The BlackBerry 'Butterfly Effect'

Aug. 24, 2010— -- Lately, all eyes are focused on the dustup between Research in Motion (RIM) and several countries that are demanding access to the communications of RIM BlackBerry users.

And if RIM doesn't comply with these requests, several countries have vowed to shut RIM out of their markets. So now RIM finds itself embroiled in a kind of high-stakes global poker match with little room to bluff.

The governments of the United Arab Emirates, Saudi Arabia, India, and Indonesia, among others, claim they need access to the BlackBerry messages because some services "allow users to act without any legal accountability, causing judicial, social and national security concerns," according to the UAE's Telecommunications Regulation Authority.

And although RIM acknowledges the right of sovereign governments to request access to personal communications for legitimate law enforcement and national security concerns, the company also says that the encryption of message traffic located in its Enterprise Servers is so good that even RIM itself can't crack the code.

Meanwhile, the government of India is reportedly planning to pursue similar demands with Skype and Google next.

Newspaper reports of RIM officials meeting behind closed doors with authorities of various governments to work out some kind of technical deal that satisfies the surveillance requests while also protecting the confidentiality of BlackBerry users adds an air of intrigue to the whole matter, which in turn makes the running media dialogue sound like the plotline of a spy novel.

BlackBerry Butterfly Effect

Why should we be concerned? After all, the controversy is happening in far-flung locales and has very little impact on an average American citizen's day-to-day digital life.

Call it the "BlackBerry Butterfly Effect": In this era of a globally interconnected world, the clash between technology, user privacy, and national security anywhere in the world eventually affects us all. Once a company like RIM concedes to one government's demands for surveillance capabilities that do not properly protect privacy rights, other governments will demand equivalence.

The reality is that all governments will – and already do – approach technology companies to assist with law enforcement and national security surveillance requirements.

At the same time, technology companies have a responsibility to respect the human rights of users, including privacy rights.

The question becomes: What is a company like RIM supposed to do to be responsive to its users, to human rights concerns, and to local laws?

RIM's Challenge Raises Issues Beyond Current Controversy

RIM's current challenge raises several issues that extend beyond the current controversy. First, companies need to be more transparent about the deals they cut with governments.

It is folly to believe that service providers consistently take a hard line when it comes to bucking a government request for surveillance. However, when the extent of that cooperation is kept secret, serious concerns arise: Users must be able to adequately assess the risks associated with the use of a particular communications tool.

Second, companies, advocates, and policymakers need to resist the imposition of broad and ill-defined technological design mandates on communications services and products.

Even the U.S. imposes certain requirements on certain service providers, but design mandates must be narrowly crafted, must recognize and protect the public value of secure communications, and, tying back to the first point, must be transparent.

And third, companies, advocates, and policymakers should insist on appropriate legal process for any governmental access to users' communications; in other words, no snooping without a just cause. And companies making deals with governments to gain market access should be thinking about advancing user privacy rights and the rule of law as much as possible.

Companies are reluctant to be more transparent when it comes to shedding light on negotiations with governments. After all, one doesn't want to give terrorists a blueprint for shielding their own communications. But the relationships between governments and service providers need to be more open. That is true not only in the UAE but also in Europe, the U.S., and the rest of the world.

Limiting Government Design Mandates

UAE officials argue they aren't asking for anything that service providers aren't already providing access to in the U.S. The UAE points to the mandates in the U.S. Communications Assistance to Law Enforcement Act (CALEA), which requires telecommunications carriers to build into their networks an easy way for law enforcement agencies to listen in.

Although CALEA has some flaws, it is just the opposite of what we're seeing in demands made by the UAE and offers a much better approach to dealing with government demands.

CALEA is a democratically enacted law implemented by the Federal Communications Commission, whose decisions are in turn subject to judicial review. It is unlikely that the UAE provides equivalent checks and balances on government design demands.

In addition, CALEA specifically recognizes the importance of unbreakable encryption to both commerce and human rights: CALEA includes a provision expressly stating that the Act gives the US government no authority to require a telecommunications carrier to design its encryption in such a way that the government can decrypt communications.

Secretary of State Clinton: U.S. Will Be Leader in Promoting Global Internet Freedom

When assessing the robustness of civil liberties protections, the other important component is the underlying standard and process that controls government authority to use those design features in the lawful interception of someone's communications.

In the U.S. and most other democracies, law enforcement agencies have to get a court order—based on probable cause and targeting a particular person—to eavesdrop on someone's conversations. That goes for national security concerns, too. While I'm no expert in UAE law, I have serious doubts that the Emirates have a truly independent judiciary or an equivalent system of checks and balances.

Not to imply that users and companies operating in the U.S. (or the EU) should be without concern: In the aftermath of 9/11, the U.S. and many other democratic allies rolled back protections on privacy and due process and engaged in activities such as warrantless wiretapping—activities that have provided countries like the UAE and China with the political cover to claim that their surveillance demands and practices were similar to those of the U.S.

Earlier this year, Secretary of State Hillary Clinton promised that the U.S. would once again become a leader in promoting global Internet freedom. And here in the U.S., human rights advocacy must begin at home. A good start would be to restore meaningful limits on some PATRIOT Act powers. Another would be to update the Electronic Communications Privacy Act.

RIM Stands Alone?

National security policies that give short shrift to civil liberties place global technology companies in the difficult position of deciding which national laws to comply with and which laws to challenge. And transparency is tough for a corporation to pull off alone.

Companies are understandably afraid that going public with the details of an agreement with one government would immediately set a floor for demands by every other country.

Joint action is the answer. Companies must work with their competitors to articulate strong, shared standards for what kinds of surveillance demands they will comply with, and under what standards. Otherwise, it will be all too easy for countries to pick off companies one-by-one.

What's more, RIM and other communications service providers should not be left out there to resist government demands alone. Technology companies need the concerted support of human rights advocates and of countries and international institutions that care about Internet freedom to bring greater transparency to such arrangements and to set high standards for governmental access to communications.

The Global Network Initiative strives to provide practical guidance for exactly these kinds of ethical dilemmas, as well as a platform for joint action alongside human rights NGOs.

RIM's dilemma is a real-time object lesson reminding us that companies should aggressively advocate for legal standards that respect human rights in all countries in which they operate, democratic and non-democratic alike. The "BlackBerry Factor" hasn't fully played out and the eventual outcome is still very much in doubt.

What ultimately happens between RIM and the various countries pressuring it to compromise its corporate values and customer trust will be used as a kind of playbook for other collisions between companies and government interest in the years to come.

Leslie Harris is president and CEO of the Center for Democracy & Technology.