Term paper

on
Business Environment

Topic - Technology A security concern: In context

of Black berry.

SUBMITTED TO SUBMITTED BY

Lalit Sir Pawandeep singh

Lecturer RS3807B42

B.com(prof) 5th sem

Blackberry is a line of mobile e-mail and smartphone devices developed and
designed by Canadian company Research In Motion (RIM) since 1996.

 BlackBerry functions as a Personal Digital Assistant with address book,

calendar and to-do list capabilities. It also functions as a portable media
player with support for music and video playback and camera picture and
video capabilities. BlackBerry is primarily known for its ability to send
and receive (push) Internet e-mail wherever mobile network service
coverage is present, or through Wi-Fi connectivity. BlackBerry is mainly
a messaging phone with the largest array of messaging features in a
Smartphone today. This includes auto-text, auto-correct, text prediction,
support for many languages, keyboard shortcuts, text emoticons, push
email, push Facebook and Myspace notifications, push Ebay
notifications, push instant messaging with BlackBerry Messenger,
Google Messenger, ICQ, Windows Live Messenger and Yahoo
Messenger; threaded text messaging and a customizable indicator light
near the top right of all Blackberry devices. All notifications and
conversations from applications are shown in a unified messaging
application which third party applications can access also. Many of these
applications would have to be running in the background of other phones
to be used. BlackBerry's push gives BlackBerry devices their renowned
battery life. All data on the phone is compressed through BIS. BlackBerry
has about two thirds less data transfer than any other smartphone, while
supplying the same information.

BlackBerry commands a 20.8% share of worldwide smartphone sales, making it

the second most popular platform after Nokia's Symbian OS. The consumer
BlackBerry Internet Service (BIS) is available in 91 countries worldwide on
over 500 mobile service operators using various mobile technologies.

The first BlackBerry device was introduced in 1999 as a two-way pager. In

2002, the more commonly known smartphone BlackBerry was released, which
supports push e-mail, mobile telephone, text messaging, Internet faxing, Web
browsing and other wireless information services. It is an example of a
convergent device

Will BlackBerry face a ban in India? That's the big question in the minds of
over 10 lakh (1 million) BlackBerry users in India.

The government has now warned that it would block 'BlackBerry-to-BlackBerry

messenger' service if the maker of BlackBerry -- Research In Motion -- does not
offer a solution to monitor messages within a week.
The Indian government had raised security concerns over BlackBerry messages
since 2008. However, BlackBerry still continues its services without complying
to Indian security regulations.

While the Indian government wants BlackBerry to allow monitoring of e-mails

and SMS, RIM has said the security architecture for its enterprise customers
is based on a symmetric key system whereby the customers create their own key
and only they possess the copy of the encryption.

RIM says the security architecture for customers was designed to exclude RIM
or any third party from reading encrypted information under any circumstances.

Meanwhile, the government has stated the service providers like Airtel,
Vodafone, RCom,Tatas, BSNL and MTNL that offer BlackBerry services
should allow the security agencies to intercept any conversation or message of
subscribers if required.

BlackBerry first made headway in the marketplace by concentrating on e-mail.

RIM currently offers BlackBerry e-mail service to non-BlackBerry devices,
such as the Palm Treo, through its BlackBerry Connect software.

The original BlackBerry device had a monochrome display, but all current
models have color displays. All models except for the Storm Series had a built-
in QWERTY keyboard, optimized for "thumbing", the use of only the thumbs to
type. The Storm 1 and Storm 2 include a SureType keypad for typing, and are
the two models that are full touch-screen devices with no physical keyboard.
Originally, system navigation was achieved with the use of a scroll wheel
mounted on the right side of phones prior to the 8700. The trackwheel was
replaced by the trackball with the introduction of the Pearl series which allowed
for 4 way scrolling. The trackball was replaced by the optical trackpad with the
introduction of the Curve 8500 series. Models manufactured for use with iDEN
networks such as Nextel and Mike) also incorporate a Push-to-Talk (PTT)
feature, similar to a two-way radio.

Modern GSM-based BlackBerry handhelds incorporate an ARM 7, 9 or ARM

11 processor, while older BlackBerry 950 and 957 handhelds used Intel 80386
processors. The latest GSM BlackBerry models (8100, 8300 and 8700 series)
have an Intel PXA930 624 MHz processor, 256 MB (or 4 GB in case of the
torch 9800) flash memory and 265 MB SDRAM. CDMA BlackBerry
smartphones are based on Qualcomm MSM6x00 chipsets which also include
the ARM 9-based processor and GSM 900/1800 roaming (as the case with the
8830 and 9500) and include up to 256MB flash memory. The CDMA Bold
9650 is the first to have 512mb flash memory for applications. All modern
BlackBerrys support up to 32gb microSD cards.

