Indian Government's Wild Goose "Blackberry" Chase

Added 16th Aug 2010
Kailas Shastry

A false sense of security is worse than not having security at all. The Indian Government's decision to ask RIM to place its servers in India, citing national security as a reason, only highlights the sad truth that the folks running the show in the Government understand nothing, as in, nothing, about IT security and how the Internet works. You only need to understand the basics of how encryption works and how email services are offered on the Internet to realize that forcing RIM and other email messaging service providers to place their physical servers in India may not bring in even an iota of extra security.

This move by the Government is not original either. At the start of this month the UAE government (which ironically is trying to establish itself as a business hub) decided in the name of 'national security' (these two words seem to justify any and every action) to ban Blackberry services. While Blackberry has been in India for years, just days after the UAE announced the Blackberry ban, the Indian Government decided to do a 'me too'. I mean, if you are copying an idea, copy a bright one and better it. Not this.

Now let's say the Government gets its way. So we will have Blackberry data residing on servers located physically in India. And let's say Blackberry commits to making the messages readable. Will the government be able to then simply read (via human or machine) all messages and emails sent by Blackberry devices? Not necessarily.

Let's understand the route a corporate Blackberry message takes: the device (Blackberry handheld) sends the encrypted message to the Blackberry server(s), which then send that message to the company's Exchange server (Blackberry Enterprise Server runs on top of Microsoft Exchange Server). The Exchange server then sends it 'out' to the recipient's email server. Anyone who knows this (and this is publicly available information) and does not want his email read can simply install a third party encryption tool (for instance PGP) on his Blackberry. What happens then is that the Blackberry device encrypts the already (PGP) encrypted message and sends that out to its server. Even if the server decrypts the Blackberry encryption, nothing can be done about the third party encryption applied at the sender's end without the keys to decrypt it. PGP, for instance, is a widely used encryption tool - nothing illegal (yet) about using it. There are umpteen tutorials on the Internet that show how such third party encryption can be set up on handhelds. You don't need to be a hacker to do that.

Even if one goes by the argument that the bad guys may use Blackberry devices to message each other, the presumption that the communication will be in human language is rather naïve. Using predetermined code words, sensitive information can be passed between parties inside what appears to be common everyday conversation. "How are you doing" - "My right leg is aching" may mean just that - or those could be a secret code. So much for 'monitoring'. And I am not even getting into the kind of infrastructure - server / storage farms, no less - required to scan the entire lot of transmitted Blackberry messages in near real-time and the algorithms required to pick up keywords and flag specific messages for human review. At this point I am only questioning the rationale - let alone the technical near-improbability.

Then there is the question of email services that the Indian government wants to 'monitor', again, for the sake of 'national security' (I am already getting tired of the massive abuse of this phrase). Today's newspaper reports said Google and Skype are on the radar as well (exactly for what, we don't know yet). In the midst of national security and all that, the Government has (conveniently) overlooked the fact that there are hundreds, if not thousands, of email service providers. There is no way the Government can coax every one of them to place the servers that store emails of Indian accounts in India, and it will be a Herculean task consuming humongous resources for security agencies to monitor every one of them.

In a purely hypothetical world, let us say the above is indeed possible - security agencies can 'monitor' all emails sent using any email provider. The simplest solution for anyone not wanting the government snooping around their emails is to again use encryption tools - like the almost legendary open source PGP. Mathematically it is near impossible to conduct a brute-force attack within reasonable time to 'read' the message unless you have a farm of supercomputers at your disposal. Third party encryption tools are relatively easy to set up and, well, relatively impossible to crack.

All that's being achieved is potentially compromised corporate security and unnecessary hassles for service providers like RIM or Google, who may have to set up infrastructure in order to play along and in turn pass the additional cost on to customers - you, me, your company and mine. On a side note, coming to Skype, I'd be very surprised if the company, known for its (really) strong encryption and privacy assurances, would go along with the Government's antics of wanting to monitor its traffic. What is most disturbing is the fact that Governments (not just the Indian Government) looking to ban or monitor services like the Blackberry have not come to understand the nuances of the digital age, perhaps still stuck in the physical world, and are completely missing the point when it comes to technology, doing only lip service. And that's the real national security concern for me and anyone else who understands technology.
