On January 16, 2008 the Ministry of Information Technology and Telecommunications of the Russian Federation amended paragraph 2 of Article 64 of State law regulating the requirements of telecommunications networks for operational and search activities. It requires that intercepted communications which have additional encryption be turned over in decoded form. This includes Research In Motion and all other foreign-owned companies who sell services in the RF through a Russian vendor which, in RIM’s case, is Mobile TeleSystems.

Since MTS trades on the New York Stock Exchange (MBT), it has to file with the SEC. That filing contains the following information under “Equipment Certification”:

“a Presidential decree requires that licenses and equipment certifications be obtained from the Federal Security Service to design, produce, sell, use or import encryption devices. Some commonly used digital cellular telephones are designed with encryption capabilities and must be certified by the Federal Security Service.”

MTS’ Vice President of Corporate Security is Pavel D. Belik, whose prior employer was the Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii (Federal Security Service of the Russian Federation), popularly known as the FSB. Hence, there is little doubt that MTS complies with Russian law, which requires that encrypted messages be decoded. It also requires remote access from a console installed in FSB headquarters which reports the names of the sender and receiver of the targeted phone call, e-mail, or SMS message, the message itself, and the geo-location of the sender, as well as access to the customer database and billing records.

Operation Roadside

Operation Roadside was a 2006 espionage case in Moscow that involved MI6 agents and their Russian assets who used an electronic dead drop disguised as a rock. The “rock” was actually a sophisticated receiver and transmitter contained within a rock-like casing. It would receive and transmit information protected by encryption without the person having to stop and physically place or remove anything. When the FSB rounded up the individuals involved and examined the rock, they discovered that it was powered by a Blackberry (Moscow NTV Mir in Russian 1735 GMT 29 Jan 06 – “Emergency Incident: Investigation” television program). Considering that this happened in 2006, the same year that Research In Motion was struggling to gain entrance to the Russian market, I would rate the possibility that RIM received a pass from the FSB to abide by its monitoring requirements at about 0%.

These are just some of the facts regarding RIM and its dealings with the Russian government in order to sell its products and services to Russian consumers. Rather than issuing public statements like this one, RIM should simply acknowledge that it is no different from any other telecommunications provider as regards complying with monitoring laws of the countries in which they sell services, and that its corporate customers in those countries do not enjoy secure communications across the board. A little honesty and transparency would be a refreshing change from RIM’s current strategy of employing corporate doublespeak in communications to its customers and the general public while secretly engaging in negotiations with governments that belie its public announcements.


If you want to get to the truth about government monitoring of Blackberry consumer and enterprise customers by foreign governments, here’s a simple way that doesn’t require you to be an expert in encryption, a network architect or even a technologist. Just follow the numbers:

1. The government of (________) mandates that all communications services be monitored and supervised.

2. Research In Motion sells communications services in (__________).

3. Therefore, Research In Motion’s customers in (________) are subject to supervision and monitoring.

You may fill in the blank with the state of your choice. Deductive reasoning stipulates that if the premises of an argument are true (1 and 2), then the conclusion must also be true (3). Everything else is a moot point (BES encryption hacks, the existence of back doors, compromised third party applications, etc.).

So when the executives at Research In Motion send a statement like this one to their customers (“RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers”), you can call it for what it is – a logical impossibility.

I recently wrote a post for Forbes.com on how Research In Motion has quietly been making deals to provide encryption keys to the Russian and Chinese governments, with India in the queue for a set as well, while the UAE and Saudi Arabia are threatening to kick RIM out of their respective countries unless they get the same access.

My issue with this is not that RIM is abiding by the laws of the nation within whose borders they want to conduct business. That’s what companies do – Google’s dealings with China being the latest example. The issue that has prompted this Project Grey Goose investigation is RIM’s lack of transparency regarding which governments have the ability to monitor their customers’ message traffic and which do not. That is a critical bit of data to know for enterprise Blackberry users who, by virtue of their place of employment, are high-value targets for cyber attacks, including espionage by state or state-sponsored actors.

Research In Motion executives are invited to provide an accurate accounting at any time. In the meantime, if you’d like to participate in discovering which other countries have the ability to decrypt your Blackberry’s email or other encrypted messages, please let me know via the Contact button on this website.

Steve Tornio and Brian Martin just published a 5,000-word rant against anyone who dares utter the name Sun Tzu in connection with information security. According to Tornio and Martin, Sun Tzu, the principal strategic authority whose seminal work has served to guide China’s military and civilian leadership for 2500 years, is “not relevant to modern day InfoSec” because “information security is not warfare (leaving aside actual warfare, of course)”.