India's BlackBerry Snooping

Friday 22 February 2013

The Indian government, as I reported at Slate today, is keen to obtain data on millions of BlackBerry users across the world to help its spy agencies intercept and track messages sent in and out of the country.

I was able to obtain some revealing Indian government documents, signed and dated as recently as last month, which offer an unusual level of insight into how the authorities have been negotiating with BlackBerry to enable surveillance of communications. You can find a bunch of previously unpublished extracts from these documents below.

They are of particular interest because they disclose the level of cooperation between BlackBerry and spy agencies. It is highly likely that BlackBerry has worked with other countries — not only India — to help them monitor communications sent via BlackBerry's unique "BBM" messaging service, which allows BlackBerry users to communicate for free with each other.

Authorities in the United Kingdom, for instance, struggled to intercept BlackBerry messages during the riots in 2011 due to the encryption the technology uses. However, BlackBerry later admitted that it had "engaged with the authorities to assist," presumably by providing the type of interception function that is currently being used in India. The Indian government documents I obtained show the authorities there have been working with RIM to:
  • Enable interception of emails and email attachments sent using BlackBerry devices.
  • Enable monitoring of web browsing by people using BlackBerry handsets.
  • Enable eavesdropping on messages sent via BlackBerry messenger.
  • Enable the interception of "delivery reports" showing when a sent message has been received.
  • Obtain access to a trove of the unique PIN codes of all BlackBerry phones shipped to India. (These codes can be used to trace and intercept BlackBerry messenger communications. Indian authorities are seeking access to all PIN codes belonging to every BlackBerry handset across the world. They say this will enable them to track and monitor BlackBerry messages going from India to countries overseas.)

It also caught my eye that the US-based company Verint, which I recently reported is offering governments a mass surveillance system to help intercept "billions" of communications, was present while India's BlackBerry monitoring system was being tested.

You can read the specific details in the extracts indented below, taken from an Indian government department of telecommunication report, produced by its "security wing." There is quite a lot of telecom jargon in there, unfortunately, but if you can cut through the acronyms you will see that the content is significant. I've included a little glossary/acronym debunker at the bottom of this post which may help translate. I've also bolded some bits that stand out to me as particularly noteworthy.

Research in Motion (RIM), Canada, is providing the Blackberry services in India through the licensed Telecom Service Providers.

Since Blackberry services are not getting intercepted in a readable format while lawful interception and monitoring by Security agencies, RIM was asked to provide the solution for lawful interception and monitoring in a readable format.

Accordingly, RIM offered the Interception solution for testing on 19.07.2012. During the testing, some observations were made by the testing team which were forwarded to RIM for compliance vide this office even letter dated 27.07.2012.

We may ask all the TSPs [telecom service providers] to comply with the Blackberry Interception requirements by 31.12.2012.

...the initial testing of various Blackberry services offered in India by Research In Motion (RIM), Canada, was carried out on 19 July, 2012 at Mumbai. During the testing on 19 July, 2012, some observations were made and conveyed to RIM as well as Vodafone to comply, which are as follows:

  • (i) PIN resolution is required to identify the actual user behind Blackberry PIN.
  • (ii) Web-browsing services which are being offered under BIS [are] also required to be decrypted.
  • (iii) CRI [call related information] is required in the standard format as applicable for Non-Blackberry cases.
  • (iv) Correlation between attachment intercepted communication and its initial email communication is required.
  • (v) The correct direction has to be provided in the CRI as per actual case scenario.
  • (vi) In case of BES services, Enterprise server and its Public IP address should be made available.
  • (vii) The delivery & read acknowledgment communications/signaling messages are not getting intercepted.

For the compliance of the above observations, RIM offered the testing in the network of Vodafone for the verification of compliances against the observations made on 19 July 2012. Accordingly, the testing was conducted on 10 Dec 2012 at Vodafone Data Center, Sahas, Mumbai. Besides the representatives of RIM Canada, Verint & Vodafone...officers were present during the testing...

The IMEI was populated in all the scenarios of BBM (incoming / outgoing) and PIN-to-PIN messages (incoming and outgoing) correctly along with the PIN details (and IMEI) details of both the target and the other communicated party. However, if the target/communicated party is international then correlation between Blackberry PIN and IMEI does not appear.

During interaction, it was clarified by RIM that database provided in the CRS [carrier routing system] is based on the information of the PINs which have been officially shipped to India and data pertaining to other countries have not been provided due to privacy and other legal provisions of those countries. However, if data for entire world is loaded in the CRS, it can correlate each & every PIN.

In OS5 — the Web browsing service is based on RIM proprietary protocol (IPPP). Presently, it cannot be intercepted in a readable format through the proposed solution. As per RIM, the solution for OS5 is still under development and will be deployed and tested by end of April 2013.

