BlackBerry CEO John Chen has posted a statement following press allegations that the Waterloo-based company may have provided the Royal Canadian Mounted Police with its global BlackBerry Internet Services (BIS) encryption key. In a post on the company’s official blog, Inside BlackBerry, Chen neither confirmed nor denied the company’s specific role in the RCMP’s effort to dismantle two major Montreal-based mafia organizations.
“We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access requests. I have stated before that we are indeed in a dark place when companies put their reputations above the greater good,” starts Chen, referencing a 2015 post in which the CEO criticized companies like Apple for refusing to cooperate with law enforcement agencies.
“This very belief was put to the test in an old case that recently resurfaced in the news, which speculated on and challenged BlackBerry’s corporate and ethical principles. In the end, the case resulted in a major criminal organization being dismantled. Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles,” he says, referring to the two Vice Canada and Motherboard articles that were published last week.
The two pieces, co-written by Vice Media’s Justin Ling and Jordan Pearson, used more than 700 pages of court documents to show the RCMP had a server in Ottawa capable of intercepting and decrypting BBM messages sent between consumer BlackBerry devices.
The documents, while extensive, don’t provide a complete overview of the case. Crucially, they don’t say whether BlackBerry willingly gave the RCMP access to its global encryption key. On this point, Chen only said the company followed its policies on lawful access (that policy precluding specific commentary on individual cases).
It should be noted that, according to archive.org, this specific policy page was published in April 2013, several months before John Chen became the company’s CEO, but three years after the start of Project Clemenza. MobileSyrup has reached out to clarify if and how the company’s policy stance differed in 2010 when Project Clemenza was ongoing.
Lawyers from the federal government fought for more than two years to prevent the documents from being opened to the public. Moreover, when called upon by a judge to explain their working relationship, both lawyers from the government and BlackBerry were evasive.
While not commenting on the nature of its work with the RCMP, Chen does go on to say that BlackBerry’s BES service was not compromised. “Furthermore, at no point was BlackBerry’s BES server involved. Our BES continues to be impenetrable – also without the ability for backdoor access – and is the most secure mobile platform for managing all mobile devices,” he says. “That’s why we are the gold standard in government and enterprise-grade security.”
Chen ends the post by saying, “For BlackBerry, there is a balance between doing what’s right, such as helping to apprehend criminals, and preventing government abuse of invading citizen’s privacy, including when we refused to give Pakistan access to our servers.”
The limited nature of Chen’s statement, lacking any significant new information, appears disingenuous overall. Specifically, the security of the company’s BES was never at issue in the Project Clemenza case. The RCMP was intercepting and decrypting messages sent through BIS, BlackBerry’s consumer-level encryption scheme. Likewise in Pakistan, the nation’s government asked BlackBerry for the keys to its BES servers. BlackBerry has always maintained it could not break open its BES servers even if it wanted to do so; the encryption keys to those servers are set and maintained by the company’s corporate clients, and only those clients theoretically have access to those keys.
In addition, the lack of clarity provided by Chen’s statement creates new implications regarding BlackBerry’s international legal compliance policy. On its corporate policy page, the company says, “BlackBerry maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries.”
This statement, taken together with the revelations found in the Vice and Motherboard articles, as well as Chen’s statement on the matter, implies that BlackBerry is willing and able to provide BIS encryption keys to all countries that ask. Further, while Chen implied “government abuse” in the case of refusing access to Pakistan’s national government, nothing stated precludes the company giving BIS access to the country’s law enforcement agencies regarding criminal cases. There is also no stated company policy pertaining to how BlackBerry determines which requests are lawful and reasonable, or “government abuse.”
Update: When asked to comment on the company’s policies, a BlackBerry spokesperson said, “At this time, John Chen’s blog post expresses BlackBerry’s point of view. We are not providing commentary outside of what was stated in the blog post.”