Dot Vs.Blackberry – Round 3 and 4

The Hindu Business Line reports today that “the Department of Telecom has asked telecom operators not to provide certain features offered by Research In Motion’s (RIM) BlackBerry until monitoring systems are put in place.” It is not known what “certain” features are exactly, but “industry sources indicated that e-mails sent from one Blackberry to another Blackberry may be barred.”

Gee.. Emails huh? That’s all? Waittaminute.. isn’t that all one does with a Blackberry!?

Currently, talks are on directly between Research In Motion – owners of the Blackberry technology and the DoT after ‘GSM operators opted out of Blackberry talks‘

At a meeting held last week, RIM requested that it be allowed to discuss its plans to address the security concerns directly with Government authorities instead of going through the mobile operators. Sources said that RIM officials were concerned that since the topic of discussion was sensitive for security purposes, the proceedings of the meeting may be leaked out to the media in case the operators were also involved. While representatives of the various mobile operators were present during the meeting last week, RIM executives and DoT officers met separately in another room.
..

Sources within the GSM camp said that with only 2 lakh Blackberry users, there is no crisis even if the service was banned. They also pointed out that there were many other handset devices available today which provides similar type of services though the security levels may not match up to that of a Blackberry.

So.. what’s the big fuss about again?

DoT Vs. Blackberry – Round 2 – FIGHT!

The DoT on Friday has reportedly given two weeks to Research in Mobile (RIM) – the company that has developed Blackberry – to install servers and requisite equipment in India in order to tap e-mails sent through the service.

This was the message conveyed to the RIM representative in the country at a high level meeting in the department of telecommunications (DoT), which was chaired by the deputy director general (access services).

Officials from the ministry of home and representatives of Airtel, Vodafone, Reliance and Blackberry were also present in the meeting. The deadline for setting up this facility will be decided in a meeting scheduled next week, when high level officials of RIM from Canada will be present.

And also

RIM is currently operating services in 13 countries around the world. The present problem with Blackberry came to limelight when Tata Teleservices was not granted permission to operate the services. The government said that it was not possible to lawfully intercept e-mails sent through Blackberry phones. It is not yet clear how other operators like Reliance, Airtel and Vodafone are operating the services.

It is not clear. Not clear at all. The DoT website does not list any of these three as having obtained a UMS license. Does the ISP license imply a UMS license? Clearly not – since a UMS license requires a licensee to obtain, in addition, an ISP license.

So what happens next?More meetings.

Another meeting with RIM officials has been scheduled next week to discuss the issue further. In today’s meeting only a local sales representative of the company was present. “These are high level technical issues and hence the DoT officials today asked RIM representative to bring senior technical officials from Canada preferably by 2nd or 3rd of April for the next meeting,” said the industry representative.

DoT issues 15 day ultimatum to Blackberry service providers

The Blackberry controversy drags on with the DoT issuing a fifteen day ultimatum to telecom companies to put in place a suitable wiretapping system. The Business Standard article linked to above suggests that before Tata, other operators may not have specifically applied for and obtained a license to specifically introduce Blackberry devices.

The Blackberry service corresponds to the description of a Unified Messaging System – the license for which bars bulk encryption without placing a specific limit of 40 bits or otherwise. (However, UMS providers are required to obtain an ISP license as well, and so the 40 bit restriction is inherited). The DoT website has a list of UMS licensees which does not include any of the Blackberry providers.

What is a UMS?
“UMS shall have the ability to record, send and process Voice, Fax and E-Mail messages of subscribers. The terms “Message” in the document shall collectively indicate Voice, Fax and E-mail unless otherwise indicate. The system shall consist of Voice Processing sub-system, Storage sub-system (for voice, fax and e-mail), and Network Interfaces and Maintenance sub-system.

The objective of UMS is to allow subscribers to send, retrieve and manage messages in a uniform way, regardless of whether the message is a voice mail, a fax mail or an e-mail. In addition it shall be possible to manage the messages from various terminal types including phones, web browsers, standard e-mail clients and WAP terminals.”