Correlation between attachment intercepted communication and its initial email communication is required. Email Attachments — In BIS Email service, attachments are not downloaded automatically for incoming mails. Attachment gets transmitted after email is delivered when the user initiates an event to download it. Thus, the attachment arrives in a later stage (after the Email product has already been marked and stored), the system shall mark an independent File Transfer product (like Email).

With respect to PIN to IMEI resolution, the tested solution is apparently satisfactory for all the handsets officially shipped to India. With regard to handsets shipped to other countries, RIM intimated that PIN to IMEI correlation in such cases can be obtained through Blackberry Public safety office (PSO). However, we may negotiate with RIM to provide the entire IMEI-PIN correlation data including other countries.

it is proposed that:

(i) We may initiate a process to take over the possession of RIM infrastructure created at Mumbai for which a suitable agreement may be entered between DOT [department of telecommunication] and RIM.

(ii) We may negotiate with RIM to provide the Blackberry PIN-IMEI Correlation data for all the Blackberry handsets.

(iii) RIM and Vodafone may be asked to demonstrate the final solution in respect of [interception of delivery reports] by end of January 2013 and [email attachment monitoring and web browsing tracking/decryption] by end of April 2013.

Acronym debunker: PIN = Personal Identification Number (a unique code every BlackBerry is allocated, can be used to track and monitor communications and identify the sender); BBM = BlackBerry Messenger; IMEI = International Mobile Station Equipment Identity (another unique code used to identify a phone); OS5 = a BlackBerry operating system; BIS = BlackBerry Internet Service; CRI = Call Related Information (the who, where and when of a communication — like the time a call was made and the number of the caller and recipient); CRS = Carrier Routing System (network infrastructure through which communications travel).

Give Light

Saturday 9 February 2013

After writing a short note here yesterday about weak and deferential journalism in the United States, I was reading today about a fearless American newsman from a different age.

In the 1920s, Carl C. Magee kicked up a shitstorm when his Albuquerque newspaper published revelations about what was called the Teapot Dome scandal. This was, according to the History News Network:

...the most famous of several scandals that ruined the reputation of President Warren G. Harding, who served from March 1921 to August 1923 and is often described as the worst president our country has ever had. At its bare bones, Teapot Dome is a simple case of bribery. Secretary of the Interior Albert Fall, a former senator from New Mexico and a friend of Harding's, was convicted of taking bribes from oil executives.

Magee's newspaper, the Albuquerque Morning Journal, had apparently infuriated President Harding by revealing details about this corruption. Magee was later called to testify in Washington and his testimony helped convict Fall, who was sentenced to one year in prison and fined $100,000.

There was a backlash against Magee during these years. He received death threats, was physically assaulted, and one district judge at the time was implicated (pdf) in efforts to discredit, or possibly imprison him. Eventually he was forced to sell off the Journal after being driven close to bankruptcy by financial institutions which, under political pressure, refused to renew his loans.

But Magee couldn't be stopped for long — emerging just two months later with another newspaper, named Magee's Independent. On the front page, printed beneath the sketch of a rising sun, there was a motto: Give Light And The People Will Find Their Own Way.

The firebrand continued to call out corrupt officials and reveal wrongdoing in a regular column titled "Turning on the Light." He was unfazed by the threats and intimidation.

"They did as they pleased without criticism," Magee was quoted as saying. "State institutions were run negligently. Public money was deposited in the banks, and state officials took the interest and put it in their own pockets."

Magee died in 1946 aged 73. A brilliant character whose tenacious muckraking embodied the pure spirit of good journalism.

Saudi Drone Base Blackout

Thursday 7 February 2013

Yesterday it was widely reported that the United States has been operating a "secret" drone base in Saudi Arabia since 2011. Not only that, but some American news organisations had known about the base for more than a year and chose not to disclose its existence because of a blackout agreement made with the government.

Here's a snippet from the Washington Post's report:

The Washington Post had refrained from disclosing the location at the request of the administration, which cited concern that exposing the facility would undermine operations against an al-Qaeda affiliate regarded as the network’s most potent threat to the United States, as well as potentially damage counterterrorism collaboration with Saudi Arabia.

The Post learned Tuesday night that another news organization was planning to reveal the location of the base, effectively ending an informal arrangement among several news organizations that had been aware of the location for more than a year.

But the logic here doesn't stack up. Why? Because on 26 July 2011 a story was published by the London Times titled "Secret drone bases mark latest shift in US attacks on al-Qaeda." This report revealed the existence of a CIA drone base in Saudi Arabia, and even went as far as to speculatively pinpoint its exact location:

The CIA has set up a network of secret drone bases in Arab states in a major escalation of its campaign against al-Qaeda militants in Yemen.

Sources in the Gulf say the agency is now massed along Yemen’s borders, launching daily missions with unmanned Predator aircraft from bases in Saudi Arabia, Oman, Djibouti and the United Arab Emirates. [...]