Government regulation

Some countries have expressed reservations about the BlackBerry's encryption

and decryption and the fact that data is routed through Research In Motion's
servers, which are outside the legal jurisdictions of those countries. The United
Arab Emirates and Bahrain were reported to consider the BlackBerry as a
"security threat" for this reason, with the former having earlier been reported as
trying to get users to install an "update" on their BlackBerry devices, ostensibly
for performance enhancement, but which turned out to be spyware that allowed
call and email monitoring.

On August 1, 2010 Telecommunication Regulatory Authority (TRA) of The

United Arab Emirates officially announced the suspension of BlackBerry
Messenger, Blackberry Email, and Blackberry Web browsing services in the
country as of October 11, 2010. This measure was taken due to failed attempts
to bring the service and have it hosted locally as per the UAE
Telecommunication regulations.

Other copuntries threatening to ban the use of the BlackBerry Messenger

include Algeria, Indonesia and India.

Saudi Arabia had threatened to ban the service, however it was able to reach an
agreement with RIM to set up a server for the service inside the Kingdom.

Why is there a security issue over BlackBerry usage? How did it start?
What steps are being taken?

More countries like Indonesia, Kuwait and Egypt are contemplating a ban

against Research in Motion's BlackBerry service.

"Certain BlackBerry applications allow people to misuse the service, causing

serious social, judicial and national security repercussions," a statement from
the United Arab Emirates government said last week.

While the high level of encryption on data transfers has been one of the biggest
advantages for many Blackberry subscribers, this has now turned out to be a
grave security threat for many Asian countries.
Meanwhile, the European Union Commission has also rejected BlackBerry
phones and opted for Apple's iPhone and HTC smartphones. BlackBerry is still
used by many state heads and high level officials.

The United States has, however, expressed its disappointment over the ban on
BlackBerry by the United Arab Emirates and said this will set a dangerous
precedent in free flow of information.

"We are disappointed at the announcement. We are committed to promoting the

free flow of information. We think it's innovative. It's integral to an innovative
economy and we will be clarifying with the UAE their reasons for making this
announcement," US State Department spokesman P J Crowley said.

The United States has said it is in touch with countries like India, the UAE and
Saudi Arabia over their concerns with regard to the security features of
BlackBerry.

"There are issues attached to freedom of information, the flow of information,

the use of technology. We are in touch with these governments," Crowley said.

"We're going to try to understand what their concerns are, the nature of the
ongoing negotiations that they have with this particular company. And then
you've touched on that there are number of countries that are in the midst of
these negotiations and we'll see what the implications are," Crowley said.

Crowley said  there are legitimate security concerns attached to certain

technologies and  the flow of information around the world. "We understand
those concerns. We want to best understand what's behind those concerns."

"At the same time, we do support the flow of information, the available
technology which does empower people. We are in touch, given that this issue
has come up in a variety of countries, we are reaching out to those countries -
have a discussion to understand the nature of their concerns and see if we can
find solutions," he said.

Noting that it is about not only the free flow of information, but it's the
availability  of technology, he said the cell phone in its various iterations has, in
fact, opened up a new world of information to people around the world.

"It is empowering them to do many unique and different things. We are broadly
supportive of trends to bring technology to bear to help people who have not
had access to information before. Knowledge is power. And to the extent that
you can bring knowledge through portable devices to more people around the
world, this has the ability to transform societies," said Crowley.
BlackBerry's justification

BlackBerry says the messages are encrypted. The smartphone's server is based
in Canada where the encryption level is very high and extremely difficult to
crack.

And any message going through a Canada server is encrypted and, therefore,
cannot be accessed by intelligence agencies in India.

"RIM does not possess a master key nor does any back door exists in the system
that would allow RIM or any third party to gain an unauthorised access to the
key or corporate data," the company said.

It, therefore, would be unable to accommodate any request for a copy of a

customer's encryption key since at no time does RIM, or any wireless network
operator, ever possess a copy of the key.

Senior officials of key security agencies at a recent meeting argued that the
continuation of BlackBerry services in the present format poses danger to the
country.