I think this controversy has more to do with the existence of bulk/block encryption itself at a network-wide level, rather than at the individual user leve. Bulk encryption is forbidden for use by the “Licensee” under both the ISP and the UMS licenses. Individuals are given some relaxation on this rule and permitted to use encryption not-exceeding 40 bits and they may apply for a relaxation of this rule. However, ISPs themselves are not permitted any leeway and no mechanism exists even to apply for a relaxation.

So what’s going to happen?

DoT examining encryption code compliance?

As a fallout of the Blackberry illegality “controversy”, the DoT has reportedly begun to insist that all ISPs adhere to the prescribed encryption code. For those who didn’t know, Clause 2.2(vi) of the ISP license issued by the DoT mandates that if encryption technology greater that 40 bits is used, the decryption code must be submitted to the Government.

The Licensee shall ensure that Bulk Encryption is not deployed by ISPs. Further, Individuals/ Groups/ Organizations are permitted to use encryption up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall obtain prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.

So under what law does the Central Government get a monopoly over encryption?

Under the Telegraph Act, the Central Government has the “exclusive privilege” of establishing, maintaining and using telegraphs (which is broadly defined to include anything which is capable of sending and
receiving messages electronically).

So do we understand Clause 2.2(vi) as saying that the Central Government licenses the individual to use his lan card (which is a kind of telegraph) for accessing the internet on the condition that the message is not encoded greater than 40 bits?
Under this interpretation, if anyone contravenes this provision, he/she can be proceeded against under section 20A of the Telegraph Act – contravention of conditions of a license..”fine which may extend to one thousand rupees, and with a further fine which may extend to five hundred rupees for every week during which the breach of the condition continues”.

My web browser uses SSL which is a 128 bit technology!

Alternatively, there is the interpretation that suggests that as a third party to the contract, the DoT cannot proceed against me directly. The best it can do is to cancel the license with the ISP and proceed against the functionaries of the ISP.
But if there is no contract between the DoT and me, and DoT maintains that it owns encryption absolutely, I’m still in trouble. This way, I’m “Establishing, maintaining or working unauthorized telegraph” – an offence punishable with a fine which may extend to one thousand rupees.

Unless the DoT relaxes this rule, this is going to be an interesting fight on the lines of the battle over PGP in the US when it first began.

New Delhi/Mumbai March 18: Online banking operations and e-commerce transactions including purchase through credit cards may be open to Government surveillance as a fallout of the recent Blackberry controversy.

The Department of Telecom is now taking steps to ensure that all providers of Internet services strictly follow the prescribed encryption code. As per the existing law, all Internet-based service providers are required to submit a decryption key to the Government if they use more than 40 bit encryption code to secure the transactions.

Encryption codes are essentially a way to scramble information sent online in such a way that only the desired recipient has the key to unscramble it and convert it back to its original form.

However, as it was found out in the Blackberry case, a number of service providers are not strictly following the rule and have not submitted the decryption code. The issue came to light when telecom operators providing Blackberry services told DoT last week that the Government was singling out one service for allegedly violating the encryption laws.

Most of the e-commerce web sites like those selling airline and movie tickets and banking application web sites use more than 128 bit encryption code. The higher code is required to keep the transactions secure. The problem with using higher encryption codes is that the Indian security agencies find it impossible to track any specific transaction unless they have the decryption codes.

However, the Internet Service Providers termed DoT’s policy as archaic and said that they have already requested DoT to raise the permitted levels from 40 bits to at least 128 bits in line with the changing technology. “The existing encryption laws were made when Internet services were just beginning to take shape in the country. It is really unfair to stick to the same standards when technology is enabling more secure transactions and highly complex transactions. If DoT insists on the 40 bit encryption then it will be taking the Internet back to the dark ages,” said Mr Rajesh Chharia, President, Internet Service Providers Association.

Industry experts said that DoT’s policy was not practical on two counts. First, no company will give away its patented codes to leaky Government departments as it could make e-commerce applications unsecure and, therefore, useless. Second, under the existing rules, the procedure for submitting decryption keys, which is in digital form, has not been laid out. So even if anyone was bold enough to give the code to the Government, they would not know how to submit it. “In developed countries like the US there is no limit on the encryption code. Monitoring is done by their security agencies using the most sophisticated technology. DoT should invest in setting up monitoring centres which can do the job without limiting the scope of Internet services,” said Mr Amitabh Singhal of Elxess Consulting Services.