“Oman, Saudi and the UAE are being used as bases for drones. The operation against al-Qaeda has been stepped up in Yemen and in Somalia,” said a Gulf defence source. [...]

A senior Gulf intelligence source believes the most likely base in Saudi Arabia is at Khamis Mushayt in the southwest. The site has been used by Saudi forces for airstrikes against Houthi rebels in northern Yemen. A possible alternative is Sharurah in the kingdom’s Empty Quarter, close to the Yemeni border but considered less secure.

What this means is that the information the United States government was pressuring American reporters to keep secret was already in the public domain — it had already been "outed," as it were, and it hadn't damaged counter-terrorism operations or the relationship with Saudi Arabia. Anyone with an Internet connection — and yes, that includes members of al-Qaeda — could find out that the CIA had a "secret" drone base in Saudi Arabia simply by doing a quick Google search. (Even though the Times story is behind a paywall, the first few paragraphs, which include the Saudi detail, can still be viewed for free.)

Defending the decision not to publish this information after some criticism, Washington Post reporter Greg Miller posted a tweet today saying: "For the record, WaPo has reported CIA drone base on Arabian peninsula since 2011, w/out disclosing it was in Saudi." I asked him why not disclose the specific country when it had already been published elsewhere, and he responded: "Short answer: US govt concerned more about US press than British, and saying on Arabian peninsula puts readers pretty close."

I think this shows poor judgement. It seems flawed to make a distinction between the British and American press here, especially in the age of the Internet. All news stories published online are distributed instantly to an international audience. By disclosing the existence of an "Arabian peninsula" base while suppressing the exact country in question — even though it is already in the public domain — not only are you serving no substantive purpose but you are doing your readers a disservice.

In national security journalism, difficult decisions often have to be made under incredible pressures. Sometimes, there can be a legitimate need to keep a certain military operation undisclosed if, for example, lives are at stake. But in this case I think the American press got it wrong. Unfortunately, it comes off looking like another example of deference to power that will ultimately taint the reputations of the newspapers involved.

Guantanamo's Anonymous Censor

Sunday 3 February 2013

When a suspected terrorist mastermind goes on trial at the Guantanamo Bay military commission, strange things can happen.

Last week, midway through the pretrial hearings for five accused 9/11 plotters, an anonymous outside censor unilaterally blacked out an audiovisual feed that provides public access to journalists reporting on the proceedings. The incident frustrated the military judge, who is supposed to have total control over the courtroom, and in the process illustrated the acute tension between open justice and obsessive-compulsive national security secrecy.

Here's how it went down, according to Jason Leopold, a reporter for Truthout who was in attendance:

...the audio feed to the proceedings was interrupted Monday when defence attorney David Nevin, who represents [accused 9/11 planner Khalid Shaikh] Mohammed, discussed the title of an exhibit pertaining to the CIA's secret black site prisons, where the self-professed 9/11 mastermind and his alleged co-conspirators had been held prior to their transfer to Guantanamo.

When Nevin uttered the word "secret," a warning light, which is silent, positioned on the judge's dais, started to flash and the sound of white noise was fed through the audio feed. Moments later, the monitors inside the gallery went black. The outage lasted three minutes. (The courtroom is visible to members of the gallery but is separated by soundproof glass; the audio feed is delayed by 40 seconds).

The judge, Col. James Pohl, was not happy about the act of censorship because he had not approved it. "If some external body is turning the commission on or off based on their own views of what things ought to be, with no reasonable explanation ... then we’re going to have a little meeting about who turns that light on and off," he said, reported the Huffington Post.

The fascinating debacle raised a number of questions, most importantly: who was this mysterious outside censor, watching proceedings from outside the courtroom and able to hit a "white noise" button on a whim? Leopold's report offers the closest thing to an answer:

It was later revealed by the government that the third party monitoring the hearings who was responsible for the interruption ... was the "original classification authority," or OCA, likely a reference to the CIA since that is the agency that operated the black site prisons.

But the government refused to provide information about whether the censor had been monitoring proceedings from a room at Guantanamo or was in fact located somewhere in the United States (like, say, the CIA's headquarters at Langley, Virginia).

"Who is the invisible hand?" asked one of the defence attorneys, not content with the lack of clarity. "Who is the master of puppets?"

It's a question that's difficult to answer with 100 percent certainty, given the secrecy. But whoever was responsible, he or she is not likely to be hitting the blackout button again any time soon. On Thursday judge Pohl ordered the government to unplug any outside censors. “This is the last time that will happen,” he said. “No third party can unilaterally cut off the broadcast.”

A rare triumph for transparency, it seems.

[You can read a detailed report about the case, United States v. Mohammed, et al., here, courtesy of the Public Record.]