No more BlackBerrys for the French government
According to French newspaper Le Monde, an agency responsible for domestic security has banned French government officials from using BlackBerry devices. The reason is said to be the threat of snooping by American and British intelligence services. There are said to be concerns that the US intelligence service (NSA) could gain access to secret government information, as all BlackBerry data is delivered from servers in the USA and Great Britain. The order from the General Secretariat for National Defence (SGDN) banning officials in all departments, in the government residence at Matignon and in the Elysée Palace (the president's official residence) from using BlackBerrys was apparently issued several months ago. However, it appears that hardly any officials have been observing the ban. There is considerable doubt as to whether the renewed ban will prove more effective.
Research in Motion (RIM), which manufactures the BlackBerry device, has rejected the allegations regarding possible access, stating that servers are operated in Canada and Great Britain only: no servers are operated in the USA. RIM points out that the data is encrypted, and that BlackBerry use is permitted by organisations such as NATO. In fact, both NATO and CESG (the UK security technical authority) have approved BlackBerry devices for the transmission of classified material only at the "Restricted" level: the lowest classification (below "Confidential"), which would typically be applied to such information as press releases prior to distribution date (or, as has often been rumoured, departmental canteen lunch menus). The French blanket ban would obviously encompass many information transfers that would be much more sensitive than this.
Allegations concerning the security of BlackBerry services are nothing new. The German Federal Office for Information Security (BSI) decided in late 2005, in a study which was not originally intended for publication, that because of their insecure architecture, BlackBerrys were not suitable for use in security-sensitive areas of public administration or in companies at risk from spying. The armed forces then also decided to avoid using BlackBerrys. A major contract previously signed between the Federal Ministry of Defence and T-Mobile was cancelled as a result of these security concerns. In late 2006, hackers then presented a number of vulnerabilities in RIM devices and infrastructure at the 22nd Chaos Communication Congress.
In September 2006 the Fraunhofer Institute SIT came to the conclusion that BlackBerry security was sufficient for general use in companies and other organisations. Where, however, a higher level of security was required, e-mail encryption using S/MIME or PGP, plus local encryption, were necessary. A core point of this repeated criticism is the permanent RIM access to company mail servers, via which RIM could theoretically gain access to internal e-mails. This, however, implies an error in implementation or a deliberately installed backdoor, with the aid of which intelligence services or others could obtain access to plain text messages. To date no evidence in support of either of these suppositions has been found, but in matters of national (and indeed commercial) security the hosting or transfer of classified information beyond national boundaries must always be approached with extreme caution.
- Fraunhofer SIT presents initial results of their BlackBerry study, report by heise Security