The BlackBerry advertisement beamed on Indian television tells of the growth of the brand in a country where half of its 1.2 billion population is busy chatting on mobile phones. From boardroom executives to university students to housewives, the ad portrays an India clamoring for its phones, and with good reason. Beyond the phone’s traditional enterprise customers, he BlackBerry Messenger is the "in" gadget for children in India’s large cities, while their parents lap up the BlackBerry handsets developed for the Indian market.
BlackBerry handsets are now available in more than 70 Indian cities, compared with just a handful just a year ago. There are now an estimated 1 million BlackBerry users in India, according to press reports. That’s good news for the balance sheet of Research in Motion (RIM), the Canadian company that produces the BlackBerry. But the tremendous growth in such a short time span has also spurred a delicate problem: How to handle national security concerns in a country that has suffered from several recent terrorist attacks involving mobile phones in one way or another. India’s government has given the company behind the BlackBerry, Research In Motion (RIM), until the end of next January to allow its national intelligence services full, real-time access to all services available on the device. That leaves RIM in a quandary.
But this isn’t an isolated case for RIM. Several other governments and regional institutions are reviewing BlackBerry services in their countries, all citing security fears over the level of encryption employed by RIM. The German government has banned politicians and civil servants from using the BlackBerry. The European Commission opted in early August for its staff to use Apple’s iPhone and HTC smartphones instead. Meanwhile, policy makers in the U.S. Sweden, Canada and the United Kingdom are debating or passing laws giving their enforcement agencies new powers of Internet surveillance, in many cases requiring communications-system providers to redesign products and services. More are passing data retention laws, requiring companies to hang on to customer data in case they need to be investigated later.
An Open Debate
But RIM says singling out its products is futile as people who misuse its Internet-encrypted technologies would simply migrate to numerous other alternatives. Authorities, however, retort that unlike other smartphones, whose services are handled locally by a service provider, BlackBerry messages are first encrypted and securely stored within the smartphone technology. They are then sent in an encrypted manner. A country-specific solution could be to install network connection points nationwide to handle the local data.
Earlier this year, RIM came under pressure in countries like the United Arab Emirates (UAE) and Saudi Arabia, which threatened to cut off certain BlackBerry services for security reasons if the manufacturer did not give the government access to its technology. But while the UAE and Saudi confrontations have ended — seemingly to mutual satisfaction — the Indian debate remains open.
In India, the BlackBerry issue surfaced in early 2008 when the country’s Department of Telecommunication asked Tata Teleservices to delay the launch of its BlackBerry service until "appropriate security mechanisms" were in place. It also threatened to shut down the entire network in India if RIM didn’t provide access to its encrypted networks. Later that year, the government announced that it had decrypted the data on RIM’s networks, saying the intelligence could intercept Internet messages sent from the BlackBerry to non-BlackBerry devices. It was widely reported that RIM agreed in principle to allow the government to monitor BlackBerry’s "consumer mails," which have a lower level of encryption than its other types of mail. RIM declined to comment on the reports.
When the UAE raised security-related concerns earlier this summer, the issue heated up again in India. RIM stated that it would try to meet India’s security needs while ensuring its clients’ privacy by agreeing to a 60-day test to see if security agencies could tap its mail services, an Indian Home Ministry spokesperson told reporters. RIM also said the test would involve feeding a copy of all corporate emails sent through a server on a company’s premises to monitoring systems run by Internet service providers. And it offered to lead an industry-wide forum to find ways to balance India’s security needs with its customers’ privacy.
On August 12, RIM announced that the decision to provide carriers with capabilities to access data would be based on four principles. First, a carrier would have to observe the access and national security requirements set by the country. Second, the carrier’s demands must be "technology and vendor neutral," so RIM isn’t asked to do anything more than competitors. Third, it would not change the security architecture for BlackBerry Enterprise Server. Fourth, RIM maintained a "consistent global standard for lawful access requirements that does not include special deals for specific purposes."
In October, the case took another turn when India reportedly rejected a RIM proposal to allow government authorities limited access to its network. RIM said it would continue to work with India "within the framework of the core principles.
Deadline Driven
The government extended the initial October 31 deadline by 90 days to give it time to assess RIM’s proposals. While RIM has not commented on what has transpired since its update in August, India’s home ministry said the company has already granted the government manual access to its messenger service and promised automated access by January 1.
While India is keen to get its hands on the encrypted email services through RIM’s enterprise servers, the company says it can’t oblige because only individual businesses offering the service to their employees have the ability to grant such access. That’s where the issue stalls. But it’s widely believed that the two sides will come to a solution as RIM has done with other governments. "We are working with Indian officials and we don’t disclose the details of the talks," Frenny Bawa, RIM’s managing director for India told a reporter recently. "Suffice it to say that we are quite bullish that the outcome will be positive."
What will RIM have to part with to satisfy a government sensitive about use of technology? In September, Canadian Trade Minister Peter Van Loan said Canada’s police were allowed to intercept telephone and other forms of communications by obtaining a warrant from a judge and India’s demand for access to BlackBerry encrypted data was similar to the access Canadian security agencies had.
It boils down to India’s government wanting RIM to deploy an interception server in India, says Gurpreet Dhillon, professor of information security at Virginia Commonwealth University. This has to be done with an Indian service provider and include a definitive tracking system, he says. It is relatively easier for Indian authorities to gain access to data from Indian service providers than from RIM, he adds.
While RIM says it will provide data just as it does to the Canadian police, but Indian officials remain unhappy. According to Dhillon, it would ultimately be easier for authorities to monitor suspect individuals continuously, rather than receive piecemeal information from RIM.
If Indian authorities install network connection points nationwide, Dhillon says, they could be used less for tracking individuals and their phone calls and data, rather than for insight into overall usage patterns in order to detect anomalous behavior. But Dhillion adds wonder who else will fall under scrutiny. "Are [India’s authorities] going to require Google and Yahoo to do the same? Or are they going to go the China and Saudi Arabia route where all Internet traffic has to pass through government-controlled filters?" he asks.
The outcome is important for RIM in a country that adds 16 million new mobile subscribers every month and still has only half the country’s population covered. A shutdown of its services, which would likely cause RIM to lose customers, would certainly dampen its growth strategy in India. Its current one million user base is likely to grow now that it has launched a prepaid service — nearly 97% of the overall Indian market is prepaid subscribers. But it is the prepaid services that its government is worried about, given that’s the service terrorists have used in the past.