In response to reports that Canadian police have had the private key to decrypt BlackBerry Messenger messages for years, the company’s CEO said BlackBerry complies with “lawful access requests” and is still committed to customer privacy.
In a blog post that only addressed the BBM encryption issue obliquely, BlackBerry CEO John Chen said that the company’s guiding principle is to do what’s right for citizens, as long as that doesn’t interfere with legal requests. The case that stirred up the trouble involves a complicated investigation into organized crime operations in Montreal several years ago. Documents from the case, exposed last week, show that the Royal Canadian Mounted Police have had the ability to decrypt BBM messages for several years.
“Over one million private messages were intercepted and analysed as evidence using the PIN to PIN interception technique. This was the first time that this technique was used on such a large scale in a major investigation in North America,” the RCMP said in a statement in 2014.
The exact technique that the agency used to decrypt the messages isn’t clear, but one detail is: BlackBerry devices not connected to an Enterprise Server all use one hardcoded key for encryption. That means that if the RCMP had or has the key, it could decrypt any intercepted messages. Chen said that BlackBerry acted properly in the case, and emphasized that the BlackBerry Enterprise Server was not part of the investigation.
“Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles. Furthermore, at no point was BlackBerry’s BES server involved. Our BES continues to be impenetrable – also without the ability for backdoor access – and is the most secure mobile platform for managing all mobile devices. That’s why we are the gold standard in government and enterprise-grade security,” Chen wrote.
Organizations that use the BES as part of a BlackBerry deployment do not use the hardcoded key for BBM encryption. Instead, they use individual, device-specific keys.
Like many other technology vendors and Internet companies, BlackBerry finds itself in the position of needing to respond to requests for information or access to networks from law enforcement agencies while trying to protect users’ privacy. Some of these situations turn into public disputes, as in the Apple-FBI case, while others remain hidden.
Chen said BlackBerry has refused some government access requests that it thought to be improper, but will continue to aid agencies with lawful requests.
“For BlackBerry, there is a balance between doing what’s right, such as helping to apprehend criminals, and preventing government abuse of invading citizen’s privacy, including when we refused to give Pakistan access to our servers. We have been able to find this balance even as governments have pressured us to change our ethical grounds. Despite these pressures, our position has been unwavering and our actions are proof we commit to these principles,” Chen wrote.