BlackBerry's CEO said that he believes they've found "balance" in cooperating with police, after VICE News reported that the Royal Canadian Mounted Police got ahold of BlackBerry's global decryption key in 2010.
John Chen broke the company's silence and took to its official blog to contend that the cellphone and software manufacturer was just "doing what's right."
VICE News revealed on Thursday that the RCMP had somehow obtained BlackBerry's global encryption key, which they used to read more than a million messages they had intercepted, with the cooperation of either cellphone provider Rogers or BlackBerry itself.
Chen's statement does not refute any of the details of the story.
"We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access requests," Chen said. "I have stated before that we are indeed in a dark place when companies put their reputations above the greater good."
What remains unclear is exactly what sort of lawful access request was made to BlackBerry. The assistance orders filed to the company under this investigation — a two-year surveillance program aimed at dismantling Montreal's Italian mafia — do not appear to be for the key itself.
The RCMP itself wrote in response to the story that "there is no specific power in the Criminal Code to compel a third party to decrypt or develop decryption tools, nor is there any requirement for telecommunications services to provide these services."
Nevertheless, Chen defended the company's "lawful access principles."
"For BlackBerry, there is a balance between doing what's right, such as helping to apprehend criminals, and preventing government abuse of invading citizen's privacy."
Those principles, posted to the company's website, state that "BlackBerry maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries" and that the company will only cooperate with police under a court order. One principle "driving" BlackBerry's corporate philosophy is that "strong encryption is a fundamental commercial requirement for any country to attract and maintain international business."
Chen's blog post goes on to comment specifically that the VICE News story "speculated on and challenged BlackBerry's corporate and ethical principles. In the end, the case resulted in a major criminal organization being dismantled."
The statement goes on to underline that "at no point was BlackBerry's BES server involved" — something that was never in contention.
BES, or BlackBerry Enterprise Server, allows clients to run their own localized servers. The system offers increased security, and allows the operator to use a unique encryption key that is stored locally. The original story noted that the global encryption key that was obtained by the RCMP would only give the police access to consumer BlackBerrys that operate on the public BlackBerry Internet Service (BIS), not BES.
Chen nevertheless focused on BES, which the company still relies on for a significant amount of its business. "That's why we are the gold standard in government and enterprise-grade security," Chen wrote.
Christopher Parsons, a postdoctoral fellow at the University of Toronto's Citizen Lab, said that the statement from Chen was disappointing. "It, again, demonstrated that BlackBerry is going to independently decide, absent an engagement with customer stakeholders, the kind of security that's provided to customers."
He added that complying with lawful access requests is one thing, but that handing over the encryption keys outright — instead of providing assistance on a case-by-case basis, as Apple and Google purport to do — is much more serious. "It's very different in terms of who, exactly, is in the driver's seat," Parsons said.
Parsons added that what's "not surprising at this point, but distressing" is that BlackBerry has consistently refused to publish its transparency guidelines about which governments it cooperates with, and which countries it does not, nor does it publish statistics or numbers on how often it complies with those requests.
"For BlackBerry, there is a balance between doing what's right, such as helping to apprehend criminals, and preventing government abuse of invading citizen's privacy, including when we refused to give Pakistan access to our servers," the post continues. "We have been able to find this balance even as governments have pressured us to change our ethical grounds. Despite these pressures, our position has been unwavering and our actions are proof we commit to these principles."
The company is set to leave the Middle Eastern country because Islamabad wanted access to BES. The global encryption key for BIS was not at issue.
As Parsons puts it, Chen's comments about Pakistan "have very little to do with the Canadian case" and don't even address whether BlackBerry shared the BIS global encryption key with the Pakistani government.
BlackBerry has still not responded to repeated requests for comment. VICE News and Motherboard have been asking for an interview with Chen himself.
Prime Minister Justin Trudeau was asked about the story on Friday during a coincidental visit to Waterloo, Ontario — BlackBerry's global headquarters — but did not address the substance of the story. Instead, he re-committed to bringing in parliamentary oversight of Canada's national security agencies, a familiar talking point for the prime minister.
"This is an issue that, obviously, is of concern to many people and when we think about the community we're in right now, and the innovative advances in computing technology, in encryption, and in telecommunications here in Waterloo through [BlackBerry] and elsewhere. This is an issue of concern to people. I got elected on a commitment to bring in proper oversight of our national security agencies and police agencies," Trudeau said. "We are both keeping them safe, and protecting their rights and freedoms."