The meeting was attended by representatives of the Ministry of Home Affairs,

department of telecommunication, intelligence agencies and the National
Technical Research Organisation.

The latest development indicates that security agencies are again finding it
difficult to intercept or decipher messages sent through these phones,
which use codes with an encryption of 256 bits.

This encryption code first scrambles the emails sent from a BlackBerry device
and unscrambles them when the message reaches its target.
How can the services be misused?

RIM willing to locate its servers in India (allowing interception) since the costs
are not justifiable on commercial grounds.

BlackBerry phones have been recovered from terrorist gangs in the past. With a
BlackBerry, a user can have instant and encrypted communication with another,
simply by calling the other person's unique four character number.

However, a BlackBerry can be traced to a user, the same cannot be said about
throwaway Hotmail and Yahoo addresses accessed from a cybercafe.

After the emails of some terrorists were intercepted in the late 1990s, they have
adopted another strategy.

A group of them create a webmail address and agree on a password. Thereafter

they type their messages, but instead of sending them, they save them in the
'drafts' folder -- no internet traffic is generated and other terrorists just log on
and check the 'drafts' folder for messages.

Others use steganographic techniques, which allows concealing encrypted

messages in video/audio/pictures that can be exchanged in open forum
chatrooms or on sites like Orkut and Facebook.

What does the government want?

The Ministry of Home Affairs has reiterated that BlackBerry emails and other
data services must comply with formats that can be monitored by security and
intelligence agencies.

The government will allow telecom operators to offer services, which can be
intercepted by the security agencies. If any service is not allowed to be
intercepted, it will ban such services.

There are reports that has a server has been placed in China. The home ministry
asked the department of telecom to check whether it is true.

The government also wants a BlackBerry server in India but the company has
been resisting the move. Once the server is in India, it will be easier to track the
messages.

The home ministry maintains that the RIM has been addressing security
concerns of several other countries, including the United States, where it
operates and, therefore, there is no justification to not comply with the same in
India.

The BlackBerry saga

In 2008, the Indian government had threatened to block BlackBerry services

unless the RIM provided intelligence agencies access to all data, especially
emails, routed through these handsets.

The government had also insisted that the RIM put in place a system that would
allow them to intercept data sent through these handsets as it feared that these
services could be exploited by terrorists.

After several rounds of talks between the government and RIM, the telecom
department, in late 2008, the government had announced that the issue had been
resolved.

4 types of BlackBerry services in India

There are four major types of RIM's BlackBerry services in India:

(a) Voice communication to or from another device, whether the latter is a

BlackBerry or not;

(b) SMS & MMS to or from another device, whether the latter is a BlackBerry
or not;

(c) E-Mail between two BlackBerry Devices;

(d) E-Mail between a BlackBerry and a non-BlackBerry.

Of these, (a), (b) and (d) can technically -- and legally -- be intercepted by
Indian security agencies even today, since they pass through an Indian mobile
network (Airtel, Vodafone, Reliance in a reformatted form. It is only (c) that
cannot easily be intercepted by Indian security agencies.

Is the government demand acceptable?

India's security agencies were the first to successfully use cyberforensics,

around 1996-97, to track email and cellphone communications of the Liberation
Tigers of Tamil Eelam and the Lashkar-e-Toiba.

LeT attacks in the country, for instance, were solved when the Hotmail and
Yahoo accounts of those in charge of the LeT logistics were monitored -- this
was made easier by the fact that the state-owned VSNL was the monopoly ISP
in the country.

Even the Red Fort attack was solved when the emails on the terrorists' laptops
were later traced.

In comparison, security agencies in countries like the US restricted themselves

at that time, through Project Echelon, to monitoring international phone calls
to/from the US - this was not very efficient and there were huge backlogs in the
analysis.

From the late 1990s, the US and the United Kingdom eased the legal restrictions
on snooping on email and phone calls.

The FBI-developed IP-packet sniffing tools CARNIVORE, and later,

OMNIVORE were installed on all Internet Service Providers in the US to track
suspicious email traffic.

After 9/11, all legal restrictions preventing snooping without reasonable cause
were lifted.

In this context, the Indian security agencies' demand to intercept Blackberry

email or to ask BlackBerry to deposit its decryption keys with them is hardly
unacceptable (the ISP licence does not allow encryption beyond 40 bits unless
the decryption keys are deposited with the security agencies on demand).

