Site Search

Custom Search

SR

Wednesday, March 12, 2008

BlackBerry security issue makes e-com insecure

Indian operators offering BlackBerry services, top executives of Canadian telco Research in Motion (RIM), the company that owns the brand, security agencies and officials of the Department of Telecommunications (DoT) are expected to meet on March 14 to answer the concerns of security agencies in a bid to prevent having BlackBerry services terminated after the March-end deadline.

BlackBerry has an estimated 400,000 subscribers in India. RIM has been asked to give access to its algorithims (needed to decrypt messages), according to a source.

“The security agencies are saying that we should have access to data that are being encrypted by services like BlackBerry on mobile phones and then decrypted when the phone reaches its nominated destination," the source added. RIM does not, or has not been asked, to do this in any other country but is considering the matter.

The case, meanwhile, has opened a Pandora's box in India. Operators note that if BlackBerry services are banned, security agencies could even target various e-commerce applications – especially money transfers – that use encryption.

Encryption is the process of converting information into a form that is unintelligible to anyone except holders of a specific cryptographic key (the intended recipient). This will make e-commerce virtually impossible.

"The argument can logically be extended to all encrypted transactions on wireless devices including banking, e-commerce, email and chat. It will also have a significant impact on privacy concerns for consumers. Much thought needs to be applied before deciding on it," said Alok Shende, Practice Head, Datamonitor India.

Indeed, scrutiny has already been stepped up for all Internet Service Providers (ISPs).

Rajesh Chharia, President, Internet Service Providers Association of India (ISPAI), noted: "Routine check-ups are fine with us since the issue is one of national security. All ISPs must, and will, cooperate. What is of concern, though, is the fact that we have been asked to reduce the encryption from 128-bit to 40-bit, which is ridiculous.”

The demand, he said, will put the entire online banking and e-commerce sectors in jeopardy. Having represented our concerns, we have yet to receive a response from DoT on this issue."

Cyberlaw experts, too, are concerned over the developments. While the government's motive is good, the Indian Information Technology (IT) Act, 2000 is very unclear on this subject, noted Pavan Duggal, Supreme Court advocate and cyberlaw expert.

"Only Section 69 (Sub-section 2) gives the Controller of Certifying Authority the power to order the interception of electronic communication on computer systems located in India," he points out. In RIM's case, though, decryption is not possible without RIM's consent, which is why the government is fuming.

"This is, perhaps, the first time that the government is admitting to intercepting electronic communication. Blanket power to intercept emails will probably end up diluting the legal validity of encrypted communication in an age when privacy is of utmost importance to corporate and individuals. The Indian government could be firm, asking RIM (or any other player) to take action on a specific case that arouses suspicion. It may not be wise and practical to ban the services altogether," said Na Vijayashankar, cyberlaw expert.

Some technology experts like Vijay Mukhi note that if the email originates from India, it can be intercepted at the wireless service provider's end, since the nodes are in India.

The problem arises if the email originates from a BlackBerry device (since it goes to a server outside India where it gets encrypted). Even then, monitoring every mail that emanates from a server outside India will lead to a ridiculous state of affairs. All email services with servers in foreign lands will have to be shut down.

Google and Yahoo declined to comment on the issue and Microsoft India said the issue was not of immediate concern to them.

Sumeet Gugnani, Director, Mobile Communication Business, Microsoft India, said: “Windows Mobile-enabled handheld devices and cellphones enable users to configure mails on their respective in-house (read in India) exchange servers if they so wish.”

No comments: