Consider the case of Skype, the very popular VoIP and chat service. Much like RIM, Skype advertises its product as offering unbreakable “end-to-end encryption” and, for that reason, is used widely among businesses, human-rights activists and other persons at risk. In 2008, however, Citizen Lab researcher Nart Villeneuve determined that the Chinese partner of Skype, TOM-Skype, was secretly monitoring private chats of Skype users and uploading the data to the servers in mainland China, presumably to share with Chinese security services. The monitoring affected not only users of the Chinese version but also regular users of Skype with whom they communicated. Skype said it had no prior knowledge of the modification to the code made by TOM-Skype and “deeply apologize[d] for the breach of privacy.”
There are, of course, legitimate reasons for companies to comply with local laws, and with law enforcement and intelligence. Bad guys can use their products, and security services may need access to their data to be able to do their job. But it’s one thing for a company such as RIM to make provisions for access to its encrypted data for law enforcement and intelligence in a country such as Canada, the U.S. or Britain and quite another to do so with Egypt, Indonesia, Saudi Arabia, Kuwait, Russia, China or the United Arab Emirates.
These are countries that do not have the same legal checks and balances over security services, or anywhere near the same degree of judicial oversight and public accountability. More important, they also have a much broader notion of what constitutes a security threat, which can include human-rights activists, political opposition groups and free-speech advocates. Complying with “local law” in this case could mean collusion with some nasty regimes.
The issues around the RIM-UAE controversy go beyond interception of data to include access to information and freedom of speech. A BlackBerry is also used to surf the Web and, in many of the countries swirling around the latest controversy, Internet filtering is de rigueur.
A Kuwaiti newspaper has reported that RIM has agreed to filter access to 3,000 pornographic websites at the request of the Persian Gulf emirate’s government. (Some users say it’s already filtering access to Web content in the UAE and Pakistan.) Research undertaken by the OpenNet Initiative over the past seven years shows that governments rarely admit to filtering anything other than “pornography,” even when they block non-pornographic websites. The UAE, for example, requires its ISPs to block access to political opposition groups, religious sites and sites related to gay and lesbian issues, although it doesn’t admit it.
Will RIM comply with those requirements? Will it inform its users that it’s doing so? Will it publicize the block lists that it’s given by the governments? Or will it take a stand against those requirements in ways that it has about interception of private data?
Part of the reason the RIM issue is so confusing is RIM itself. On one hand, it’s claiming its services are so secure even it can’t decrypt its own encrypted data streams. “RIM cannot accommodate any request for a copy of a customer’s encryption key, since at no time does RIM, or any wireless network operator or any third party, ever possess a copy of the key,” the company said in a statement this week.
On the other hand, the company said it respects “both the regulatory requirements of government and the security and privacy needs of corporations and consumers.” But how are these two principles resolved when governments require access to data for law enforcement and intelligence purposes?
RIM considers its negotiations with governments about access to be “confidential,” yet says it doesn’t make special arrangements with one country that aren’t “offered to the governments of all countries.” If that’s the case, why are there confidential negotiations at all?
