Much Adieu About Nothing
French government isn't saying goodbye to BlackBerrys, despite official's security warning
- By Patrick Marshall
- Jun 29, 2007
The story had a certain cachet. One headline from June 21 read 'France Bans Ministers' BlackBerrys.'
According to reports that appeared in many newspapers and Web sites, the French government had prohibited ministries and departments from using BlackBerrys because of concerns about the security of e-mail messages passing through servers in the United Kingdom and the United States.
'The risks of interception are real. It is economic war,' the French daily newspaper Le Monde quoted Alain Juillet, in charge of economic intelligence for the government, as saying. The story alluded to the threat of interception by U.S. intelligence agencies.
But even from the beginning, there were signs that the story was a little flaky.
First, Juillet's charges as reported in Le Monde were vague and did not mention specific vulnerabilities. Second, Research in Motion, the Canada-based company that manufactures the BlackBerry, maintains message servers in the United Kingdom and Canada but not in the United States. Third, although Juillet's office has reportedly confirmed that he spoke to Le Monde, his comments have not been confirmed nor have further interviews been given. Finally, it appears that BlackBerrys have not been officially banned from French government offices.
Instead, Juillet's agency has issued a warning against their use.
Research in Motion responded promptly to Juillet's charges. 'Recent news reports, originating in France and rehashing a 2-year-old rumor that speculates that data transmitted over the BlackBerry Enterprise Solution can be intercepted and read by the [National Security Agency] in the U.S. or other 'spy' organizations are based on false and misleading information,' the company wrote in a press release. 'No one, including RIM, has the ability to view the content of any data communication sent using the BlackBerry Enterprise Solution because all the data is encrypted using 256-bit Advanced Encryption Standard encryption, and the origin of the e-mails cannot be traced or analyzed for content.'
Secure use
The company further noted that both NATO and the government of Great Britain have approved the BlackBerry Enterprise Solution for wireless transmission of sensitive data under 'restricted' classification, and security agencies in Australia, Austria, Canada, New Zealand and the United States have accredited the network.
Indeed, BlackBerry use is widespread in the federal government and Defense Secretary Robert Gates even alluded to the BlackBerry recently as a backup system in case the Pentagon's networks were down.
Three independent analysts GCN contacted agreed there is no basis for singling out BlackBerrys as a security risk.
'On the BlackBerry, data is AES encrypted, and RIM does not have the keys that encrypt the user data,' said John Girard, a senior security analyst at Gartner Group. 'I do not know of a way that someone on the outside could capture traffic and expect to read the encrypted packets, nor do I know of a way to get the keys from a locked device.'
Not all analysts are convinced AES encryption is fully secure.
'Can the National Security Agency crack 256-bit encryption? Probably,' said Ken Dulaney, a mobile and wireless analyst at Gartner. But that would be a vulnerability of not just the BlackBerry but also of other e-mail systems, he said. 'It's hard to figure out what the French are reacting to here.'
Eric Domage, a Frenchman and manager of International Data Corp.'s Western European Security Research and Consulting group, agrees that security isn't really the issue. 'If a security agency wants to get into an e-mail communication it will, no matter what the level of encryption,' Domage said. Accordingly, if the French people took the warnings seriously, Domage said, 'they must not use the Internet at all, they must not use the telephone at all, they must not use the computer at all. It's stupid.'
So why is a French agency picking on the BlackBerry? Domage figures that the explanation is politics. 'We have a new government here. And a single security agency is making an issue about messages going through servers outside the borders of France. It's more about paranoia than about a real technical concern.'
Dulaney suggests another possibility. 'To single out RIM makes me suspicious that a competitor may have gone in there to stir things up.'