BlackBerry security: Blessing and a curse

Research In Motion's security for its BlackBerry devices has won it many fans among the corporate elite, but it's causing problems as the company looks to enter new markets.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Marguerite Reardon
6 min read

Research In Motion's top-notch security is both a blessing and a curse for the company as governments in some key emerging markets, where RIM is looking for growth, threaten to block the BlackBerry service over national security concerns.

Last week, governments in several countries including the United Arab Emirates, Saudi Arabia, Indonesia, and India threatened to shut down BlackBerry e-mail and Web browsing services in their countries. Regulators in these countries said that RIM's stringent encryption and security network pose security concerns since authorities are unable to monitor and read e-mails and Web browsing activity.


With more than 90 percent of the U.S. population owning a cell phone, companies such as RIM are looking to new markets, such as the Middle East and Southeast Asia, for new subscribers. Today, Saudi Arabia is RIM's biggest Middle East market with about 700,000 users. Nearby UAE has 500,000 customers. These markets are expected to grow as smartphones become more popular worldwide.

Saudi Arabia said earlier this week it would start blocking RIM's BlackBerry Messenger service on Friday. And the UAE has said it will ban not only the consumer version of the service Messenger but also all mobile e-mail and Web browsing on the BlackBerry platform starting October 11.

RIM said in a statement earlier this week that it's working with officials in each country to hammer out a solution. The Associated Press reported over the weekend that RIM and Saudi officials had reached an agreement. RIM now has until the end of the day Monday to prove the fix satisfies the Saudi's security requirements. But the threat of shutdowns still looms.

What makes this situation interesting is the fact that RIM, the No. 1 smartphone maker in North America and No. 2 worldwide, got such a strong market position because of its tight security.

"RIM's strong security has been a double-edged sword," said Ross Rubin, an analyst with NPD Group. "On the one hand it has helped the company get where it is today. But now it's threatening its growth into new markets."

Indeed, it's RIM's rock-solid security that has made it such a popular device and e-mail service among Wall Street banks, law firms, local, and state governments, and hundreds of other security-sensitive industries. Even President Obama uses a BlackBerry, albeit a souped-up version of the device.

Scrambling for security
So what is it exactly about RIM's security that has corporate users drooling and government security officials' knickers in a knot? RIM goes above and beyond the typical secure Internet connection that any service transmitting sensitive data over the Internet uses to protect data.

All smartphones that provide corporate e-mail connect over secure Internet connections to protect data. But RIM adds a level of encryption to its service that the others do not. In other words, the message coming from a BlackBerry is already scrambled before it gets to the secure service connection. The message is then unscrambled when it reaches its destination on the other side of the connection.

The key used to scramble and unscramble the messages are controlled by the company or government agency that subscribes to RIM's BlackBerry Enterprise server service. Even though RIM hosts a network of servers around the world that stores this information, the company itself does not have access to the information stored in individual accounts.

"Think of it this way, the FBI can tap your phone, but if the people talking are speaking in code, the federal agents still won't be able to understand what they're saying," said John Pescatore, a vice president at market research firm Gartner. "That's exactly what RIM has done with the second layer of encryption. But RIM itself doesn't control the code."

Pescatore explained that the system was devised to ensure that RIM's customers--and not RIM--had ultimate control over its data. That said, RIM said in a statement released earlier this week that it works with all governments to ensure that the service meets national security requirements. But the company has said that it cannot compromise its service to meet any particular nation's standards. Still, some industry watchers have speculated that RIM has cut special deals with governments in Russia and China.

RIM spent years negotiating deals with each of these countries to get BlackBerry services in these markets. But the company is adamant that it has not changed anything significant about its service in order to operate in these countries.

"There is only one BlackBerry enterprise solution available to our customers around the world and it remains unchanged in all of the markets we operate in," the company said in a statement. "RIM cooperates with all governments with a consistent standard and the same degree of respect. Any claims that we provide, or have ever provided, something unique to the government of one country that we have not offered to the governments of all countries, are unfounded."

Prior to Saturday, Research In Motion had resisted demands to modify its server network, as well as other efforts to regulate the BlackBerry. But if the reports about a deal with the Saudis is accurate, RIM is compromising in order to ensure its devices can operate in these markets. The AP story states that the deal RIM has worked out with the Saudis includes placing a BlackBerry server in Saudi Arabia. RIM hosts a network of servers throughout the world that host its services. The largest network operations center that houses these servers is in Canada, near RIM's headquarters.

Even though RIM encrypts e-mails, placing servers in Saudia Arabia would allow security officials to open these messages and monitor them, according to Bruce Schneier, an author and chief security technology officer at British telecommunications operator BT, who was quoted in the AP story.

Schneier told the AP that the Saudi arrangement is similar to deals RIM has struck in Russia and China. RIM has said that its technology does not allow it, or any third party, to read encrypted e-mails sent by corporate BlackBerry users. But the consumer version of the service has a lower level of security. And apparently this is the service that Saudi officials are most interested in monitoring for possible illegal activity.

Representatives from RIM declined to comment on the negotiations or the deal that has supposedly been reached with Saudi officials. The company wouldn't even provide an executive to discuss the company's security architecture.

The market scrum
One thing is clear, new markets are very important to RIM, especially as competition grows in developed Western countries. RIM, like any other cell phone maker, needs to find new markets for its products.

This is especially true as RIM faces more competition in its traditional markets. Even though RIM is still the No.1 smartphone maker in North America and the second largest smartphone maker in the world, its market share is starting to slip as wireless subscribers flock to new platforms such as the iPhone and Google Android.

Even among corporate customers, where BlackBerry has had a dominant presence for years, the company is threatened. Corporate IT managers still agree that BlackBerry is the most secure smartphone on the market, but as employees pressure them to allow other devices to be used, loyalty to RIM is fading.

"Three years ago, employees bringing their own phones to work was a nightmare for the corporate IT manager from a security and management perspective," Pescatore said. "Now it's just their reality. They can't fight it."

And who can blame them. Consumers are buying their own smartphones and bringing them into work and asking to have them connected to the corporate network. While it might pose some security risks and be a bit more difficult to manage, it also means that the company doesn't have to pay for a new cell phone or data service for the employee. And the employee is happier using the phone he has picked out.

So is RIM a victim of its own success? It's very likely the company, just as it has done with Saudi Arabia, will work out deals with each of the countries threatening to ban its service. And perhaps with new devices, such as the BlackBerry Torch 9800, the company will become "cool" again, giving its corporate subscribers a reason other than security, to stick with its devices.

"You can never have security that is too good," RIM Chief Technology Officer David Yach said last week at an event in New York City launching the company's latest phone. "I suppose that (this situation) is a testament to how we have done our job."