Last week, a joint investigation by Motherboard and VICE News revealed that Canada's federal police are in possession of the "global encryption key" that unlocks every non-corporate BlackBerry user's encrypted BBM messages. But we didn't know how they got it.
BlackBerry still has not commented directly to Motherboard or VICE News on the specifics of the investigation, but CEO John Chen published a blog post on Monday addressing the report in broad strokes… very broad strokes.
Chen essentially gave a version of the US government's standard GLOMAR response—that is, neither confirming nor denying the answer to the most burning question raised by our investigation: Did BlackBerry give the Royal Canadian Mounted Police, or RCMP, the key to every consumer BlackBerry user's digital front door?
"Regarding BlackBerry's assistance," Chen wrote instead, "I can reaffirm that we stood by our lawful access principles. Furthermore, at no point was BlackBerry's BES server involved."
Chen went on to laud BES, or BlackBerry's Business Enterprise Server, for corporate customers, as "impenetrable" and described BlackBerry as the "gold standard" in security for government and corporations.
Chen did not mention regular, non-corporate BlackBerry users here, possibly because the key in the RCMP's possession only targets phones not on the BES network.
BlackBerry's lawful access principles are extremely broad, stating that the access must be "limited to the strict context of lawful access and national security requirements as governed by the country's judicial oversight and rules of law." BlackBerry also "maintains a consistent global standard," and does not make special deals with specific countries.
"John's blog post today frames the point of view the company has and that's the extent to which we'll be providing our point of view," a BlackBerry spokesperson said when reached for comment. "Lawful access is a highly sensitive subject and we needed to convey that the stance we took at the beginning is the stance we're taking now."
In 2012, BlackBerry reportedly gave the Indian government access to customer BBM messages via undisclosed means under the aegis of its lawful access policy.
"For BlackBerry, there is a balance between doing what's right, such as helping to apprehend criminals, and preventing government abuse of invading citizen's privacy, including when we refused to give Pakistan access to our servers," Chen wrote.
BlackBerry's security dust-up with the Pakistani government has been well-documented, since BlackBerry refused to give the government access to its secure business servers. Again, the key in the RCMP's possession does not target business servers—instead, it can decrypt any BBM messages sent between regular, non-corporate, consumer devices.
The struggling phone manufacturer has recently capitalized on Apple's head-butting with US law enforcement over the ability to unlock suspects' phones by positioning itself as a company that provides strong security for its users, while cooperating with law enforcement when lawfully asked to do so.
While BlackBerry continues to beat the security drum for its more powerful clients, however, it seems regular folks are being left out of the conversation, and potentially without adequate protection from snooping cops.