French government officials have been ordered to turn in their BlackBerrys, amid growing security concerns over the popular push email platform.
Previously, Germany had banned the device for all officials above a given security classification, and other governments and security-conscious organisations are expected to do likewise.
The concern stems from fundamental design features of the system – even users of BlackBerry Enterprise Server, as opposed to users of RIM’s own hosted service, have all their email routed via a RIM data centre. RIM has facilities at its head office in Waterloo, Ontario, in the United States and in London.
This heavily centralised architecture is in contrast with essentially all other email systems, and its weakness has been exposed in several single-point-of-failure outages.
It follows that anyone with access to the big server also has access to all the emails passing through. Of course, any RFC822-compliant email server can read the mail passing through, but this is a trivial issue for email within one’s own network. IPSec VPNs can be used for access outside that, and public key crypto can be used to secure email to and from external addresses.
As a general rule, if anyone can collect absolutely all your traffic, they’ve got a reasonable chance of breaking the encryption, and can do traffic analysis based on the sources, destinations, times, and quantity of mail. No wonder the French government’s infosec advisers are worried. In his memoir ‘Spycatcher’, Sir Peter Wright described spending part of the 1960s cracking the French Embassy’s encrypted communications with Paris.
RIM advertises that its service complies with the US Federal Government’s security regulations, but this is unlikely to help anyone relax if it’s the Feds they’re worried about. Canada, anyway, is a party to the CAZAB intelligence agreement with the UK, US, Australia and New Zealand, so maybe the French are worried that should they want to bomb a ship in Auckland harbour again, RIM will cc everyone from President Bush to the Directorate of Wool Markets in on the email.