have spawned innovation and value creation of proportions that we are yet to comprehend in their potential and true impact. Businesses and consumers have gained productivity by the deployment of internet and email services; however, in doing so, they have also inadvertently opened themselves to increased vulnerability by way of internet and email frauds.
For business and consumers to bet on their continued reliance on internet and mobility, they need an assurance that the investments in these technologies will not compromise their relationship capital and material worth. It is precisely this need that technologies such as encryption fulfil and players such as RIM have found their raison d'être in meeting this unmet need.
While the issue relating to providing government agencies access to email services from RIM is recent, the adoption of encryption technology in India can only be characterised by its ubiquity: right from consumer banking transactions to enterprises exchanging data between different offices and financial institutions conducting business with each other to government organisations, all use encryption technology in one form or the other.
And hence, any initiative to dilute the right of business and consumers to use encryption technology and, by extension, restrict suppliers to offer this technology will perforce lead to increased vulnerability for businesses on one hand, and loss of privacy to consumer on the other.
Any resolution to the quagmire posed by the issue at hand needs to address the trinity of stakeholders: government, business and consumers. While the government's position on security is consistent with the coercive security threats that India faces in general, there's a need for due recognition of the broader implications of technology adoption and need for security for all stakeholders.
There needs to be creative exploration on addressing the issues. While requesting the wireless email service provider to host its relay station in India is one possibility, it is unlikely to provide any meaningful solution unless government agencies pierce open the encrypted data using decryption keys.
Given the fact that the decryption keys are system-generated and not available to anyone including RIM, the implied implication is for the government to ban encrypted services altogether, an implication fraught with severe negative consequences and risks for all concerned.
What is at stake is not the issue of access to emails on the Blackberry platform alone, rather it is the entire business economy and community of services that have been built around internet and wireless technology.
Alok Shende is Practice Head, IT & Telecom, Datamonitor