RIM's backdoor sniffed by BBM-snooping Indian spooks

BlackBerry biz pushes BES access headache to operators


Research In Motion is finally set to offer the Indian authorities a permanent system for access to its consumer-focused messaging services with the installation of new Mumbai-based servers.

The Times of India was given a government briefing on the matter. It claimed that the servers have been inspected by government officials and that permission would shortly be granted by the BlackBerry maker for lawful interception of messages if the intelligence agencies there suspect terrorist or other serious illegal activity is being conducted via the platform.

The news comes a few months after a Wall Street Journal report claimed that a monitoring facility had already opened in Mumbai to deal with any requests from the authorities. The Reg is still waiting to hear back from RIM on whether the two stories are linked.

It is also believed that RIM was co-operating with the authorities before this on ad hoc requests to access any email or BBM messages sent over its consumer service.

The Indian reports also claim that the government has backed down on its demands to gain access to BlackBerry Enterprise Service (BES) messages. RIM rightly always maintained that it couldn’t provide access to content running on its corporate service because it didn’t hold the encryption keys – they reside with the sponsoring organisation or business.

Intelligence Bureau director Nehchal Sandhu admitted to the paper that such corporate communications were not of “high concern” anyway from a security standpoint.

However, RIM has reportedly reached an agreement with the government which effectively pushes responsibility for providing access to BES communications down to the service provider level.

The report said that the government would be tapping up mobile operators like Vodafone, Airtel and RCom for a list of the approximately 5,000 BES servers in the country and their locations.

However, while the deal will enable RIM to comply with local laws while washing its hands of the tricky BES problem, it remains unclear how the network operators will be any more able to provide access to BES – given that the encryption keys remain in the hands of their customers.

It’s not all about RIM, of course. The report revealed that the Nokia Push Mail service would be targeted next by the Department of Telecommunications.

Other online communications giants including Yahoo!, Google and Skype are also thought to be in dialogue with the authorities over providing more local services which can be brought under the same strict guidelines. ®


Other stories you might like

  • Another VPN quits India, as government proposes social media censorship powers
    New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations

    India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

    One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

    On Tuesday, another VPN – Surfshark – announced it would do likewise.

    Continue reading
  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading
  • BSA kicks multiple holes in India's infosec reporting rules
    Strongly suggests extensive re-writes and consultation - backed up by Microsoft, Intel, AWS, and friends

    Lobby group The Software Alliance (BSA)* has written to India's government, pointing out impractical requirements, inconsistencies, and flaws in the nation's recently announced infosec reporting rules. The organization says the problems can only be addressed with extensive consultations and a delay to implementation.

    The BSA has already co-signed another letter that eleven tech and finance lobby groups sent to India's government, which requests changes to requirements such as extensive logging of user activities and reporting of even trivial infosec incidents within six hours of detection. That multi-party letter states that these rules will harm the nation's economy by discouraging foreign investment.

    The Alliance's own document [PDF] raises issues not addressed in the multi-party letter – such as an argument that requiring cloud providers to supply logs of customers' activities is futile as clouds don't log what goes on inside resources rented by their customers.

    Continue reading

Biting the hand that feeds IT © 1998–2022