India's BlackBerry Snooping

Friday 22 February 2013

The Indian government, as I reported at Slate today, is keen to obtain data on millions of BlackBerry users across the world to help its spy agencies intercept and track messages sent in and out of the country.

I was able to obtain some revealing Indian government documents, signed and dated as recently as last month, which offer an unusual level of insight into how the authorities have been negotiating with BlackBerry to enable surveillance of communications. You can find a bunch of previously unpublished extracts from these documents below.

Why they are of particular interest is because they disclose the level of cooperation between BlackBerry and spy agencies. It is highly likely that BlackBerry has worked with other countries — not only India — to help them monitor communications sent via BlackBerry's unique "BBM" messaging service, which allows BlackBerry users to communicate for free with each other.

Authorities in the United Kingdom, for instance, struggled to intercept BlackBerry messages during the riots in 2011 due to the encryption the technology uses. However, BlackBerry later admitted that it had "engaged with the authorities to assist," presumably by providing the type of interception function that is currently being used in India. The Indian government document I obtained show the authorities there have been working with RIM to:
  • Enable interception of emails and email attachments sent using BlackBerry devices.
  • Enable monitoring of web browsing by people using BlackBerry handsets.
  • Enable eavesdropping on messages sent via BlackBerry messenger.
  • Enable the interception of "delivery reports" showing when a sent message has been received.
  • Obtain access to a trove of the unique PIN codes of all BlackBerry phones shipped to India. (These codes can be used to trace and intercept BlackBerry messenger communications. Indian authorities are seeking access to all PIN codes belonging to every BlackBerry handset across the world. They say this will enable them to track and monitor BlackBerry messages going from India to countries overseas.)

It also caught my eye that the US-based company Verint, which I recently reported is offering governments a mass surveillance system to help intercept "billions" of communications, was present while India's BlackBerry monitoring system was being tested.

You can read the specific details in the extracts indented below, taken from an Indian government department of telecommunication report, produced by its "security wing." There is quite a lot of telecom jargon in there, unfortunately, but if you can cut through the acronyms you will see that the content is significant. I've included a little glossary/acronym debunker at the bottom of this post which may help translate. I've also bolded some bits that stand out to me as particularly noteworthy.

Research in Motion (RIM), Canada, is providing the Blackberry services in India through the licensed Telecom Service Providers.

Since Blackberry services are not getting intercepted in a readable format while lawful interception and monitoring by Security agencies, RIM was asked to provide the solution for lawful interception and monitoring in a readable format.

Accordingly, RIM offered the Interception solution for testing on 19.07.2012. During the testing, some observations were made by the testing team which were forwarded to RIM for compliance vide this office even letter dated 27.07.2012.

We may ask all the TSPs [telecom service providers] to comply with the Blackberry Interception requirements by 31.12.2012.

...the initial testing of various Blackberry services offered in India by Research In Motion (RIM), Canada, was carried out on 19 July, 2012 at Mumbai. During the testing on 19 July, 2012, some observations were made and conveyed to RIM as well as Vodafone to comply, which are as follows:

  • (i) PIN resolution is required to identify the actual user behind Blackberry PIN.
  • (ii) Web-browsing services which are being offered under BIS [are] also required to be decrypted.
  • (iii) CRI [call related information] is required in the standard format as applicable for Non-Blackberry cases.
  • (iv) Correlation between attachment intercepted communication and its initial email communication is required.
  • (v) The correct direction has to be provided in the CRI as per actual case scenario.
  • (vi) In case of BES services, Enterprise server and its Public IP address should be made available.
  • (vii) The delivery & read acknowledgment communications/signaling messages are not getting intercepted.
For the compliance of the above observations, RIM offered the testing in the network of Vodafone for the verification of compliances against the observations made on 19 July 2012. Accordingly, the testing was conducted on 10 Dec 2012 at Vodafone Data Center, Sahas, Mumbai. Besides the representatives of RIM Canada, Verint & Vodafone...officers were present during the testing...

*****

The IMEI was populated in all the scenarios of BBM (incoming / outgoing) and PIN-to-PIN messages (incoming and outgoing) correctly along with the PIN details (and IMEI) details of both the target and the other communicated party. However, if the target/communicated party is international then correlation between Blackberry PIN and IMEI does not appear.

During interaction, it was clarified by RIM that database provided in the CRS [carrier routing system] is based on the information of the PINs which have been officially shipped to India and data pertaining to other countries have not been provided due to privacy and other legal provisions of those countries. However, if data for entire world is loaded in the CRS, it can correlate each & every PIN.

In OS5 — the Web browsing service is based on RIM proprietary protocol (IPPP). Presently, it cannot be intercepted in a readable format through the proposed solution. As per RIM, the solution for OS5 is still under development and will be deployed and tested by end of April 2013.

Correlation between attachment intercepted communication and its initial email communication is required. Email Attachments — In BIS Email service, attachments are not downloaded automatically for incoming mails. Attachment gets transmitted after email is delivered when the user initiates an event to download it. Thus, the attachment arrives in a later stage (after the Email product has already been marked and stored), the system shall mark an independent File Transfer product (like Email).

With respect to PIN to IMEI resolution, the tested solution is apparently satisfactory for all the handsets officially shipped to India. With regard to handsets shipped to other countries, RIM intimated that PIN to IMEI correlation in such cases can be obtained through Blackberry Public safety office (PSO). However, we may negotiate with RIM to provide the entire IMEI-PIN correlation data including other countries.

it is proposed that:

(i) We may initiate a process to take over the possession of RIM infrastructure created at Mumbai for which a suitable agreement may be entered between DOT [department of telecommunication] and RIM.

(ii) We may negotiate with RIM to provide the Blackberry PIN-IMEI Correlation data for all the Blackberry handsets.

(iii) RIM and Vodafone may be asked to demonstrate the final solution in respect in respect of [interception of delivery reports] by end of January 2013 and [email attachment monitoring and web browsing tracking/decryption] by end of April 2013.

Acronym debunker: PIN = Personal Identification Number (a unique code every BlackBerry is allocated, can be used to track and monitor communications and identify the sender); BBM = BlackBerry Messenger; IMEI = International Mobile Station Equipment Identity (another unique code used to identify a phone); OS5 = a BlackBerry operating system; BIS = BlackBerry Internet Service; CRI = Call Related Information (the who, where and when of a communication — like the time a call was made and the number of the caller and recipient); CRS = Carrier Routing System (network infrastructure through which communications travel).

1 comment: