Getting the Message: Decoding Issues in the BlackBerry Backlash

After weeks of wrangling that nearly left the United Arab Emirates' 500,000 BlackBerry users with expensive pieces of junk in their pockets and purses, the UAE and Ontario, Canada-based Research In Motion reached an agreement earlier this month to keep the company's e-mail service in the country. A similar agreement recently was reached between RIM and Saudi Arabia, while talks continue between RIM and India.

At the heart of the government backlash against the BlackBerry device were demands to monitor its service, which is popular among corporations for the security in communications it provides. Concerns about terrorists utilizing the device to plan attacks have been chief among the reasons for the requests for scrutiny by Middle Eastern and Asian governments, though accusations of unfair treatment by the company when compared to Western governments have also been made.

Rather than simply being a debate about access, Wharton professors say that the confrontations between RIM and these governments raise a number of issues that cannot be dealt with quickly, from leadership and company response in a crisis to questions regarding the control and jurisdiction of data flowing across international borders, and the obligations global communication companies have in protecting their customers from unreasonable searches by governments.

Few confirmed details have emerged as to what spurred the Gulf countries to take action against the BlackBerry. Many reportedly have to do with national security, however. UAE officials have said publicly that they see their requests as nothing more than asking for parity, arguing that while they have been in discussions with RIM regarding oversight since service was approved by the UAE's Telecom Regulatory Authority in 2006, the American, Russian and Chinese governments have already gained permission to snoop through customers' e-mails, though RIM denies this. (In 2009, RIM alerted 145,000 BlackBerry users in the UAE that a service update suggested by a local provider would actually allow unauthorized access to their e-mails and messages, and advised them to remove the software.)

Recent security incidents have also been noted. Gulf countries are likely riding on India's demands to oversee data from the service, as India alleges the devices were used to plan the Mumbai terrorist attacks on November 26, 2008. Another incident is the assassination of a Hamas official in Dubai this past February that UAE officials allege was planned by Israeli agents using BlackBerry phones. Gulf officials have also expressed concern about Iranian spies operating in their countries, a worry that was given substance when an alleged Iranian spy ring was discovered by Bahraini law enforcement in June.

There are social concerns regarding the BlackBerry device also. It is alleged that its secure e-mail is used to circulate pornography, which is banned in most of the Middle East. Or that the phone's secure device-to-device messaging service allows for flirtation among the sexes, which is also frowned upon in the region.

There is also the issue of outspoken criticism of leadership being passed around on the devices, a social taboo within the public realm. A detailed exploration of the issue was provided by Sultan Sooud Al Qassemi, a non-resident fellow at the Dubai School of Government, in an August article for Foreign Policy magazine. What may have pushed officials, Al Qassemi wrote, was that in June "a leaked document surfaced and was distributed amongst Emiratis on BlackBerry Messenger. The document appeared to be an official request from the secretary general of the UAE's parliament, known as the Federal National Council, requesting that the Dubai Traffic Department waive the traffic fines of the parliament speaker, who hails from one of the wealthiest families in the country. Within a few hours, a virtual frenzy broke out unlike anything seen in the UAE before, with Emiratis loudly criticizing and defending the speaker personally.

"Government officials, including the local Dubai police chief [seen as somewhat of a celebrity], weighed in via radio and newspapers on the discussion of these messages that were sent via BlackBerry," Al Qassemi wrote." Although many Emiratis turned to Arabic language Internet forums, social networking sites and newspaper commentary pages expressing both outrage and support to the speaker, the most outspoken sentiments were sent via BlackBerry Messenger."

RIM and government officials in the UAE and Saudi Arabia have reached an agreement, but with few details. The agreement is "final," Mohammed al-Ghanim, director general of the country's telecom regulator, told Bloomberg News on Monday. Later, he told Reuters, "RIM is now in compliance with the UAE's telecoms regulations and there is a strategic co-operation between the authority and RIM," adding: "I will not speak about any server." In a keynote speech at a trade convention on Monday in Dubai, RIM co-CEO Jim Balsillie told the audience his company is "committed to the market and are investing in it."

However, industry experts have gleaned some details regarding conditions of the agreements. Reportedly, one such condition is that RIM will leave the decision with corporations to decide whether or not to allow authorities to have access to their information, experts say. Though RIM is able to distance itself from the contentious issue, it also shifts the responsibility to the corporations who use its service, many of whom may not be technically prepared to deal with the security demands, or have any policy in place to address them.

Individuals would not have such protections, and another potential condition is that targets for observation would be reviewed on a case-by-case basis, experts say. The authorities would have to detail their concerns regarding an individual to RIM, but would not have to notify the intended target of their investigation.

Learning Local Sensitivities

Though the BlackBerry service is under scrutiny in a number of countries, and Google has experienced similar concerns about the restricted use of its Internet search engine in China, the examples do not represent a change in the outlooks of international markets towards their services, says Wharton management professor Mauro F. Guillén.

"I would tend to think that this is an isolated incident and these sorts of things happen," Guillén notes. "There have been all sorts of problems, not just in telecommunications, but in various industries. I think what's obviously different in this case is that the countries are not doing this for protectionism, they are taking action for other reasons, such as national security."

"What happened in China to Google and to BlackBerry in the UAE was unavoidable," Guillén continues. "These countries reacted strongly to the business model of each of these firms. It's very difficult to anticipate."

Though it may seem intuitive, Guillén says that companies new to a country have to establish a channel of communications with the government, and go beyond business meetings to include inviting officials to events for more casual conversations. "When the crisis comes, you have somebody to talk to, and you have somebody who already knows something about you, and can play a role to help your company resolve the situation," he notes. "And it's very, very important that the CEO is in charge of the response. You cannot delegate that."

Such confrontations also highlight the need for a company operating overseas to make a strong effort to learn about the culture and governmental system that it is operating in, says Wharton management professor Michael Useem. Integration, rather than imposition, should characterize the tone of such approaches, he suggests.

"Put yourself into the position of the UAE's view of the world," Useem notes. "Separately, put yourself in the position of people who run Research In Motion, and recognize that both have a legitimate argument and an appropriate claim. So I think a good starting point is not to work on the premise that either is right or either is wrong, but that they are what they are, and then work through how you can reconcile two seemingly incompatible mindsets."

"Let's say RIM called me — I would say a couple of things," Useem adds. "One is about the importance of becoming savvy, the effort of learning about sensitivities, how governments work, and how the world works differently from what we know in North America….

As an example, Useem says when Microsoft faced antitrust allegations from the U.S. government in the late 1990s the company reacted by "radically increasing" staff in the company's Washington office "because it felt it was blindsided by not knowing enough about how the Justice Department operated [the case was settled in 2001]. So [in the case of] RIM, I'm sure they've got a lot of smart people thinking about the world out there. But [it's important to redouble] that effort — to know how is it that the UAE works, or Indonesia, or wherever else, [or] you'll run into trouble."

What Companies Owe

Considerations regarding access bring a complex set of questions for communications and information services companies, experts note, from deciding the appropriate responses to choosing between customer expectations and state interests.

"The question is how much access to allow governments and in what way," says Wharton legal studies and business ethics professor Nien-hê Hsieh. "And then you want to distinguish, by granting access to this information, [is the company] acting in a way that is violating some kind of legitimate expectation that customers can have about the security that they should expect from BlackBerry? Or are they acting in a way that no company, regardless of customer expectations, should be acting at all?"

Allowing legitimate access to communications is a fair concession, Hsieh notes. What RIM owes its clients and the public, he says, is an explanation of those concessions and the conditions for allowing access. "I think they could try to address the concerns of the customer base, and they probably could do more from a perspective of trying to make clear where they stand, because unfortunately, BlackBerry is taking a hit on this issue, even though comparatively the security they offer their clients is probably as great, or better, than their competitors," he points out.

