As a number of Middle Eastern countries move to suspend BlackBerry services questions arise as to whether their concerns are really over security or more about an attempt to exert control in a cyber domain that does not adhere to national borders.
By Jennifer Cole, Head of Emergency Management
The ongoing conflict between BlackBerry makers Research in Motion (RIM) and certain nation states, unhappy with restrictions on their ability to monitor and access information transmitted by the devices, highlights a number of issues that are at the forefront of the cyber security debate. These include the governance of cyber space, international compliance, legal frameworks surrounding cloud computing and, ultimately, who owns and controls both cyber space itself and the information contained within it.
In the name of security
Earlier this week, Mohammed Al Ghanem, director general of the United Arab Emirates' Telecommunications Regulatory Authority (TRA)1, confirmed that the UAE will suspend BlackBerry services from 11 October 2010. Access to the network will not resume until RIM is prepared to operate within the regulatory framework introduced in 2007, with which it does not currently comply. In addition, on 3 August Sultan Al Malik, spokesman of Saudia Arabia's Communications and Information Technology Commission (CITC) stated that the kingdom will ban the BlackBerry Messenger text service - though not other functions of the smartphone service - from 6 August onwards.
Saudi Arabia and the UAE both cite security concerns for this decision: primarily, the restricted state access to the BlackBerry network. All mobile voice and data networks are utilised extensively by terrorists and criminal networks but the threat posed by such groups - so claim the Saudi and Emirates authorities - is increased if communications between them cannot be monitored and investigated by state authorities. These concerns are understandable as security in the region has recently come under international scrutiny: Saudi Arabia has been a victim of Al-Qa'ida terrorism and is working hard to counter the organisation's influence within its borders, while the UAE government and police have also been involved in the high-profile investigation surrounding the assassination of Hamas leader Mahmoud al-Mabhouh in Dubai earlier this year.
Concerns focus on the unique composition of the BlackBerry network; neither the UAE nor Saudi Arabia has any issue with Nokia smartphones or Apple iPhones, which are configured differently. All data sent between BlackBerry devices, including between two devices both physically located inside the UAE, is routed through RIM's Network Operating Centres. These are mainly located in Canada with additional servers in the USA and UK. Data is therefore stored outside of the Middle East.
BlackBerry's configuration does not prevent the UAE authorities from monitoring, intercepting and reading transmissions as they happen but it does introduce complications. If the authorities wanted to investigate previous communications between individuals that took place before a monitoring or surveillance operation began, they would have to request access to that information - from RIM initially and, potentially from the Canadian government, who may or not be willing to grant such access. As the statement on the TRA website says, the main concern is that data transmitted inside the UAE, by UAE subjects, is managed by a 'foreign, commercial organisation'. In other words, it is data over which the UAE has no control.
If the UAE's concerns are purely limited to its ability to monitor the communications of criminals and terrorists, is it hard to see why either RIM or the Canadian government would not comply with any requests for access to the data and, therefore, why the UAE is unhappy with the data being stored outside its borders. The problem, of course, is that what constitutes a criminal in one country could vary considerably across international borders.
The official TRA website has published the view that: 'in their current form, certain BlackBerry services allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE.'
It is the middle one of those listed concerns that has caught the attention of the world, and in particular of human rights groups. The desire of the state to control not only judicial and national security concerns but also social ones has been interpreted as a desire to restrict personal freedoms. The Washington-based organisation Freedom House, for example, has issued a press release2 describing the UAE and Saudi decisions as, 'a clear attempt to restrict freedom of expression and association within the countries'.
Such a reaction is not surprising considering that Saudia Arabia in particular has a questionable human rights record. The kingdom is habitually listed in the FCO's Annual Reports on Human Rights as a 'Country of Concern'. The 2008 report3 listed major limitations on the local media and freedom of expression, stating 'there are few facilities or outlets for those who wish to express their views. The internet is heavily censored'. In 2008, a Saudi blogger was held in custody for 137 days without charge after criticising prominent officials. These concerns had been only slightly allayed in the FCO's most recent, 2009 report.
Freedom of expression
RIM shares the concerns of such groups. In July 2009, UAE State-controlled service providers Emirates Telecommunications (Etisalat) sent out an unauthorised software update to BlackBerry users which it claimed would improve performance. RIM considered it to be 'a telecommunications surveillance application' and subsequently issued instructions on its website on how to remove the software, recommending that all users did so.
Whether one believes that UAE and Saudi Arabia want to spy only on criminal elements within their society or on everyone, the ongoing debate highlights the complexities surrounding who controls cyber space, who controls access to cyber space and the ownership of the data that passes through it. The real issue here is about the legal ownership of information, far more than the content.
At present, owning a BlackBerry gives UAE and Saudi citizens unprecedented levels of freedom precisely because the UAE does not own the servers on which data transmitted and received within its shores resides, nor does any government: RIM does. The UAE does not own a small - but in its mind - vital field of cyber space and so cannot control what happens in that field. The one thing it can control is whether or not people who are physically located in the UAE are allowed into it.
This may well prove to be a test case in future debates on the ownership and governance of the cyber domain. After all, which is more restrictive - to be denied access to a network entirely or to be aware that what you are doing over that network might be monitored? If denial of access is the more restrictive, would it be better for RIM to compromise or to stand their ground?
To Western minds it is completely unreasonable that a state should demand ownership of, and therefore access to, every communication that takes place between its citizens. Such capability enables very effective control over social behaviour. Political dissidents, potential terrorists and young lovers alike will think twice before sending a message that might implicate or incriminate them but they still have the ability to send the message if they choose. By refusing to compromise it could be argued that RIM are taking away the freedom to send a message regardless of the consequences. In some situations, that may be preferable to not being able to send the message at all.
Finding a solution
A compromise, suggested but not currently taken up, is that RIM locate a proxy server inside the UAE which is subject to the TRA's regulatory control. Such a solution has already been considered as a way to appease India, which also has concerns over lack of state access to BlackBerry data; the gunmen who killed 166 people in the November 2008 Mumbai attacks coordinated their efforts over Blackberry-like devices. The Indian government too is threatening to suspend BlackBerry services within the country unless changes are made.
France has similar concerns, and has cautioned officials against using BlackBerry's services because it considers data routed through US servers to be vulnerable to surveillance by US intelligence networks. In an interview with French newspaper Le Monde in June 2007, Alain Juillet, the official in charge of economic intelligence for the French government aired concerns over the risks of interception and protection of information. The issue is, once again, that the servers on which French data is stored are not located in France.
Posing new questions for cyber security
The row between the UAE and RIM is primarily a debate about the right of the state to be able to intercept communications between its citizens. However, on a global scale it plays into the larger debate on how a country might exert control over a domain that has no geographical borders, regardless of its reasons for wanting to do so. What right of access should governments have over a message that has originated in one country, been sent to a smartphone in another, and is ultimately stored on a server somewhere else entirely? Without international convention and ratification, this is a question that has no easy answer but it is going to become increasingly important in the future.
As cloud computing grows, and reliance on geographically dispersed clouds increases, control of that cloud will become ever more complex. Politically, it seems, there is a will to ground the control of cyberspace, if not the domain itself, within existing geographic boundaries. This is the area upon which debates on future governance will increasingly need to focus.
Jennifer Cole is programme head for RUSI's annual Cyber Security conference and resilient communications research.