"Allowing governments to monitor messages shuttling across the Blackberry

network could endanger the company's relationships with its customers, which
include major companies and law enforcement agencies," a BlackBerry official
told

While India's 800,000 BlackBerry users struggle to figure out what the
government wants and what its Canadian developer Research in Motion (RIM)
has featured in these devices, here are some answers:

Q: What are BlackBerry services? Which aren't?

Ans: Mobile push-email and messenger. RIM delivers these two services
through mobile operators, such as Airtel and Reliance Communications. All
other services you use on your BlackBerry handset, such as SMS, internet
access or phone calls, are directly from the mobile operator, and are not
BlackBerry services. Push email is so called because mail is pushed out to your
handset as soon as it is received without your needing to download email
periodically.
Q: What does India's government want?

Ans: To intercept email and instant messages sent via BlackBerry, just as it can
tap a phone. When it suspects someone of perpetrating a crime, it wants to be
able to read, armed with a specific written order, any encrypted email sent on
BlackBerry. The government can order interception of messages, under Section
5 of the Indian Telegraph Act,1885, only with a written order, granted only
when required to prevent a major offense involving national security or
terrorism. Economic offenses were once covered, but withdrawn in 1999 by a
Supreme Court order.

Q: Why is BlackBerry mail encrypted?

Ans: Most email systems, including Gmail, use encryption. Enterprises don't
trust public email systems for business data; so they use their own secure,
firewalled systems. Now, when they need to use a mobile push-email system,
they want to be certain that no third party can read the mail, not even the email
provider. That is BlackBerry's USP: Mail so secure that RIM itself cannot read
it.

Q: What's BlackBerry Internet Service (BIS) and does the government

have access to it?

Ans: BIS is the lighter flavour of RIM's two email services. Meant for
individuals, it uses weaker encryption. BIS users buy convenience more than
ironclad security. Airtel or Vodafone 'pipes' the encrypted mail from your
handset to RIM, which then decrypts it and sends it out, to the recipient. So
RIM 'can' let investigative agencies read such mail, and India now has an
agreement for BIS access.

Q: Is BlackBerry Enterprise Service (BES) then the only problem?

Ans: Can RIM really not 'access' that?

Q: BES is RIM's flagship product, designed to be so secure that not even RIM
can read mail on it. It requires BES server software in the user company's
network. Email is encrypted on the BlackBerry, using a generated key shared
only between the handset and the BES server. Such mail goes out via, say,
Airtel, to RIM in Canada, and back to the company's BES, staying encrypted all
the way with a key that only that enterprise knows. Then it's decrypted, within
the enterprise, and moved to the email server. If the mail is to someone outside
the company, it is sent out - decrypted - by the company's mailserver. RIM itself
does not have the key to 'crack open' BES encrypted mail. That is the published
design. Does RIM have a secret backdoor? One really does not know.
Q: Then how can government agencies access such mail, on a terror
threat?

Ans: By going to the enterprise where the suspected terrorist is working. That
company, which runs the BES, does not even need to decrypt the mail...for all
mail is sitting within its own servers, or in its backups.

Q: Is the BlackBerry a terrorist's choice of communication tool?

Ans: No. The BES-user is working in a company. Any mail he sends is not only
traceable, but also stored and backed up. As for BIS, that is in RIM's control: so
access is easier for government agencies. The smarter terrorist would go to a
cybercafe, and use a Gmail or Yahoo mail account. He'd simply read and save
mail in draft mode without sending mail. So there's nothing to intercept. Then
there's fileshare: sites like YouSendIt, where he can keep encrypted files -
leaving almost no trace, unlike with a BES mail.

Q: How about Messenger?

Ans: BlackBerry popular instant messenger uses a weaker encryption than BES.
And RIM has access to the keys used -- which is why it can promise Saudi
Arabia and India access. And while BlackBerry Messenger can indeed be used
for real-time chat during a terror attack, so can regular, cheap cellphones, as
they were during 26/11. The answer to both is part of anti-terror standard
operating procedure: Cellphone jammers.

Q: Is such strong encryption legally allowed? Doesn't India have any

restrictions?

Ans: A creaky old law says you can't use encryption greater than 40 bits in
India without special permission, which includes depositing the key with the
authorities. Now, the weakest encryption possible in a modern web browser is
40 bits and 128-bit is the most common. But then, way back in 2001, the
Reserve Bank of BI recommended 128-bit encryption as the 'minimum level of
security' for online transactions. The recent 3G auctions were conducted using
3,000-bit technology. All in violation of Indian law!