While Hsieh says it would be hard for a BlackBerry user to argue they have legitimate claim to be protected against RIM providing information that is consistent with a legal search, it does beg questions as to the nature of the searches. "What is the rationale for wanting access to that information, and is the legal system or the country [in which] they are operating have in place any safeguards, so that the search is consistent with the basic tenets that we have for what we could call a reasonable kind of procedure?" Hsieh asks. "In other words, these are the universal standards we have. If a government wanted to go in, and use their access to track people to violate human rights, this would be a problem. On the other hand, if there is a concern about terrorism or security, then that would be deemed reasonable."

To maintain a presence in the region, yet avoid some of the moral pitfalls involved in agreeing to questionable requests, Hseih suggested that RIM could take Google's approach in China — the Internet search engine only offered web search services, not chat or e-mail, because it didn't want to be in a position of having to give up a user to the authorities. Since the concern in the Middle East is regarding the BlackBerry's instant messaging service, RIM could choose to offer their future phones without that service, he notes.

Information Keeps Flowing

Ultimately, the issue behind the attempts to restrict BlackBerry's messaging service, or Google's Internet searches, is bigger than any one company or the technology behind the services, says Gurpreet Dhillon, professor of information security at Virginia Commonwealth University. Instead, he suggests, it is the legal issue surrounding the control and oversight of data flows, particularly the jurisdiction over that data.

"RIM's data resides in Canada, and Canadian laws are applicable on that data," Dhillon says. "The concern is not about data encryption, it is about how you as a country are going to get access to that data…. If there are criminals using the service, I as a country need to know."

Usually, the mobile provider offering services in these foreign markets are controlled by or linked to the country, Dhillon notes, and so they can access data easily. But regarding the BlackBerry, the local providers in the Middle East do not control the data, thereby setting in motion the collision of state interests and private business.

According to Dhillon, the UAE and other countries are not the only ones to have made requests regarding data oversight, citing legal action the U.S. took in the mid-1990s against Phillip Zimmermann, the creator of Pretty Good Privacy (PGP), the most commonly used e-mail encryption software today. By releasing the software on the Internet, where it ended up being downloaded overseas, the Customs Service alleged Zimmermann violated the Arms Export Control Act. Dhillon says the real motivation behind the action was to push Zimmermann to tone down the encryption, because the government couldn't crack it.

Though measures have been negotiated, and countries continue to talk with RIM, Dhillon is critical of the approach of attempting to restrict or outright end certain services — partly because he contends that it is ineffective. Dhillon offers an analogy of owning a car. "Maybe there is a high risk of it getting stolen. But I'm not going to stop driving it, I'm going to use a layered security approach — I'm going to keep my keys rather than leave them in the ignition, install a car alarm and a wheel lock.

"I have a strong belief in the fact that communication technology is here, and you can't win by banning it, you are going to have to change with it."

Useem agrees. "In the end, open communication and the free flow of ideas is better than the opposite," he notes. "If you look at what has happened with Google in China, both sides backed off a bit … In the case of the UAE and elsewhere, it's really technically hard to limit information in anyway. Thus, in the longer term, if somebody called me to think about this, I'd say, 'Find ways of achieving what you want, without trying to get in the way of how these information providers operate.'"

Forced To Learn

Whatever agreements are settled upon, Dhillon predicts that it is only a matter of time before another terrorist incident occurs, or criminals find a new way to exploit communications technology, and new calls are made to put more stringent restrictions on data services. "I would say the issue is smoldering," he says. "There is going to be continuous debate, as there are a number of issues regarding the control of a ubiquitous computing environment. How do you manage it? Nobody has the answer that question, particularly nation states."

In that regulatory and legal void, an increased burden will be on global-spanning companies to supply some of the answers, Hsieh suggests. "I think companies on the ground will have to take on the roles that have traditionally been left to other entities and social institutions…. For example, in some places, multinationals have been asked to provide healthcare for the local workers building hospitals or schools…. What companies should try to do is close that institutional gap, rather than taking on the role of other civil society actors in the state."

Despite the challenges posed to companies in the global market by government demands, Useem says they are ultimately outweighed by the benefits of operating within it, even if it is in a restricted fashion. "It's a little bit like operating in cities like Bangalore, where the power goes for three hours a day," Useem notes. "It's a royal pain in the backside, but you still create your operation there. It's one more challenge there of doing business."